增加JBoss EAP/AS <= 6.X探测

JKme · JKme · commit 874e4a5b6fdc · 2022-04-28T18:44:53.000+08:00
diff --git a/README.md b/README.md
@@ -1,6 +1,10 @@
 ## 声明
 >特别声明：此工具仅限于安全研究，禁止使用该项目进行违法操作，否则自行承担相关责任
 
+## 问题反馈
+
+![cai.jpeg](./image/cai.jpeg)
+
 ## 特点
 - 方便二次开发，快速增加插件
 - 支持输出结果到excel文档
@@ -72,7 +76,7 @@ cube probe -x oxid,ms17010 -s 192.168.2.1/24
 ```
 
 #### 支持的探测插件
-|   FUNC    | PORT  | LOAD BY X |
+| FUNC      | PORT  | LOAD BY X |
 |-----------|-------|-----------|
 | docker    |  2375 | Y         |
 | dubbo     | 20880 | Y         |
@@ -89,6 +93,7 @@ cube probe -x oxid,ms17010 -s 192.168.2.1/24
 | winrm     |  5985 | N         |
 | wmi       |   135 | N         |
 | zookeeper |  2181 | Y         |
+| jboss     |  3873 | Y         |
 
 * `smb/wmi/winrm/mssql`是利用NTLM认证过程获取[Windows版本系统信息](https://jkme.github.io/2021/08/06/windows-ntlm-smb-scan.html)
 * 使用`ping/netbios`的时候，最好单独使用获取更准确的结果，线程数量建议为10
diff --git a/config/config.go b/config/config.go
@@ -11,6 +11,6 @@ const (
 
 var CrackX = []string{"elastic", "ftp", "mongo", "mssql", "mysql", "postgres", "smb", "ssh", "redis", "oracle"}
 
-var ProbeX = []string{"docker", "rmi", "oxid", "ms17010", "smb", "zookeeper", "dubbo", "etcd", "k8s", "smbghost"}
+var ProbeX = []string{"docker", "rmi", "oxid", "ms17010", "smb", "zookeeper", "dubbo", "etcd", "k8s", "smbghost", "jboss"}
 
 var PASSWORDS = []string{" ", "123456", "admin", "admin123", "root", "5201314", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "1234qwer!@#$", "1qaz@WSX1qaz", "QAZwsxEDC", "{user}", "{user}1", "{user}12", "{user}111", "{user}123", "{user}1234", "{user}12345", "{user}123456", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "1QAZ2wsx", "1q2w3e4r", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "123456a", "123456aa", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system"}
diff --git a/core/probemodule/jboss.go b/core/probemodule/jboss.go
@@ -0,0 +1,48 @@
+package probemodule
+
+import (
+	"cube/config"
+	"cube/pkg"
+	"encoding/hex"
+	"fmt"
+	"net"
+)
+
+type JBoss struct {
+	*Probe
+}
+
+func (J JBoss) ProbeName() string {
+	return "jboss"
+}
+
+func (J JBoss) ProbePort() string {
+	return "3873"
+}
+
+func (J JBoss) PortCheck() bool {
+	return true
+}
+
+func (J JBoss) ProbeExec() ProbeResult {
+	//https://jspin.re/jboss-eap-as-6-rce-a-little-bit-beyond-xac-xed/
+	//https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf
+	result := ProbeResult{Probe: *J.Probe, Result: "", Err: nil}
+
+	host := fmt.Sprintf("%s:%v", J.Ip, J.Port)
+	conn, _ := net.DialTimeout("tcp", host, config.TcpConnTimeout)
+	//_, err := conn.Write([]byte{0x4a, 0x52, 0x4d, 0x49, 0x00, 0x02, 0x4b})
+	//if err != nil {
+	//	return result
+	//}
+	r1, _ := pkg.ReadBytes(conn)
+	fmt.Printf("Receive: %s\n", hex.EncodeToString(r1[:4]))
+	if hex.EncodeToString(r1[:4]) == "aced0005" {
+		result.Result = "JBoss EAP/AS <= 6.X"
+	}
+	return result
+}
+
+func init() {
+	AddProbeKeys("jboss")
+}
diff --git a/core/probemodule/probe_interface.go b/core/probemodule/probe_interface.go
@@ -57,6 +57,8 @@ func (p *Probe) NewIProbe() IProbe {
 		return &Etcd{p}
 	case "k8s":
 		return &K8s{p}
+	case "jboss":
+		return &JBoss{p}
 	default:
 		return nil
 	}

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,8 @@ func (p *Probe) NewIProbe() IProbe {`
`57`	`57`	`return &Etcd{p}`
`58`	`58`	`case "k8s":`
`59`	`59`	`return &K8s{p}`
	`60`	`+ case "jboss":`
	`61`	`+ return &JBoss{p}`
`60`	`62`	`default:`
`61`	`63`	`return nil`
`62`	`64`	`}`