Comments on Confessions of a Penetration Tester: Fun With WebLogic Connection Pools - Free database connections (feed updated 2023-10-25)

Chris Gatford, 2008-03-03 23:51 (-06:00):
Unrelated question: where did you get that great banner pic of the internet? PS: Good material, thanks.

ascetik, 2008-03-04 12:47 (-06:00):
Actually, I don't remember the site that I found it on. I just did a Google image search for 'internet'. I found quite a few that were cool but I liked this one the best.

ABC, 2008-10-02 00:35 (-05:00):
Let's say a weblogic server is deployed in an environment based on 3-tier architecture. This server is placed in the Application tier, which can only be accessed via another web server in the Presentation tier. In between the tiers are firewalls. Clients can only access the weblogic server through the presentation tier. Won't that greatly reduce the need for the "connection filters"?

ascetik, 2008-10-02 10:26 (-05:00):
From outside attacks... yes. From insiders, no. And to be fair, this is really an attack on your middle tier that, unless you have some horribly misconfigured architecture, should not be accessible outside the perimeter. You should also complement the connection filters with an additional app id and password, which I left out of my recommendation before. This app id and password is not the same as your database credentials.

Now if you have this middle tier in an extremely locked down network where access is highly controlled (the |DMZ|-|ZMD|-|corp network| model) then you may determine that this is overkill. I've been given this example before. The problem is that the app owner is relying on technology that is really outside of their control and has to trust it. I leave that to you to determine the risk, but for myself, if I don't control it then I cannot fully trust it, and connection filters are trivial to implement.

Mouad Abouhali (m00dy), 2009-10-05 09:52 (-05:00):
Hello,

During a pen test I had to deal with a weblogic server with a DB2 back end. I thought that was the real case to test your code.

Unfortunately, when compiling your sample I had the following error code:

//-----------Stack error
javax.naming.NoInitialContextException: Cannot instantiate class: weblogic.jndi.WLInitialContextFactory [Root exception is java.lang.ClassNotFoundException: weblogic.jndi.WLInitialContextFactory]

I think that I missed something, and after some googling it seemed to me that I have to indicate the weblogic.jar file in the classpath. But where do I get the weblogic.jar file? Should I install weblogic server?

Please help me.

ascetik, 2009-10-05 10:33 (-05:00):
Yeah.. you need both weblogic.jar and xbean.jar. You get these jars by downloading the whole weblogic application server from Oracle (I know it's terrible). You can download the server here:
http://www.oracle.com/technology/software/products/database/index.html

This has worked for me on versions 10g and 9.2. It 'should' work on 8 as well, but you may need to download the weblogic 8 server.

Once installed, the jars are in the following file structure:
[BEA HOME]\weblogic92\server\lib\

I copied these files into a directory named 'weblogic92' in the same directory as my class files. I then ran the following:
java -cp .\weblogic92\*;. DataTest

Let me know if you have any trouble. I have a much better weblogic test tool that I created that I should publish. Hopefully I'll have some time to do that in the next few weeks.

Mouad Abouhali (m00dy), 2009-10-20 09:07 (-05:00):
Hello,

Firstly I would like to thank you for helping me to resolve the problem described previously. Sorry for being a little bit late to give a sign (the pen test was too long).

So, instead of installing a Weblogic server to gather the two jar files (weblogic and xbean), I retrieved them from the Weblogic target (because I found a weak account on it).

Then I recompiled the whole program with no error. But the Weblogic configuration did not contain a "DataStore". In consequence, and for demonstration reasons, I created a "DataStore" on the target.

Carrying out the program against the Weblogic was just tremendous!!! It worked perfectly.

The test that I've just finished this morning is realizing the same attack against a Weblogic connected to an Oracle Server through a "DataStore", and I can confirm that it works too. For that purpose, I've made some minor modifications to your code.

I'll send you a little paper that summarizes all of what I've said as soon as possible. Thanks to you.

ascetik, 2009-12-14 09:49 (-06:00):
Hey M00dy,
Glad I could help you. You were going to send me a paper. I'd like to see it when you get a chance.