id: CVE-2019-2725

info:
  name: Oracle WebLogic Server - Unauthenticated RCE
  author: dwisiswant0
  severity: critical
  tags: cve,cve2019,oracle,weblogic,rce

  # Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services).
  # Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0.
  # Easily exploitable vulnerability allows unauthenticated attacker
  # with network access via HTTP to compromise Oracle WebLogic Server.
  # Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
  # --
  # References:
  # > https://paper.seebug.org/910/

requests:
  - method: POST
    path:
      - "{{BaseURL}}/_async/AsyncResponseService"
    body: >-
      <?xml version="1.0" encoding="UTF-8" ?>
      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:ads="http://www.w3.org/2005/08/addressing">
        <soapenv:Header></soapenv:Header>
        <soapenv:Body></soapenv:Body>
      </soapenv:Envelope>
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "soapenv:Envelope"
        part: body
      - type: word
        words:
          - "X-Powered-By: Servlet"
        part: header
      - type: status
        status:
          - 200