CVE-2018-1306 PoC — Apache Pluto 信息泄露漏洞

Source

https://github.com/JJSO12/Apache-Pluto-3.0.0--CVE-2018-1306

Associated Vulnerability

Title:Apache Pluto 信息泄露漏洞 (CVE-2018-1306)
Description:Apache Pluto是美国阿帕奇（Apache）软件基金会的一套Portlet容器的运行时环境。 Apache Pluto 3.0.0版本中的PortletV3AnnotatedDemo Multipart Portlet war文件代码存在安全漏洞，该漏洞源于在上传文件时程序没有限制提交的路径信息。远程攻击者可利用该漏洞获取配置数据和其他敏感信息。

Readme

# CVE-2018-1306

Apache Pluto 3.0.0 issue in the authorisation logic which lets attacker upload malicious files by tampering HTTP methods.

Script written in python3.

Usage: python3 ./plutorce.py http://192.168.0.1/ webshell.jsp

File Snapshot


 [4.0K]  /data/pocs/7df3ec7f8801a93a4f351fe621db2295d68c4b3a
├── [ 613]  plutorce.py
├── [ 230]  README.md
└── [ 581]  webshell.jsp

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!