Add Weblogic deserialize AsyncResponseService module #11780
Please add this exploit module for CVE-2019-2725, CNVD-C 2019-48814, Oracle WebLogic Deserialization Vulnerability in the WLS AsyncResponseService web service component.
Please feel free to fix or add things!!!
Fix the Unix payload to make it more generic
@acamro : Thanks again for the quick turnaround!
I compared your
I went ahead and wrote docs, added a
I've tested this against Ubuntu and Win10 on WebLogic v10.3.6, as well as against a seemingly non-vulnerable WebLogic 12c (126.96.36.199). Throwing this against the latter doesn't seem to cause any adverse effects.
Getting ready to land this PR.
Sanity testing failed because of a VM / infrastructure failure, not because of anything in the module:
May 6, 2019
I was working on a bug for Oracle Application Testing Suite and I noticed this also works against its WebLogic service, except this is on port 8088 by default. Just wanted to share for whoever is attacking Oracle services: