JBoss remote code execution vulnerability - vulnerability warning - the black bar safety net (myhack58)

ID MYHACK58:62201025877
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-01-10T00:00:00


Author: safe3

In its default configuration JBoss ships with an unauthenticated management console, and that is where this vulnerability lives: the addURL() operation of the DeploymentScanner MBean in the jboss.deployment namespace. Given a URL, the operation downloads a WAR archive from that location and deploys it, so anyone who can reach the console can deploy arbitrary code.

Visit the management console at http://www.safe3.com.cn:8080/jmx-console/ (the author's own test host), as shown in the figure below.


Scroll down to the jboss.deployment section, as shown below.


Click the flavor=URL,type=DeploymentScanner entry to open the MBean view.


In the addURL() input box, enter the URL of a WAR archive containing the webshell, as shown in the figure.

Click Invoke to execute the operation; the WAR is deployed and the JSP webshell becomes reachable, as shown in the figure below.


Temporary fix: require a password to access the jmx-console.

  1. In ${jboss.server.home.dir}/deploy, locate the jmx-console.war directory and edit WEB-INF/web.xml: remove the comment markers around the security-constraint block so that it takes effect.

  2. Edit WEB-INF/classes/jmx-console-users.properties (or server/default/conf/props/jmx-console-users.properties for version >= 4.0.2) and WEB-INF/classes/jmx-console-roles.properties (or server/default/conf/props/jmx-console-roles.properties for version >= 4.0.2) to add a user name and password.

  3. Edit WEB-INF/jboss-web.xml and remove the comment markers around the security-domain block; the security-domain value maps to the file login-config.xml, which defines the login authorization.