Weblogic deserialization in my eyes

Preface

Looking forward to learning Weblogic deserialization

Environment setup

I was thinking about downloading the WebLogic environment by myself, but I didn't get it done for a long time. I didn't know the fragrance of tools when I was young.
I chose to build in Docker, and then use IDEA for remote debugging.

WebLogic download address (I downloaded 10.3.6.0)

https://www.oracle.com/middleware/technologies/weblogic-server-downloads.html

JDK 7 download address

http://www.oracle.com/java/technologies/javase/javase7-archive-downloads.html

Tool address

https://github.com/QAX-A-Team/WeblogicEnvironment

First of all, a Docker environment is required.
Then create two new directories under the root directory of the tool, namely jdks and weblogics. Put the downloaded JDK into the jdks directory, and put the downloaded WebLogic into the weblogics directory.

Enter the root directory of the tool and execute the following command

docker build --build-arg JDK_PKG=jdk-7u21-linux-x64.tar.gz --build-arg WEBLOGIC_JAR=wls1036_generic.jar  -t weblogic1036jdk7u21 .

After the execution is completed, the WebLogic environment has been set up.

Then start the container.

docker run -d -p 7001:7001 -p 8453:8453 -p 5556:5556 --name weblogic1036jdk7u21 weblogic1036jdk7u21

There is another way. There are some sh files in the tool's directory, and their naming is very clear; for example, one of them installs WebLogic 10.3.6 and JDK 6. This is the so-called one-click build.

After installation, we need to obtain some files needed for debugging. The following commands must be executed in the root directory of the tool.

mkdir -p ./middleware/coherence_3.7/lib

docker cp weblogic1036jdk7u21:/u01/app/oracle/middleware/modules ./middleware/

docker cp weblogic1036jdk7u21:/u01/app/oracle/middleware/wlserver ./middleware/

docker cp weblogic1036jdk7u21:/u01/app/oracle/middleware/coherence_3.7/lib ./middleware/coherence_3.7/lib

After execution, there will be a middleware directory. Copy this directory to the physical machine.
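
The docker run command above publishes ports 7001, 8453 and 5556 on every host interface, so the old WebLogic 10.3.6 instance and the port used for remote debugging are reachable from the network, not just from the host. The following check is an added example, not part of the original post or of the WeblogicEnvironment tool; the function names and the sample `docker port` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which published ports of the lab container are
# reachable from outside the host, and build loopback-only -p flags.

# Constructed sample of `docker port weblogic1036jdk7u21` output for the
# `-p 7001:7001 -p 8453:8453 -p 5556:5556` flags used in the article
# (5556 is shown loopback-bound here only to exercise the filter).
SAMPLE_PORTS='7001/tcp -> 0.0.0.0:7001
7001/tcp -> [::]:7001
8453/tcp -> 0.0.0.0:8453
5556/tcp -> 127.0.0.1:5556'

# exposed_ports: read `docker port` lines on stdin and print each container
# port that is published on a non-loopback host address (de-duplicated).
exposed_ports() {
    awk '
        $2 == "->" {
            host = $3
            sub(/:[0-9]+$/, "", host)      # strip the trailing host port
            if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
            if (!seen[$1]++) print $1
        }'
}

# loopback_publish_args: turn a list of port numbers into -p flags that
# bind to 127.0.0.1 only; rejects anything that is not a plain number.
loopback_publish_args() {
    out=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "not a port: $p" >&2; return 1 ;;
        esac
        out="$out -p 127.0.0.1:$p:$p"
    done
    printf '%s\n' "${out# }"
}

# Live usage against the running container:
#   docker port weblogic1036jdk7u21 | exposed_ports
```

If `exposed_ports` prints anything, recreate the container with the flags from `loopback_publish_args 7001 8453 5556` in place of the original `-p` options and point IDEA at 127.0.0.1.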

Remote debugging

After setting up, open IDEA and test whether remote debugging works.

Create a new empty Java project, and then add the library files: just add modules and wlserver in turn. Then you can see the packages on the left.

Set up remote debugging.

Create a new Remote configuration.

Write the IP and port.

Then press the Shift key three times to search for the class InboundMsgAbbrev.

Find the readObject method and add a breakpoint.

Turn on debugging and use WeblogicScan to scan for vulnerabilities.

https://github.com/rabbitmask/WeblogicScan

Then I found that the breakpoint was not hit...
Then I restarted the Docker container and scanned again, and the breakpoint was hit successfully.

Weblogic in my eyes

To be continued...