Detect JSP websites based on java Struts

Key points:

Find the injection point
Use mysql load_file () to read website configuration information and find the management backend
Upload webshell9
 
Let's take a look at Struts and. do:
First, let's know what Struts is. Struts is an Open Source project of the Jakarta Project Team of the Apache Foundation. It is an excellent J2EE MVC Architecture. It uses taglib to obtain reusable code and abstract Java code, use ActionServlet with Struts-config.xml to achieve navigation of the entire system. It enhances developers' overall understanding of the system and enhances the maintainability and scalability of the system.
The core of Struts is Controller, that is, ActionServlet, and the core of ActionServlet is Struts-config. xml, the Struts-config.xml centralized the navigation definition of all pages. For more details about sstruts, visit the following address:

Http://www.ibm.com/developerworks/cn/java/j-struts/
 
. The do file is a Web page background program. It is actually not a file and there is no real one. the do file exists and cannot be opened directly. struts uses a special servlet as a "Switch" to forward requests from the web browser to the corresponding serverpage. A deployment description file (web-inf/web. xml) must be written when developing a web application ). This file describes the configuration of your web application, including the welcome pages (the files that appear in the directory when the request is not specified), servlet (path or extension) serving with those servlets parameters. In this file, you configure struts actionservlet as a servlet to manipulate all specified mappings (usually with the. do extension)-this is the "Switch ".
 
Access to the xx. do page actually accesses the xx. jsp file. However, direct access to xx. jsp from websites using struts technology will not be parsed by web servers such as Tomcat and Resin.
 
Xx. do page Directory must have web-inf folder, store Struts-config.xml !!
The following describes the transfer subject:
 
1. Open the target site and find a jsp-type website. The webpage suffix is. do and. jsp. Open the page.
Http://www.bkjia.com/newslistAction. do? Type = 1 w
 
Enter punctuation marks. Based on the Content returned on the page, the website is found to be based on Apache Tomcat/5.0.28 web servers.
Here is our own communication platform, a technology sharing platform for all our 90sec members!
 
2. Find the injection point, open "Product Center"-"network firewall"-open a product introduction
Http://www.bkjia.com/showproAction. do? Id = 47
Try whether it can be manually injected, according to the understanding of this site, the database should be mysql or oracle, oracle that we do not dare to touch, first try it is mysql, http://www.bkjia.com/showproAction. do? Id = 47 and ord (mid (version (), 1, 1)> 51
If the page is normal, it indicates that it is mysql and the mysql version is later than 4.0, you can use the union query. The number of fields is listed below:
Http://www.bkjia.com/showproAction. do? Id = 47 'and 1 = 2 union select 1, 2, 3/* Page error;
Http://www.bkjia.com/showproAction. do? Id = 47 '% 20and % 201 = 2% 20 union % 20 select %, 7 /*
The page is normal, and the page content shows the number we want !!
 
There is a technique for injecting fields into mysql. You can use the order by field quantity, for example:
Www.2cto.com/showproAction. do? Id = 47 'and 1 = 2 union select 1, 2/* Page error;
The http://www.bkjia.com r/showproAction. do? Id = 47 'order by 7/* The page is normal;
 
Http://www.bkjia.com/showproAction. do? Id = 47 'order by8/* Page error. There are 7 fields in total
3. Now that we know that it is a mysql database, we have also found the injection point. Of course, we have taken out the php injection tool. Here we use the PHP injection tool on the top of the ocean to get some information about the database, more importantly, use the load_file () function.
 
