Unauthenticated RCE in Oracle WebLogic Server Web Services
CVE-2019-2725 is a critical unsafe deserialization vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware, specifically the Web Services subcomponent. Affected supported versions include 10.3.6.0.0 and 12.1.3.0.0. The flaw is remotely exploitable over HTTP without authentication and has been described by Oracle and multiple security reports as easily exploitable. Public reporting and advisories characterize exploitation as occurring via WebLogic web service endpoints, including AsyncResponseService, allowing attacker-supplied serialized data to be processed and resulting in arbitrary command/code execution on the target server.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
Repository contains a single Python exploit script and a README describing CVE-2019-2725 (Oracle WebLogic unauthenticated RCE via AsyncResponseService). The exploit (web_logic_CVE-2019-2725.py) uses the requests library to POST a crafted SOAP/XML payload to a user-supplied target URL (intended to be /_async/AsyncResponseService). It first performs a lightweight vulnerability check by POSTing with SOAP headers and interpreting HTTP 500 with a specific SOAP faultcode or HTTP 202 as potentially vulnerable. If positive, it sends a SOAP envelope with a WorkContext header that instantiates java.lang.ProcessBuilder to run '/bin/bash -c <command>' where <command> is provided on the command line (XML-escaped). Primary capability is remote command execution; the README demonstrates using it to obtain a reverse shell (e.g., netcat listener on port 2323). The code assumes a Unix-like target due to the hardcoded /bin/bash and does not include advanced features like target discovery, multi-target scanning, or payload staging.
This repository is a Java-based GUI tool for exploiting Oracle WebLogic Server deserialization vulnerabilities, specifically CVE-2017-10271 and CVE-2019-2725, affecting versions 10 and 12. The tool provides a graphical interface (Main.java) allowing users to check for vulnerabilities, execute arbitrary commands, upload files, and retrieve server paths on vulnerable WebLogic instances. The core logic is implemented in the 'paylaod' package, with separate classes for each CVE and WebLogic version. The tool constructs and sends crafted SOAP/XML payloads to specific WebLogic endpoints (such as /wls-wsat/CoordinatorPortType and /_async/AsyncResponseService) to trigger the vulnerabilities. The 'tools' package provides supporting utilities for HTTP requests, encoding, and other helper functions. The repository is operational, providing working exploit code with customizable payloads, and is not part of a larger exploit framework.
This repository provides a working exploit for CVE-2019-2725, a critical remote code execution vulnerability in Oracle WebLogic Server (wls9-async component). The exploit leverages a Java deserialization vulnerability by sending a crafted SOAP XML payload containing a malicious serialized object (using the TemplatesImpl gadget chain) to the /wls-wsat/CoordinatorPortType endpoint. The Java files (JDK7u21.java and ResultBaseExec.java) are used to generate the payload and execute arbitrary system commands on the target server. The repository includes example payloads for both command execution and echoing results, as well as documentation and sample HTTP requests. The exploit is operational and demonstrates command execution with output returned in the HTTP response, targeting WebLogic versions 10.3.6 and 12.1.3.
This repository contains a Python-based universal exploit tool targeting multiple critical vulnerabilities in Oracle WebLogic Server: CVE-2017-3506, CVE-2017-10271, CVE-2019-2725, and CVE-2019-2729. The main script, 'weblogic_exploit.py', allows attackers to craft and deliver SOAP/XML payloads that exploit deserialization and XMLDecoder flaws, enabling remote command execution on vulnerable WebLogic instances. The tool supports several payload types: direct command execution (process_builder, event_data), serialized object deserialization (unit_of_work_change_set, requiring ysoserial), and remote XML payload fetching (fs_xml_app_ctx). It can target different WebLogic endpoints, notably '/wls-wsat/CoordinatorPortType11' for command output and '/_async/AsyncResponseService' for blind execution. The exploit is highly customizable, supporting proxying, custom commands, and payload hosting (e.g., via file.io). The README provides detailed usage instructions, payload templates, and example commands. The repository is operational and suitable for real-world exploitation, not just proof-of-concept.
This repository is a proof-of-concept exploit for Oracle WebLogic Server vulnerabilities CVE-2019-2725 and CVE-2019-2729. It contains a Python script ('weblogic_get_webshell.py') that automates exploitation by sending crafted SOAP/XML payloads to vulnerable WebLogic endpoints. The script can target a single URL or multiple URLs listed in 'url_list.txt'. The main capabilities are remote command execution and uploading a persistent JSP webshell to the target server. The payloads are stored in separate files: payload3.txt is included, while payload.txt and payload2.txt are referenced but missing from this archive. The exploit targets the '/_async/AsyncResponseService' and '/wls-wsat/CoordinatorPortType' endpoints on the WebLogic server. The repository is operational, providing a working exploit with a hardcoded payload, and is not part of a larger framework. The README provides usage instructions in Chinese, indicating how to run the exploit for single or multiple targets.
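The exploit summaries above all share one observable request pattern: an unauthenticated POST to /_async/AsyncResponseService or /wls-wsat/CoordinatorPortType carrying a SOAP envelope whose WorkContext header references java.lang.ProcessBuilder, preceded in at least one tool by a probe that treats an HTTP 500 (with a SOAP fault) or HTTP 202 response as a "potentially vulnerable" signal. The following detection helper is an added example for defenders and is not code from any repository listed on this page; the log layout ("src method path status body"), the field names and the sample records are constructed assumptions for illustration, and a real deployment would read request bodies from a WAF or reverse-proxy log rather than a standard access log.

```python
"""Flag requests matching the CVE-2019-2725 exploitation pattern described above.

Added example (not from any repository on the page). The record layout
"<src_ip> <method> <path> <status> <body>" and the sample records below are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Endpoints named on the page as exploitation targets. A prefix match on
# /wls-wsat/CoordinatorPortType also covers the CoordinatorPortType11 variant.
WATCHED_PATHS = (
    "/_async/AsyncResponseService",
    "/wls-wsat/CoordinatorPortType",
)

# Body markers taken from the page's description of the payload: a SOAP
# envelope whose WorkContext header instantiates java.lang.ProcessBuilder.
BODY_MARKERS = re.compile(r"WorkContext|java\.lang\.ProcessBuilder", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    src: str
    path: str
    status: int
    severity: str   # "high" when a payload marker is present, else "low"
    reason: str


def _parse(line: str):
    """Split one constructed log record; return None if it is malformed."""
    parts = line.split(" ", 4)
    if len(parts) < 4:
        return None
    src, method, path, status = parts[:4]
    body = parts[4] if len(parts) == 5 else ""
    try:
        return src, method, path, int(status), body
    except ValueError:
        return None


def scan(lines):
    """Return a Finding for every POST to a watched endpoint that looks like the
    described exploit traffic. Marker hits are high severity; a 202/500
    response with no marker is only a weak probe-like signal (low severity),
    because those statuses also occur on legitimate async traffic and errors."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = _parse(line)
        if rec is None:
            continue
        src, method, path, status, body = rec
        if method != "POST" or not path.startswith(WATCHED_PATHS):
            continue
        if BODY_MARKERS.search(body):
            findings.append(Finding(n, src, path, status, "high",
                                    "WorkContext/ProcessBuilder marker in body"))
        elif status in (202, 500):
            findings.append(Finding(n, src, path, status, "low",
                                    f"probe-like response {status} on watched endpoint"))
    return findings


# Constructed sample records: one benign GET, one probe-like 202, one request
# carrying the payload markers, one ordinary async POST, and one unrelated 500.
SAMPLE_LOG = [
    "10.0.0.5 GET /console/login/LoginForm.jsp 200",
    "10.0.0.7 POST /_async/AsyncResponseService 202 <soapenv:Envelope><soapenv:Header/><soapenv:Body/></soapenv:Envelope>",
    "10.0.0.9 POST /wls-wsat/CoordinatorPortType11 500 <soapenv:Envelope><soapenv:Header><work:WorkContext>java.lang.ProcessBuilder</work:WorkContext></soapenv:Header></soapenv:Envelope>",
    "10.0.0.8 POST /_async/AsyncResponseService 200 <soapenv:Envelope><soapenv:Body>routine</soapenv:Body></soapenv:Envelope>",
    "10.0.0.3 POST /orders/submit 500 WorkContext unrelated",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity.upper()} {f.src} -> {f.path} ({f.status}): {f.reason}")
```

The two-tier severity matters in practice: the marker rule is specific enough to page on, while the status-only rule should feed a correlation query (repeated 202/500 responses from one source against these endpoints) rather than alerting on its own. Both endpoints are also good candidates for blocking at the reverse proxy if they are not needed, which is the usual stop-gap when patching cannot happen immediately.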
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An unauthenticated remote code execution vulnerability in Oracle WebLogic referenced as heavily exploited.
A vulnerability in Oracle WebLogic Server that REvil operators leveraged in early observed deployments.
A remote code execution vulnerability in Oracle WebLogic Server due to unsafe deserialization, exploited by worms and attackers.
A deserialization vulnerability in Oracle WebLogic Server that can be exploited for remote code execution.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.