WeblogicScan

CVE-2019-2725.py

Open adon90 opened this issue 6 years ago • 1 comments

Regarding this exploit, this is a question: do you know how to convert the bytearray, which seems to be in decimal (but with negative values), to ASCII? I want to transform it in order to change the upload path (favicon.ico) to another. Thank you.

adon90 avatar Jul 03 '19 13:07 adon90

You can try this:

```java
import java.beans.XMLEncoder;
import java.io.BufferedOutputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;

public class Test {
    public static void main(String[] args) throws Exception {
        // Read the payload file generated by ysoserial
        File file = new File("E:/1.txt");
        FileInputStream fileInputStream = new FileInputStream(file);

        // Initialize the byte array output stream
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream((int) file.length());

        int buf_size = 1024;
        byte[] buffer = new byte[buf_size];
        int len = 0;
        // Copy the file contents into the byte array output stream
        while (-1 != (len = fileInputStream.read(buffer, 0, buf_size))) {
            byteArrayOutputStream.write(buffer, 0, len);
        }

        BufferedOutputStream oop = new BufferedOutputStream(new FileOutputStream(new File("E:/2.txt")));

        // Use the JDK's XMLEncoder to write the byte array to E:/2.txt
        XMLEncoder xmlEncoder = new XMLEncoder(oop);
        xmlEncoder.flush();
        xmlEncoder.writeObject(byteArrayOutputStream.toByteArray());
        xmlEncoder.close();
        byteArrayOutputStream.close();
        fileInputStream.close();
    }
}
```

If it does not work, check ysoserial's dependencies and your own Java environment.

dr0op avatar Jul 24 '19 09:07 dr0op
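For anyone inspecting a captured request body during triage, the decimal values with negative numbers are Java signed bytes inside an XMLEncoder `<array class="byte">`. The sketch below is an added example, not code from this thread or from WeblogicScan. It recovers the raw bytes, checks for the Java serialization stream header and lists printable strings. The names `decode_byte_array`, `triage` and `SAMPLE` are hypothetical, and the sample document is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: XMLEncoder output for a 12-byte array. XMLEncoder leaves
# out elements equal to the default 0 (indexes 2 and 5 here), so positions must
# be taken from the "index" attribute, not from element order.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_201" class="java.beans.XMLDecoder">
 <array class="byte" length="12">
  <void index="0"><byte>-84</byte></void> <void index="1"><byte>-19</byte></void>
  <void index="3"><byte>5</byte></void> <void index="4"><byte>116</byte></void>
  <void index="6"><byte>5</byte></void> <void index="7"><byte>97</byte></void>
  <void index="8"><byte>46</byte></void> <void index="9"><byte>105</byte></void>
  <void index="10"><byte>99</byte></void> <void index="11"><byte>111</byte></void>
 </array>
</java>"""


def decode_byte_array(xml_text):
    """Return the bytes held in the first XMLEncoder <array class="byte">."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations refused in untrusted XML")
    root = ET.fromstring(xml_text.encode("utf-8"))
    arr = root.find(".//array[@class='byte']")
    if arr is None or arr.get("length") is None:
        raise ValueError("no sized <array class=\"byte\"> element found")
    out = bytearray(int(arr.get("length")))        # omitted indexes stay 0
    for void in arr.findall("void"):
        value = int(void.findtext("byte", ""))     # Java byte: -128..127
        if not -128 <= value <= 127:
            raise ValueError(f"not a Java byte: {value}")
        out[int(void.get("index"))] = value & 0xFF  # two's complement to 0..255
    return bytes(out)


def triage(xml_text, min_len=4):
    """Summarise the decoded array for an analyst: size, header check, strings."""
    data = decode_byte_array(xml_text)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len       # runs of printable ASCII
    return {
        "size": len(data),
        # 0xACED is STREAM_MAGIC and 0x0005 is STREAM_VERSION of Java serialization
        "java_serialized": data.startswith(b"\xac\xed\x00\x05"),
        "strings": [m.decode("ascii") for m in re.findall(pattern, data)],
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```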