Manually Exploiting an unprotected JBoss jmx-console

JBoss is a widely used application server for deploying web applications written in Java. Left in its default state, it may allow an attacker to take complete control of the server.

Such vulnerable websites can easily be found with a simple Google dork, for example:

intitle:"JBoss Management Console - Server Information" "application server" inurl:"web-console" OR inurl:"jmx-console"

or

intitle:"JBoss JMX Management Console" inurl:"jmx-console"

Now I will explain in detail how to exploit the unprotected JBoss jmx-console vulnerability.


Please note: this is for educational purposes only, and we do not encourage trying this attack on real/production websites.


  • Visit the affected URL, which will look something like "http://example.com/jmx-console/" (found using the Google dork above).

  • Search for "service=DeploymentFileRepository" in the jmx-console page and open it.

  • Scroll down to the 'void store()' operation.

  • Enter a command shell program by filling in all the parameters of the void store() operation as shown in the figure and click the Invoke button. The JSP command shell is shown in the figure.


After invoking the void store() operation the shell is uploaded to the server and can be accessed at the following link:

http://example.com/Command/CommandShell.jsp

Using this you can execute any CLI (command-line interface) command of your choice, such as shutting down the server. I have used a simple shell for demonstration purposes, but shells with higher privileges can be uploaded, which may lead to destructive scenarios and give complete control of the server.
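As an added example (not part of the original post), the following Python script shows how a defender would spot this exact sequence in web-server access logs: the console being browsed, the DeploymentFileRepository MBean being inspected, store() being invoked, and a JSP then being fetched by the same client. The request shape it matches (a request to /jmx-console/HtmlAdaptor carrying action, name and methodName parameters) is the HtmlAdaptor invocation form described in the referenced RedTeam Pentesting paper; the /web-console prefix is included because the dork above also matches it. The log lines are constructed sample data in Combined Log Format, not real traffic.

```python
"""Flag abuse of an unprotected JBoss jmx-console in access logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /jmx-console/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.admin%3Aservice%3DDeploymentFileRepository HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store HTTP/1.1" 200 1270 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:09 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1270 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:15 +0000] "GET /Command/CommandShell.jsp?cmd=id HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.88"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Both management applications ship with JBoss AS and are matched by the dorks above.
CONSOLE_PREFIXES = ("/jmx-console", "/web-console")


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    parts = urlsplit(ev["target"])
    ev["path"] = parts.path
    # parse_qs percent-decodes values, so %3A and %3D become ':' and '='.
    ev["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return ev


def classify(ev):
    """Label one request that touches a management console, or return None."""
    if not ev["path"].startswith(CONSOLE_PREFIXES):
        return None
    q = ev["query"]
    name = q.get("name", "")
    if (q.get("action") == "invokeOp"
            and "DeploymentFileRepository" in name
            and q.get("methodName") == "store"):
        return "DeploymentFileRepository.store() invoked"
    if "DeploymentFileRepository" in name:
        return "DeploymentFileRepository MBean inspected"
    if ev["method"] == "POST" and ev["path"].endswith("/HtmlAdaptor"):
        # A form-submitted invocation carries MBean name and operation in the
        # request body, which the access log does not record: flag the POST itself.
        return "MBean operation submitted via POST (parameters not logged)"
    return "management console accessed"


def scan(log_text):
    """Return (ip, timestamp, label) findings for the whole log text."""
    findings = []
    suspects = set()  # clients that invoked store() or POSTed to HtmlAdaptor
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        label = classify(ev)
        if label is not None:
            findings.append((ev["ip"], ev["ts"], label))
            if "store()" in label or "POST" in label:
                suspects.add(ev["ip"])
        elif ev["ip"] in suspects and ev["path"].endswith(".jsp") and ev["status"] == "200":
            # A JSP served to the same client right after a deployment call is
            # the uploaded page being used.
            findings.append((ev["ip"], ev["ts"], "JSP fetched after deploy: " + ev["path"]))
    return findings


if __name__ == "__main__":
    for ip, ts, label in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {label}")
```

Run it as a script to print the findings, or call scan() on a real log. The caveat in classify() matters in practice: when the store form is submitted as a POST, the MBean name and operation travel in the request body and never reach the access log, so any POST to HtmlAdaptor on a console that should not be reachable from the internet at all deserves a look. Log review is only a detective control; the actual fix is to restrict access to, or remove, the jmx-console and web-console applications.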

You can find these kinds of shells via Google itself.

However, you can download a few of the shells from the link below:
Link to Download Shell

Reference:

https://www.redteam-pentesting.de/publications/2010-06-15-JBoss-AS-Deploying-WARs-with-the-DeploymentFileRepository-MBean.pdf

Suggestions are always welcome; you can also comment your views on this. Thanks for your time.