
From LOW to PWNED [3] JBoss/Tomcat server-status

Updated: 2022-09-18 20:36:14

http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-3-jbosstomcat-server.html

Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here; there is no video for BSides ATL.

I consistently violate presentation zen and try to make my slides usable after the talk, but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [3] JBoss/Tomcat server-status

There have been some posts/exploits/modules on hitting up unprotected JBoss and Tomcat servers.

http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf 
http://carnal0wnage.attackresearch.com/2009/11/hacking-unprotected-jboss-jmx-console.html 
http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/ 
http://goohackle.com/jboss-security-vulnerability-jmx-management-console/ 

http://www.metasploit.com/modules/exploit/multi/http/jboss_maindeployer 
http://www.metasploit.com/modules/exploit/multi/http/tomcat_mgr_deploy 

Sometimes, even though the deployer functionality is password protected, the server-status page may not be.

/web-console/status?full=true

/manager/status/all

LOW?

This can be useful to find:

  • Lists of applications
  • Recent URLs accessed
    • sometimes with session IDs
  • Hidden services/apps
  • Enabled servlets
  • owned stuff :-)
Finding 0wned stuff is always fun, so let's see.

Looking at the list of applications, there is one that doesn't look normal (zecmd).

Following that down leads us to zecmd.jsp, which is a JSP shell.
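As an added example (not code from the original post), here is a small defender-side audit of a saved status page that covers both the "useful to find" list and the zecmd finding above: it pulls the deployed contexts and recently served request paths out of the HTML, compares the contexts against an allowlist so an oddball like zecmd stands out, and redacts any session IDs the page exposes before they land in a report. The sample page and the regexes are constructed assumptions modelled loosely on Tomcat's /manager/status/all output, not its exact markup.

```python
import re

# Constructed sample, loosely modelled on a Tomcat /manager/status/all page
# (assumption: the real markup differs; only the anchors and request lines matter here).
SAMPLE_STATUS = """<html><body>
<h1>Application list</h1>
<h2><a name="/">/</a></h2>
<h2><a name="/manager">/manager</a></h2>
<h2><a name="/shop">/shop</a></h2>
<h2><a name="/zecmd">/zecmd</a></h2>
<h1>Request list</h1>
<table>
<tr><td>GET /manager/status/all HTTP/1.1</td></tr>
<tr><td>GET /shop/cart.jsp;jsessionid=A1B2C3D4E5F6 HTTP/1.1</td></tr>
<tr><td>POST /zecmd/zecmd.jsp HTTP/1.1</td></tr>
</table></body></html>"""

CONTEXT_RE = re.compile(r'<a name="(/[^"]*)">')
REQUEST_RE = re.compile(r'\b(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]')
# Session identifiers leak as ;jsessionid=... path parameters or jsessionid= query values.
SESSION_RE = re.compile(r'(;?jsessionid=)[A-Za-z0-9]+', re.IGNORECASE)

def extract_contexts(html):
    # Deployed application contexts listed on the status page.
    return CONTEXT_RE.findall(html)

def extract_request_paths(html):
    # Request targets from the recently processed request lines.
    return REQUEST_RE.findall(html)

def redact_session_ids(path):
    # Record that a session id was exposed without copying its value into the report.
    return SESSION_RE.sub(r"\1<redacted>", path)

def in_context(path, ctx):
    return path == ctx or path.startswith(ctx.rstrip("/") + "/")

def audit_status_page(html, allowlist):
    # Flag contexts outside the allowlist, exposed session ids, and traffic to unexpected contexts.
    contexts = extract_contexts(html)
    paths = extract_request_paths(html)
    unexpected = [c for c in contexts if c not in allowlist]
    # The root context "/" would match every path, so it never narrows the traffic list.
    suspicious = [p for p in paths if any(c != "/" and in_context(p, c) for c in unexpected)]
    return {
        "unexpected_contexts": unexpected,
        "session_id_leaks": [redact_session_ids(p) for p in paths if SESSION_RE.search(p)],
        "requests_to_unexpected": [redact_session_ids(p) for p in suspicious],
    }
```

Run `audit_status_page(SAMPLE_STATUS, {"/", "/manager", "/shop"})` and the report names /zecmd as the unexpected context, the request into it, and the one request that carried a session ID.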

If you are interested in zecmd.jsp and the JBoss worm it comes from, this is a good write-up, as well as this OWASP preso: https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf

thoughts?

-CG