CVE-2017-12149
/invoker/JMXInvokerServlet deserialization
In JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization and thus allows an attacker to execute arbitrary code via crafted serialized data.
Environment setup:
Download of an affected version:
https://download.jboss.org/jbossas/6.1/jboss-as-distribution-6.1.0.Final.zip
Enter the \jboss-6.1.0.Final\bin directory:
By default it binds to 127.0.0.1; to make it reachable from the LAN, run
.\run.bat -b 0.0.0.0
If you run into this problem:
org.apache.jasper.JasperException: Unable to compile class for JSP:
An error occurred at line: 1 in the generated java file
The type java.io.ObjectInputStream cannot be resolved. It is indirectly referenced from required .class files
this indicates a JDK version problem:
Send a POST request directly to the /invoker/JMXInvokerServlet endpoint;
it looks like this:
Using the Java Deserialization Scanner plugin, send the request over,
then set the insertion point, then attack:
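From the defender's side, the traffic produced by the steps above has a simple fingerprint: a request to the HTTP invoker path whose body begins with the Java serialization stream header (STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005). The following Python helper is an added example, not code from the original write-up or from JBoss; it scans a list of constructed request records and flags accesses to /invoker/JMXInvokerServlet, grading them by whether a serialized object stream was actually posted. The request records, IP addresses and the serialized-stream prefix are constructed for illustration; the endpoint path comes from the write-up and the magic bytes are those of java.io.ObjectOutputStream.

```python
"""Flag HTTP requests that post a Java serialized object stream to the JBoss
HTTP invoker endpoint (CVE-2017-12149 style traffic).

Added example; not part of the original write-up. Sample requests below are
constructed; the path and the serialization magic bytes are real.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Every stream written by java.io.ObjectOutputStream starts with
# STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Endpoint named in the write-up. Extend this tuple if your deployment
# exposes other invoker servlets under /invoker/.
INVOKER_PATHS = ("/invoker/JMXInvokerServlet",)


@dataclass
class HttpRequest:
    src_ip: str
    method: str
    target: str          # request-target as seen on the wire (query string / URL-encoding allowed)
    content_type: str
    body: bytes


@dataclass
class Finding:
    src_ip: str
    path: str
    severity: str
    reason: str


def normalise_path(target: str) -> str:
    """Drop the query string and percent-decode, so that
    '/invoker/%4AMXInvokerServlet?x=1' compares equal to '/invoker/JMXInvokerServlet'."""
    return unquote(urlsplit(target).path)


def inspect(req: HttpRequest) -> Optional[Finding]:
    """Return a Finding for any access to the invoker endpoint, graded by what was sent."""
    path = normalise_path(req.target)
    if path not in INVOKER_PATHS:
        return None
    # The body, not the Content-Type header, decides: a client can label a
    # serialized stream as anything it likes.
    if req.body.startswith(JAVA_SERIAL_MAGIC):
        return Finding(req.src_ip, path, "high",
                       "Java serialized object stream posted to HTTP invoker")
    if req.method.upper() == "POST":
        return Finding(req.src_ip, path, "medium",
                       "POST to HTTP invoker without a serialized-object body (probe?)")
    return Finding(req.src_ip, path, "low", "non-POST access to HTTP invoker endpoint")


def scan(requests: List[HttpRequest]) -> List[Finding]:
    """Run inspect() over a batch of requests and keep the hits."""
    return [f for f in (inspect(r) for r in requests) if f is not None]


# Constructed sample traffic: one benign request, one serialized-object POST,
# one URL-encoded probe with a form body, and one plain GET of the endpoint.
SAMPLE_REQUESTS = [
    HttpRequest("10.0.0.5", "GET", "/index.html", "", b""),
    HttpRequest("10.0.0.9", "POST", "/invoker/JMXInvokerServlet",
                "application/x-java-serialized-object",
                JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap"),   # constructed stream prefix
    HttpRequest("10.0.0.9", "POST", "/invoker/%4AMXInvokerServlet?x=1",
                "application/x-www-form-urlencoded", b"a=b"),
    HttpRequest("10.0.0.7", "GET", "/invoker/JMXInvokerServlet", "", b""),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"[{f.severity}] {f.src_ip} {f.path}: {f.reason}")
```

Legitimate invoker clients also post serialized objects, so the "high" grade is only a clean signal on hosts where the HTTP invoker is not meant to be used at all; on those hosts removing or access-restricting the invoker closes the path that this check watches, and on hosts that must keep it the finding should be correlated with the source address rather than treated as proof of exploitation.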