1.1. 前言

有时候拿到weblogic能命令执行,但是目标不能出网,不方便直接上线,这时就需要上个webshell来辅助后续的渗透

但是weblogic的web路径可能和常规的web系统不一样,不清楚的时候可能会一脸懵逼不知道上传到哪个目录下,以及如何访问,所以记录一下

1.2. 漏洞点

不能出网

image-20220127090452634

1.3. 路径

1.3.1. 路径1:写入bea_wls_internal目录

上传目录绝对路径:

[!NOTE]

自己根据需要对照修改,命令执行的时候一般在目录sv0

E:\APP\Middleware\Oracle_Home\user_projects\domains\sv0\servers\AdminServer\tmp\_WL_internal\bea_wls_internal\6位随机字符\war\shell.jsp

image-20220127091450615

web访问路径:

/bea_wls_internal/shell.jsp

image-20220127091327651

1.3.2. 路径2:写入console images目录

[!NOTE]

这个shell不是写在AdminServer下,需要能访问到console

上传目录绝对路径:

E:\APP\Middleware\Oracle_Home\wlserver\server\lib\consoleapp\webapp\framework\skins\wlsconsole\images\

web访问路径:

/console/framework/skins/wlsconsole/images/shell.jsp

1.3.3. 路径3:写入uddiexplorer目录

[!NOTE]

和路径1类似,只不过这里是uddiexplorer罢了

上传目录绝对路径:

E:\APP\Middleware\Oracle_Home\user_projects\domains\sv0\servers\AdminServer\tmp\_WL_internal\uddiexplorer\6位随机字符\war\shell.jsp

web访问路径:

/uddiexplorer/shell.jsp

1.3.4. 路径4:写入应用安装目录

上传目录绝对路径:

E:\APP\Middleware\Oracle_Home\user_projects\domains\sv0\servers\AdminServer\tmp\_WL_user\项目名\6位随机字符\war\shell.jsp

web访问路径:

/项目名/shell.jsp

1.4. shell无法访问

有时候上传的shell无法访问,大概率是因为端口不对,weblogic不同端口开放的server也不一样,找一找能访问的端口的server即可。

主要查看weblogic的配置文件domains\sv0\config\config.xml

<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
  <name>sv0</name>
  <domain-version>12.1.2.0.0</domain-version>
  <security-configuration>
    <name>sv0</name>
    <realm>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType">
        <sec:name>DefaultAuthenticator</sec:name>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:name>DefaultIdentityAsserter</sec:name>
        <sec:active-type>AuthenticatedUser</sec:active-type>
      </sec:authentication-provider>
      <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType">
        <sec:name>XACMLRoleMapper</sec:name>
      </sec:role-mapper>
      <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType">
        <sec:name>XACMLAuthorizer</sec:name>
      </sec:authorizer>
      <sec:adjudicator xsi:type="wls:default-adjudicatorType">
        <sec:name>DefaultAdjudicator</sec:name>
      </sec:adjudicator>
      <sec:credential-mapper xsi:type="wls:default-credential-mapperType">
        <sec:name>DefaultCredentialMapper</sec:name>
      </sec:credential-mapper>
      <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType">
        <sec:name>WebLogicCertPathProvider</sec:name>
      </sec:cert-path-provider>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
      <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
        <sec:name>SystemPasswordValidator</sec:name>
        <pas:min-password-length>8</pas:min-password-length>
        <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
      </sec:password-validator>
    </realm>
    <default-realm>myrealm</default-realm>
    <credential-encrypted>{AES}xxx</credential-encrypted>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{AES}xxx</node-manager-password-encrypted>
  </security-configuration>
  <server>
    <name>AdminServer</name>
    <ssl>
      <name>AdminServer</name>
      <listen-port>7002</listen-port>
    </ssl>
    <listen-port>8002</listen-port>
    <listen-address></listen-address>
  </server>
  <embedded-ldap>
    <name>sv0</name>
    <credential-encrypted>{AES}xxx</credential-encrypted>
  </embedded-ldap>
  <configuration-version>12.1.2.0.0</configuration-version>
  <app-deployment>
    <name>sv0</name>
    <target>AdminServer</target>
    <module-type>ear</module-type>
    <source-path>D:\test\applications\sv0</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    <staging-mode xsi:nil="true"></staging-mode>
    <plan-staging-mode xsi:nil="true"></plan-staging-mode>
    <cache-in-app-directory>false</cache-in-app-directory>
  </app-deployment>
  <app-deployment>
    <name>index</name>
    <target>AdminServer</target>
    <module-type xsi:nil="true"></module-type>
    <source-path>D:\test\applications\index</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    <staging-mode xsi:nil="true"></staging-mode>
    <plan-staging-mode xsi:nil="true"></plan-staging-mode>
    <cache-in-app-directory>false</cache-in-app-directory>
  </app-deployment>
  <app-deployment>
    <name>software</name>
    <target>AdminServer</target>
    <module-type xsi:nil="true"></module-type>
    <source-path>D:\test\software</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    <staging-mode xsi:nil="true"></staging-mode>
    <plan-staging-mode xsi:nil="true"></plan-staging-mode>
    <cache-in-app-directory>false</cache-in-app-directory>
  </app-deployment>
  <app-deployment>
    <name>doas</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>servers\AdminServer\upload\dddd.war</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    <staging-mode xsi:nil="true"></staging-mode>
    <plan-staging-mode xsi:nil="true"></plan-staging-mode>
    <cache-in-app-directory>false</cache-in-app-directory>
  </app-deployment>
  <app-deployment>
    <name>tniq</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>servers\AdminServer\upload\tttt.war</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    <staging-mode xsi:nil="true"></staging-mode>
    <plan-staging-mode xsi:nil="true"></plan-staging-mode>
    <cache-in-app-directory>false</cache-in-app-directory>
  </app-deployment>
  <admin-server-name>AdminServer</admin-server-name>
</domain>

如上配置只有AdminServer,所以我们写到AdminServer下都可以访问,如果配置了其他Server,则就需要根据端口开放情况写到其他的目录下

E:\APP\Middleware\Oracle_Home\user_projects\domains\sv0\servers\其他Server

1.5. 扩展:weblogic密码解密

https://github.com/TideSec/Decrypt_Weblogic_Password

Copyright © d4m1ts 2022 all right reserved,powered by Gitbook该文章修订时间: 2022-01-27 10:09:02

results matching ""

    No results matching ""