https://github.com/Y4er/CVE-2020-2555
Weblogic com.tangosol.util.extractor.ReflectionExtractor RCE
https://github.com/Y4er/CVE-2020-2555
Last synced: 4 months ago
JSON representation
Weblogic com.tangosol.util.extractor.ReflectionExtractor RCE
- Host: GitHub
- URL: https://github.com/Y4er/CVE-2020-2555
- Owner: Y4er
- License: mit
- Created: 2020-03-07T18:58:09.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2022-12-15T00:36:55.000Z (almost 3 years ago)
- Last Synced: 2024-08-05T17:26:42.220Z (over 1 year ago)
- Language: Java
- Size: 60.7 MB
- Stars: 181
- Watchers: 4
- Forks: 55
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - Y4er/CVE-2020-2555 - Weblogic com.tangosol.util.extractor.ReflectionExtractor RCE (Java)
README
# CVE-2020-2555
Weblogic com.tangosol.util.extractor.ReflectionExtractor RCE
com.supeream.CVE_2020_2555
```
/*
* author:Y4er.com
*
* gadget:
* BadAttributeValueExpException.readObject()
* com.tangosol.util.filter.LimitFilter.toString()
* com.tangosol.util.extractor.ChainedExtractor.extract()
* com.tangosol.util.extractor.ReflectionExtractor.extract()
* Method.invoke()
* ...
* Runtime.getRuntime.exec()
*/
```
# Require
This only works in JDK 8u76 and WITHOUT a security manager, because of `BadAttributeValueExpException` in here:
https://github.com/JetBrains/jdk8u_jdk/commit/af2361ee2878302012214299036b3a8b4ed36974#diff-f89b1641c408b60efe29ee513b3d22ffR70
And Please replace `coherence.jar` with your weblogic version, if not, you will get serialVersionUID inconsistent error.
Only test on Centos jdk8u202 Weblogic 12.2.1.4.
# Reference
1. https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server
2. https://www.youtube.com/watch?v=VzmZTYbm4Zw
3. https://github.com/5up3rc/weblogic_cmd/