Lab download: vulnerability details
Environment setup reference: [Hongri Security - VulnStack] ATT&CK Practical Series: Red Team Practice (2) - yokan - cnblogs
This lab has only three machines: the web server in the DMZ, the AD domain controller in the core zone, and the PC in the office zone.
Step 1: Information gathering (simulating a black-box test)
The web server's IP address is known, so scan it with a SYN scan.
nmap -sS -v 192.168.111.80
Open ports obtained:
Web server:
Nmap scan report for 192.168.111.80
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn    Samba service: possible brute force / unauthorized access / remote command execution
445/tcp open microsoft-ds    SMB service: MS17-010 / port overflow vulnerabilities
1433/tcp open ms-sql-s    MSSQL service present: possible brute force / injection / weak SA password
3389/tcp open ms-wbt-server    Remote Desktop present
7001/tcp open afs3-callback    WebLogic vulnerabilities
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
MAC Address: 00:0C:29:68:D3:5F (VMware)
WhatWeb scan
whatweb http://192.168.111.80:7001
Information obtained:
http://192.168.111.80:7001 [404 Not Found]
Country[RESERVED][ZZ], IP[192.168.111.80],
Java[2.1][Servlet/2.5],
Title[Error 404--Not Found],
X-Powered-By[Servlet/2.5 JSP/2.1]
From this we can see it is a Java web application, so scan for Java-related vulnerabilities.
Tool: GitHub - rabbitmask/WeblogicScan: WebLogic one-click vulnerability detection tool, V1.5, updated 20200730
Scan with WeblogicScan:
python3 WeblogicScan.py -u 192.168.111.80 -p 7001
Vulnerability information obtained:
[192.168.111.80:7001] Weblogic Version Is 10.3.6.0
[+] [192.168.111.80:7001] Weblogic console address is exposed! The path is: http://192.168.111.80:7001/console/login/LoginForm.jsp
[+] [192.168.111.80:7001] Weblogic UDDI module is exposed! The path is: http://192.168.111.80:7001/uddiexplorer/
[-] [192.168.111.80:7001] weblogic not detected CVE-2016-0638
[-] [192.168.111.80:7001] weblogic not detected CVE-2016-3510
[-] [192.168.111.80:7001] weblogic not detected CVE-2017-10271
[-] [192.168.111.80:7001] weblogic not detected CVE-2017-3248
[-] [192.168.111.80:7001] weblogic not detected CVE-2017-3506
[-] [192.168.111.80:7001] weblogic not detected CVE-2018-2628
[-] [192.168.111.80:7001] weblogic not detected CVE-2018-2893
[-] [192.168.111.80:7001] weblogic not detected CVE-2018-2894
[+] [192.168.111.80:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2725
[+] [192.168.111.80:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2729
[-] [192.168.111.80:7001] weblogic not detected CVE-2019-2890
Two Java deserialization vulnerabilities were found (CVE-2019-2725 and CVE-2019-2729).
Scan the web directories:
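To turn the raw nmap and WeblogicScan output above into a remediation list for the blue team, the following Python parser (added here, not part of the original write-up or either tool) extracts the open ports, the WebLogic version, the exposed paths and only the confirmed `[+]` CVEs, then orders them with the deserialization RCEs first. The sample input is constructed to match the output shapes quoted above, and the port exposure policy in `EXPOSURE_NOTES` is an assumption.

```python
import re
# Constructed samples shaped like the nmap and WeblogicScan output quoted above.
NMAP_OUTPUT = """\
PORT STATE SERVICE
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
7001/tcp open afs3-callback
49152/tcp open unknown
"""
SCAN_OUTPUT = """\
[192.168.111.80:7001] Weblogic Version Is 10.3.6.0
[+] [192.168.111.80:7001] Weblogic console address is exposed! The path is: http://192.168.111.80:7001/console/login/LoginForm.jsp
[-] [192.168.111.80:7001] weblogic not detected CVE-2017-10271
[+] [192.168.111.80:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2725
[+] [192.168.111.80:7001] weblogic has a JAVA deserialization vulnerability:CVE-2019-2729
"""
# Assumed network policy: these services must not face untrusted networks.
EXPOSURE_NOTES = {
    445: "SMB reachable: restrict to management network, verify MS17-010 patch state",
    3389: "RDP reachable: restrict to management network",
    7001: "WebLogic reachable: console must not face untrusted networks",
}
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
VERSION_RE = re.compile(r"Weblogic Version Is (\S+)")
PATH_RE = re.compile(r"The path is: (\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

def parse_nmap(text):
    """Return {port: service} for every 'open' line of nmap's normal output."""
    matches = (PORT_RE.match(line) for line in text.splitlines())
    return {int(m.group(1)): m.group(2) for m in matches if m}

def parse_weblogicscan(text):
    """Keep only [+] findings: version, exposed paths, confirmed CVEs."""
    result = {"version": None, "exposed": [], "cves": []}
    for line in text.splitlines():
        if m := VERSION_RE.search(line):
            result["version"] = m.group(1)
        elif line.startswith("[+]"):  # [-] lines are negative results
            if m := PATH_RE.search(line):
                result["exposed"].append(m.group(1))
            elif m := CVE_RE.search(line):
                result["cves"].append(m.group(0))
    return result

def triage(ports, scan):
    """Ordered remediation list: confirmed RCE CVEs first, then exposure."""
    out = [f"{c}: deserialization RCE on WebLogic {scan['version']}, patch first"
           for c in scan["cves"]]
    out += [f"exposed endpoint {p}: restrict or remove" for p in scan["exposed"]]
    out += [EXPOSURE_NOTES[p] for p in sorted(ports) if p in EXPOSURE_NOTES]
    return out
```

Feed it the real scanner output files and the result is the patch/firewall ticket list for the web host.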
dirb http://192.168.111.80:7001
Information obtained:
---