前言

有时候拿到weblogic能命令执行,但是目标不能出网,不方便直接上线,这时就需要上个webshell来辅助后续的渗透
但是weblogic的web路径可能和常规的web系统不一样,不清楚的时候可能会一脸懵逼不知道上传到哪个目录下,以及如何访问,所以记录一下

漏洞点

不能出网
image-20220127090452634

路径

路径1:写入bea_wls_internal目录

上传目录绝对路径:

[!NOTE]

自己根据需要对照修改,命令执行的时候一般在目录sv0

  1. E:\APP\Middleware\Oracle_Home\user_projects\domains\sv0\servers\AdminServer\tmp\_WL_internal\bea_wls_internal\6位随机字符\war\shell.jsp

image-20220127091450615
web访问路径:

  1. /bea_wls_internal/shell.jsp

image-20220127091327651

路径2:写入console images目录

[!NOTE]

这个shell不是写在AdminServer下,需要能访问到console

上传目录绝对路径:

  1. E:\APP\Middleware\Oracle_Home\wlserver\server\lib\consoleapp\webapp\framework\skins\wlsconsole\images\

web访问路径:

  1. /console/framework/skins/wlsconsole/images/shell.jsp

路径3:写入uddiexplorer目录

[!NOTE]

和路径1类似,只不过这里是uddiexplorer罢了

上传目录绝对路径:

  1. E:\APP\Middleware\Oracle_Home\user_projects\domains\sv0\servers\AdminServer\tmp\_WL_internal\uddiexplorer\6位随机字符\war\shell.jsp

web访问路径:

  1. /uddiexplorer/shell.jsp

路径4:写入应用安装目录

上传目录绝对路径:

  1. E:\APP\Middleware\Oracle_Home\user_projects\domains\sv0\servers\AdminServer\tmp\_WL_user\项目名\6位随机字符\war\shell.jsp

web访问路径:

  1. /项目名/shell.jsp

shell无法访问

有时候上传的shell无法访问,大概率是因为端口不对,weblogic不同端口开放的server也不一样,找一找能访问的端口的server即可。
主要查看weblogic的配置文件domains\sv0\config\config.xml

