漏洞描述
对于任何一个以对象为参数的RMI接口,攻击者可以发一个精心构建的对象,迫使服务器端将这个对象按任何一个存在于classpath中的可序列化类来反序列化。在反序列化的过程中调用系统命令执行的类及对应的方法,达到远程命令执行的效果。
JAVA RMI反序列化远程命令执行漏洞(CVE-2017-3241)
PoC代码
暂无相关漏洞推荐
-
CVE-2017-12149: Java/Jboss Deserialization [RCE] POC
2025-09-01 | Java JbossIn Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was foun... -
javamelody-detect: JavaMelody Monitoring Exposed POC
2025-09-01 | JavaMelodyJavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments.... -
CVE-2013-3827: Javafaces LFI POC
2025-08-01 | JavafacesAn Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.... -
CVE-2017-1000028: GlassFish LFI POC
2025-09-01 | GlassFishGlassFish是一款强健的商业兼容应用服务器,达到产品级质量,可免费用于开发、部署和重新分发。开发者可以免费获得源代码,还可以对代码进行更改。GlassFish漏洞成因:java语义中会把&quo... -
CVE-2017-1000486: Primetek Primefaces 5.x - Remote Code Execution POC
2025-09-01 | Primetek PrimefacesPrimetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution.