vulhub weblogic CVE-2018-2894
1. Set up the lab environment and access it as the instructions describe: http://192.168.137.157:7001/console. According to the vulhub documentation, you check the container log and find that the administrator username/password is weblogic / h3VCmK2L; it is not needed for now, so there is no need to log in.
2. Unauthenticated access: http://192.168.137.157:7001/ws_utc/config.do exposes an interface for uploading arbitrary files.
Without doing anything else, I was mainly curious about where it stores the uploaded file:
/u01/oracle/user_projects/domains/base_domain/tmp/WSTestPageWorkDir/config/keystore/1685608640016_ma.jsp
The uploaded file has been renamed with a string prefix. Capturing the request shows that this prefix is a timestamp, and it is returned in the response packet. So the file name is now under control; the remaining problem is the path. How can that be solved?
The underlined part of the path can also be customized in the web interface: set Work Home Dir to /u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css. This is the static css directory of the ws_utc application; the important point is that this directory can be accessed without authentication.
Directories at the same level as css: META-INF, WEB-INF, css, images, js
I tried it: the images directory can also be used, but the js directory cannot.
Access http://192.168.137.157:7001/ws_utc/images/config/keystore/1685608640016_ma.jsp?pwd=666&&i=whoami
Summary
The full path format of all uploaded files is /u01/oracle/user_projects/domains/base_domain/tmp/WSTestPageWorkDir/config/keystore/timestamp_filename.jsp
After setting the working directory (Work Home Dir) in http://192.168.137.157:7001/ws_utc/config.do, the path of the uploaded file does not change, but the file becomes accessible.
This write-up is very shallow; I haven't studied the specific principle of the vulnerability yet, and I will fill it in when I have time.
Exploitation path: /ws_utc/[last directory name of the directory set as Work Home Dir]/config/keystore/timestamp_filename.jsp
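As an added defensive example (not part of the original write-up), the following Python script scans constructed access log lines for the two request shapes described above: access to /ws_utc/config.do and requests for a renamed timestamp_filename.jsp under /ws_utc/<dir>/config/keystore/. The log format, client addresses and rule names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample HTTP access log lines (not from the original page); the paths follow
# the pattern the write-up describes. Fix: Oracle's July 2018 Critical Patch Update.
SAMPLE_LOG = """\
10.0.0.9 - - [01/Jun/2023:10:02:11 +0000] "POST /ws_utc/config.do HTTP/1.1" 200 88
10.0.0.9 - - [01/Jun/2023:10:02:20 +0000] "GET /ws_utc/css/config/keystore/1685608640016_ma.jsp?pwd=666 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jun/2023:10:02:25 +0000] "GET /ws_utc/images/config/keystore/1685608640016_ma.jsp HTTP/1.1" 200 512
10.0.0.7 - - [01/Jun/2023:10:03:00 +0000] "GET /ws_utc/images/logo.png HTTP/1.1" 200 4096
10.0.0.7 - - [01/Jun/2023:10:03:05 +0000] "GET /ws_utc/js/config/keystore/1685608640016_ma.jsp HTTP/1.1" 404 0
"""

# Common log format: client, identity, user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Unauthenticated configuration page of the Web Service Test Client (ws_utc).
CONFIG_RE = re.compile(r'^/ws_utc/config\.do(?:[?;]|$)')
# Path shape from the write-up:
#   /ws_utc/<last component of Work Home Dir>/config/keystore/<timestamp>_<name>.jsp
# The 13-digit prefix is a millisecond epoch timestamp.
KEYSTORE_JSP_RE = re.compile(
    r'^/ws_utc/(?P<dir>[^/]+)/config/keystore/(?P<stamp>\d{13})_(?P<name>[^/?]+\.jsp)(?:[?;]|$)'
)

def classify(path: str) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious ws_utc request path, or None."""
    if CONFIG_RE.match(path):
        return {"rule": "ws_utc_config_access"}
    m = KEYSTORE_JSP_RE.match(path)
    if m:
        return {"rule": "ws_utc_keystore_jsp", "dir": m["dir"], "file": m["name"]}
    return None

def scan(log_text: str) -> List[Dict[str, object]]:
    """Parse log lines; a 200 on a keystore .jsp means the uploaded file was served."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m["path"])
        if hit:
            hit.update(ip=m["ip"], status=m["status"], served=(m["status"] == "200"))
            findings.append(hit)
    return findings
```

Static resources such as /ws_utc/images/logo.png are not flagged, and the 404 on the js directory is reported with served=False, matching the behaviour noted above.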