Mallory
High · CISA KEV · Exploited in the wild · Public exploit

Oracle WebLogic WLS-WSAT XML Deserialization RCE

Identifiers: CVE-2017-10271 · CWE-502

CVE-2017-10271 is a critical unauthenticated remote code execution vulnerability in Oracle WebLogic Server, affecting the WLS Security / WLS-WSAT component in versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, and 12.2.1.2.0 (the releases under support when Oracle published the fix). It is an XML deserialization flaw reachable through the /wls-wsat/CoordinatorPortType SOAP service. The WorkContext SOAP header is handed to java.beans.XMLDecoder, which instantiates whatever classes the XML names, so a crafted header can construct java.lang.ProcessBuilder (or java.lang.Runtime, or a java.io.FileOutputStream used to drop a webshell) and invoke it. No credentials or session are required: a single HTTP POST with a text/xml body to /wls-wsat/CoordinatorPortType is enough, and public detection and PoC material show exactly that request shape yielding arbitrary command execution in the context of the WebLogic server process.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands as the WebLogic service account, which in most deployments means full control of the server. Reporting and telemetry associate this flaw with complete server takeover, malware deployment, cryptomining, and follow-on intrusion activity. Oracle's advisory lists the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H with a base score of 7.5, i.e. an availability-only impact; that score is inconsistent with the observed outcome, and supporting content and exploitation reporting consistently characterize the flaw as remote code execution. Treat the 7.5 as a floor, not a description of the risk.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, restrict or block external access to Oracle WebLogic administrative and application interfaces, above all the WLS-WSAT endpoints. Note that the deserialization path is not unique to /wls-wsat/CoordinatorPortType: public tooling targets several /wls-wsat/* SOAP endpoints, so filter the whole application path, not one port type. Limit network reachability to trusted management networks, use segmentation and ACLs, and monitor for POST requests with SOAP/XML bodies to /wls-wsat/* that carry a WorkContext header containing XMLDecoder markup (java, void, object, array elements; ProcessBuilder, Runtime, FileOutputStream class names). Where feasible, disable or remove unnecessary WLS-WSAT functionality and deploy WAF or reverse-proxy filtering for known exploit patterns, keeping in mind that signatures keyed on a single literal such as ProcessBuilder are brittle: payloads vary the class used, the endpoint, and the XML formatting.
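The request shape described above and the monitoring recommendation in this section are illustrated by the following detector, an added example that is not code from this page or from any of the exploit repositories listed below. It parses raw HTTP requests, checks for the wls-wsat path, a SOAP content type, the WorkContext namespace, and XMLDecoder element and class markers, and scores each request. The three sample requests, the host name, the scoring weights and the threshold are all constructed for illustration; the third sample reproduces only the structure of the public payload, with a harmless command, so the detector has something to match on.

```python
"""Score HTTP requests for CVE-2017-10271-style WLS-WSAT XMLDecoder payloads.

Added example: parsing, scoring weights, threshold and all sample requests
are constructed here and are not taken from the page or any public exploit.
"""
import re
from dataclasses import dataclass, field

# Every SOAP endpoint under the wls-wsat application reaches the same
# deserialization path, so match the application directory, not one port type.
WLS_WSAT_PATH = re.compile(r"^/wls-wsat/", re.IGNORECASE)
WORKCONTEXT_NS = "http://bea.com/2004/06/soap/workarea/"
# XMLDecoder's serialization grammar; a legitimate WorkContext header carries an
# opaque blob, not these elements. \b keeps "<class" from matching "<classification".
XMLDECODER_ELEMENT = re.compile(r"<(java|object|void|array|class)\b")
# Classes that public payloads instantiate for command execution or file drops.
DANGEROUS_CLASSES = (
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "java.io.FileOutputStream",
    "java.io.PrintWriter",
)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Reached only when XMLDecoder markup or a dangerous class is present
        # on top of the path/content-type signals (constructed threshold).
        return self.score >= 5


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def score_request(method: str, path: str, headers: dict, body: str) -> Verdict:
    v = Verdict()
    if not WLS_WSAT_PATH.match(path.split("?", 1)[0]):
        return v                      # not the vulnerable application
    v.score += 1
    v.reasons.append("wls-wsat endpoint")
    if method.upper() != "POST":
        return v                      # WSDL fetches are ordinary traffic
    ctype = headers.get("content-type", "").lower()
    if "xml" in ctype or "soap" in ctype:
        v.score += 1
        v.reasons.append(f"SOAP body ({ctype})")
    if WORKCONTEXT_NS in body:
        v.score += 2
        v.reasons.append("WorkContext header present")
    elements = sorted({m.group(1) for m in XMLDECODER_ELEMENT.finditer(body)})
    if elements:
        v.score += 3
        v.reasons.append("XMLDecoder elements: " + ", ".join(elements))
    classes = [c for c in DANGEROUS_CLASSES if c in body]
    if classes:
        v.score += 4
        v.reasons.append("dangerous classes: " + ", ".join(classes))
    return v


def triage(samples: dict) -> dict:
    """Score a batch of raw requests, keyed by a caller-chosen name."""
    return {name: score_request(*parse_http_request(raw)) for name, raw in samples.items()}


# Constructed sample traffic (fictional host); the third mirrors the public
# payload structure with a harmless command so the detector can be exercised.
SOAP_OPEN = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
BENIGN_WSDL = "GET /wls-wsat/CoordinatorPortType?WSDL HTTP/1.1\r\nHost: weblogic.example.internal\r\n\r\n"
BENIGN_SOAP = (
    "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\nHost: weblogic.example.internal\r\n"
    "Content-Type: text/xml\r\n\r\n" + SOAP_OPEN + "<soapenv:Header/><soapenv:Body>"
    '<wsat:Prepare xmlns:wsat="http://docs.oasis-open.org/ws-tx/wsat/2006/06"/>'
    "</soapenv:Body></soapenv:Envelope>"
)
MALICIOUS_SOAP = (
    "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\nHost: weblogic.example.internal\r\n"
    "Content-Type: text/xml\r\n\r\n" + SOAP_OPEN + "<soapenv:Header>"
    '<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
    '<java version="1.8.0" class="java.beans.XMLDecoder">'
    '<void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">'
    '<void index="0"><string>id</string></void></array><void method="start"/></void>'
    "</java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
)

if __name__ == "__main__":
    samples = {"wsdl": BENIGN_WSDL, "ws-at": BENIGN_SOAP, "xmldecoder": MALICIOUS_SOAP}
    for name, verdict in triage(samples).items():
        print(f"{name:11s} score={verdict.score:2d} suspicious={verdict.suspicious} {verdict.reasons}")
```

Feed it requests reconstructed from a proxy or packet capture rather than access logs alone: the decisive signals live in the POST body, and an access log that records only the path will show the benign WS-AT call and the exploit attempt as the same line.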

Remediation

Patch, then assume compromise.

Apply Oracle's security update for CVE-2017-10271 as provided in the October 2017 Critical Patch Update, or upgrade to a fixed WebLogic release. Ensure every instance of the affected versions (10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, and 12.2.1.2.0) is patched or retired; confirm the patch is actually installed on each Oracle Home (OPatch's lsinventory listing) rather than relying on a change ticket. After patching, validate that the /wls-wsat/CoordinatorPortType endpoint is no longer reachable from untrusted networks or no longer accepts the exploit pattern. Patching this CVE alone does not close the later bypass in the same deserialization path, CVE-2019-2725 (referenced by one of the exploit toolkits below), so verify that those fixes are applied as well. Because this flaw has been exploited in the wild for years, an exposed and unpatched server should be treated as compromised: review it for webshells under the WebLogic deployment directories, unexpected processes run by the service account, and outbound connections from the server.
PUBLIC EXPLOITS

Exploits

6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (6 hidden).

VALID 6 / 12 TOTAL
CVE-2017-10271 · Maturity: PoC · Verified exploit

This repository contains a Python-based exploit tool for CVE-2017-10271, a critical remote code execution vulnerability in Oracle WebLogic Server. The main file, 'CVE-2017-10271_Tool.py', is a comprehensive interactive tool that allows the user to:

- Detect WebLogic servers and enumerate their versions.
- Scan for the presence of the CVE-2017-10271 vulnerability.
- Upload test files to the server.
- Execute arbitrary system commands, including launching a reverse shell or uploading a webshell for persistent access.
- Interact with a webshell via Selenium for browser-based access.

The tool is menu-driven and logs all activities to a timestamped log file. It targets specific WebLogic endpoints known to be vulnerable, such as '/wls-wsat/CoordinatorPortType'. The included 'docker-compose.yml' file provides a quick way to deploy a vulnerable WebLogic instance for testing, using the 'vulhub/weblogic:10.3.6.0-2017' Docker image. Overall, the repository is well-structured for both exploitation and testing, providing detection, exploitation, and post-exploitation capabilities for CVE-2017-10271 on Oracle WebLogic Server.

seoyoung-kang · Disclosed Oct 15, 2025 · python, yaml · network
CVE-2017-10271 · Maturity: PoC · Verified exploit

This repository provides a working exploit for CVE-2017-10271, a critical unauthenticated remote code execution vulnerability in Oracle WebLogic Server. The exploit targets the /wls-wsat/CoordinatorPortType SOAP endpoint, sending a specially crafted XML payload that leverages Java XMLDecoder deserialization to execute arbitrary system commands on the server. The main files are:

- exploit.py: Core exploit script that takes a target URL and a command, then sends the malicious SOAP payload to the vulnerable endpoint.
- payloads.py: Contains the function to generate the SOAP/XML payload for command execution.
- weblogic.py: A more advanced script that reads a list of hosts, checks for the vulnerability, and attempts exploitation with a default PowerShell payload that downloads and executes a remote script.
- scanner.sh: Bash script to quickly check if a host exposes the vulnerable endpoint and appears to be running WebLogic.

The exploit is operational and allows the attacker to execute arbitrary commands, with the default payload designed to fetch and run a PowerShell script from a remote server. The repository also includes detection and host enumeration logic. The main attack vector is network-based, requiring access to the WebLogic SOAP endpoint. The exploit is not part of a larger framework and is implemented in Python and Bash.

c0mmand3rOpSec · Disclosed Dec 28, 2017 · python, bash · network
javaserializetools · Maturity: PoC · Verified exploit

This repository is a Java-based GUI tool for exploiting Oracle WebLogic Server deserialization vulnerabilities, specifically CVE-2017-10271 and CVE-2019-2725, affecting versions 10 and 12. The tool provides a graphical interface (Main.java) allowing users to check for vulnerabilities, execute arbitrary commands, upload files, and retrieve server paths on vulnerable WebLogic instances. The core logic is implemented in the 'paylaod' package, with separate classes for each CVE and WebLogic version. The tool constructs and sends crafted SOAP/XML payloads to specific WebLogic endpoints (such as /wls-wsat/CoordinatorPortType and /_async/AsyncResponseService) to trigger the vulnerabilities. The 'tools' package provides supporting utilities for HTTP requests, encoding, and other helper functions. The repository is operational, providing working exploit code with customizable payloads, and is not part of a larger exploit framework.

shack2 · Disclosed Sep 13, 2018 · java, xml · network
CVE-2017-10271 · Maturity: PoC · Verified exploit

This repository contains a set of exploits targeting Oracle WebLogic Server's CVE-2017-10271 vulnerability, which allows unauthenticated remote code execution via a SOAP/XML deserialization flaw in the WLS Security component. The main exploit scripts are 'weblogic_wls_wsat_exp.py' (for Linux) and 'weblogic_wls_wsat_exp_win.py' (for Windows), both written in Python. These scripts craft malicious SOAP requests to the '/wls-wsat/CoordinatorPortType' endpoint, leveraging XMLDecoder deserialization to execute arbitrary system commands or upload a JSP webshell ('exec.jsp') to the server. The webshell enables further command execution via HTTP requests. The 'weblogic_check_version.py' script is included to fingerprint and determine the version of a target WebLogic server. The exploit supports both command execution with output retrieval and direct webshell upload, providing operational-level exploitation capabilities. The repository is structured with clear separation between Linux and Windows exploitation, a reusable JSP webshell, and a version checking utility.

Al1ex · Disclosed Nov 18, 2020 · python, java · network
CVE-2017-10271 · Maturity: PoC · Verified exploit

This repository provides a comprehensive exploitation and detection toolkit for CVE-2017-10271, a critical remote code execution vulnerability in Oracle WebLogic Server's wls-wsat component. The main exploit (CVE-2017-10271.py) is a standalone Python script that can both check for vulnerability (by causing the target to make an outbound HTTP request) and exploit it (by executing a reverse shell payload for Unix or Windows). The repository also includes a Metasploit module (oracle_weblog_wsat_rce.rb) for framework-based exploitation, a Go-based scanner for bulk detection, and original proof-of-concept code. Multiple shell scripts are provided to assist with setting up listeners for reverse shells or check responses. The vulnerable endpoints are well-documented and include several /wls-wsat/* SOAP endpoints. The exploit works by sending a specially crafted SOAP XML payload to the target's vulnerable endpoint, leveraging Java deserialization to achieve arbitrary command execution. The repository is well-structured, with clear separation between exploit, detection, and setup components, and includes documentation for both setting up a vulnerable environment and using the tools provided.

kkirsche · Disclosed Jan 5, 2018 · python, ruby · network
CVE-2017-10271 · Maturity: PoC · Verified exploit

This repository contains a Python exploit script (CVE-2017-10271.py) targeting Oracle WebLogic Server instances vulnerable to CVE-2017-10271, a remote code execution flaw. The exploit works by sending a specially crafted SOAP XML payload to the /wls-wsat/CoordinatorPortType endpoint of the target server. The payload leverages Java's XMLDecoder to execute arbitrary system commands via ProcessBuilder, specifically using 'cmd /c <command>', so the exploit as written only works against Windows targets. The script provides an interactive shell-like interface, allowing the user to input commands that are then executed on the remote server. The README provides basic usage instructions and notes that the exploit is for Windows but could be adapted for Linux. The repository is straightforward, with one main exploit script and a brief README.

1337g · Disclosed Dec 23, 2017 · python · network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Oracle | WebLogic Server | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence (6)

Every observed campaign linking this CVE to a named adversary.

Associated malware (12)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (2)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (4)

Community discussion across Reddit, Mastodon, and other social sources.