WebLogic Remote Code Execution Vulnerability

According to OWASP (Open Web Application Security Project), Code Injection differs from Command Injection in that an attacker is limited only by the functionality of the injected language itself. If an attacker can inject PHP code into an application and have it executed, he is limited only by what PHP is capable of. Command Injection consists of leveraging existing code to execute commands, usually within the context of a shell.

Hey fellow hackers, in today's post we will talk about a Remote Code Execution vulnerability that I found on the domain of one of India's biggest private banks, which was running Oracle WebLogic Server, and we will look at some PoCs related to it. So, without wasting more time, let's get started.

As part of my everyday work I was testing the bank's external environments, and I came across a domain where an application was running on an unpatched WebLogic server.

Exploitation

I ran a simple Nmap scan on the domain to fingerprint the services and found that the application was running on a WebLogic server.

Then I used DirBuster to find existing directories. I ran a WebLogic wordlist (from the huntergregal/wordlists repository on GitHub) against port 443 and got some accessible directories.

As it turns out, there is a login page, and it shows the current WebLogic version.

I did a quick Google search and found a few known vulnerabilities, one of which was remote code execution. I found an exploit on GitHub; before running it, I checked whether the vulnerable endpoint was accessible to me.

Before running the actual exploit, I tested whether the server was vulnerable. The screenshot below shows that a test file was uploaded to the server.

After confirming the vulnerability, I uploaded my web shell to the server.

Since I was already the root user, there was no need for privilege escalation.

I started looking through internal directories and found the credentials for the WebLogic administration console.

Conclusion

System administrators often forget to update their external web server software to the latest version. It is very important to understand that external-facing environments are the first point of attack.

References

https://nvd.nist.gov/vuln/detail/CVE-2017-10271

https://github.com/RealBearcat/Oracle-WebLogic-CVE-2017-10271