CVE-2018-2894 – Weblogic JSP File Upload

Oracle WebLogic suffers from a trivial file upload vulnerability in its Web Service Test Client (ws_utc). Here are the steps to reproduce the vulnerability.

1) Go to http://172.17.0.2:7001/ws_utc/config.do
If you can't reach 172.17.0.2:7001/ws_utc, the Web Service Test Client is disabled on your WebLogic server, which is a good thing.

[Screenshot: 1.png]
2) Change the Work Home Dir from “/u01/oracle/user_projects/domains/base_domain/tmp/WSTestPageWorkDir” to “/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war”

NOTE: The WebLogic domain home directory differs between installations.

For example, in the case above the domain home directory is /u01/oracle/user_projects/domains/base_domain. Another example of a domain home directory is /u01/app/oracle/product/wls/tnt/user_projects/domains/tnt_domain/.

[Screenshot: 2.png]
3) Go to Security and add a keystore file. Upload the webshell cmd.jsp as a keystore file and click the Submit button.

[Screenshot: 3.png]
4) Intercept the response in Burp and note the ID 1533718460334 in the response

[Screenshot: 4.png]
5) Now access your webshell at http://172.17.0.2:7001/bea_wls_internal/config/keystore/1533718460334_cmd.jsp

[Screenshot: 5.png]
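For defenders, the two paths in the steps above are also the two things worth watching for in the server's access log: any traffic to /ws_utc/ (the test client is reachable at all) and a .jsp being served out of /bea_wls_internal/config/keystore/ (the directory where uploaded "keystore" files land). The following is an added example, not part of the original write-up: a small Python script that scans WebLogic access-log lines in Common Log Format for those indicators. The log lines are constructed for the example; the severity labels and the `scan_log`/`classify` names are the example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines in the Common Log Format that WebLogic's
# access.log uses by default. The first line is a header that must be skipped.
SAMPLE_LOG = """\
#Fields: c-ip - - date time cs-method cs-uri sc-status bytes
10.0.0.5 - - [08/Aug/2018:09:12:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4521
10.0.0.9 - - [08/Aug/2018:09:13:10 +0000] "GET /ws_utc/config.do HTTP/1.1" 200 8213
10.0.0.9 - - [08/Aug/2018:09:13:42 +0000] "POST /ws_utc/config.do HTTP/1.1" 200 117
10.0.0.9 - - [08/Aug/2018:09:14:30 +0000] "GET /bea_wls_internal/config/keystore/1533718460334_cmd.jsp HTTP/1.1" 200 312
10.0.0.5 - - [08/Aug/2018:09:15:00 +0000] "GET /bea_wls_internal/favicon.ico HTTP/1.1" 404 0
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefixes taken from the write-up above.
WS_UTC_PREFIX = "/ws_utc/"
KEYSTORE_PREFIX = "/bea_wls_internal/config/keystore/"


@dataclass
class Finding:
    severity: str
    ip: str
    timestamp: str
    method: str
    path: str
    reason: str


def classify(ip: str, ts: str, method: str, target: str, status: int) -> Optional[Finding]:
    """Return a Finding for a single parsed request, or None if it is uninteresting."""
    path = target.split("?", 1)[0]  # ignore the query string when matching paths
    lowered = path.lower()
    if lowered.startswith(KEYSTORE_PREFIX) and lowered.endswith(".jsp"):
        # A JSP served from the keystore upload directory is the page's own
        # indicator of compromise; a non-200 still shows someone probing for one.
        sev = "high" if status == 200 else "medium"
        return Finding(sev, ip, ts, method, path,
                       "JSP requested from the keystore upload directory (possible webshell)")
    if lowered.startswith(WS_UTC_PREFIX):
        # The test client being reachable is a misconfiguration in production;
        # a POST to it (settings change or upload) is more interesting than a GET.
        sev = "medium" if method == "POST" else "low"
        return Finding(sev, ip, ts, method, path,
                       "Web Service Test Client (ws_utc) reachable; should be disabled in production")
    return None


def scan_log(text: str) -> List[Finding]:
    """Parse CLF lines and collect findings; lines that are not CLF entries are skipped."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        f = classify(m["ip"], m["ts"], m["method"], m["target"], int(m["status"]))
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.timestamp} {f.ip} {f.method} {f.path} :: {f.reason}")
```

Run against the constructed sample it reports one low (GET to the test client), one medium (POST to it) and one high finding (the JSP under the keystore directory); the favicon request under /bea_wls_internal/ is not flagged because it is outside the keystore path. The same two prefixes map directly onto a WAF or proxy rule: in production, /ws_utc/ should not be reachable at all.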
