Fixed a bunch of bugs, added SEAM2 deployer for JBoss.

Added Oracle Glassfish, Coldfusion 5.x support, and Railo RCE/LFI modules.

Features

• Oracle Glassfish now supported; this includes versions 3.0, 3.1, and 4.x Not all functions are supported for the platform yet, as it's kind of a crappy platform, but it's still in progress. Early support stable.
• Platform-specific flags no longer included in the default help output. This was primarily done to improve help readability and prevent overflowing the user with potentially irrelevant information.
• The --aux-list and --deployer-list flags now support a platform argument to print only platform-specific modules. All platforms/modules may still be printed by not providing an argument.
• Significant modules added for Railo; pre-authentication LFI and pre-authentication RCE added.
• Another post-authentication deployer (log_injection.py) added for Railo.
• ColdFusion 5 fingerprint and support added

Enhancements

• Payload invocation now tied to --timeout.
• Coldfusion 6 now fully supported in all modules.

Bugs

• Issue #25 revealed three separate bugs in JBoss invokes. All have now been patched.
• Added Axis2 output for failed/already deployed payloads.
• Fixed a bug with incorrectly invoking JBoss 7.0+ payloads.

Largely a maintenance release, with some newer features.

Features

• Added WebLogic support for --invoke
• Added JBoss 8.1 fingerprints
• JBoss undeployer now supports 7.x/8.x
• New flag --rand-payload can be used to randomly generate a payload name for deployment

Enhancements

• Now prompt for JSP payloads during JMX/EJB invoker servlet deploys
• Better exception handling for Java deployers
• Refreshed the README to better reflect clusterd's current state

Bugs

• Fixed a bug in the Coldfusion task scheduler deployer
• Updated the requirements file to actually work
• Fixed a missing auth import on JBoss Status fingerprint
• We're now catching all exceptions thrown by fingerprints, so we shouldn't die miserably during a timeout

Added support for Axis2, plenty of bug fixes, tons of coffee, etc.

Features

• Added support for Axis2, a Java-based web services platform
• Added support for Railo 4.2
• Added support for ColdFusion 11
• For deployers that require the remote host to connect back, we now allow the connecting port to be configured in the state.py file
• Tomcat 3.x credential fetch auxiliary module
• Added a Tomcat deployer that uses only the manager-gui role

Enhancements

• Updated check support for the -sSV flag in --discover
• Confirm the user knows that an external port needs to be open when using deployers that require it
• Added --invoke support for Railo
• Support invokes for JSP payloads
• Axis2 payload generation now supported

Bugs

• Fixed a Railo authentication bug
• Fixed a missing import in the jmx_deploy deployer
• Fixed a bug in the DFS deployer for JBoss that was mishandling paths

Support for Railo, plenty of bug fixes, features, et al

Features

• Support for the Railo platform, a CFML engine
• New discovery flag --discover for parsing nmap grep output. See the wiki for more information
• ColdFusion 7-9 now supports pass the hash for authentication. The hash can be retrieved via --cf-hash
• New deployer for ColdFusion 6-8 that exploits LFI and log poisoning to obtain a shell; this is a preauth deployer that does not require valid credentials
• Added Tomcat 5.0 fingerprints
• New --listen flag now accepts an adapter to listen on for any reverse HTTP connections (a la deployers)
• Invoker servlets now support version 5.x of JBoss

Enhancements

• (JBoss) If the user is attempting to deploy a WAR via the EJB/JMXInvokerServlets, emit an error. These deployers only support jsp's.
• (JBoss) Force HTTP header fingerprint to a specific version
• (JBoss) EJB|JMXInvokerServlet deployers now only use the DFS method. This is much more reliable and less error prone than using the MainDeployer.
• (ColdFusion) Cleaned up the hash retrieval module to be more reliable
• Moved all shells into /src/lib/resources
• Added a small CFML web shell
• clusterd header now only prints the number of supported platforms

Bugs

• (JBoss) If we could not capture the version of a remote host and only get an Any fingerprint, prompt for entry of the version
• (JBoss) Fixed invoker servlets for version 3.x by packaging up old libraries
• Payload generator now fixed

Rehaul of WebLogic (no longer requires enormous libs), significant beefing up of Coldfusion, undeployers, and more.

• WebLogic received a significant overhaul; all functionality now moves through the web server
• Now supports undeploying applications from Tomcat/WebLogic/JBoss
• Added JRun path traversal for Coldfusion and updated the deployer for CF 7 and 8
• Added FCKEditor deployer for ColdFusion
• Moved RDS module into the main authentication routine for CF
• Added JBoss fingerprinting for HTTP headers
• EJBInvokerServlet now supported
• EJB/JMXInvokerServlet now deploys to JBoss 5.x
• Switched --gen-payload to use java/jsp_shell_reverse_tcp for all platforms

Bugs:

• Fixed a bug with unsupported platforms
• No longer crashes with bad auxiliary modules
• Updated output emission in a few places

Added support for JBoss 8.0, several major bug fixes, other features.

• Added fingerprint for JBoss 8.0 (WildFly)
• SMB modules now timeout if not sent to a Windows box, or the Windows box never sends its hashes
• Added an EJBInvokerServlet for JBoss
• Fixed a critical bug in the ColdFusion deployer
• Added ColdFusion 10.x deployment support
• Now detects if the deploying WAR is already deployed to the remote Tomcat server

This update removes WebLogic libraries that cannot be distributed by clusterd due to licensing issues. This reduces the bundle from 55mb to 4mb.