关联漏洞
描述
JBoss CVE-2017-12149 (Insecure Deserialization - RCE) Exploitation Lab.
介绍
# JBoss Insecure Deserialization to RCE via CVE-2017-12149.
### JBoss Insecure Deserialization - RCE Exploitation Lab.
The idea here is to setup a lab with an old JBoss version (<7.0) in order to exploit the vulnerability.
We can use Docker to facilitate all the process. For this, we're gonna need an Oracle JDK rpm package, that's because JBoss 6.0.0 final works with a JDK 6 runtime. We're also gonna need the Dockerfile present in the repository, and obviously Docker installed on the system. Just make sure to have all files in the same directory.
1. Clone this repository with `git clone https://github.com/Xcatolin/jboss-deserialization`
2. Download the [jdk-6u45-linux-x64-rpm.bin](https://www.oracle.com/java/technologies/javase-java-archive-javase6-downloads.html#jdk-6u45-oth-JPR) package and move it into the same directory as the Dockerfile (you can use an temporary e-mail address to register)
3. Build the image with `docker build -t ovanekem/docker-jboss-6.0.0.final .
`
4. Run the image with `docker run -it -p 8080:8080 ovanekem/docker-jboss-6.0.0.final
`
5. Click [here](http://localhost:8080) to validate if it worked, you should see the JBoss main page
## Reference and All Credits to
* [ovanekem/docker-jboss-6.0.0.final](https://github.com/ovanekem/docker-jboss-6.0.0.final)
文件快照
[4.0K] /data/pocs/b10c6d6b595e485e158786a6edb6fddfdb98e39a
├── [1.8K] Dockerfile
└── [1.3K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。