Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2015-4852

Description

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

POC

Reference

- http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

- http://packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html

- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

- https://www.exploit-db.com/exploits/42806/

- https://www.exploit-db.com/exploits/46628/

Github

- https://github.com/ARPSyndicate/cvemon

- https://github.com/AdeliaNitzsche/Java-Deserialization-Cheat-Sheet

- https://github.com/AndersonSingh/serialization-vulnerability-scanner

- https://github.com/BrittanyKuhn/javascript-tutorial

- https://github.com/CVEDB/PoC-List

- https://github.com/CVEDB/awesome-cve-repo

- https://github.com/CVEDB/top

- https://github.com/Coldplay1517/Middleware-Vulnerability-detection-master

- https://github.com/Drun1baby/JavaSecurityLearning

- https://github.com/GhostTroops/TOP

- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet

- https://github.com/Hpd0ger/weblogic_hpcmd

- https://github.com/JERRY123S/all-poc

- https://github.com/JasonLOU/WeblogicScan-master

- https://github.com/KimJun1010/WeblogicTool

- https://github.com/Komthie/Deserialization-Insecure

- https://github.com/L42yH4d3s/Vulnerable-Webapp-With-Java-Spring-HOD402

- https://github.com/MrTcsy/Exploit

- https://github.com/Ostorlab/KEV

- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors

- https://github.com/PalindromeLabs/Java-Deserialization-CVEs

- https://github.com/QChiLan/weblogic

- https://github.com/QChiLan/weblogicscanner

- https://github.com/ReAbout/audit-java

- https://github.com/Snakinya/Weblogic_Attack

- https://github.com/SourceryAI/Deep-Security-Reports

- https://github.com/Weik1/Artillery

- https://github.com/Y4tacker/JavaSec

- https://github.com/ZTK-009/RedTeamer

- https://github.com/angeloqmartin/Vulnerability-Assessment

- https://github.com/apachecn-archive/Middleware-Vulnerability-detection

- https://github.com/asa1997/topgear_test

- https://github.com/awsassets/weblogic_exploit

- https://github.com/cross2to/betaseclab_tools

- https://github.com/cyberanand1337x/bug-bounty-2022

- https://github.com/fengjixuchui/RedTeamer

- https://github.com/followboy1999/weblogic-deserialization

- https://github.com/hanc00l/weblogic_unserialize_exploit

- https://github.com/hashtagcyber/Exp

- https://github.com/hktalent/TOP

- https://github.com/jbmihoub/all-poc

- https://github.com/klausware/Java-Deserialization-Cheat-Sheet

- https://github.com/koutto/jok3r-pocs

- https://github.com/langu-xyz/JavaVulnMap

- https://github.com/lovechinacoco/https-github.com-mai-lang-chai-Middleware-Vulnerability-detection

- https://github.com/mishmashclone/GrrrDog-Java-Deserialization-Cheat-Sheet

- https://github.com/nex1less/CVE-2015-4852

- https://github.com/nihaohello/N-MiddlewareScan

- https://github.com/oneplus-x/jok3r

- https://github.com/onewinner/VulToolsKit

- https://github.com/password520/RedTeamer

- https://github.com/psadmin-io/weblogic-patching-scripts

- https://github.com/qiqiApink/apkRepair

- https://github.com/rabbitmask/WeblogicScan

- https://github.com/roo7break/serialator

- https://github.com/rosewachera-rw/vulnassessment

- https://github.com/safe6Sec/WeblogicVuln

- https://github.com/sourcery-ai-bot/Deep-Security-Reports

- https://github.com/superfish9/pt

- https://github.com/syadg123/WeblogicScan

- https://github.com/tdtc7/qps

- https://github.com/weeka10/-hktalent-TOP

- https://github.com/wukong-bin/weblogiscan

- https://github.com/zema1/oracle-vuln-crawler

- https://github.com/zhzhdoai/Weblogic_Vuln

- https://github.com/zzwlpx/weblogic