Sunshine insurance group's java deserialization command executes two packages (write shell tutorial Linux)

Sunshine insurance group's java deserialization command executes two packages (write shell tutorial Linux)

Celebrate the achievement of 1000rank and share some experience in shell writing.
This is a Linux server and has the default jboss interface.

0x01

Http: // 111.203.203.24: 8080/WebContent/addECPolicy/kuaisutoubao. jsp
 

The insurance system jointly developed by sunshine insurance and yiche


Http: // 111.203.203.24: 8080/the default jboss interface exists.
 

Jboss middleware, JAVA deserialization command execution vulnerability!


Echo tool written by rebeyond

Execute whoami
 

Ifconfig Intranet IP Address
 

Next we will focus on shell writing.

Write by default
 

Failed, 404


We use JD-GUI decompilation rebeyond Writing Tool, find writeshell, default "/" to the path is
 

./server/default/deploy/ROOT.WAR/shell.jsp

 

However, many sites do not necessarily leave ROOT. WAR in the default deploy.

Run the following command to view
 

ls ../server/default/deploy

ROOT. war has been removed from default deploy
 

Therefore, shell writing fails.



So how to write it?

We know that the jboss interface is rendered through the index.html of root.warpost, that is, the root directory.

Find
 

find / -name ROOT.war

 

Three addresses are obtained. The second is the correct configuration path for activation.

You only need to get the path + Your shell Name
 

Done!

You can also write the trojan address.

Http: // 111.203.203.24: 8080/she11.jsp
 

0x02

Next station

Http: // 111.203.203.25: 8080/WebContent/addECPolicy/kuaisutoubao. jsp

For the same jboss, run the same command and write the shell. Fix it together.

Shell address

Http: // 111.203.203.25: 8080/she11.jsp
 

Solution:

The two are packed together and handed over to you!