Oracle Coherence / WebLogic T3 Deserialization RCE (CVE-2020-2555)
CVE-2020-2555 is an unauthenticated Java deserialization vulnerability in Oracle Coherence, affecting Oracle Fusion Middleware deployments including Oracle WebLogic environments that expose the T3 protocol and include vulnerable Coherence components. A remote attacker can send a crafted serialized Java object, including a javax.management.BadAttributeValueExpException wrapper and a gadget chain using Coherence classes such as com.tangosol.util.filter.LimitFilter, com.tangosol.util.extractor.ChainedExtractor, and com.tangosol.util.extractor.ReflectionExtractor, to trigger unsafe deserialization and invoke java.lang.Runtime methods. Oracle lists affected versions as 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0. The issue is network exploitable over T3 without authentication and can lead to full compromise of the Oracle Coherence service.
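As an added example, not part of the Mallory page or of any repository it lists, the following Python check scans a captured T3 connection payload for the Java serialization stream magic and the gadget class names the description cites; the sample captures and the simplified T3 handshake line are constructed.

```python
"""Detect the CVE-2020-2555 Coherence gadget chain in captured T3 traffic.

Added example (not from the Mallory page or any listed repository). It
inspects raw bytes for the Java serialization stream magic and the gadget
class names the advisory cites. Sample input is constructed below.
"""
import re

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Class names from the CVE description; a serialized object graph carries
# them as UTF-8 class descriptors, so a byte search is enough here.
GADGET_CLASSES = [
    b"javax.management.BadAttributeValueExpException",
    b"com.tangosol.util.filter.LimitFilter",
    b"com.tangosol.util.extractor.ChainedExtractor",
    b"com.tangosol.util.extractor.ReflectionExtractor",
]
T3_HANDSHAKE = re.compile(rb"^t3s? \d+\.\d+")  # a T3/T3S session opens with "t3 <version>"


def find_gadget_indicators(payload: bytes) -> dict:
    """Return which indicators appear in one captured T3 connection payload."""
    return {
        "t3_handshake": bool(T3_HANDSHAKE.match(payload)),
        "java_serialized": JAVA_SERIAL_MAGIC in payload,
        "gadget_classes": [c.decode() for c in GADGET_CLASSES if c in payload],
    }


def is_suspected_cve_2020_2555(payload: bytes) -> bool:
    """Alert only when a serialized object names both the wrapper and a
    Coherence extractor; benign T3 traffic also carries serialized objects,
    so the magic bytes alone must not alert."""
    ind = find_gadget_indicators(payload)
    hits = set(ind["gadget_classes"])
    has_wrapper = "javax.management.BadAttributeValueExpException" in hits
    has_extractor = any(h.startswith("com.tangosol.util.extractor.") for h in hits)
    return ind["java_serialized"] and has_wrapper and has_extractor


# Constructed sample captures (simplified handshake, no working payload):
# a benign session and one carrying the gadget chain's class descriptors.
BENIGN_CAPTURE = b"t3 12.2.1\nAS:255\nHL:19\n\n" + JAVA_SERIAL_MAGIC + b"weblogic.rjvm.JVMID"
SUSPECT_CAPTURE = (
    b"t3 12.2.1\nAS:255\nHL:19\n\n" + JAVA_SERIAL_MAGIC
    + b"\x73\x72\x00\x2ejavax.management.BadAttributeValueExpException"
    + b"\x73\x72\x00\x24com.tangosol.util.filter.LimitFilter"
    + b"\x73\x72\x00\x2fcom.tangosol.util.extractor.ReflectionExtractor"
)

if __name__ == "__main__":
    for name, cap in (("benign", BENIGN_CAPTURE), ("suspect", SUSPECT_CAPTURE)):
        print(name, is_suspected_cve_2020_2555(cap), find_gadget_indicators(cap))
```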
Exploits
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a comprehensive exploit library (exphub) containing operational exploit scripts for a wide range of high-profile vulnerabilities affecting popular enterprise software. The structure is organized by product (e.g., drupal/, f5/, fastjson/, jboss/, nexus/, ofbiz/, shiro/, solr/, spring/, struts2/, tomcat/, weblogic/), with each directory containing Python or Java scripts for specific CVEs. The scripts are primarily remote code execution (RCE) exploits, but also include file read, webshell upload, SSRF, and administrative bypasses. Many scripts provide interactive shells or allow arbitrary command execution, and some require authentication. The repository includes both proof-of-concept (POC) and full exploit scripts, with detailed usage instructions embedded in the code and readme files. The attack vector is predominantly network-based, targeting HTTP(S) endpoints, and the scripts are suitable for both vulnerability validation and exploitation. The codebase is mature, with operational exploits for each vulnerability, and is a valuable resource for penetration testers and red teamers.
This repository is a comprehensive Python-based exploit and POC framework with a GUI (Tkinter) for managing and executing a wide range of vulnerability checks and exploits. The structure is organized into EXP/ (exploit) and POC/ (proof-of-concept or auxiliary) directories, each containing scripts for specific products and vulnerabilities. The main entry point is CodeTest.pyw, which provides a GUI for selecting and running exploits. The EXP/ directory contains modules for major enterprise software (Apache, Jenkins, Nexus, JBoss, Drupal, ThinkPHP, Fastjson, etc.), each supporting multiple CVEs, primarily focused on remote code execution, file upload, and information disclosure vulnerabilities. The framework supports both detection and exploitation, with payloads that can be customized per target. The code is modular, with each exploit script implementing a class for the target product and methods for each CVE. The repository also includes auxiliary scripts for reconnaissance (e.g., FOFA, GithubHunter, JSFinder, LinkFinder) and configuration files. The overall purpose is to provide penetration testers and security researchers with a unified, extensible platform for vulnerability assessment and exploitation across a wide range of popular enterprise software.
This repository provides operational exploits for three Oracle WebLogic Server vulnerabilities: CVE-2020-2551, CVE-2020-2555, and CVE-2020-2883. The structure includes a Java-based exploit for CVE-2020-2551 (in CVE-2020-2551/src/exp.java) and two Python scripts for CVE-2020-2555 and CVE-2020-2883 (in CVE-2020-2555/CVE20202555Exp.py and CVE-2020-2883/CVE20202883Exp.py). The Java exploit leverages IIOP deserialization to trigger command execution, using callback domains (win.wb2551.starsosectest.starso.cn, lin.wb2551.starsosectest.starso.cn) to verify success. The Python scripts exploit the T3 protocol to send serialized payloads that execute arbitrary commands on the target. The exploits are configurable, allowing the attacker to specify the target URL and command to execute. The repository is well-structured, with clear separation for each CVE and supporting build files for the Java exploit. The main purpose is to provide proof-of-concept and operational exploit code for remote command execution on vulnerable WebLogic servers.
This repository is a proof-of-concept (POC) exploit for CVE-2020-2555, a deserialization vulnerability in Oracle WebLogic Server. The main code is in 'src/com/axin/Main.java', which constructs a malicious Java object chain using classes from the Coherence library and Java's BadAttributeValueExpException. The exploit generates a serialized payload ('payload.ser') that, when deserialized by a vulnerable WebLogic server (typically via the T3 protocol), will execute 'calc.exe' on the target system, demonstrating arbitrary command execution. The repository contains mostly IDE configuration files and a single Java source file implementing the exploit logic. The exploit does not include code to send the payload over the network; it only generates the payload file, which must be delivered to the target by other means (e.g., using a separate tool or script).
This repository provides a full exploit chain for CVE-2020-2555, a deserialization vulnerability in Oracle WebLogic Server (Coherence integration). The exploit consists of both a Python script (CVE-2020-2555.py) for network delivery and a comprehensive Java codebase for payload generation and advanced exploitation. The Java code constructs malicious serialized objects using known gadget chains (BadAttributeValueExpException, ChainedExtractor, ReflectionExtractor, LimitFilter) to achieve remote code execution. The exploit can install a persistent RMI backdoor ('supeream'), execute arbitrary commands, upload files, and uninstall the backdoor. The Python script sends the payload over the T3 protocol to the target WebLogic server. The codebase is modular, with clear separation between payload generation, protocol handling, and auxiliary functions (file upload, SSL, etc.). The exploit is operational and can be used for both one-shot command execution and persistent access. No authentication is required, and the attack is performed over the network via the T3/T3S protocol (default port 7001).
This repository is a full-featured exploit for CVE-2020-2555, a remote code execution vulnerability in Oracle WebLogic Server via a deserialization bug in the Coherence component. The exploit is implemented primarily in Java, with a supporting Python script (weblogic_t3.py) for payload delivery. The Java code constructs a malicious serialized object using a gadget chain involving BadAttributeValueExpException and Coherence's ReflectionExtractor, ultimately leading to arbitrary command execution via Runtime.getRuntime().exec(). The main entry points are:
- src/com/supeream/CVE_2020_2555.java: Demonstrates the exploit chain and sends the payload to a target WebLogic server using the T3 protocol.
- src/com/supeream/Main.java: Provides a command-line interface for exploiting the vulnerability, supporting features such as command execution, file upload, and installation of a persistent RMI backdoor for further access.
- src/com/supeream/payload/RemoteImpl.java: Implements the RMI backdoor, allowing remote command execution and file upload.
- weblogic_t3.py: A Python script for sending serialized payloads to the T3 endpoint of a WebLogic server.
The exploit requires the target to be running a vulnerable version of WebLogic (tested on 12.2.1.4, JDK 8u202, CentOS) without a security manager, and with a matching coherence.jar. The exploit can be used to execute arbitrary commands, upload files, and maintain persistent access via RMI. Several hardcoded IP addresses and endpoints are present for demonstration, but these can be customized for real-world use. The attack vector is network-based, targeting the T3/T3S protocol endpoints exposed by WebLogic.