IDEA + Docker: remote debugging of a vulnerability (WebLogic)

These notes are for learning how to debug Java vulnerabilities.

WebLogic is used as the example.

Vulnerability: CVE-2017-10271

Version: WebLogic 10.3.6

Building the environment

Docker is used as the example, with the vulhub environment:

https://github.com/vulhub/vulhub/blob/master/weblogic/CVE-2017-10271

Debugging inside Docker

First, publish the container's port 8453 by adding it to docker-compose.yml:

version: '2'
services:
  weblogic:
    image: vulhub/weblogic
    ports:
      - "7001:7001"
      - "8453:8453"

Then run docker-compose up -d to download the image and start the container.

After the download is complete, use docker exec -it weblogic /bin/bash to get a shell in the container, and edit /root/Oracle/Middleware/user_projects/domains/base_domain/bin/setDomainEnv.sh.

Add these two lines:

debugFlag="true"
export debugFlag

Then restart the container:

docker restart <container id>

Because the WebLogic source code is needed, copy the WebLogic files and the JDK packages out of the container:

docker cp weblogic:/root ./weblogic_jars

Then open the /root/Oracle/Middleware/wlserver_10.3/ directory in IDEA.

Then copy every *.jar file under the Middleware directory into a single folder named test.

The commands are as follows:

mkdir -p ./test
find ./ -name "*.jar" -not -path "./test/*" -exec cp {} ./test/ \;

Then add the test directory under Libraries.

For the JDK, select the jdk6 that comes with WebLogic 10.3.6.

Once both have been added, there will be two directories.

Then add the remote server as a Remote debug configuration.

The port number is 8453.

Apply the configuration and start debugging.

When the console shows the output in the figure below, it has worked.

Then set a breakpoint at line 129 of /wlserver_10.3/server/lib/weblogic.jar!/weblogic/wsee/jaxws/WLSServletAdapter.class

Send a request to wls-wsat with Burp.

When the result in the figure below appears, the setup has succeeded.
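
If IDEA cannot attach, it helps to confirm that port 8453 is really answering as a debug port. The following is an added example, not part of the original post: it sends the JDWP handshake (the protocol IDEA's remote debugger speaks) and reports whether the port echoes it. The localhost default and the function name probe_jdwp are assumptions made for the example.

```python
import socket
import sys

# The JDWP handshake: a debugger sends these 14 ASCII bytes and a JVM
# started with a JDWP agent echoes exactly the same bytes back.
JDWP_HANDSHAKE = b"JDWP-Handshake"


def probe_jdwp(host="127.0.0.1", port=8453, timeout=3.0):
    """Classify a TCP port as 'jdwp', 'open-not-jdwp' or 'closed'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"          # refused, filtered or unreachable
    reply = b""
    with sock:
        try:
            sock.sendall(JDWP_HANDSHAKE)
            # recv() may return fewer bytes than asked for, so loop.
            while len(reply) < len(JDWP_HANDSHAKE):
                chunk = sock.recv(len(JDWP_HANDSHAKE) - len(reply))
                if not chunk:    # peer closed before finishing the echo
                    break
                reply += chunk
        except OSError:          # timeout or reset while waiting
            pass
    return "jdwp" if reply == JDWP_HANDSHAKE else "open-not-jdwp"


if __name__ == "__main__":
    # Assumed lab values: Docker host on localhost, port 8453 as published
    # in docker-compose.yml. Pass host and port to check something else.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8453
    state = probe_jdwp(host, port)
    print(f"{host}:{port} -> {state}")
    if state == "closed":
        print("port not reachable: check the ports mapping and the container restart")
    elif state == "open-not-jdwp":
        print("no JDWP reply: debugFlag may not be set, or a debugger is already attached")
```

JDWP has no authentication and an attached client can run code in the JVM, so on a shared network publish the port to localhost only, for example "127.0.0.1:8453:8453" in docker-compose.yml.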

 

 


Origin www.cnblogs.com/ph4nt0mer/p/11772709.html