Share
## https://sploitus.com/exploit?id=0B1BDC40-069F-50E3-B974-77679CB4F5BA
# CVE-2026-21962 Concurrent WebLogic Scanner/Exploiter
High-performance Go application for scanning and exploiting CVE-2026-21962 (Oracle WebLogic Proxy Plug-in vulnerability) across multiple targets concurrently.
## Features
- **Concurrent Processing**: Worker pool pattern for high-throughput scanning
- **GNMAP Parser**: Parses Masscan gnmap output files
- **Multi-phase Exploitation**:
- Phase 1: Probe for vulnerable ProxyServlet endpoints
- Phase 2: Send malicious headers with Base64 payloads
- Phase 3: Analyze responses for vulnerability indicators
- **Structured Output**: JSON or human-readable text format
- **Progress Reporting**: Real-time progress updates
- **Graceful Shutdown**: Handles interrupts cleanly
## Project Structure
```
cve-2026-oracle/
โโโ cmd/
โ โโโ scanner/
โ โโโ main.go # CLI entry point
โโโ internal/
โ โโโ scanner/ # Scanning logic and worker pool
โ โโโ exploit/ # Payload generation and exploit execution
โ โโโ parser/ # GNMAP file parsing
โ โโโ client/ # HTTP client wrapper
โ โโโ types/ # Shared data structures
โโโ go.mod # Go module definition
โโโ README.md # This file
```
## Build
### Using Make (Recommended)
```bash
# Build the scanner binary
make build
# Build optimized release binary
make build-release
# Build for all platforms (Linux, Windows, macOS)
make build-all
# Run development workflow (fmt, vet, test, build)
make dev
# See all available targets
make help
```
### Using Go directly
```bash
# Build the scanner binary
go build -o scanner ./cmd/scanner
# Or install globally
go install ./cmd/scanner@latest
```
## Usage
```bash
./scanner -file weblogic_ports.gnmap [options]
```
### Options
- `-file `: Path to Masscan gnmap file (required)
- `-workers `: Number of concurrent workers (default: 50, max: 500)
- `-timeout `: Request timeout in seconds (default: 15)
- `-insecure`: Skip SSL certificate verification
- `-json`: Output results in JSON format
- `-command `: Command to execute on vulnerable targets (default: "id")
- `-exploit`: Attempt actual command execution on vulnerable targets (default: true)
### Examples
```bash
# Basic scan with default settings
./scanner -file weblogic_ports.gnmap
# High-throughput scan with 100 workers
./scanner -file weblogic_ports.gnmap -workers 100
# JSON output for automation
./scanner -file weblogic_ports.gnmap -json > results.json
# Skip SSL verification for lab environments
./scanner -file weblogic_ports.gnmap -insecure
# Execute specific command on vulnerable targets
./scanner -file weblogic_ports.gnmap -command "uname -a" -exploit
# Windows command format
./scanner -file weblogic_ports.gnmap -command "cmd:whoami" -exploit
# Disable exploitation (scan only)
./scanner -file weblogic_ports.gnmap -exploit=false
```
## GNMAP File Format
The scanner expects Masscan gnmap output format:
```
Host: () Ports: /open/tcp////
```
Multiple ports per host are supported (comma-separated).
## Output
### Text Mode (default)
- Summary statistics (total, vulnerable, errors, duration)
- Vulnerable targets with findings
- Error details
### JSON Mode (`-json`)
Structured JSON output with:
- Summary statistics
- Complete results array with findings per target
## Vulnerability Detection
The scanner identifies vulnerable targets by:
1. **CRITICAL Findings**: Injected headers reflected in response
2. **SUSPICIOUS Findings**: Oracle/WebLogic indicators in responses
3. **Response Analysis**: Unusual status codes, error messages, content hashing
## Performance
- **Complexity**: O(n) where n = number of targets
- **Concurrency**: Configurable worker pool (default 50 workers)
- **Network**: Connection pooling and reuse for efficiency
- **Timeouts**: Per-request timeout prevents hanging
## Security Notes
- **Authorized Use Only**: For authorized security research and testing
- **SSL Verification**: Use `-insecure` only in isolated lab environments
- **Rate Limiting**: Consider network capacity when setting worker count
## Architecture
- **cmd/scanner/main.go**: CLI interface and orchestration
- **internal/parser/**: GNMAP file parsing
- **internal/types/**: Data structures (Target, Result, Finding, ScanStats)
- **internal/exploit/**: Payload generation and exploit logic
- **internal/client/**: HTTP client wrapper with TLS configuration
- **internal/scanner/**: Worker pool and concurrent scanning logic
## Error Handling
- Network errors โ marked as error, scan continues
- Timeouts โ marked as timeout, scan continues
- Invalid targets โ skipped with warning
- Panic recovery โ logged, scan continues
## License
This tool is for authorized security research and testing only. Use responsibly and in compliance with all applicable laws and policies.