CVE-2021-35464 PoC — ForgeRock AM 代码问题漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-35464.yaml

Associated Vulnerability

Title:ForgeRock AM 代码问题漏洞 (CVE-2021-35464)
Description:ForgeRock AM是一个开源的访问管理、权限控制平台，在大学、社会组织中存在广泛的应用。 ForgeRock AM存在代码问题漏洞，未经身份验证的攻击者可以通过构造特殊的请求远程执行任意代码，并接管运行ForgeRockAM的服务器。

Description

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages.
The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted
/ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO)
found in versions of Java 8 or earlier.

File Snapshot


 id: CVE-2021-35464

info:
  name: ForgeRock OpenAM <7.0 - Remote Code Execution
  author: madrobot
 

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!