|
|
@@ -17,7 +17,7 @@ As Tomcat does, WAS has an administrative interface where an application can be
|
|
|
The main objective is to obtain at least a directory traversal vulnerability and from there gain code execution. An example of this type of vulnerability in WPS is [CVE-2012-4834](https://nvd.nist.gov/vuln/detail/CVE-2012-4834) and although old it might still be found on legacy websites. This kind of vulnerabilities can of course also be in custom portlets, JSP pages or other dynamic content. Once there's an arbitrary file read it should also be possible to get a lot of useful additional information, including JDBC objects, LDAP binds and of course administrative credentials.
|
|
|
|
|
|
### Url Scheme
|
|
|
-(This is an interesting read)[https://www.optiv.com/explore-optiv-insights/blog/decoding-ibm-webshere-portlet-urls] and there's also a Burp plugin. URLs can also be plaintext.
|
|
|
+[This is an interesting read](https://www.optiv.com/explore-optiv-insights/blog/decoding-ibm-webshere-portlet-urls) and there's also a Burp plugin. URLs can also be plaintext.
|
|
|
|
|
|
### Interesting paths
|
|
|
Here's a short list of interesting paths and what they means (assuming that the base is `/wps`:
|
|
|
@@ -182,4 +182,3 @@ EJPXB0020I: The request was processed successfully on the server.
|
|
|
|
|
|
The webshell will be now available at `http://<target>/wps/shell/cmd.jsp` and will be working.
|
|
|
|
|
|
-
|
