增加JBoss EAP/AS <= 6.X探测
JKme committed Apr 28, 2022
1 parent e067a49 commit 874e4a5
Showing 4 changed files with 57 additions and 2 deletions.
7 changes: 6 additions & 1 deletion README.md
@@ -1,6 +1,10 @@
## 声明
>特别声明:此工具仅限于安全研究,禁止使用该项目进行违法操作,否则自行承担相关责任
## 问题反馈

![cai.jpeg](./image/cai.jpeg)

## 特点
- 方便二次开发,快速增加插件
- 支持输出结果到excel文档
Expand Down Expand Up @@ -72,7 +76,7 @@ cube probe -x oxid,ms17010 -s 192.168.2.1/24
```

#### 支持的探测插件
| FUNC | PORT | LOAD BY X |
| FUNC | PORT | LOAD BY X |
|-----------|-------|-----------|
| docker | 2375 | Y |
| dubbo | 20880 | Y |
Expand All @@ -89,6 +93,7 @@ cube probe -x oxid,ms17010 -s 192.168.2.1/24
| winrm | 5985 | N |
| wmi | 135 | N |
| zookeeper | 2181 | Y |
| jboss | 3873 | Y |

* `smb/wmi/winrm/mssql`是利用NTLM认证过程获取[Windows版本系统信息](https://jkme.github.io/2021/08/06/windows-ntlm-smb-scan.html)
* 使用`ping/netbios`的时候,最好单独使用获取更准确的结果,线程数量建议为10
2 changes: 1 addition & 1 deletion config/config.go
Expand Up @@ -11,6 +11,6 @@ const (

var CrackX = []string{"elastic", "ftp", "mongo", "mssql", "mysql", "postgres", "smb", "ssh", "redis", "oracle"}

var ProbeX = []string{"docker", "rmi", "oxid", "ms17010", "smb", "zookeeper", "dubbo", "etcd", "k8s", "smbghost"}
var ProbeX = []string{"docker", "rmi", "oxid", "ms17010", "smb", "zookeeper", "dubbo", "etcd", "k8s", "smbghost", "jboss"}

var PASSWORDS = []string{" ", "123456", "admin", "admin123", "root", "5201314", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "1234qwer!@#$", "1qaz@WSX1qaz", "QAZwsxEDC", "{user}", "{user}1", "{user}12", "{user}111", "{user}123", "{user}1234", "{user}12345", "{user}123456", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "1QAZ2wsx", "1q2w3e4r", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "123456a", "123456aa", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system"}
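Review bot: Adding `"jboss"` to ProbeX here is one of three hand-maintained registrations for the new probe in this commit — this list, the `AddProbeKeys("jboss")` call in the `init()` of core/probemodule/jboss.go, and the new `case "jboss":` in `NewIProbe` in core/probemodule/probe_interface.go — and nothing ties the three string literals together, so a mismatch in any one of them would presumably drop the probe from `-x` selection or from construction without any error. If a single registry is not on the table, a comment on this line would at least point the next contributor at the other two sites, e.g. `// keep in sync with AddProbeKeys in core/probemodule/<probe>.go and the switch in NewIProbe`. The `const (` block this hunk starts in begins above the hunk.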
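--- /dev/null
+++ b/core/probemodule/jboss.go
@@ -0,0 +1,48 @@
+package probemodule
+
+import (
+"cube/config"
+"cube/pkg"
+"encoding/hex"
+"fmt"
+"net"
+)
+
+type JBoss struct {
+*Probe
+}
+
+func (J JBoss) ProbeName() string {
+return "jboss"
+}
+
+func (J JBoss) ProbePort() string {
+return "3873"
+}
+
+func (J JBoss) PortCheck() bool {
+return true
+}
+
+func (J JBoss) ProbeExec() ProbeResult {
+//https://jspin.re/jboss-eap-as-6-rce-a-little-bit-beyond-xac-xed/
+//https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf
+result := ProbeResult{Probe: *J.Probe, Result: "", Err: nil}
+
+host := fmt.Sprintf("%s:%v", J.Ip, J.Port)
+conn, _ := net.DialTimeout("tcp", host, config.TcpConnTimeout)
+//_, err := conn.Write([]byte{0x4a, 0x52, 0x4d, 0x49, 0x00, 0x02, 0x4b})
+//if err != nil {
+// return result
+//}
+r1, _ := pkg.ReadBytes(conn)
+fmt.Printf("Receive: %s\n", hex.EncodeToString(r1[:4]))
+if hex.EncodeToString(r1[:4]) == "aced0005" {
+result.Result = "JBoss EAP/AS <= 6.X"
+}
+return result
+}
+
+func init() {
+AddProbeKeys("jboss")
+}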
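Review bot: ProbeExec slices `r1[:4]` twice without checking `len(r1)`, so any host that accepts the TCP connection and then closes it or answers with fewer than four bytes panics the whole scan instead of yielding an empty result; the dial error on `conn, _ := net.DialTimeout(...)` is also discarded, so a failed dial hands a nil conn to `pkg.ReadBytes`, and the connection is never closed, which leaks one socket per probed host. The rewrite below checks both errors into `result.Err` (the field the struct already carries, assuming the second return of pkg.ReadBytes is an error), defers `conn.Close()`, guards the length before slicing, and drops the `fmt.Printf("Receive: ...")` debug line, which otherwise prints to stdout on every target. Note also that `aced0005` is the generic Java serialization stream header (STREAM_MAGIC 0xACED, version 5), so the match shows a Java-serialized banner rather than JBoss specifically; the commented-out `conn.Write` suggests a request was meant to be sent first, and whether the detection is reliable without it is worth confirming and recording in the comment.
```go
func (J JBoss) ProbeExec() ProbeResult {
	//https://jspin.re/jboss-eap-as-6-rce-a-little-bit-beyond-xac-xed/
	//https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf
	result := ProbeResult{Probe: *J.Probe, Result: "", Err: nil}

	host := fmt.Sprintf("%s:%v", J.Ip, J.Port)
	conn, err := net.DialTimeout("tcp", host, config.TcpConnTimeout)
	if err != nil {
		result.Err = err
		return result
	}
	defer conn.Close()

	r1, err := pkg.ReadBytes(conn)
	if err != nil {
		result.Err = err
		return result
	}
	// Java serialization stream header (0xACED, version 5); a shorter reply cannot match.
	if len(r1) >= 4 && hex.EncodeToString(r1[:4]) == "aced0005" {
		result.Result = "JBoss EAP/AS <= 6.X"
	}
	return result
}
```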
2 changes: 2 additions & 0 deletions core/probemodule/probe_interface.go
Expand Up @@ -57,6 +57,8 @@ func (p *Probe) NewIProbe() IProbe {
return &Etcd{p}
case "k8s":
return &K8s{p}
case "jboss":
return &JBoss{p}
default:
return nil
}
