id: CVE-2019-2725

info:
  name: Oracle WebLogic Server - Remote Command Execution
  author: dwisiswant0
  severity: critical
  description: |
    The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Versions that are affected are 10.3.6.0.0 and 12.1.3.0.0.
  reference:
    - https://paper.seebug.org/910/
    - https://www.exploit-db.com/exploits/46780/
    - https://www.oracle.com/security-alerts/cpujan2020.html
    - https://nvd.nist.gov/vuln/detail/CVE-2019-2725
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-2725
    cwe-id: CWE-74
  tags: cve,cve2019,oracle,weblogic,rce

requests:
  - method: POST
    path:
      - "{{BaseURL}}/_async/AsyncResponseService"
    headers:
      Content-Type: application/soap;  charset="utf-8"
    body: >-
      <?xml version="1.0" encoding="UTF-8" ?>
      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:ads="http://www.w3.org/2005/08/addressing">
        <soapenv:Header></soapenv:Header>
        <soapenv:Body></soapenv:Body>
      </soapenv:Envelope>
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "soapenv:Envelope"
        part: body
      - type: word
        words:
          - "X-Powered-By: Servlet"
        part: header
      - type: status
        status:
          - 200

# Enhanced by mp on 2022/05/03