From 874e4a5b6fdce3437bda07e4448dd23e86062a5b Mon Sep 17 00:00:00 2001
From: JKme <2935865+JKme@users.noreply.github.com>
Date: Thu, 28 Apr 2022 18:44:53 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0JBoss=20EAP/AS=20<=3D=206.X?= =?UTF-8?q?=E6=8E=A2=E6=B5=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 7 ++++-
 config/config.go | 2 +-
 core/probemodule/jboss.go | 48 +++++++++++++++++++++++++++++
 core/probemodule/probe_interface.go | 2 ++
 4 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 core/probemodule/jboss.go
diff --git a/README.md b/README.md
index 9366845..f1697d4 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,10 @@ ## 声明 >特别声明:此工具仅限于安全研究,禁止使用该项目进行违法操作,否则自行承担相关责任 +## 问题反馈 + +![cai.jpeg](./image/cai.jpeg) + ## 特点 - 方便二次开发,快速增加插件 - 支持输出结果到excel文档
@@ -72,7 +76,7 @@ cube probe -x oxid,ms17010 -s 192.168.2.1/24 ``` #### 支持的探测插件 -| FUNC | PORT | LOAD BY X | +| FUNC | PORT | LOAD BY X | |-----------|-------|-----------| | docker | 2375 | Y | | dubbo | 20880 | Y |
@@ -89,6 +93,7 @@ cube probe -x oxid,ms17010 -s 192.168.2.1/24 | winrm | 5985 | N | | wmi | 135 | N | | zookeeper | 2181 | Y | +| jboss | 3873 | Y | * `smb/wmi/winrm/mssql`是利用NTLM认证过程获取[Windows版本系统信息](https://jkme.github.io/2021/08/06/windows-ntlm-smb-scan.html) * 使用`ping/netbios`的时候,最好单独使用获取更准确的结果,线程数量建议为10
diff --git a/config/config.go b/config/config.go
index 5f1aea5..4e743c9 100644
--- a/config/config.go
+++ b/config/config.go
@@ -11,6 +11,6 @@ const (
 var CrackX = []string{"elastic", "ftp", "mongo", "mssql", "mysql", "postgres", "smb", "ssh", "redis", "oracle"}
-var ProbeX = []string{"docker", "rmi", "oxid", "ms17010", "smb", "zookeeper", "dubbo", "etcd", "k8s", "smbghost"}
+var ProbeX = []string{"docker", "rmi", "oxid", "ms17010", "smb", "zookeeper", "dubbo", "etcd", "k8s", "smbghost", "jboss"}
 var PASSWORDS = []string{" ", "123456", "admin", "admin123", "root", "5201314", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "1234qwer!@#$", "1qaz@WSX1qaz", "QAZwsxEDC", "{user}", "{user}1", "{user}12", "{user}111", "{user}123", "{user}1234", "{user}12345", "{user}123456", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "1QAZ2wsx", "1q2w3e4r", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "123456a", "123456aa", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system"}
diff --git a/core/probemodule/jboss.go b/core/probemodule/jboss.go
new file mode 100644
index 0000000..cb95c2b
--- /dev/null
+++ b/core/probemodule/jboss.go
@@ -0,0 +1,48 @@
+package probemodule
+
+import (
+ "cube/config"
+ "cube/pkg"
+ "encoding/hex"
+ "fmt"
+ "net"
+)
+
+type JBoss struct {
+ *Probe
+}
+
+func (J JBoss) ProbeName() string {
+ return "jboss"
+}
+
+func (J JBoss) ProbePort() string {
+ return "3873"
+}
+
+func (J JBoss) PortCheck() bool {
+ return true
+}
+
+func (J JBoss) ProbeExec() ProbeResult {
+ //https://jspin.re/jboss-eap-as-6-rce-a-little-bit-beyond-xac-xed/
+ //https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf
+ result := ProbeResult{Probe: *J.Probe, Result: "", Err: nil}
+
+ host := fmt.Sprintf("%s:%v", J.Ip, J.Port)
+ conn, _ := net.DialTimeout("tcp", host, config.TcpConnTimeout)
+ //_, err := conn.Write([]byte{0x4a, 0x52, 0x4d, 0x49, 0x00, 0x02, 0x4b})
+ //if err != nil {
+ // return result
+ //}
+ r1, _ := pkg.ReadBytes(conn)
+ fmt.Printf("Receive: %s\n", hex.EncodeToString(r1[:4]))
+ if hex.EncodeToString(r1[:4]) == "aced0005" {
+ result.Result = "JBoss EAP/AS <= 6.X"
+ }
+ return result
+}
+
+func init() {
+ AddProbeKeys("jboss")
+}
diff --git a/core/probemodule/probe_interface.go b/core/probemodule/probe_interface.go
index 606b54b..84e856f 100644
--- a/core/probemodule/probe_interface.go
+++ b/core/probemodule/probe_interface.go
@@ -57,6 +57,8 @@ func (p *Probe) NewIProbe() IProbe {
 return &Etcd{p}
 case "k8s":
 return &K8s{p}
+ case "jboss":
+ return &JBoss{p}
 default:
 return nil
 }
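Review bot: In ProbeExec the errors from `net.DialTimeout` and `pkg.ReadBytes` are discarded, so a refused connection leaves `conn` nil and any response shorter than four bytes makes `r1[:4]` panic with an out-of-range slice, aborting the whole scan instead of reporting one host; the connection is also never closed. The `fmt.Printf("Receive: ...")` line looks like leftover debugging and writes to stdout for every host scanned; drop it or route it through the project's logger. Because the write is commented out the probe relies on the server speaking first, so if `pkg.ReadBytes` applies no deadline of its own a listener that accepts and stays silent will block the worker; `conn.SetReadDeadline(time.Now().Add(config.TcpConnTimeout))` before the read (with a `time` import) bounds that. The `aced0005` prefix is the generic Java serialization stream header rather than anything JBoss-specific, so a comment on the check noting the false-positive risk would help; the rewrite below assumes `ProbeResult.Err` and ReadBytes's second return are `error` values, which the `Err: nil` initialiser and the discarded return suggest but the hunk does not show.
```go
func (J JBoss) ProbeExec() ProbeResult {
	// … unchanged: reference comments and result initialisation …
	host := fmt.Sprintf("%s:%v", J.Ip, J.Port)
	conn, err := net.DialTimeout("tcp", host, config.TcpConnTimeout)
	if err != nil {
		result.Err = err
		return result
	}
	defer conn.Close()
	r1, err := pkg.ReadBytes(conn)
	if err != nil {
		result.Err = err
		return result
	}
	// Java serialization stream header (0xACED 0x0005): shared by any service that
	// greets with a serialized object, so this is a hint, not proof of JBoss.
	if len(r1) >= 4 && hex.EncodeToString(r1[:4]) == "aced0005" {
		result.Result = "JBoss EAP/AS <= 6.X"
	}
	return result
}
```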