Oracle WebCenter Sites Multiple Vulnerabilities (April 2017 CPU)
The Oracle WebCenter Sites component of Oracle Fusion Middleware is affected by multiple vulnerabilities. - A remote code execution flaw in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Install Apache Common Collections). An unauthenticated, remote attacker can exploit...
Gadgetinspector - A Byte Code Analyzer For Finding Deserialization Gadget Chains In Java Applications
This project inspects Java libraries and classpaths for gadget chains. Gadget chains are used to construct exploits for deserialization vulnerabilities. By automatically discovering possible gadget chains in an application's classpath, penetration testers can quickly construct exploits and...
Jenkins < 1.642.2 / 1.650 and Jenkins Enterprise < 1.609.16.1 / 1.625.16.1 / 1.642.2.1 Multiple Vulnerabilities
The remote web server hosts a version of Jenkins that is prior to 1.650, or a version of Jenkins LTS prior to 1.642.2; or else a version of Jenkins Enterprise that is 1.642.x.y prior to 1.642.2.1, 1.625.x.y prior to 1.625.16.1, or 1.609.x.y prior to 1.609.16.1. It is, therefore, affected by the...
Analysis of how the common-collections Java deserialization vulnerability leads to RCE - vulnerability warning - 黑吧安全网 (Heibai Security Net)
0x01 The principle behind Java deserialization vulnerabilities is the same as for PHP unserialize: user input can control the object that is passed in. If the server-side program does not validate the serialized data that the user controls but deserializes and uses it directly, and...
Generic remote command execution vulnerabilities in common Java Web containers
Vulnerability overview: The FoxGlove security team (outside China) published an article on how common Java Web containers can be exploited for remote command execution through deserialization operations, and provided corresponding exploitation tools in the article. The Java Web containers covered are WebSphere, JBoss, Jenkins, WebLogic and OpenNMS. Vulnerability demonstration: Using the payload generation tool ysoserial and the PoC provided in the article, serialized objects based on the common-collections library were generated to test JBoss and Jenkins. Successful remote command execution creates a file named isvuln in the /tmp directory on the server. 2.1...