CVE-2017-12149
/invoker/JMXInvokerServlet deserialization
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
Environment setup:
Download the affected version:
https://download.jboss.org/jbossas/6.1/jboss-as-distribution-6.1.0.Final.zip
Go into the \jboss-6.1.0.Final\bin directory:
By default it binds to 127.0.0.1; to make it reachable from the LAN, run:
.\run.bat -b 0.0.0.0
If you run into an error like this:
org.apache.jasper.JasperException: Unable to compile class for JSP:
An error occurred at line: 1 in the generated java file
The type java.io.ObjectInputStream cannot be resolved. It is indirectly referenced from required .class files
it indicates a JDK version problem:
A direct POST request to the /invoker/JMXInvokerServlet endpoint looks like this:
Use the Java Deserialization Scanner plugin and send the request to it,
then set the insertion point and attack:
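From the defender's side, the request shape described above is easy to spot: a POST to /invoker/JMXInvokerServlet whose body starts with the Java serialization stream header (STREAM_MAGIC 0xACED, STREAM_VERSION 5). The following is an added example, not code from the original note, that classifies captured requests using that pattern; it generalizes slightly by matching any path under /invoker/ (the same http-invoker deployment serves the other invoker servlets), and the HttpRequest type and sample requests are constructed for the demo.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable

# Header of every Java serialization stream: STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Prefix under which the JBoss HTTP invoker servlets (including JMXInvokerServlet) are exposed.
INVOKER_PREFIX = "/invoker/"


@dataclass
class HttpRequest:
    """Minimal request record (hypothetical type for this example)."""
    method: str
    path: str
    body: bytes


def is_java_serialized(body: bytes) -> bool:
    """True if the body begins with a Java serialization stream header."""
    return body[:4] == JAVA_SERIAL_MAGIC


def classify(req: HttpRequest) -> str:
    """Return 'exploit', 'probe' or 'benign' for one request.

    exploit: POST under /invoker/ carrying a Java serialized object (CVE-2017-12149 pattern)
    probe:   any other request under /invoker/ (recon of the invoker servlets)
    benign:  everything else, even if the body happens to be serialized Java
    """
    path = req.path.split("?", 1)[0]          # drop query string before matching
    if not path.startswith(INVOKER_PREFIX):
        return "benign"
    if req.method.upper() == "POST" and is_java_serialized(req.body):
        return "exploit"
    return "probe"


def scan(requests: Iterable[HttpRequest]) -> Dict[str, int]:
    """Count classifications over a batch of requests (e.g. from a WAF tap or a pcap)."""
    return dict(Counter(classify(r) for r in requests))


# Constructed sample traffic: one serialized POST to the invoker, one GET probe, one unrelated request.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/invoker/JMXInvokerServlet", JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x11"),
    HttpRequest("GET", "/invoker/JMXInvokerServlet?x=1", b""),
    HttpRequest("POST", "/index.html", b"user=alice"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{classify(r):8} {r.method} {r.path}")
    print(scan(SAMPLE_REQUESTS))
```

Anything classified as exploit or probe against a JBoss 6.1.0 instance should be treated as a finding; the lasting fix is to remove or access-restrict the http-invoker deployment rather than to rely on this matcher alone.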