http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-3-jbosstomcat-server.html
Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.
The slides were published here and the video from hashdays is here; there is no video for BSides ATL.
I consistently violate presentation zen, and I try to make my slides usable after the talk, but I decided to do a few blog posts covering the topics I put in the talk anyway.
Post [3] JBoss/Tomcat server-status
There have been some posts/exploits/modules on hitting up unprotected jboss and tomcat servers.
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
http://carnal0wnage.attackresearch.com/2009/11/hacking-unprotected-jboss-jmx-console.html
http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
http://goohackle.com/jboss-security-vulnerability-jmx-management-console/
http://www.metasploit.com/modules/exploit/multi/http/jboss_maindeployer
http://www.metasploit.com/modules/exploit/multi/http/tomcat_mgr_deploy
Sometimes, even though the deployer functionality is password protected, the server-status page may not be:
/web-console/status?full=true
/manager/status/all
LOW?
This can be useful to find:
- Lists of applications
- Recent URLs accessed
  - sometimes with session IDs
- Hidden services/apps
- Enabled servlets
- owned stuff :-)
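As an added example that is not part of the original post: a small check a defender can run over Tomcat access logs (default "common" pattern) to find requests to the two status paths above that were served with a 200 and no container-authenticated user, which is exactly the exposure described. The log lines are constructed for illustration.

```python
import re
from collections import Counter

# Status paths the post names as often left open even when the deployer is locked down.
STATUS_PATHS = ("/manager/status", "/web-console/status")

# Tomcat "common" access log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample: one unauthenticated pull of each status page, one authenticated
# pull, one 401 after the page was locked down, and unrelated traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2012:10:15:32 +0000] "GET /manager/status/all HTTP/1.1" 200 18342
10.0.0.5 - - [12/Apr/2012:10:15:40 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.20 - admin [12/Apr/2012:10:16:01 +0000] "GET /manager/status HTTP/1.1" 200 9120
10.0.0.9 - - [12/Apr/2012:10:17:05 +0000] "GET /web-console/status?full=true HTTP/1.1" 200 40211
10.0.0.9 - - [12/Apr/2012:10:17:06 +0000] "GET /web-console/status?full=true HTTP/1.1" 401 1200
10.0.0.5 - - [12/Apr/2012:10:18:00 +0000] "GET /index.html HTTP/1.1" 200 512
""".splitlines()

def parse_line(line):
    """Parse one common-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_status_request(path):
    """True if the request path (query string ignored) is one of the status pages."""
    base = path.split("?", 1)[0]
    return any(base == p or base.startswith(p + "/") for p in STATUS_PATHS)

def find_unauthenticated_status_hits(lines):
    """Return records for status-page requests that got a 200 with no authenticated user.
    A '-' in the %u field means the container itself did not authenticate the request;
    if auth is enforced by a front proxy instead, these would be false positives."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_status_request(rec["path"]):
            continue
        if rec["status"] == "200" and rec["user"] == "-":
            hits.append(rec)
    return hits

def hits_by_host(hits):
    """Count flagged requests per client host, to see who has already pulled the page."""
    return Counter(h["host"] for h in hits)

if __name__ == "__main__":
    for h in find_unauthenticated_status_hits(SAMPLE_LOG):
        print(f'{h["host"]} {h["time"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

A 401 or 403 on these paths in your own logs means the constraint is in place; a 200 with `-` in the user field is the case the post is about.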