Vulnerability reproduction: CVE-2018-2894 WebLogic arbitrary file upload

vulhub weblogic CVE-2018-2894

1. Set up the target environment and access it as the prompt describes: http://192.168.137.157:7001/console
According to the supplied documentation, checking the container log reveals the administrator username/password weblogic / h3VCmK2L. It is not needed for now, so no login is required.

2. Unauthenticated access: http://192.168.137.157:7001/ws_utc/config.do exposes an interface that accepts an upload of any file.
Without doing anything else, I was mainly curious about where the file gets uploaded to:
/u01/oracle/user_projects/domains/base_domain/tmp/WSTestPageWorkDir/config/keystore/1685608640016_ma.jsp

The uploaded file has been renamed with a string of prefix characters. After capturing the packet, this prefix turns out to be a timestamp, which can be read from the response packet. So the file name is now under control; the remaining key is the path. How to solve that?
The underlined part of the path can also be customized in the web page.
Set Work Home Dir to /u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css. This is the static css directory of the ws_utc application. The important point is that this directory can be accessed without any authorization.

The directories at the same level as css are: META-INF WEB-INF css images js
I tried it; the images directory can also be used, but the js directory cannot.

Access http://192.168.137.157:7001/ws_utc/images/config/keystore/1685608640016_ma.jsp?pwd=666&&i=whoami

Summary

The full path format of all uploaded files is /u01/oracle/user_projects/domains/base_domain/tmp/WSTestPageWorkDir/config/keystore/timestamp_filename.jsp

After setting the current working directory (Work Home Dir) in http://192.168.137.157:7001/ws_utc/config.do, the upload path shown for the file does not change, but the file becomes accessible over the web.

This write-up is very shallow; I haven't read the specific principle of the vulnerability, and will fill it in when I have time.

Exploit path: /ws_utc/[the last directory name of the directory set by Work Home Dir]/config/keystore/timestamp_filename.jsp
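From a defender's side, the two path shapes above (a POST to /ws_utc/config.do followed by a JSP served from /ws_utc/<dir>/config/keystore/<timestamp>_<name>.jsp) are what to look for in the WebLogic access log. The following is an added detection example, not code from the original post; the log lines, hosts and timestamps are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample access-log lines (common log format); only the paths follow the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2023:10:15:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4123
10.0.0.9 - - [01/Jun/2023:10:16:40 +0000] "POST /ws_utc/config.do HTTP/1.1" 200 512
10.0.0.9 - - [01/Jun/2023:10:16:55 +0000] "GET /ws_utc/images/config/keystore/1685608640016_ma.jsp?pwd=666&i=whoami HTTP/1.1" 200 31
10.0.0.7 - - [01/Jun/2023:10:17:03 +0000] "GET /ws_utc/css/style.css HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Upload location from the write-up: /ws_utc/<last dir of Work Home Dir>/config/keystore/<13-digit timestamp>_<name>.jsp
SHELL_RE = re.compile(r'^/ws_utc/[^/]+/config/keystore/\d{13}_[^/?]+\.jsp(\?|$)')


class Finding(NamedTuple):
    severity: str
    ip: str
    reason: str
    path: str


def classify(method: str, path: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one request, or None if it is not of interest."""
    if SHELL_RE.match(path):
        return "critical", "JSP executed from ws_utc keystore directory (CVE-2018-2894 pattern)"
    if method == "POST" and path.startswith("/ws_utc/config.do"):
        return "high", "ws_utc settings modified (Work Home Dir may have been redirected)"
    if path.startswith("/ws_utc/"):
        return "medium", "web service test client reachable; it should be disabled in production"
    return None


def analyze(log_text: str) -> List[Finding]:
    """Parse access-log text and return findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hit = classify(m["method"], m["path"])
        if hit:
            findings.append(Finding(hit[0], m["ip"], hit[1], m["path"].split("?")[0]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} {f.path}: {f.reason}")
```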


Source: blog.csdn.net/m0_52062236/article/details/130991000