add clarification about c3p0

This commit is contained in:
Pedro Ribeiro
2021-01-28 18:23:20 +07:00
parent c73fa70543
commit 7ea5c3ffce
@@ -15,6 +15,8 @@ Exploiting this vulnerability will result in remote code execution as the root u
Authentication is required, the module user needs to login to the application and obtain the authenticated LWSSO_COOKIE_KEY, which should be fed to the module.
Any authenticated user can exploit this vulnerability, even the lowest privileged ones.
The exploit uses a modified ysoserial c3p0 payload. The only part that is modified is that c3p0 is built using version 0.9.1.2, so that the serialVersionUid of the target is the same as the exploit. This can be achieved by patching ysoserial's pom.xml.
For more information refer to the advisory link:
* https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md
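Review bot: the added paragraph about the modified ysoserial c3p0 payload is still too vague for a reader to reproduce or verify: "patching ysoserial's pom.xml" should name what is changed (the version of the c3p0 dependency in pom.xml, set to 0.9.1.2) and "serialVersionUid" should be spelled serialVersionUID, which is the actual Java field name. It would also help to state how a user can confirm the version match before running the module (for example, by comparing the serialVersionUID of the c3p0 classes shipped with the target against the one in the rebuilt payload), since a mismatch results only in a deserialization failure with no indication of why; a one-line pointer to where the rebuilt payload lives in the module (inline bytes vs. regenerated at run time) would make the "The only part that is modified" claim checkable against the code.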