This article has been published in the hacker X-Files for 2 0 0 8 year 1 1 issue of the magazine on After the author published on the blog, such as reproduced please retain this information! Tomcat is estimated to many people to bring a N meaty chicken server, directly scan weak passwords, into the Tomcat management backend, upload Webshell will get a broiler server, the operation is simple, efficiency is high, it is catch the chicken must have! But this minor DESCRIPTION is similar to the one Tomcat JSP support platform WebLogic vulnerability of the simple use of actually is also the default password, compared to the Tomcat will be slightly more complicated, but the operation up is also relatively easy. One, to find the target 1, batch scanning WebLogic Default WEB Management port http 7 0 0 1, https 7 0 0 2, and open this two ports are generally installed with the WebLogic host. 2, Google search for the keyword“WebLogic Server Administration Console inurl:console”, the URL is behind the console end, is generally the target. 3, the IISput batch scanning, when found HTTP banner is displayed under“WebLogic Server”on the General for the use of the WebLogic site, as shown in Figure 1. ! Second, the default password attack Find the target URL behind the plus console, Enter will automatically jump to the admin login page. Default the default password with the following groups: 1, User name password is: weblogic 2, the user name and password are: system 3, the user name and password are: portaladmin 4, the user name and password are: guest If you try to over can't login, can be cross exchanged with the user name and password, such as the user name is weblogic, password is the system, this can be your flexible, of course, can also be a dictionary file storm break. An example of the target the user name and password are weblogic, respectively, in the Username and Password filled in weblogic, you can enter the management background, the need to install the jre, otherwise can't see the front of the description of the content, as shown in Figure 2. ! Then find“mydomain”->“Deployments”->“Web Application Modules”->“Deploy new Web Application Moudule...”, as shown in Figure 3. ! Then click on the figure 4 in the“upload your file(s)”in the jump page after upload war package war package and Tomcat weak password use of packages, note that the horse'sfree to killcan be, as shown in Figure 4, Figure 5. ! ! Then in the upload Directory to find the just uploaded of mickey. war and select it, then click on the“Target Module” And then“Deploy”, as shown in Figure 6, Figure 7. ! ! Deployment is completed after will be in the“Web Application Modules”below see mickey items, as shown in Figure 8. ! Finally you can access Webshell, the URL format is: http://www.xxx.com/mickey/j1.jsp（j1. jsp for JSP Backdoor file name, this is in the war package inside the settings of the Windows system under system permissions, the Unix/Linux root privileges, as shown in Figure 9, Figure 1 0 is. ! ! Third, the attack prevention Can firewall settings filter 7 0 0 1, A 7 0 0 2 port, you can also set only allow access to background IP list, if I have to remotely manage WebLogic, it is necessary to set a stronger password for the password. Click on the“Security”->“myrealm”-> Users->“to change the password of user name”, and then in the“New Password”fill in a new password in the“Retype to Confirm”again to fill in the new password, and then“Apply”to change the password, as shown in Figure 1 1 The. ! IV, Supplement knowledge In Unix/Linux system environment, obtained by the above method of the JSP Webshell file list function is not available. Unless the file is located in war package outside, that may put the war package inside the JSP Trojan is copied to theWeb serverto another single directory can be used normally.