joaomatosf / jexboss

JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool

your backdoor? #5

Closed Xyntax closed 8 years ago

Xyntax commented 8 years ago

http://webshell.jexboss.net/

joaomatosf commented 8 years ago

Hello Friend, this is the JSP shell that is deployed within the JBoss server successfully exploited via JexBoss, and the http://webshell.jexboss.net/ address must be the official tool site (at the time, I'm just migrating the releases notes file for he). Currently there are 5 different exploits that help improve the effectiveness of JexBoss. They deploy the SAME JSP code within the vulnerable server (if you have permission). As you can see, the code is available both within the python script and hosted on http://joaomatosf.com/rnp/jexws.war. In the specific case of your figure, the code is using URL encoding, otherwise the exploit does not work. In the exploit for vector "invoker", in turn, the same code is in hexadecimal, why it is a holding which sends binary payload. If you download the http://joaomatosf.com/rnp/jexws.war file and unpack with unzip, inside is the same JSP shell that appears in his image, but without using URL encoding.

Addresses "http://webshell.jexboss.net" and "http://webshell.jexboss.com" will be used to host the JexBoss webshells and changelog file (instead of the address http://joaomatosf.com/rnp/, which is an old abandoned blog). Currently the JSP shell that JexBoss deploys within your vulnerable server seeks the changelog file hosted on http://webshell.jexboss.net but does not warn the user when updates are available yet (I'm currently implementing it). In future releases, when the JSP shell is accessed, it must inform you whenever there are updates itself, similar to what happens when you run the python script jexboss.py. At the time, it just checks the version control file (changelog) which you can view here: http://webshell.jexboss.net/.

Thank you for your question and I am available for any questions.

Xyntax commented 8 years ago

Thanks for a long reply. I finished reading it and I hold on to my opinion, it's a backdoor to show u those victims' IP

joaomatosf commented 8 years ago

Hello Friend, I understand your opinion. This Webshell update check is important to keep the webshells always up to date and thus avoid problems (eg, blocking by Intrusion Detection Systems IPS, etc.), but I assure you that I do not store access information.

In respect of your opinion, I'll add today an option "--disable-updates" that will instruct the Webshell JSP not to do the checking for updates, okay?

Xyntax commented 8 years ago

Yeah, it's a possible solution. Anyway, thanks a lot for sharing your python code.

ghost commented 8 years ago

Watching from the sidelines......

joaomatosf commented 8 years ago

In a few hours I will be releasing a version with --disable-check-updates option, among others that follow below:

    optional arguments:
      -h, --help            show this help message and exit
      --version             show program's version number and exit
      --auto-exploit, -A    Send exploit code automatically (USE ONLY IF YOU HAVE PERMISSION!!!)
      --disable-check-updates, -D
                            Disable the check for updates performed by JSP Webshell at: http://webshell.jexboss.net/jsp_version.txt
      -mode {auto-scan,file-scan,standalone}
                            Operation mode

    Standalone mode:
      -host HOST            Host address to be checked

    Auto scan mode:
      -network NETWORK      Network to be checked in CIDR format (eg. 10.0.0.0/8)
      -ports PORTS          List of ports separated by commas to be checked for each host (eg. 8080,8443,8888,80,443)
      -results FILENAME     File name to store the auto scan results

    File scan mode:
      -file FILENAME_HOSTS  Filename with host list to be scanned (one host per line)
      -out FILENAME_RESULTS File name to store the file scan results
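Added example, not part of this thread or of JexBoss: because the deployed JSP shell requests the version file described above, outbound requests from a server to the addresses named in this thread are a usable indicator that the shell is present. The sketch below scans egress proxy logs for them; the log format, the sample lines and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts named in this thread as update-check / hosting addresses for the JSP webshell.
WEBSHELL_HOSTS = {"webshell.jexboss.net", "webshell.jexboss.com"}
# Older hosting location named in the thread (host, path prefix).
LEGACY = ("joaomatosf.com", "/rnp/")

# Constructed sample, assumed format: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2016-05-02T10:01:07Z 10.0.5.21 GET http://webshell.jexboss.net/jsp_version.txt 200
2016-05-02T10:01:09Z 10.0.7.14 GET http://example.org/index.html 200
2016-05-02T10:03:30Z 10.0.5.21 GET http://WEBSHELL.JEXBOSS.NET:80/jsp_version.txt 200
2016-05-02T10:04:00Z 10.0.9.3 GET http://joaomatosf.com/rnp/jexws.war 200
2016-05-02T10:05:12Z 10.0.7.14 GET http://webshell.jexboss.net.example.org/jsp_version.txt 404
this line is malformed
"""

def is_webshell_callback(url):
    """True if the URL targets one of the addresses named in the thread."""
    parts = urlsplit(url)
    # Exact host match (case-insensitive, port and trailing dot ignored) so that
    # lookalike names such as webshell.jexboss.net.example.org do not match.
    host = (parts.hostname or "").rstrip(".").lower()
    if host in WEBSHELL_HOSTS:
        return True
    return host == LEGACY[0] and parts.path.startswith(LEGACY[1])

def find_callbacks(log_text):
    """Map each client IP to the matching (timestamp, url) requests it made."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed format
        timestamp, client_ip, _method, url, _status = fields
        if is_webshell_callback(url):
            hits[client_ip].append((timestamp, url))
    return dict(hits)

if __name__ == "__main__":
    for ip, requests in sorted(find_callbacks(SAMPLE_LOG).items()):
        print(f"{ip}: {len(requests)} request(s) to JexBoss webshell addresses")
        for timestamp, url in requests:
            print(f"  {timestamp} {url}")
```

A shell deployed with the --disable-check-updates option makes no such request, so an empty result does not show that a server is clean.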

joaomatosf commented 8 years ago

Dear, the version was released. Please report any problems. Thank you