Before testing for WebLogic vulnerabilities we usually want to fingerprint the WebLogic version first, both to judge whether the target falls inside the vulnerable version range and to prepare the matching EXP (the same vulnerability may need a different EXP depending on the WebLogic version, CVE-2019-2725 for example).
0x01 The old method
The old method is to open the console login page; the version number is printed at the bottom of the page. Note that the "10.4.5" shown on the 404 page is not the version number.
http://...:7001/console/login/LoginForm.jsp
However, this page may have been removed or access to it blocked. Is there another way?
0x02 Identification via the T3 protocol
While studying the T3 protocol recently, I noticed in a Wireshark capture that the protocol messages carry the WebLogic version.
So all that is needed is to send the following packet over T3; the WebLogic version can then be read from the reply.
```
t3 10.3.6
AS:255
HL:19

```
Note that sometimes the server answers a probe with nothing but a bare HELO line. That still indicates that T3 is enabled; you have to submit the probe packet several times before one of the attempts returns the version.
The script below implements the idea above.
```python
import socket
import time

# Client greeting: protocol version, then the AS/HL headers, terminated by an empty line.
hello = b't3 10.3.6\nAS:255\nHL:19\n\n'

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(('127.0.0.1', 7001))
sock.send(hello)
time.sleep(1)
# The reply starts with "HELO:<version>..." when the server reports its version.
resp1 = sock.recv(1024)
print(resp1)
sock.close()
```
If no version is detected, the likely causes are:
- the T3 protocol is not enabled
- the server sits behind a load balancer
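The following is an added example, not code from the original post: it packages the handshake described above into a small fingerprinting routine that handles the two failure modes the post mentions, a bare HELO reply (retry a few times) and a server that merely echoes back whatever version the client claims (claim two different versions and compare, the same heuristic the post's second script uses). The reply layout ("HELO:" prefix, a ".false" suffix after the version, then "AS:" / "HL:" headers) is taken from the comments in the post's scripts; the sample replies in the tests are constructed, and the host and port in the usage block are placeholders. The probe is separated from the decision logic so the parser can be exercised offline.

```python
import functools
import re
import socket

# Client greeting as shown in the post: "t3 <version>\nAS:255\nHL:19\n\n".
def build_hello(version="10.3.6", secure=False):
    proto = "t3s" if secure else "t3"
    return "{} {}\nAS:255\nHL:19\n\n".format(proto, version).encode()

# First reply line looks like "HELO:12.2.1.3.false" (assumed layout); accept 3- or 4-part versions.
HELO_RE = re.compile(r"^HELO:([0-9]+(?:\.[0-9]+){2,3})")

def parse_hello_response(data):
    """Split a T3 reply into its version (None for a bare HELO) and its key:value headers."""
    lines = data.decode("utf-8", errors="replace").split("\n")
    parsed = {"is_t3": lines[0].startswith("HELO"), "version": None, "headers": {}}
    m = HELO_RE.match(lines[0])
    if m:
        parsed["version"] = m.group(1)
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            parsed["headers"][key.strip()] = value.strip()
    return parsed

def fingerprint(send_probe, claims=("12.1.2", "11.1.2"), attempts=3):
    """send_probe(hello_bytes) returns the raw reply or None.

    Each claimed version is sent up to `attempts` times (bare HELO replies carry no version).
    If every claimed version comes straight back, the server is only echoing the client and the
    real version is unknown; otherwise the first reported version is returned.
    """
    seen = []
    for claimed in claims:
        version = None
        for _ in range(attempts):
            reply = send_probe(build_hello(claimed))
            if not reply:
                return {"t3": False, "version": None, "echoed": False}
            parsed = parse_hello_response(reply)
            if not parsed["is_t3"]:
                return {"t3": False, "version": None, "echoed": False}
            version = parsed["version"]
            if version:
                break
        seen.append(version)
        # A version that does not match our claim is the server's own; stop probing.
        if version is None or not version.startswith(claimed):
            break
    echoed = len(seen) == len(claims) and all(
        v is not None and v.startswith(c) for v, c in zip(seen, claims))
    if echoed:
        return {"t3": True, "version": None, "echoed": True}
    reported = [v for v in seen if v]
    return {"t3": True, "version": reported[0] if reported else None, "echoed": False}

def tcp_probe(host, port, hello, timeout=5):
    """Send one greeting over plain TCP; None on connection or timeout errors."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(hello)
            return sock.recv(1024)
    except (OSError, socket.timeout):
        return None

if __name__ == "__main__":
    # Placeholder target; replace with the host being assessed.
    print(fingerprint(functools.partial(tcp_probe, "127.0.0.1", 7001)))
```

Passing `send_probe` as a callable keeps the retry and echo logic testable without a live server, and the same routine works over T3S by wrapping the socket in an SSL context and setting `secure=True` in `build_hello`.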
```python
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
import socket
import time
import re

# Accept 3- or 4-part versions (the reply may carry e.g. 12.1.3.0 rather than 12.1.3).
VERSION_RE = r'.*?([0-9]+(?:\.[0-9]+){2,3})'


def extract_version(text):
    m = re.match(VERSION_RE, text)
    return m.group(1) if m else None


sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(10)
server_addr = ("127.0.0.1", 7001)
try:
    sock.connect(server_addr)
    # "t3 12.1.2\nAS:2048\nHL:19\n\n" encoded as hex
    sock.send(bytes.fromhex('74332031322E312E320A41533A323034380A484C3A31390A0A'))
    time.sleep(1)
    res = sock.recv(1024)
    # print(res)
    res = res.decode('utf-8')
    # versionInfo = res.splitlines()[0].replace("HELO:", "").replace(".false", "")
    versionInfo = extract_version(res)
    if versionInfo:
        if versionInfo.startswith("12.1.2"):
            # The server may just be echoing the version we claimed; claim another one and compare.
            # "t3 11.1.2\nAS:2048\nHL:19\n\n" encoded as hex
            sock.send(bytes.fromhex('74332031312E312E320A41533A323034380A484C3A31390A0A'))
            time.sleep(1)
            res = sock.recv(1024)
            res = res.decode('utf-8')
            versionInfo = extract_version(res)
        if versionInfo is None or versionInfo.startswith("11.1.2"):
            # Server just echoes whatever version we send.
            print('[-] T3 protocol in use (Unknown WebLogic version).')
        else:
            print('[+] T3 protocol in use (Weblogic Version: {})'.format(versionInfo))
    else:
        print('[+] ' + res.rstrip())
        print('[-] Unknown response received.')
except Exception as e:
    print('[-] Target Weblogic T3 Handshake Failed: {}'.format(e))
finally:
    sock.close()
```
```python
#!/usr/bin/env python3
##################################################
# Author: synfinner                              #
# Description: Get Weblogic version via T3.      #
##################################################
import socket
import argparse
import ssl
import ipaddress


def t3ssl(host, port):
    # Setup SSL context
    context = ssl.create_default_context()
    # Ignore ssl validations (check_hostname must be disabled before verify_mode is changed)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    # Specify that we want to use T3S
    msg = "t3s 12.1.2\nAS:2048\nHL:19\n\n"
    try:
        logicSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        logicSocket.settimeout(5)  # 5 second timeout
        # SSL wrap the socket
        secureLogicSocket = context.wrap_socket(logicSocket, server_side=False,
                                                server_hostname=host)
        secureLogicSocket.connect((host, port))
        secureLogicSocket.send(msg.encode())
        data = secureLogicSocket.recv(1024)
        print("HOST: ", host, "--", data.decode().rstrip())
        secureLogicSocket.close()
    except Exception as e:
        print("[+]Error: ", e)
    return


def t3(host, port):
    # construct TCP socket.
    logicSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    logicSocket.settimeout(5)  # 5 second timeout.
    try:
        logicSocket.connect((host, port))
    except Exception as e:
        print("[+]Error: ", e)
        return
    # Send t3 request and read the HELO reply.
    msg = "t3 10.3.6\nAS:255\nHL:19\n\n"
    try:
        logicSocket.send(msg.encode())
        data = logicSocket.recv(1024)
    except Exception as e:
        print("[+]Error: ", e)
        logicSocket.close()
        return
    print("HOST: ", host, "--", data)
    logicSocket.close()
    return


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", type=str,
                        help="hostname/ip of target")
    parser.add_argument("-p", "--port", type=int,
                        help="port to connect on")
    parser.add_argument("-s", "--secure",
                        help="negotiate over ssl/t3s",
                        action='store_true')
    parser.add_argument("-r", "--range", action='store_true',
                        help="cidr addresses specified as target. Ex: 192.168.10.0/24")
    args = parser.parse_args()
    host = args.target
    port = args.port
    if args.range:
        # Walk every address in the CIDR block.
        network = ipaddress.ip_network(host)
        for ip in network:
            if args.secure:
                t3ssl(str(ip), port)
            else:
                t3(str(ip), port)
    else:
        if args.secure:
            t3ssl(host, port)
        else:
            t3(host, port)


if __name__ == '__main__':
    main()
```