For mysql databases, by default, the root user can only log on to the local machine, instead of using an empty password to connect to port 3306 to remotely log on to the mysql database.
I still don't know whether the operating system is windows or linux. if the system does not set user permissions, I can use the load_file () function to try it out. load_file ('/etc/password '), load_file ('C: \ boot. ini '), it turns out to be a windows 2000 Server! It seems that the website architecture should be windows 2000 server + tomcat + mysql. Do not count on IIS.
4. Continue the injection to see if you can find the website administrator account and password. Come up with pangolin, the most popular injection tool recently, and enter the injection address.
Http://www.bkjia.com/showproAction. do? Id = 47ww
 
The database is of course mysql, and the injection character type is int, dizzy. After running for a long time, nothing can be run, and no data table can be guessed, it seems that it is unrealistic to use a tool to guess the Administrator account and password of the database. Think about other methods.
5. If you know the absolute path of the page file on the hard disk, you can view the page source code in load_file (). The key is how to expose the page address? If it is a php page, you can also construct some SQL statements that cause query errors and expose the absolute path of the web page. However, it is tomcat, when an error occurs in page execution, tomcat's damn debugging information occupies the page. Try the management portal search of the d injection tool. Only the default Management page of tomcat is found, and the tomcat management interface that has not been configured cannot be logged on. Continue searching, accidentally opened
 
Http://www.bkjia.com/manager/
 
Http://www.bkjia.com/jiehe/
 
You can list directories, but you cannot see any valuable page addresses.
6, try the tool wwwscan, a command line CGI scanner that supports SSL, it is said that the collection of a lot of sensitive directory files, and finally access the http://www.bkjia.com \ com3, the path of the website exposed on the error page is F: \ Tomcat 5.0 \ webapps \ ROOT \ com3 (the specified file cannot be found by the system). This indicates that the tomcat virtual directory path is
 
F: \ Tomcat 5.0 \ webapps \ ROOT \
 
The lumon vulnerability Library (http://www.nsfocus.net/vulndb/9875) describes the vulnerability as follows :,
 
DApache Tomcat MS-DOS device name Remote Denial of Service Vulnerability:
 
Apache Tomcat has a vulnerability in processing malformed user requests. Remote attackers can exploit this vulnerability to launch denial-of-service attacks on the service program, so that legal users cannot access the service normally. A Denial-of-Service occurs when a user sends a file request to the server with the MS-DOS device name plus ". jsp.
7. Now that you know the virtual path of the website, you can use load_file () to view the Page code. First try load_file ("index. php"). Unfortunately, you cannot see any valuable information, so check the tomcat configuration file,
F: \ Tomcat 5.0 \ conf \ server. xml
If the website virtual directory is moved to another path and is not in the tomcat installation directory, there will be new virtual directory information in server. xml, but there is no useful information at this time. Try F: \ Tomcat 5.0 \ webapps \ root \ web-inf \ struts-config.xml
 
The page path of the entire site is displayed!
 
Http://www.bkjia.com/usereditAction. do? Id = 1. The administrator password modification page is displayed. You can access the page without user authentication. what's even worse is that there is a pie in the sky: in the html code, you can see the user account and password !! Continue to find in the struts-config.xml background management interface login page, finally found that the background login address is
Http://www.bkjia.com/siteadmin/login. jsp
9. google searches for and finds one: JFolder. jsp. the jsp Trojan is uploaded using the website background function. The upload is successful. You can directly access the JFolder. jsp Based on the paths of other uploaded images on the website.
Http://www.bkjia.com // dir/upload file new name, get webshell !!
 
10, summary: In this security detection, there is a website injection point, and then through the struts-config.xml to find the website management background address, and then exposed the Administrator account and password, it is luck, otherwise, it will take a lot of effort to guess the name of the management table and the Administrator account and password before you can smoothly enter the management background and upload jsp Trojans to form a webshell.

All in all, website system protection defects include:

There are injection points in the website system, no user permission settings on the server, no user authentication is performed on some management pages in the website background, and any types of files can be uploaded on the upload page.

The upload page has been found in the scan results of wwwscan and can upload any file, however, you still need to guess whether the path to the file is img or dir or another path before accessing this jsp Trojan, but this intrusion mainly uses the struts configuration file struts-config.xml to obtain webshell!


From 90sec