hacktricks/network-services-pentesting/pentesting-web/jboss.md

# JBOSS

{% hint style="success" %}
Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Podržite HackTricks</summary>

* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>
{% endhint %}

<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**Bug bounty savet**: **prijavite se** za **Intigriti**, premium **bug bounty platformu koju su kreirali hakeri, za hakere**! Pridružite nam se na [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) danas, i počnite da zarađujete nagrade do **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

## Tehnike enumeracije i eksploatacije

Kada se procenjuje bezbednost web aplikacija, određene putanje kao što su _/web-console/ServerInfo.jsp_ i _/status?full=true_ su ključne za otkrivanje **informacija o serveru**. Za JBoss servere, putanje kao što su _/admin-console_, _/jmx-console_, _/management_, i _/web-console_ mogu biti presudne. Ove putanje mogu omogućiti pristup **menadžerskim servletima** sa podrazumevanim akreditivima često postavljenim na **admin/admin**. Ovaj pristup olakšava interakciju sa MBeans putem specifičnih servleta:

* Za JBoss verzije 6 i 7, koristi se **/web-console/Invoker**.
* U JBoss 5 i ranijim verzijama, dostupni su **/invoker/JMXInvokerServlet** i **/invoker/EJBInvokerServlet**.

Alati kao što su **clusterd**, dostupni na [https://github.com/hatRiot/clusterd](https://github.com/hatRiot/clusterd), i Metasploit modul `auxiliary/scanner/http/jboss_vulnscan` mogu se koristiti za enumeraciju i potencijalnu eksploataciju ranjivosti u JBOSS servisima.

### Resursi za eksploataciju

Za eksploataciju ranjivosti, resursi kao što su [JexBoss](https://github.com/joaomatosf/jexboss) pružaju vredne alate.

### Pronalaženje ranjivih ciljeva

Google Dorking može pomoći u identifikaciji ranjivih servera sa upitom kao što je: `inurl:status EJInvokerServlet`

<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**Bug bounty savet**: **prijavite se** za **Intigriti**, premium **bug bounty platformu koju su kreirali hakeri, za hakere**! Pridružite nam se na [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) danas, i počnite da zarađujete nagrade do **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

{% hint style="success" %}
Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Podržite HackTricks</summary>

* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>
{% endhint %}
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00			`# JBOSS`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`{% hint style="success" %}`
			`Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`<summary>Podržite HackTricks</summary>`
arte 2023-12-31 01:24:39 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`* Proverite [planove pretplate](https://github.com/sponsors/carlospolop)!`
			`* Pridružite se 💬 [Discord grupi](https://discord.gg/hRep4RUj7f) ili [telegram grupi](https://t.me/peass) ili pratite nas na Twitteru 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Podelite hakerske trikove slanjem PR-ova na [HackTricks](https://github.com/carlospolop/hacktricks) i [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:58:46 +00:00			`<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>`
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`Bug bounty savet: prijavite se za Intigriti, premium bug bounty platformu koju su kreirali hakeri, za hakere! Pridružite nam se na [https://go.intigriti.com/hacktricks](https://go.intigriti.com/hacktricks) danas, i počnite da zarađujete nagrade do $100,000!`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:58:46 +00:00			`{% embed url="https://go.intigriti.com/hacktricks" %}`
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`## Tehnike enumeracije i eksploatacije`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			Kada se procenjuje bezbednost web aplikacija, određene putanje kao što su _/web-console/ServerInfo.jsp_ i _/status?full=true_ su ključne za otkrivanje informacija o serveru. Za JBoss servere, putanje kao što su _/admin-console_, _/jmx-console_, _/management_, i _/web-console_ mogu biti presudne. Ove putanje mogu omogućiti pristup menadžerskim servletima sa podrazumevanim akreditivima često postavljenim na admin/admin. Ovaj pristup olakšava interakciju sa MBeans putem specifičnih servleta:
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:58:46 +00:00			`* Za JBoss verzije 6 i 7, koristi se /web-console/Invoker.`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`* U JBoss 5 i ranijim verzijama, dostupni su /invoker/JMXInvokerServlet i /invoker/EJBInvokerServlet.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			Alati kao što su clusterd, dostupni na [https://github.com/hatRiot/clusterd](https://github.com/hatRiot/clusterd), i Metasploit modul `auxiliary/scanner/http/jboss_vulnscan` mogu se koristiti za enumeraciju i potencijalnu eksploataciju ranjivosti u JBOSS servisima.
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated to Serbian 2024-02-10 13:11:20 +00:00			`### Resursi za eksploataciju`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`Za eksploataciju ranjivosti, resursi kao što su [JexBoss](https://github.com/joaomatosf/jexboss) pružaju vredne alate.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`### Pronalaženje ranjivih ciljeva`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			Google Dorking može pomoći u identifikaciji ranjivih servera sa upitom kao što je: `inurl:status EJInvokerServlet`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:58:46 +00:00			`<figure><img src="../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>`
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`Bug bounty savet: prijavite se za Intigriti, premium bug bounty platformu koju su kreirali hakeri, za hakere! Pridružite nam se na [https://go.intigriti.com/hacktricks](https://go.intigriti.com/hacktricks) danas, i počnite da zarađujete nagrade do $100,000!`
GitBook: [#3220] No subject 2022-05-24 00:07:19 +00:00
Translated ['forensics/basic-forensic-methodology/specific-software-file 2024-02-18 14:58:46 +00:00			`{% embed url="https://go.intigriti.com/hacktricks" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`{% hint style="success" %}`
			`Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`<summary>Podržite HackTricks</summary>`
arte 2023-12-31 01:24:39 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`* Proverite [planove pretplate](https://github.com/sponsors/carlospolop)!`
			`* Pridružite se 💬 [Discord grupi](https://discord.gg/hRep4RUj7f) ili [telegram grupi](https://t.me/peass) ili pratite nas na Twitteru 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Podelite hakerske trikove slanjem PR-ova na [HackTricks](https://github.com/carlospolop/hacktricks) i [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:41:39 +00:00			`{% endhint %}`