WebLogic - CVE-2019-2729
Oracle WebLogic Server is affected by a remote code execution vulnerability in the wls-wsat.war and wls9_async_response.war packages due to unsafe deserialization of Java objects. A remote unauthenticated attacker can exploit the issue by sending a custom Java serialized object via an HTTP request to execute arbitrary Java code in the context of the web server.
Exploiting wls-wsat.war will return command output, while wls9_async_response.war is blind.
Affected versions: 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0
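The two vulnerable applications are rarely hit by legitimate POST traffic, so their context roots are a cheap thing to watch in access logs. Below is an added defender-side example (not code from the original page or from any script it links): it checks a reported server version against the affected list above and scans Common Log Format lines for POST requests to the /_async/ and /wls-wsat/ context roots. The /wls-wsat/ context root, the servlet names used in the sample lines, and the log lines themselves are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Affected versions as listed on the page for CVE-2019-2729.
AFFECTED_VERSIONS = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0"}

# Context roots of the two vulnerable web applications. /_async/ is named on the
# page; /wls-wsat/ is assumed to be the context root of wls-wsat.war.
VULNERABLE_PATH_RE = re.compile(r"^/(?:wls-wsat|_async)/", re.IGNORECASE)

# Common Log Format: client ident user [time] "METHOD PATH PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


@dataclass
class Finding:
    client: str
    time: str
    path: str
    status: int


def is_affected_version(version: str) -> bool:
    """True if the reported WebLogic version is one of the affected releases."""
    return version.strip() in AFFECTED_VERSIONS


def parse_clf(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_requests(lines: Iterable[str]) -> List[Finding]:
    """Flag POST requests to the vulnerable context roots.

    GET requests to the same paths are ignored: the deserialization sink is
    only reached through a POSTed body. A 2xx/5xx status on such a POST is
    worth a closer look than a 403/404, so the status is kept in the finding.
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and VULNERABLE_PATH_RE.match(rec["path"]):
            findings.append(
                Finding(rec["client"], rec["time"], rec["path"], int(rec["status"]))
            )
    return findings


# Constructed sample log lines (not real traffic); the servlet names are assumed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2019:12:00:01 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
203.0.113.7 - - [10/Jun/2019:12:00:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1234
198.51.100.4 - - [10/Jun/2019:12:00:03 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4321
198.51.100.4 - - [10/Jun/2019:12:00:04 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 200 512
"""


if __name__ == "__main__":
    print("affected:", is_affected_version("10.3.6.0.0"))
    for f in find_suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"{f.time} {f.client} POST {f.path} -> {f.status}")
```

Run as-is to see the two POST hits from the constructed log; in practice feed it the WebLogic access log (default `access.log` under the server's logs directory) and pair any hit with the version check, since a hit on an affected, unpatched version is the case that needs incident handling rather than just triage.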
Vulnerable endpoints
Test data
Request 01, RCE on version 10.3.6.0:
![](https://0xpthree.gitbook.io/~gitbook/image?url=https%3A%2F%2F2314265932-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FLZ9hPT4FtAP57VrTApYv%252Fuploads%252FhxJW3FENgBbiNICm8a8E%252Fcve-2019-2725.png%3Falt%3Dmedia%26token%3Df68758ac-2894-4e96-9f63-e7a2e0c6ba8e&width=768&dpr=4&quality=100&sign=eb05f17&sv=2)
Request 02, designed for version 10.2.7.1, RCE on 10.3.6.0:
![](https://0xpthree.gitbook.io/~gitbook/image?url=https%3A%2F%2F2314265932-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FLZ9hPT4FtAP57VrTApYv%252Fuploads%252F9nj2QgSCwz5VpSMy5s9i%252Fimage.png%3Falt%3Dmedia%26token%3Dbd505abb-9ba9-4aaf-804c-0c6455d978ba&width=768&dpr=4&quality=100&sign=9dc0d677&sv=2)
Request 03, designed for version 10.3.6.0, RCE on 10.3.6.0:
![](https://0xpthree.gitbook.io/~gitbook/image?url=https%3A%2F%2F2314265932-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FLZ9hPT4FtAP57VrTApYv%252Fuploads%252F5L5wavLApgF1rDnmT1z0%252Fimage.png%3Falt%3Dmedia%26token%3D1f77fdb9-a8ef-42a2-b816-d5605e26b028&width=768&dpr=4&quality=100&sign=c43b49de&sv=2)
Request 04, designed for version 10.3.6.2, RCE on 10.3.6.0:
![](https://0xpthree.gitbook.io/~gitbook/image?url=https%3A%2F%2F2314265932-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FLZ9hPT4FtAP57VrTApYv%252Fuploads%252FXOwsswYjyPQ2Ob16FQrY%252Fimage.png%3Falt%3Dmedia%26token%3Def4263cd-e836-4204-9eb8-b38fe01e1773&width=768&dpr=4&quality=100&sign=ca076de5&sv=2)
Request 05, designed for version 12.2.1.3, returns the error "Old format work area header is disabled." on version 12.2.1.3. Not sure if this is an error caused by my container; more test data is needed.
![](https://0xpthree.gitbook.io/~gitbook/image?url=https%3A%2F%2F2314265932-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FLZ9hPT4FtAP57VrTApYv%252Fuploads%252FmiJGthQwMb29mhPiCCap%252Fimage.png%3Falt%3Dmedia%26token%3D27501680-bbee-429b-b5a3-02524666eaa2&width=768&dpr=4&quality=100&sign=acb8fc29&sv=2)
Scripts
weblogic_get_webshell.py - runs three payloads on the target at once, by rootedshell.
As there are few public exploits using the /_async/ endpoint, I've modified rootedshell's script to only upload a webshell and allow direct command execution. The script can be found here.
![](https://0xpthree.gitbook.io/~gitbook/image?url=https%3A%2F%2F2314265932-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FLZ9hPT4FtAP57VrTApYv%252Fuploads%252FzVzGzOpPNsJ7lXjPPqe3%252Fimage.png%3Falt%3Dmedia%26token%3Dfa96aaad-64fc-4c7d-8437-ab8c44bb28d2&width=768&dpr=4&quality=100&sign=3e980257&sv=2)