简介
该漏洞针对gadget cve-2020-2555 绕过利用。
分析
com.tangosol.util.extractor.UniversalExtractor代码如下
public UniversalExtractor() {
this.m_sNameCanon = null;
}
public UniversalExtractor(String sName) {
this(sName, (Object[])null, 0);
}
public UniversalExtractor(String sName, Object[] aoParam) {
this(sName, aoParam, 0);
}
@JsonbCreator
public UniversalExtractor(@JsonbProperty("name") String sName, @JsonbProperty("params") Object[] aoParam, @JsonbProperty("target") int nTarget) {
this.m_sNameCanon = null;
azzert(sName != null);
if (aoParam != null && aoParam.length > 0 && !sName.endsWith("()")) {
throw new IllegalArgumentException("UniversalExtractor constructor: parameter sName[value:" + sName + "] must end with method suffix \"" + "()" + "\" when optional parameters provided");
} else {
this.m_sName = sName;
this.m_aoParam = aoParam;
this.m_nTarget = nTarget;
this.init();
}
}
public E extract(T oTarget) {
if (oTarget == null) {
return null;
} else {
TargetReflectionDescriptor targetPrev = this.m_cacheTarget;
try {
if (targetPrev != null && oTarget.getClass() == targetPrev.getTargetClass()) {
return targetPrev.isMap() ? ((Map)oTarget).get(this.getCanonicalName()) : targetPrev.getMethod().invoke(oTarget, this.m_aoParam);
} else {
return this.extractComplex(oTarget);
}
} catch (NullPointerException var4) {
throw new RuntimeException(this.suggestExtractFailureCause(oTarget.getClass()));
} catch (Exception var5) {
throw ensureRuntimeException(var5, oTarget.getClass().getName() + this + '(' + oTarget + ')');
}
}
}
从代码可以看出,与cve-2020-2555 类似
利用
只需要修改cve 2020-2555 gadget的最后一环为该类即可
后期有时间的话,可能会放出针对这次weblogic更新的利用工具