http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
http://goohackle.com/jboss-security-vulnerability-jmx-management-console/
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
The pdf (last link) actually details all the steps to get it done.
Google Dorks
intitle:”jboss management console” “application server” version inurl:”web-console”
intitle:”JBoss Management Console – Server Information” “application server” inurl:”web-console” OR inurl:”jmx-console”
Those searches will lead you to
http://somecrappysite.com/web-console/ServerInfo.jsp
will all kinds of fun information like below:
switch the URL to
http://somecrappysite.com/jmx-console/
and you'll either be greeted with a password prompt box (good) or the JMX Console page (not good--least for them)
Good
Bad
Very BadFrom there, just add the link to your cmd shell wrapped up in a war file. (check pdf for screenshot)
need to turn your .jsp into a .war?
jar -cf meh.war meh.jsp
From there enjoy access to your jsp shell.
Todo: Kick the shell to an msf instance via the msf jsp reverse shell
need to turn your .jsp into a .war?
jar -cf meh.war meh.jsp
From there enjoy access to your jsp shell.
Todo: Kick the shell to an msf instance via the msf jsp reverse shell
7 comments:
I tried this couple of weeks ago using the original PDF during a Penetration Test. Everything seemed to work fine but the last step, opening the .jsp on browser, I could not find the full path to the jsp shell.
Idd, JBOSS doesn't have password on default installation.
Hi,
This paper is more complete, describes other attack vectors such as RMI:
http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf
RedTeam's info is very good (albeit spotty to those not fluent in German). The /{web|jmx}-console vector can be very potent indeed, but is often quickly discovered by the admin. Also, as for dumping a .jsp up there, keep in mind that JSPs in most cases have to be run-time compiled (ala JIT) into servlets (this is true if you have any inline/nested classes in your JSP), and if the install is an older JBoss install using a JRE (vs JDK) then there is a very strong chance that you'll get exceptions thrown by the presence of your JSP since the server isn't set up for run-time JSP compilation. I would, instead, pre-compile your JSP into a servlet...much cleaner. It also allows you to mask the footprint of your war a bit more as you can name the servlet whatever you want vs. having the server create servlet .class files that are named using names from your code.
PS, Try a google query sometime for "MBean Inspector inurl:HtmlAdapter"...very enlightening :>
Even if Protected ;D
Have a look here:
http://blog.mindedsecurity.com/2010/04/good-bye-critical-jboss-0day.html
"I tried this couple of weeks ago using the original PDF during a Penetration Test. Everything seemed to work fine but the last step, opening the .jsp on browser, I could not find the full path to the jsp shell."
-I encountered the same problem. :/
You people need to do ten years in prison.
Post a Comment