ASExplorer
ASExplorer is a tool useful to browse resources exposed by an application server, such as Weblogic or JBoss; especially useful if you’re enforcing security.
Main features:
- built-in support for Weblogic and JBoss<
- JNDI resources browsing
- automatic discovering of SQL datasource
- automatic loading of external libraries (JARs) to interact with AS
- interaction with SQL datasources
- easy to extend
Installation
To use ASExplorer you’ll need:
- a JAVA compiler (javac)
- a Java based make tool (ant)
- specific application server libraries
First of all, download the package and build it:
1 2 3 4 | |
Copy all JAR files you need to connect to in this folder (lib/ext); in my testing environment, I use the following files:
- concurrent.jar
- cryptojFIPS.jar
- jboss-client.jar
- jboss-common-core.jar
- jboss-integration.jar
- jboss-jmx.jar
- jboss-logging-log4j.jar
- jboss-logging-spi.jar
- jboss-remoting.jar
- jboss-security-spi.jar
- jboss-serialization.jar
- jbossall-client.jar
- jbosscx-client.jar
- jbosssx-client.jar
- jnp-client.jar
- ojdbc14.jar
- webserviceclient+ssl.jar
- webserviceclient.jar
- wlcipher.jar
- wlfullclient.jar
- wls-api.jar
- wlthint3client.jar
Examples
Enumerate all JNDI resources exposed by application server
1 2 3 4 5 6 7 8 | |
Automatic datasources enumeration
1 2 3 | |
Interaction with SQL datasources
Assuming that your application server is exporting an Oracle-based datasource named OracleDS:
1 2 3 4 5 6 7 8 9 10 11 12 | |
Parameters available:
| Parameter | Description |
|---|---|
| –datasource name | datasource name to interact (required) |
| –sql string | SELECT command to issue (required) |
| –colsize num | limit all columns size to ‘num’ (optional) |
Inspect a class with reflection
1
| |
TODO
- complete log4j integration
- add GlassFish support
- support for DQL queries
Check it out at GitHub