jsp – Exploit an Oracle WebLogic server but get a 404

I am doing a pentest for a client and, via Qualys, we have discovered a CVE-2018-2894 vulnerability. We are using it now as part of the pentest and try to exploit it. I've followed this proof of concept video that seems pretty simple:


And everything works fine (can change working directory, upload to keystore, etc.), but when I go to the link where the shell is supposed to be (/ ws_utc / css / config / keystore /https://security.stackexchange.com/q/205173_[filename].jsp) he throws a 404.

Go to ws_utc / css / config / keystore is the same, only ws_utc / css seems to not show a 404.

What am I doing wrong?


The home directory was already set to "/ test_apps / config / domains / test / tmp / WSTestPageWorkDir" by the client.

Definition of the basic working directory on


instead of

"servers / AdminServer / tmp / _WL_internal / com.oracle.webservices.wls.ws-testclient-app-wls / 4mcj4y / war / css"

(absolute vs. relative path that is referenced in some other pages) does not actually work, says the directory is not writable

Reset Weblogic Datasource Reset – Stack Overrun

Any changes to the packages and the database procedure require resetting the data source to take effect.

If you change the initial and minimum capacity to 0, do you need to reset the Weblogic data source?

Please share your thoughts.
I want to avoid the reset process in Weblogic and share your views.

java – Weblogic uses Eclipse-Link instead of Hibernate

I'm developing a migration project jboss at Weblogic and my application on jboss perfectly, but in the Weblogic I receive the following error:

Exception [EclipseLink-7298] (Eclipse Persistence Services – 2.5.2.v20140319-9ad6abd): org.eclipse.persistence.exceptions.ValidationException Exception Description: The mapping [xxx] of the built-in identifier class [class br.com.yyy.xyz.pk.rrrPK] is an invalid mapping for this class. An embeddable class used with an integrated ID specification (attribute [pqrsPK] from the source [class br.com.yyy.xyz.model.klm.Pppq]) can only contain basic mappings. Remove the non-basic mapping or modify the embedded ID specification on the source for it to be embedded.

From what I understand, he uses the EclipseLinkbut I use the Hibernate keep the data.
I tried to add weblogic.xml or prefer-application-packages following:

 my subject

Any suggestions or solutions to solve this problem?