id: CVE-2019-2725

info:
  name: Oracle WebLogic Server - Unauthenticated RCE
  author: dwisiswant0
  severity: critical
  tags: cve,cve2019,oracle,weblogic,rce
  description: |
    Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
  reference:
    - https://paper.seebug.org/910/
    - https://www.exploit-db.com/exploits/46780/
    - https://www.oracle.com/security-alerts/cpujan2020.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2019-2725
    cwe-id: CWE-74

requests:
  - method: POST
    path:
      - "{{BaseURL}}/_async/AsyncResponseService"
    headers:
      Content-Type: application/soap;  charset="utf-8"
    body: >-
      <?xml version="1.0" encoding="UTF-8" ?>
      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:ads="http://www.w3.org/2005/08/addressing">
        <soapenv:Header></soapenv:Header>
        <soapenv:Body></soapenv:Body>
      </soapenv:Envelope>
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "soapenv:Envelope"
        part: body
      - type: word
        words:
          - "X-Powered-By: Servlet"
        part: header
      - type: status
        status:
          - 200