### [CVE-2015-4852](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852) ![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue) ![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue) ![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen) ### Description The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product. ### POC #### Reference - http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ - http://packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html - http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html - https://www.exploit-db.com/exploits/42806/ - https://www.exploit-db.com/exploits/46628/ #### Github - https://github.com/ARPSyndicate/cvemon - https://github.com/AdeliaNitzsche/Java-Deserialization-Cheat-Sheet - https://github.com/AndersonSingh/serialization-vulnerability-scanner - https://github.com/BrittanyKuhn/javascript-tutorial - https://github.com/CVEDB/PoC-List - https://github.com/CVEDB/awesome-cve-repo - https://github.com/CVEDB/top - https://github.com/Drun1baby/JavaSecurityLearning - https://github.com/GhostTroops/TOP - https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet - https://github.com/Hpd0ger/weblogic_hpcmd - https://github.com/JERRY123S/all-poc - https://github.com/KimJun1010/WeblogicTool - https://github.com/Komthie/Deserialization-Insecure - https://github.com/MrTcsy/Exploit - https://github.com/Ostorlab/KEV - https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors - https://github.com/PalindromeLabs/Java-Deserialization-CVEs - https://github.com/ReAbout/audit-java - https://github.com/Snakinya/Weblogic_Attack - https://github.com/Weik1/Artillery - https://github.com/Y4tacker/JavaSec - https://github.com/ZTK-009/RedTeamer - https://github.com/angeloqmartin/Vulnerability-Assessment - https://github.com/apachecn-archive/Middleware-Vulnerability-detection - https://github.com/asa1997/topgear_test - https://github.com/awsassets/weblogic_exploit - https://github.com/cross2to/betaseclab_tools - https://github.com/cyberanand1337x/bug-bounty-2022 - https://github.com/fengjixuchui/RedTeamer - https://github.com/followboy1999/weblogic-deserialization - https://github.com/hanc00l/weblogic_unserialize_exploit - https://github.com/hashtagcyber/Exp - https://github.com/hktalent/TOP - https://github.com/jbmihoub/all-poc - https://github.com/klausware/Java-Deserialization-Cheat-Sheet - https://github.com/koutto/jok3r-pocs - https://github.com/langu-xyz/JavaVulnMap - https://github.com/lovechinacoco/https-github.com-mai-lang-chai-Middleware-Vulnerability-detection - https://github.com/mishmashclone/GrrrDog-Java-Deserialization-Cheat-Sheet - https://github.com/nex1less/CVE-2015-4852 - https://github.com/nihaohello/N-MiddlewareScan - https://github.com/oneplus-x/jok3r - https://github.com/onewinner/VulToolsKit - https://github.com/password520/RedTeamer - https://github.com/psadmin-io/weblogic-patching-scripts - https://github.com/qiqiApink/apkRepair - https://github.com/rabbitmask/WeblogicScan - https://github.com/roo7break/serialator - https://github.com/rosewachera-rw/vulnassessment - https://github.com/safe6Sec/WeblogicVuln - https://github.com/sourcery-ai-bot/Deep-Security-Reports - https://github.com/superfish9/pt - https://github.com/tdtc7/qps - https://github.com/weeka10/-hktalent-TOP - https://github.com/zema1/oracle-vuln-crawler - https://github.com/zhzhdoai/Weblogic_Vuln - https://github.com/zzwlpx/weblogic