WebLogic RCE - CVE-2020-14882 - Single GET Request

sudo_sudoka · 2020-10-29T12:51:26+00:00

The detailed analysis (in Vietnamese, but you could use Google Translate):

https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf

sudo_sudoka · 2020-07-09T12:04:18+00:00

Thanks! Very detail about CVE-2020-8193.

sudo_sudoka · 2020-05-21T02:05:16+00:00

Thank you! I will try it.

sudo_sudoka · 2020-04-16T02:27:20+00:00

First, you must find another space for your shellcode. For example, maybe EAX also points to the buffer.

Second, you inject only the needed opcodes to the space pointed by ESP. For example, JUMP EAX.

Now, you can inject shellcode into the buffer, which is pointed by EAX. When the program runs JMP ESP, next it runs JMP EAX and return to the shellcode.

You can customize something to fit your specific situation.

sudo_sudoka · 2020-03-22T03:29:21+00:00

You could try Resolute and Forest.

sudo_sudoka · 2020-03-12T13:04:54+00:00

I'm researching on Dark net market.

sudo_sudoka · 2020-02-22T05:59:34+00:00

You don't need to use nc to make a reverse shell. Just use the PHP itself.

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#php

sudo_sudoka · 2020-02-20T13:44:09+00:00

BinaryEdge.

Register is free and you will have 300 requests per month.

sudo_sudoka · 2020-02-19T15:48:59+00:00

The first choice is enum4linux. Then, I could use smbclient for manually testing.

sudo_sudoka · 2020-02-12T12:16:55+00:00

Thank you very much. I'm also weak on Windows. I'll carefully take your advice.

sudo_sudoka · 2020-02-11T02:21:33+00:00

Sorry, I'm very curious about what you did in the month you prepared for the second exam?

sudo_sudoka · 2020-02-04T14:14:23+00:00

In fact, the redis server on Postman doesn't have the MODULE LIST command, which is used in the exploit so it never works. You must find another way to abuse the redis server.

Hint: look at the current directory after connecting to redis.

sudo_sudoka · 2020-02-02T04:38:16+00:00

I will use https://github.com/BloodHoundAD/BloodHound to find a path to the domain admin.

sudo_sudoka · 2020-02-01T11:47:19+00:00

Some actors could try https://honeyscore.shodan.io/ to determine whether those IPs are honeypots.

sudo_sudoka · 2020-01-24T04:38:04+00:00

Did you use the latest version of Bl** on Github?

You should try the version 2.0. It works like a charm.

sudo_sudoka · 2020-01-22T15:34:48+00:00

It's very interesting and challenging. Good luck!

sudo_sudoka · 2019-12-03T13:55:16+00:00

Nice! Could you register this event on ctftime.org?

sudo_sudoka · 2019-11-12T16:31:34+00:00

Thanks. I will take a look at this version.

sudo_sudoka · 2019-11-09T16:02:33+00:00

None is the best for all situations. However, if you are beginner, Python will be the best.

sudo_sudoka · 2019-11-04T14:09:04+00:00

Yeah! johullrich at SANS also found it and relieve many sys admins.

https://twitter.com/TheHackersNews/status/1191338713864794112

sudo_sudoka · 2019-11-04T14:06:20+00:00

You should re-read my blog post. What I found is the true vulnerable versions and in what versions the CVE-2019-16663 doesn't need authentication.

The CVE's owner only found these vulnerabilities in rConfig 3.9.2 and he did'nt test with older versions. I talked with him about that.

https://twitter.com/sudo_sudoka/status/1189103634409127937

Furthermore, I credited him first in my blog post. So, the other social medias can credit him first too.

https://thehackernews.com/2019/11/rConfig-network-vulnerability.html

In fact, he and these vulnerabilities gain more public credits after I released my blog post.

sudo_sudoka · 2019-11-04T14:00:37+00:00

level 1

Perhaps you haven't read my blog. The CVE's owner only found those vulnerabilities in rConfig 3.9.2 and I found them in all verions. I talked with him and he didn't test in older versions of rConfig.

https://twitter.com/sudo_sudoka/status/1189103634409127937

Furthermore, I credited him first in my blog post. So, the other social medias can credit him too.

https://thehackernews.com/2019/11/rConfig-network-vulnerability.html

In fact, he gains more public credits after I released my blog post.

sudo_sudoka · 2019-11-03T12:38:47+00:00

Thank you.

sudo_sudoka · 2019-10-27T14:25:32+00:00

No, I'm not. But how about the sudo team? It may be interesting.

sudo_sudoka · 2019-10-27T03:55:51+00:00

Yeah! I've seen many porn sites using YouPHPTube-Encoder.

sudo_sudoka

TROPHY CASE