Oracle WebLogic Server 12c, the world’s first cloud-native, enterprise Java platform, enables you to fully realize the benefits of cloud computing. It is widely used by mainstream enterprises for hosting Java-based applications.
Oracle WebLogic is now frequently affected by multiple zero-days. This critical vulnerability has been reported to be under active exploitation, and we urge all WebLogic users to take steps to remediate as soon as possible. A successful attack can lead to full system compromise, depending on the privileges of the Oracle WebLogic server.
I have shared a proof of concept for the WebLogic exploit. Unfortunately, Pro tools like Nessus Professional and Qualys were not able to detect this vulnerability during the test. More details of the series of vulnerabilities are given below:
https://www.rapid7.com/db/modules/exploit/multi/misc/weblogic_deserialize
Below is the list of CVEs published for this series of critical remote code execution vulnerabilities.
CVE-2019-2658
CVE-2019-2645
CVE-2019-2646
CVE-2019-2725
CVE-2018-3252
CVE-2018-3250
CVE-2018-3191
CVE-2018-3197
CVE-2018-2893
CVE-2017-10352
To start, we can scan the remote WebLogic server with Nmap.
nmap -sS -sV -p- <target_ip> -vv

Now check whether the WLS-SAT component is enabled. This can be done by browsing directly to http://vulnerableserver/wls-sat/.
Now for the exploit code. Below is the crafted exploit, which creates a reverse command shell on a Windows system.

Also refer:
https://www.exploit-db.com/exploits/46814
https://www.exploit-db.com/exploits/43924
The exploit is now run against the vulnerable target server using Burp Repeater. You can also use the curl command to do that. Make sure you are listening on the local port that was initially set in the exploit code. Here we used port 443, as most firewalls ignore traffic going through 443.
The screenshot below shows the reverse shell received on successful exploitation of the vulnerability.

Oracle has repeatedly tried to patch this RCE vulnerability, so always upgrade to the latest release. As a precautionary measure, patch your software to the latest version available in their repository, and if the wls-sat component is not required, disable it.
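Since the scanners mentioned above missed the issue, it is worth checking your own access logs for requests to the component before and after you patch or disable it. The following is an added example, not part of the original post: it scans access-log lines for requests to the /wls-sat/ path as written here and ranks the sources. The Common Log Format layout, the sample lines (constructed, documentation addresses) and the rule that an accepted POST ranks above a GET are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Context path exactly as this post writes it; adjust to what your server exposes.
WATCHED_PREFIXES = ("/wls-sat/",)
RANK = {"high": 0, "medium": 1, "info": 2}

# Assumed layout (Common Log Format): host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def classify(line):
    """Return a finding dict for a request to a watched path, else None."""
    m = CLF.match(line.strip())
    if not m:
        return None
    # Normalise percent-encoding, duplicate slashes and case so path variants still match.
    path = re.sub(r"/{2,}", "/", unquote(m["path"].split("?", 1)[0])).lower()
    if not path.startswith(WATCHED_PREFIXES):
        return None
    status = int(m["status"])
    reachable = status not in (403, 404)      # the component answered the request
    if m["method"] == "POST" and reachable:   # assumption: request body accepted
        severity = "high"
    elif reachable:                           # the "browse to the URL" check
        severity = "medium"
    else:                                     # blocked, or component not deployed
        severity = "info"
    return {"src": m["src"], "ts": m["ts"], "method": m["method"],
            "status": status, "severity": severity}

def scan(lines):
    """Group findings by source address, sources with the worst finding first."""
    by_src = defaultdict(list)
    for line in lines:
        finding = classify(line)
        if finding:
            by_src[finding["src"]].append(finding)
    return sorted(by_src.items(),
                  key=lambda kv: min(RANK[f["severity"]] for f in kv[1]))

# Constructed sample log lines, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [02/May/2019:10:14:01 +0000] "GET /wls-sat/ HTTP/1.1" 200 1024',
    '198.51.100.7 - - [02/May/2019:10:14:09 +0000] "POST /wls-sat/ HTTP/1.1" 202 0',
    '203.0.113.20 - - [02/May/2019:11:02:44 +0000] "GET /WLS-SAT/ HTTP/1.1" 404 1164',
    '192.0.2.15 - - [02/May/2019:11:05:10 +0000] "GET /console/ HTTP/1.1" 200 3411',
]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE):
        print(src, [(f["method"], f["status"], f["severity"]) for f in findings])
```

After the component is disabled, every request to the watched path should fall into the "info" bucket; any "medium" or "high" finding after that point means the path is still being served.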
Update, Patch, Disable, and Be Safe….