Results 1 to 9 of 9

Thread: JBoss Default Authentication Share/Save - My123World.Com!

  1. #1

    Lightbulb JBoss Default Authentication

    I was working on one application and found an interesting Google query while looking for exploitation technique, may be this is not new for you.
    The default configuration of JBoss does not restrict access to the console and web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.

    There you get thousand results..Click on any of the links
    and you will gain access to the backend application

  2. #2
    Awesome find bro
    The three great essentials to achieve anything worth while are: Hard work, Stick-to-itiveness, and Common sense. - Thomas A. Edison
    __________________________________________________ _____________________

  3. #3
    great research bro

  4. #4
    Similarly this will also help:


  5. #5
    JBOSS also has persistent XSS
    For examples check the following:

  6. #6
    another APache TOMCAT Dork
    Vinnu Bro where you added the redirect string :?

  7. #7
    Well i did it because few months back airtel said that its webportals are unhackable, it was an open challenge for all hackers.

    A jsp shell can be easily loaded on it.

    At the same place where we can specify the url for jsp war application we can also inject scripts into it.

    U can do it in addURL() text box. The JBOSS has persistent XSS.


  8. #8
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Blog Entries
    Similarly you could use shodan also as jboss installed servers response witt "jboss" string .
    Hacking Is a Matter of Time Knowledge and Patience

  9. #9
    InfoSec Consultant the_empty's Avatar
    Join Date
    Jul 2010
    the blue no-where
    Blog Entries
    as I recall, there was an auth bypass vulnerability as well where-in attacker could user "PUT" instead of "GET" and get access.

    also there is a paper which provides a good insight on how that can be exploited further. thanks to FB1 (for old times sake, I hope it reminds him of something)...


Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts