Weblogic arbitrary file upload vulnerability (CVE-2018-2894) reproduction

Set up the test environment with Docker, using vulhub
micr067@test:~/vulhub/weblogic/CVE-2018-2894$ sudo docker-compose build
weblogic uses an image, skipping
micr067@test:~/vulhub/weblogic/CVE-2018-2894$ sudo docker-compose up -d
 
View the environment's account and password:
sudo docker-compose logs | grep password
Username: weblogic
Password: cWkt0VPA
Click base_domain, then Configuration.
 
Under "Advanced", turn on the "Enable Web Services Test Page" option and save.
T3, also called rich sockets, is BEA's internal protocol; it is feature-rich and scales well. T3 is a two-way, multiplexed, asynchronous protocol that is highly optimized and uses only one socket and one thread. With it, a Java-based client can use a variety of RMI objects on the server as needed while still using a single socket and a single thread.
Set Work Home Dir to:
/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css
This is the css directory of the ws_utc application's static files, and no permissions are needed to access it. Then submit.
Next click "Security", then Add; a login box pops up. Click "Browse" to upload the webshell and capture the request.
 
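You can see that the upload succeeded.
Visit http://your-ip:7001/ws_utc/css/config/keystore/[timestamp]_[filename] to execute the webshell.
It is accessible.
Connecting with AntSword and Chopper failed; after switching to a Behinder shell, the connection with Behinder succeeded.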
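The upload lands under a fixed, unauthenticated URL pattern, so a defender can look for it in the server's HTTP access log. The following is an added example, not part of the original post: it assumes Common Log Format lines, and the sample lines, severity labels and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# URL pattern from the write-up: /ws_utc/css/config/keystore/[timestamp]_[filename]
KEYSTORE_RE = re.compile(r"^/ws_utc/css/config/keystore/(\d+)_([^/]+)$", re.I)
# Common Log Format (assumed layout of the access log).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Extensions a Java servlet container may compile and run.
SCRIPT_EXT = (".jsp", ".jspx", ".jspf")


def classify(line):
    """Return a finding for a request to the ws_utc keystore path, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, when, method, target, status = m.groups()
    # Normalise before matching: drop the query string, decode %-escapes,
    # and strip ";param" path parameters that would hide the extension.
    path = unquote(urlsplit(target).path).split(";", 1)[0]
    hit = KEYSTORE_RE.match(path)
    if not hit:
        return None
    executable = hit.group(2).lower().endswith(SCRIPT_EXT)
    served = status.startswith("2")
    # high: script file exists and was served; medium: script requested
    # but not served; low: non-script file fetched from the keystore path.
    severity = "high" if executable and served else "medium" if executable else "low"
    return {"client": client, "time": when, "method": method,
            "file": hit.group(2), "status": int(status), "severity": severity}


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]


# Constructed sample log lines (not from a real server).
SAMPLE = [
    '10.0.0.5 - - [01/Oct/2019:10:00:01 +0000] "GET /ws_utc/css/config/keystore/1569924001000_shell.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Oct/2019:10:00:09 +0000] "GET /ws_utc/css/config/keystore/1569924001000_shell%2Ejsp;a=b?x=1 HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Oct/2019:10:02:00 +0000] "GET /ws_utc/css/config/keystore/1569924002000_store.jks HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Oct/2019:10:03:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any hit on this path deserves a look, because it means Work Home Dir has been pointed at a web-served directory.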
 
 


Origin www.cnblogs.com/micr067/p/11609967.html