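Preface

Sometimes you obtain command execution on WebLogic, but the target has no outbound network access, so a direct callback is not practical. In that case a webshell is needed to support the rest of the penetration test.
WebLogic's web paths can differ from those of a conventional web application, though, and if you are not familiar with them it is easy to be unsure which directory to upload to and how to reach the file afterwards, so this post records them.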

The vulnerability

No outbound network access

Paths

Path 1: Write to the bea_wls_internal directory

Absolute path of the upload directory:

[!NOTE]

Adjust this to your own environment as needed; when a command is executed, the working directory is usually the sv0 directory

    E:\APP\Middleware\Oracle_Home\user_projects\domains\sv0\servers\AdminServer\tmp\_WL_internal\bea_wls_internal\<6 random characters>\war\shell.jsp

Web access path:

    /bea_wls_internal/shell.jsp

Path 2: Write to the console images directory

[!NOTE]

This shell is not written under AdminServer; the console must be reachable

Absolute path of the upload directory:

    E:\APP\Middleware\Oracle_Home\wlserver\server\lib\consoleapp\webapp\framework\skins\wlsconsole\images\

Web access path:

    /console/framework/skins/wlsconsole/images/shell.jsp

Path 3: Write to the uddiexplorer directory

[!NOTE]

Similar to path 1, except that here the application is uddiexplorer

Absolute path of the upload directory:

    E:\APP\Middleware\Oracle_Home\user_projects\domains\sv0\servers\AdminServer\tmp\_WL_internal\uddiexplorer\<6 random characters>\war\shell.jsp

Web access path:

    /uddiexplorer/shell.jsp

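Path 4: Write to the application's installation directory

Absolute path of the upload directory:

    E:\APP\Middleware\Oracle_Home\user_projects\domains\sv0\servers\AdminServer\tmp\_WL_user\<project name>\<6 random characters>\war\shell.jsp

Web access path:

    /<project name>/shell.jsp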
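The four locations above are also where a defender should look for JSP files that do not belong to any deployment. The following is an added example, not code from the original post: it walks an Oracle home and lists every .jsp/.jspx file in those directories with its modification time, so the results can be compared with the deployed archives. The function name `find_jsp_files` and the default domain name `sv0` are assumptions taken from the paths shown on this page.

```python
"""Added example: list JSP files in the WebLogic directories named above."""
from datetime import datetime, timezone
from pathlib import Path

JSP_SUFFIXES = {".jsp", ".jspx"}

def find_jsp_files(oracle_home, domain="sv0"):
    """Return (location, path, mtime_utc) for each JSP under the four locations."""
    home = Path(oracle_home)
    servers = home / "user_projects" / "domains" / domain / "servers"
    roots = []
    # Paths 1, 3 and 4: servers/<server>/tmp/_WL_internal|_WL_user/<app>/<random>/war
    for kind in ("_WL_internal", "_WL_user"):
        for war in servers.glob(f"*/tmp/{kind}/*/*/war"):
            roots.append((f"{kind}/{war.parts[-3]}", war))
    # Path 2: the console skin images directory, which is meant for image files
    images = (home / "wlserver" / "server" / "lib" / "consoleapp" / "webapp"
              / "framework" / "skins" / "wlsconsole" / "images")
    roots.append(("console/images", images))
    hits = []
    for label, root in roots:
        if not root.is_dir():
            continue
        for f in sorted(root.rglob("*")):
            if f.is_file() and f.suffix.lower() in JSP_SUFFIXES:
                mtime = datetime.fromtimestamp(f.stat().st_mtime, tz=timezone.utc)
                hits.append((label, f, mtime))
    return hits

if __name__ == "__main__":
    import sys
    # Usage: python find_jsp.py <oracle_home> [domain]
    for label, path, mtime in find_jsp_files(sys.argv[1], *sys.argv[2:3]):
        print(f"{mtime:%Y-%m-%d %H:%M:%S}Z  {label:32}  {path}")
```

A hit under `_WL_user` can be a legitimate page of the deployed application, so compare it with the contents of the deployed archive; a JSP in the console images directory needs an explanation.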

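Shell cannot be accessed

Sometimes the uploaded shell cannot be accessed. The most likely cause is the wrong port: WebLogic exposes different servers on different ports, so find the server behind a port you can reach.
The main thing to check is WebLogic's configuration file, domains\sv0\config\config.xml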

    <?xml version='1.0' encoding='UTF-8'?>
    <domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
      <name>sv0</name>
      <domain-version>12.1.2.0.0</domain-version>
      <security-configuration>
        <name>sv0</name>
        <realm>
          <sec:authentication-provider xsi:type="wls:default-authenticatorType">
            <sec:name>DefaultAuthenticator</sec:name>
          </sec:authentication-provider>
          <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
            <sec:name>DefaultIdentityAsserter</sec:name>
            <sec:active-type>AuthenticatedUser</sec:active-type>
          </sec:authentication-provider>
          <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType">
            <sec:name>XACMLRoleMapper</sec:name>
          </sec:role-mapper>
          <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType">
            <sec:name>XACMLAuthorizer</sec:name>
          </sec:authorizer>
          <sec:adjudicator xsi:type="wls:default-adjudicatorType">
            <sec:name>DefaultAdjudicator</sec:name>
          </sec:adjudicator>
          <sec:credential-mapper xsi:type="wls:default-credential-mapperType">
            <sec:name>DefaultCredentialMapper</sec:name>
          </sec:credential-mapper>
          <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType">
            <sec:name>WebLogicCertPathProvider</sec:name>
          </sec:cert-path-provider>
          <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
          <sec:name>myrealm</sec:name>
          <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
            <sec:name>SystemPasswordValidator</sec:name>
            <pas:min-password-length>8</pas:min-password-length>
            <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
          </sec:password-validator>
        </realm>
        <default-realm>myrealm</default-realm>
        <credential-encrypted>{AES}xxx</credential-encrypted>
        <node-manager-username>weblogic</node-manager-username>
        <node-manager-password-encrypted>{AES}xxx</node-manager-password-encrypted>
      </security-configuration>
      <server>
        <name>AdminServer</name>
        <ssl>
          <name>AdminServer</name>
          <listen-port>7002</listen-port>
        </ssl>
        <listen-port>8002</listen-port>
        <listen-address></listen-address>
      </server>
      <embedded-ldap>
        <name>sv0</name>
        <credential-encrypted>{AES}xxx</credential-encrypted>
      </embedded-ldap>
      <configuration-version>12.1.2.0.0</configuration-version>
      <app-deployment>
        <name>sv0</name>
        <target>AdminServer</target>
        <module-type>ear</module-type>
        <source-path>D:\test\applications\sv0</source-path>
        <security-dd-model>DDOnly</security-dd-model>
        <staging-mode xsi:nil="true"></staging-mode>
        <plan-staging-mode xsi:nil="true"></plan-staging-mode>
        <cache-in-app-directory>false</cache-in-app-directory>
      </app-deployment>
      <app-deployment>
        <name>index</name>
        <target>AdminServer</target>
        <module-type xsi:nil="true"></module-type>
        <source-path>D:\test\applications\index</source-path>
        <security-dd-model>DDOnly</security-dd-model>
        <staging-mode xsi:nil="true"></staging-mode>
        <plan-staging-mode xsi:nil="true"></plan-staging-mode>
        <cache-in-app-directory>false</cache-in-app-directory>
      </app-deployment>
      <app-deployment>
        <name>software</name>
        <target>AdminServer</target>
        <module-type xsi:nil="true"></module-type>
        <source-path>D:\test\software</source-path>
        <security-dd-model>DDOnly</security-dd-model>
        <staging-mode xsi:nil="true"></staging-mode>
        <plan-staging-mode xsi:nil="true"></plan-staging-mode>
        <cache-in-app-directory>false</cache-in-app-directory>
      </app-deployment>
      <app-deployment>
        <name>doas</name>
        <target>AdminServer</target>
        <module-type>war</module-type>
        <source-path>servers\AdminServer\upload\dddd.war</source-path>
        <security-dd-model>DDOnly</security-dd-model>
        <staging-mode xsi:nil="true"></staging-mode>
        <plan-staging-mode xsi:nil="true"></plan-staging-mode>
        <cache-in-app-directory>false</cache-in-app-directory>
      </app-deployment>
      <app-deployment>
        <name>tniq</name>
        <target>AdminServer</target>
        <module-type>war</module-type>
        <source-path>servers\AdminServer\upload\tttt.war</source-path>
        <security-dd-model>DDOnly</security-dd-model>
        <staging-mode xsi:nil="true"></staging-mode>
        <plan-staging-mode xsi:nil="true"></plan-staging-mode>
        <cache-in-app-directory>false</cache-in-app-directory>
      </app-deployment>
      <admin-server-name>AdminServer</admin-server-name>
    </domain>

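The configuration above contains only AdminServer, so anything written under AdminServer is accessible. If other servers are configured, the file has to be written to the corresponding directory instead, depending on which ports are open:

    E:\APP\Middleware\Oracle_Home\user_projects\domains\sv0\servers\<other server>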
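The same config.xml gives an administrator a quick inventory of which servers listen on which ports and which applications are deployed. The following is an added example, not code from the original post: it parses the file and marks deployments whose source-path lies in a server's upload directory, as `doas` and `tniq` do in the configuration above, so they can be checked against what is expected to be deployed. The function name `inventory` and the trimmed sample are constructed for illustration.

```python
"""Added example: inventory listeners and deployments from a WebLogic config.xml."""
import re
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
# Matches a source-path located in servers\<server>\upload\ (either slash style).
UPLOAD_DIR = re.compile(r"servers[\\/][^\\/]+[\\/]upload[\\/]", re.I)

# Constructed sample, trimmed from the config.xml shown above.
SAMPLE = r"""<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server><name>AdminServer</name><ssl><listen-port>7002</listen-port></ssl>
    <listen-port>8002</listen-port></server>
  <app-deployment><name>index</name><target>AdminServer</target>
    <source-path>D:\test\applications\index</source-path></app-deployment>
  <app-deployment><name>doas</name><target>AdminServer</target>
    <source-path>servers\AdminServer\upload\dddd.war</source-path></app-deployment>
</domain>"""

def _text(node, path, default=""):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else default

def inventory(config_xml):
    """Return (servers, deployments) parsed from config.xml content (str or bytes)."""
    root = ET.fromstring(config_xml)
    servers = []
    for s in root.findall("d:server", NS):
        ssl_port = _text(s, "d:ssl/d:listen-port")
        servers.append({
            "name": _text(s, "d:name"),
            # 7001 is WebLogic's default listen port when the element is absent.
            "listen_port": int(_text(s, "d:listen-port", "7001")),
            "ssl_port": int(ssl_port) if ssl_port else None,
            "ssl_enabled": _text(s, "d:ssl/d:enabled") == "true",
        })
    deployments = []
    for a in root.findall("d:app-deployment", NS):
        src = _text(a, "d:source-path")
        deployments.append({
            "name": _text(a, "d:name"),
            "targets": [t.strip() for t in _text(a, "d:target").split(",") if t.strip()],
            "source_path": src,
            "in_upload_dir": bool(UPLOAD_DIR.search(src)),
        })
    return servers, deployments

if __name__ == "__main__":
    for row in sum(inventory(SAMPLE), []):
        print(row)
```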

Extra: decrypting WebLogic passwords

https://github.com/TideSec/Decrypt_Weblogic_Password