first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/jboss/JMXInvokerServlet-deserialization/1.png
+++ b/jboss/JMXInvokerServlet-deserialization/1.png
--- a/jboss/JMXInvokerServlet-deserialization/README.md
+++ b/jboss/JMXInvokerServlet-deserialization/README.md
@@ -0,0 +1,32 @@
+# JBoss JMXInvokerServlet Deserialization Remote Code Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Red Hat JBoss Application Server is a JavaEE-based open source application server.
+
+This is a classic JBoss deserialization vulnerability where JBoss reads user-supplied objects in the `/invoker/JMXInvokerServlet` request, allowing attackers to execute arbitrary code using Gadgets from Apache Commons Collections.
+
+References:
+
+ - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
+ - https://www.seebug.org/vuldb/ssvid-89723
+ - http://www.freebuf.com/sectool/88908.html
+ - https://paper.seebug.org/312/
+
+## Environment Setup
+
+Execute the following command to start JBoss AS 6.1.0:
+
+```
+docker compose up -d
+```
+
+The initial setup will take 1-3 minutes. After initialization is complete, visit `http://your-ip:8080/` to see the JBoss default page.
+
+## Vulnerability Reproduce
+
+When JBoss processes the `/invoker/JMXInvokerServlet` request, it reads the object directly. Therefore, we can simply attach a POC generated by [ysoserial](https://github.com/frohoff/ysoserial) in the POST Body. The entire process is similar to [jboss/CVE-2017-12149](https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149), so I won't repeat it here.
+
+There are many existing exploits available online. For example, you can use [DeserializeExploit.jar](https://download.vulhub.org/download/deserialization/DeserializeExploit.jar) to directly execute commands and upload files:
+
+![](1.png)
--- a/jboss/JMXInvokerServlet-deserialization/README.zh-cn.md
+++ b/jboss/JMXInvokerServlet-deserialization/README.zh-cn.md
@@ -0,0 +1,28 @@
+# JBoss JMXInvokerServlet 反序列化漏洞
+
+Red Hat JBoss Application Server 是一款基于JavaEE的开源应用服务器。这是经典的JBoss反序列化漏洞，JBoss在`/invoker/JMXInvokerServlet`请求中读取了用户传入的对象，然后我们利用Apache Commons Collections中的Gadget执行任意代码。
+
+参考文档：
+
+ - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
+ - https://www.seebug.org/vuldb/ssvid-89723
+ - http://www.freebuf.com/sectool/88908.html
+ - https://paper.seebug.org/312/
+
+## 漏洞环境
+
+执行如下命令启动JBoss AS 6.1.0：
+
+```
+docker compose up -d
+```
+
+首次执行时会有1~3分钟时间初始化，初始化完成后访问`http://your-ip:8080/`即可看到JBoss默认页面。
+
+## 漏洞复现
+
+JBoss在处理`/invoker/JMXInvokerServlet`请求的时候读取了对象，所以我们直接将[ysoserial](https://github.com/frohoff/ysoserial)生成好的POC附在POST Body中发送即可。整个过程可参考[jboss/CVE-2017-12149](https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149)，我就不再赘述。
+
+网上已经有很多EXP了，比如[DeserializeExploit.jar](https://download.vulhub.org/download/deserialization/DeserializeExploit.jar)，直接用该工具执行命令、上传文件即可：
+
+![](1.png)
--- a/jboss/JMXInvokerServlet-deserialization/docker-compose.yml
+++ b/jboss/JMXInvokerServlet-deserialization/docker-compose.yml
@@ -0,0 +1,6 @@
+services:
+  jboss:
+    image: vulhub/jboss:as-6.1.0
+    ports:
+      - "9990:9990"
+      - "8080:8080"