Hacking JBoss with JMX Console

October 27, 2009

Often while doing Internal Infrastructure assessments, its common to find unrestricted access to JBOSS JMX console. This web interface allows deployment of arbitrary war files. Here is an excellent article describing the process:
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf

Here is a war file, ready to use: cmd.war (zipped)
Once deployed check for this file on the vulnerable jboss: http://victim:8080/cmd/cmd.jsp

Happy Hacking 🙂
————————–
Advert: Testking offers complete collection of latest practice questions for 000-201 as well as 000-330 and 000-331 exams.