1. What is WebLogic
WebLogic is an application server produced by Oracle Corporation of the United States; more precisely, it is middleware built on the Java EE architecture. It is used to develop, integrate, deploy and manage large-scale distributed web applications, network applications and database applications, bringing the dynamic capabilities of Java and the security of the Java Enterprise standards to each of those stages.
2. Vulnerability description
This environment simulates a real WebLogic deployment with two weaknesses: a weak password on the administration console and an arbitrary file read vulnerability in a front-end application. Together they are used to walk through a WebLogic penetration scenario.
WebLogic version: 10.3.6 (11g)
Java version: 1.6
3. Building the vulnerable environment
Enter the directory containing the environment's docker-compose.yml.
Start the container:
docker-compose up -d
Check which host port was mapped to the server's port 7001 (the port used in the URLs below):
docker ps -a
4. Reproducing the WebLogic vulnerabilities
Weak password
Visit the console login page:
http://192.168.0.116:7001/console/login/LoginForm.jsp
This environment ships with the following weak credential:

| Account | Password |
|---|---|
| weblogic | Oracle@123 |
File reading
How would you penetrate WebLogic if there were no weak password?
Arbitrary file download
This environment also simulates an arbitrary file download vulnerability in the front-end application. To verify it, visit http://your-ip:32770/hello/file.jsp?path=/etc/passwd (32770 is the host port that docker ps reported for this run; substitute whatever port your instance was given)
and the passwd file is returned:
Download and open the passwd file:
AES password cracking
WebLogic stores passwords encrypted with AES (3DES in older versions). Because the encryption is symmetric, the ciphertext can be decrypted as long as you obtain both the user's ciphertext and the encryption key. Both live under base_domain: the key material in SerializedSystemIni.dat and the ciphertext in config.xml. In this environment they are ./security/SerializedSystemIni.dat and ./config/config.xml relative to /root/Oracle/Middleware/user_projects/domains/base_domain.
1. SerializedSystemIni.dat is a binary file, so it must be saved byte-for-byte: downloading it through a browser may alter or add characters, which breaks decryption. Read it through Burp Suite instead, select the garbled response body, right-click and choose Copy to file to save it (a curl download with --output also keeps the bytes intact):
2. config.xml
is the global configuration file of base_domain, so it contains a lot of unrelated content. Locate the element holding the encrypted administrator password; its value is the ciphertext. Administrator password:
Download the WebLogic decryption tool from GitHub and save it locally in the same directory as the SerializedSystemIni.dat
file saved above, as shown in the following figure:
Run it against the ciphertext to recover the password of the WebLogic console user:
Webshell upload from the console
With the account and password of the WebLogic console, you can log in and deploy a WAR package containing a JSP webshell to obtain a web shell.
1. Log in with the account and password, then in the management console go to Deployments -> Install:
On the Install page, click the link to upload your file(s):
Select the prepared WAR webshell package and click Next:
How to build the WAR package: prepare a JSP webshell, e.g. xxx.jsp,
compress it into ma1.zip and rename the archive to ma1.war (a WAR is a zip file with a .war extension). The application name chosen during deployment (test here) becomes the context root, i.e. the directory under which the webshell is served once deployment succeeds:
Keep clicking Next (make sure you click the Next button at the top, not a different one):
Then click Finish, then Save:
Deployment completed:
To access the webshell at http://IP:7001/test/JspSpy.jsp
you need to enter its password:
Connection password of the JSP webshell ma1.jsp
: admin
Successfully connected to the webshell:
5. Defense and remediation
1. Require authenticated, authorized access to console pages such as Config.do;
2. IPS and similar defensive products can add signatures for the file read and console login requests used above;
3. Upgrade to the latest official version.
The two weaknesses exploited on this page also point to the direct fixes: replace the weak weblogic / Oracle@123 credential and restrict which networks can reach /console, and make file.jsp resolve the requested path and check it against an allowed directory instead of opening whatever path= names.
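Detection logic for the two weaknesses, as an added example that is not part of the original write-up: it runs over access log lines in Common Log Format (which is what WebLogic's access.log uses by default) and flags file.jsp requests whose path= value is absolute or climbs with "..", plus bursts of POSTs to the console login target from one address. The sample lines are constructed, not captured from a real server; /console/j_security_check as the login POST target, the thresholds and the helper names are my assumptions.

```python
"""Detect abuse of the file read endpoint and console password guessing in
WebLogic access logs.  Added example; the log lines below are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format: host ident user [timestamp] "METHOD target PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FILE_READ_ENDPOINT = "/hello/file.jsp"       # from the write-up
LOGIN_POST = "/console/j_security_check"     # assumption: console login form target

# Constructed sample lines (not from a real server): one host pulling files
# through file.jsp, one benign relative read, one host hammering the login.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2020:10:00:01 +0800] "GET /hello/file.jsp?path=/etc/passwd HTTP/1.1" 200 1024
10.0.0.5 - - [12/May/2020:10:00:09 +0800] "GET /hello/file.jsp?path=/root/Oracle/Middleware/user_projects/domains/base_domain/security/SerializedSystemIni.dat HTTP/1.1" 200 64
10.0.0.5 - - [12/May/2020:10:00:12 +0800] "GET /hello/file.jsp?path=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 512
10.0.0.7 - - [12/May/2020:10:01:00 +0800] "GET /hello/file.jsp?path=readme.txt HTTP/1.1" 200 77
10.0.0.9 - - [12/May/2020:10:02:00 +0800] "POST /console/j_security_check HTTP/1.1" 302 0
10.0.0.9 - - [12/May/2020:10:02:01 +0800] "POST /console/j_security_check HTTP/1.1" 302 0
10.0.0.9 - - [12/May/2020:10:02:02 +0800] "POST /console/j_security_check HTTP/1.1" 302 0
10.0.0.9 - - [12/May/2020:10:02:03 +0800] "POST /console/j_security_check HTTP/1.1" 302 0
10.0.0.9 - - [12/May/2020:10:02:04 +0800] "POST /console/j_security_check HTTP/1.1" 302 0
10.0.0.9 - - [12/May/2020:10:02:05 +0800] "POST /console/j_security_check HTTP/1.1" 302 0
10.0.0.2 - - [12/May/2020:10:03:00 +0800] "POST /console/j_security_check HTTP/1.1" 302 0
"""


def parse_line(line: str) -> dict | None:
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def requested_path(target: str) -> str | None:
    """Decoded ?path= value if the request hits the file read endpoint, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(FILE_READ_ENDPOINT):
        return None
    values = parse_qs(parts.query).get("path")
    # parse_qs already decodes once; a second unquote also catches double encoding.
    return unquote(values[0]) if values else None


def is_traversal(path: str) -> bool:
    """Absolute paths and any '..' segment leave whatever directory was intended."""
    segments = re.split(r"[\\/]+", path)
    return path.startswith(("/", "\\")) or ".." in segments


def detect(lines, login_threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return flagged file reads as (ip, path) and IPs that POSTed to the login
    target at least login_threshold times within window_seconds."""
    file_reads: list[tuple[str, str]] = []
    login_posts: dict[str, list[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = requested_path(rec["target"])
        if path is not None and is_traversal(path):
            file_reads.append((rec["ip"], path))
        if rec["method"] == "POST" and rec["target"].startswith(LOGIN_POST):
            login_posts[rec["ip"]].append(rec["ts"])
    brute_force = []
    for ip, stamps in login_posts.items():
        stamps.sort()
        for i in range(len(stamps) - login_threshold + 1):
            if (stamps[i + login_threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                brute_force.append(ip)
                break
    return {"file_read": file_reads, "login_bruteforce": brute_force}


if __name__ == "__main__":
    for key, hits in detect(SAMPLE_LOG.splitlines()).items():
        print(key, hits)
```

The relative read of readme.txt is deliberately left unflagged: the endpoint's existence is the bug, but alerting on every call to it drowns the signal, whereas an absolute path or a ".." segment is what the exploitation above actually needs.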