  1. <?xml version='1.0' encoding='UTF-8'?>
  2. <domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
  3.   <name>sv0</name>
  4.   <domain-version>12.1.2.0.0</domain-version>
  5.   <security-configuration>
  6.     <name>sv0</name>
  7.     <realm>
  8.       <sec:authentication-provider xsi:type="wls:default-authenticatorType">
  9.         <sec:name>DefaultAuthenticator</sec:name>
  10.       </sec:authentication-provider>
  11.       <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
  12.         <sec:name>DefaultIdentityAsserter</sec:name>
  13.         <sec:active-type>AuthenticatedUser</sec:active-type>
  14.       </sec:authentication-provider>
  15.       <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType">
  16.         <sec:name>XACMLRoleMapper</sec:name>
  17.       </sec:role-mapper>
  18.       <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType">
  19.         <sec:name>XACMLAuthorizer</sec:name>
  20.       </sec:authorizer>
  21.       <sec:adjudicator xsi:type="wls:default-adjudicatorType">
  22.         <sec:name>DefaultAdjudicator</sec:name>
  23.       </sec:adjudicator>
  24.       <sec:credential-mapper xsi:type="wls:default-credential-mapperType">
  25.         <sec:name>DefaultCredentialMapper</sec:name>
  26.       </sec:credential-mapper>
  27.       <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType">
  28.         <sec:name>WebLogicCertPathProvider</sec:name>
  29.       </sec:cert-path-provider>
  30.       <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
  31.       <sec:name>myrealm</sec:name>
  32.       <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
  33.         <sec:name>SystemPasswordValidator</sec:name>
  34.         <pas:min-password-length>8</pas:min-password-length>
  35.         <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
  36.       </sec:password-validator>
  37.     </realm>
  38.     <default-realm>myrealm</default-realm>
  39.     <credential-encrypted>{AES}xxx</credential-encrypted>
  40.     <node-manager-username>weblogic</node-manager-username>
  41.     <node-manager-password-encrypted>{AES}xxx</node-manager-password-encrypted>
  42.   </security-configuration>
  43.   <server>
  44.     <name>AdminServer</name>
  45.     <ssl>
  46.       <name>AdminServer</name>
  47.       <listen-port>7002</listen-port>
  48.     </ssl>
  49.     <listen-port>8002</listen-port>
  50.     <listen-address></listen-address>
  51.   </server>
  52.   <embedded-ldap>
  53.     <name>sv0</name>
  54.     <credential-encrypted>{AES}xxx</credential-encrypted>
  55.   </embedded-ldap>
  56.   <configuration-version>12.1.2.0.0</configuration-version>
  57.   <app-deployment>
  58.     <name>sv0</name>
  59.     <target>AdminServer</target>
  60.     <module-type>ear</module-type>
  61.     <source-path>D:\test\applications\sv0</source-path>
  62.     <security-dd-model>DDOnly</security-dd-model>
  63.     <staging-mode xsi:nil="true"></staging-mode>
  64.     <plan-staging-mode xsi:nil="true"></plan-staging-mode>
  65.     <cache-in-app-directory>false</cache-in-app-directory>
  66.   </app-deployment>
  67.   <app-deployment>
  68.     <name>index</name>
  69.     <target>AdminServer</target>
  70.     <module-type xsi:nil="true"></module-type>
  71.     <source-path>D:\test\applications\index</source-path>
  72.     <security-dd-model>DDOnly</security-dd-model>
  73.     <staging-mode xsi:nil="true"></staging-mode>
  74.     <plan-staging-mode xsi:nil="true"></plan-staging-mode>
  75.     <cache-in-app-directory>false</cache-in-app-directory>
  76.   </app-deployment>
  77.   <app-deployment>
  78.     <name>software</name>
  79.     <target>AdminServer</target>
  80.     <module-type xsi:nil="true"></module-type>
  81.     <source-path>D:\test\software</source-path>
  82.     <security-dd-model>DDOnly</security-dd-model>
  83.     <staging-mode xsi:nil="true"></staging-mode>
  84.     <plan-staging-mode xsi:nil="true"></plan-staging-mode>
  85.     <cache-in-app-directory>false</cache-in-app-directory>
  86.   </app-deployment>
  87.   <app-deployment>
  88.     <name>doas</name>
  89.     <target>AdminServer</target>
  90.     <module-type>war</module-type>
  91.     <source-path>servers\AdminServer\upload\dddd.war</source-path>
  92.     <security-dd-model>DDOnly</security-dd-model>
  93.     <staging-mode xsi:nil="true"></staging-mode>
  94.     <plan-staging-mode xsi:nil="true"></plan-staging-mode>
  95.     <cache-in-app-directory>false</cache-in-app-directory>
  96.   </app-deployment>
  97.   <app-deployment>
  98.     <name>tniq</name>
  99.     <target>AdminServer</target>
  100.     <module-type>war</module-type>
  101.     <source-path>servers\AdminServer\upload\tttt.war</source-path>
  102.     <security-dd-model>DDOnly</security-dd-model>
  103.     <staging-mode xsi:nil="true"></staging-mode>
  104.     <plan-staging-mode xsi:nil="true"></plan-staging-mode>
  105.     <cache-in-app-directory>false</cache-in-app-directory>
  106.   </app-deployment>
  107.   <admin-server-name>AdminServer</admin-server-name>
  108. </domain>

如上配置只有AdminServer,所以我们写到AdminServer下都可以访问,如果配置了其他Server,则就需要根据端口开放情况写到其他的目录下

  1. E:\APP\Middleware\Oracle_Home\user_projects\domains\sv0\servers\其Server

扩展:weblogic密码解密

https://github.com/TideSec/Decrypt_Weblogic_Password