Share
## https://sploitus.com/exploit?id=0B1BDC40-069F-50E3-B974-77679CB4F5BA
# CVE-2026-21962 Concurrent WebLogic Scanner/Exploiter

High-performance Go application for scanning and exploiting CVE-2026-21962 (Oracle WebLogic Proxy Plug-in vulnerability) across multiple targets concurrently.

## Features

- **Concurrent Processing**: Worker pool pattern for high-throughput scanning
- **GNMAP Parser**: Parses Masscan gnmap output files
- **Multi-phase Exploitation**: 
  - Phase 1: Probe for vulnerable ProxyServlet endpoints
  - Phase 2: Send malicious headers with Base64 payloads
  - Phase 3: Analyze responses for vulnerability indicators
- **Structured Output**: JSON or human-readable text format
- **Progress Reporting**: Real-time progress updates
- **Graceful Shutdown**: Handles interrupts cleanly

## Project Structure

```
cve-2026-oracle/
โ”œโ”€โ”€ cmd/
โ”‚   โ””โ”€โ”€ scanner/
โ”‚       โ””โ”€โ”€ main.go          # CLI entry point
โ”œโ”€โ”€ internal/
โ”‚   โ”œโ”€โ”€ scanner/             # Scanning logic and worker pool
โ”‚   โ”œโ”€โ”€ exploit/             # Payload generation and exploit execution
โ”‚   โ”œโ”€โ”€ parser/              # GNMAP file parsing
โ”‚   โ”œโ”€โ”€ client/              # HTTP client wrapper
โ”‚   โ””โ”€โ”€ types/               # Shared data structures
โ”œโ”€โ”€ go.mod                   # Go module definition
โ””โ”€โ”€ README.md               # This file
```

## Build

### Using Make (Recommended)

```bash
# Build the scanner binary
make build

# Build optimized release binary
make build-release

# Build for all platforms (Linux, Windows, macOS)
make build-all

# Run development workflow (fmt, vet, test, build)
make dev

# See all available targets
make help
```

### Using Go directly

```bash
# Build the scanner binary
go build -o scanner ./cmd/scanner

# Or install globally
go install ./cmd/scanner@latest
```

## Usage

```bash
./scanner -file weblogic_ports.gnmap [options]
```

### Options

- `-file `: Path to Masscan gnmap file (required)
- `-workers `: Number of concurrent workers (default: 50, max: 500)
- `-timeout `: Request timeout in seconds (default: 15)
- `-insecure`: Skip SSL certificate verification
- `-json`: Output results in JSON format
- `-command `: Command to execute on vulnerable targets (default: "id")
- `-exploit`: Attempt actual command execution on vulnerable targets (default: true)

### Examples

```bash
# Basic scan with default settings
./scanner -file weblogic_ports.gnmap

# High-throughput scan with 100 workers
./scanner -file weblogic_ports.gnmap -workers 100

# JSON output for automation
./scanner -file weblogic_ports.gnmap -json > results.json

# Skip SSL verification for lab environments
./scanner -file weblogic_ports.gnmap -insecure

# Execute specific command on vulnerable targets
./scanner -file weblogic_ports.gnmap -command "uname -a" -exploit

# Windows command format
./scanner -file weblogic_ports.gnmap -command "cmd:whoami" -exploit

# Disable exploitation (scan only)
./scanner -file weblogic_ports.gnmap -exploit=false
```

## GNMAP File Format

The scanner expects Masscan gnmap output format:
```
Host:  ()	Ports: /open/tcp////
```

Multiple ports per host are supported (comma-separated).

## Output

### Text Mode (default)

- Summary statistics (total, vulnerable, errors, duration)
- Vulnerable targets with findings
- Error details

### JSON Mode (`-json`)

Structured JSON output with:
- Summary statistics
- Complete results array with findings per target

## Vulnerability Detection

The scanner identifies vulnerable targets by:

1. **CRITICAL Findings**: Injected headers reflected in response
2. **SUSPICIOUS Findings**: Oracle/WebLogic indicators in responses
3. **Response Analysis**: Unusual status codes, error messages, content hashing

## Performance

- **Complexity**: O(n) where n = number of targets
- **Concurrency**: Configurable worker pool (default 50 workers)
- **Network**: Connection pooling and reuse for efficiency
- **Timeouts**: Per-request timeout prevents hanging

## Security Notes

- **Authorized Use Only**: For authorized security research and testing
- **SSL Verification**: Use `-insecure` only in isolated lab environments
- **Rate Limiting**: Consider network capacity when setting worker count

## Architecture

- **cmd/scanner/main.go**: CLI interface and orchestration
- **internal/parser/**: GNMAP file parsing
- **internal/types/**: Data structures (Target, Result, Finding, ScanStats)
- **internal/exploit/**: Payload generation and exploit logic
- **internal/client/**: HTTP client wrapper with TLS configuration
- **internal/scanner/**: Worker pool and concurrent scanning logic

## Error Handling

- Network errors โ†’ marked as error, scan continues
- Timeouts โ†’ marked as timeout, scan continues
- Invalid targets โ†’ skipped with warning
- Panic recovery โ†’ logged, scan continues

## License

This tool is for authorized security research and testing only. Use responsibly and in compliance with all applicable laws and policies.