Nothing new, just notes for later; I actually got most of the info from:
http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
http://goohackle.com/jboss-security-vulnerability-jmx-management-console/
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
The PDF (last link) details all the steps to get it done.
Google Dorks
intitle:"jboss management console" "application server" version inurl:"web-console"
intitle:"JBoss Management Console - Server Information" "application server" inurl:"web-console" OR inurl:"jmx-console"
Those searches will lead you to pages like
http://somecrappysite.com/web-console/ServerInfo.jsp
with all kinds of fun information about the server (the original post showed a screenshot of the page here).
switch the URL to
http://somecrappysite.com/jmx-console/
and you'll either be greeted with a password prompt box (good) or the JMX Console page (not good, at least for them).
I tried this a couple of weeks ago using the original PDF during a penetration test. Everything seemed to work fine except the last step: opening the .jsp in the browser, I could not find the full path to the jsp shell.
Indeed, JBoss doesn't have a password on a default installation.
Hi,
This paper is more complete, describes other attack vectors such as RMI:
http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf
RedTeam's info is very good (albeit spotty to those not fluent in German). The /{web|jmx}-console vector can be very potent indeed, but is often quickly discovered by the admin. Also, as for dumping a .jsp up there, keep in mind that JSPs in most cases have to be run-time compiled (a la JIT) into servlets (this is true if you have any inline/nested classes in your JSP), and if the install is an older JBoss install using a JRE (vs. JDK) then there is a very strong chance that you'll get exceptions thrown by the presence of your JSP since the server isn't set up for run-time JSP compilation. I would, instead, pre-compile your JSP into a servlet... much cleaner. It also allows you to mask the footprint of your war a bit more, as you can name the servlet whatever you want vs. having the server create servlet .class files that are named using names from your code.
PS, try a Google query sometime for "MBean Inspector inurl:HtmlAdapter"... very enlightening :>
Even if Protected ;D
Have a look here:
http://blog.mindedsecurity.com/2010/04/good-bye-critical-jboss-0day.html
"I tried this couple of weeks ago using the original PDF during a Penetration Test. Everything seemed to work fine but the last step, opening the .jsp on browser, I could not find the full path to the jsp shell."
- I encountered the same problem. :/
You people need to do ten years in prison.