From 36e3b7b3226211cd98336c6273f834c1daa06625 Mon Sep 17 00:00:00 2001 From: Giulio Date: Mon, 13 Jul 2020 17:48:45 +0200 Subject: [PATCH] Markdown fix --- Readme.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Readme.md b/Readme.md index 10b24a4..7ec0b4e 100644 --- a/Readme.md +++ b/Readme.md @@ -17,7 +17,7 @@ As Tomcat does, WAS has an administrative interface where an application can be The main objective is to obtain at least a directory traversal vulnerability and from there gain code execution. An example of this type of vulnerability in WPS is [CVE-2012-4834](https://nvd.nist.gov/vuln/detail/CVE-2012-4834) and although old it might still be found on legacy websites. This kind of vulnerabilities can of course also be in custom portlets, JSP pages or other dynamic content. Once there's an arbitrary file read it should also be possible to get a lot of useful additional information, including JDBC objects, LDAP binds and of course administrative credentials. ### Url Scheme -(This is an interesting read)[https://www.optiv.com/explore-optiv-insights/blog/decoding-ibm-webshere-portlet-urls] and there's also a Burp plugin. URLs can also be plaintext. +[This is an interesting read](https://www.optiv.com/explore-optiv-insights/blog/decoding-ibm-webshere-portlet-urls) and there's also a Burp plugin. URLs can also be plaintext. ### Interesting paths Here's a short list of interesting paths and what they means (assuming that the base is `/wps`: @@ -182,4 +182,3 @@ EJPXB0020I: The request was processed successfully on the server. The webshell will be now available at `http:///wps/shell/cmd.jsp` and will be working. - \ No newline at end of file
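Review bot: In the first hunk (Readme.md line 17, the "### Url Scheme" paragraph), the corrected line still mentions "a Burp plugin" without naming or linking it, so a reader has no way to find the tool; give it a link in the same `[text](url)` form now used for the Optiv article. The unchanged line just below, "what they means (assuming that the base is `/wps`:", has a grammar slip and an unclosed parenthesis that belong in the same Markdown cleanup, for example "what they mean (assuming that the base is `/wps`):".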
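Review bot: In the second hunk (Readme.md line 182), the unchanged line before the removed trailing line shows the URL as `http:///wps/shell/cmd.jsp`, with nothing between the scheme and the path. If a host placeholder was intended there, spell it in a form that cannot be dropped by a renderer, such as `http://HOST/wps/shell/cmd.jsp`, and fix it in this commit since the subject is a Markdown fix. The same line's "will be now available ... and will be working" could also be tightened to "will now be available".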