Sunshine insurance group's java deserialization command executes two packages (write shell tutorial Linux)
Celebrate the achievement of 1000rank and share some experience in shell writing.
This is a Linux server and has the default jboss interface.
0x01
Http: // 111.203.203.24: 8080/WebContent/addECPolicy/kuaisutoubao. jsp
The insurance system jointly developed by sunshine insurance and yiche
Http: // 111.203.203.24: 8080/the default jboss interface exists.
Jboss middleware, JAVA deserialization command execution vulnerability!
Echo tool written by rebeyond
Execute whoami
Ifconfig Intranet IP Address
Next we will focus on shell writing.
Write by default
Failed, 404
We use JD-GUI decompilation rebeyond Writing Tool, find writeshell, default "/" to the path is
./server/default/deploy/ROOT.WAR/shell.jsp
However, many sites do not necessarily leave ROOT. WAR in the default deploy.
Run the following command to view
ls ../server/default/deploy
ROOT. war has been removed from default deploy
Therefore, shell writing fails.
So how to write it?
We know that the jboss interface is rendered through the index.html of root.warpost, that is, the root directory.
Find
find / -name ROOT.war
Three addresses are obtained. The second is the correct configuration path for activation.
You only need to get the path + Your shell Name
Done!
You can also write the trojan address.
Http: // 111.203.203.24: 8080/she11.jsp
0x02
Next station
Http: // 111.203.203.25: 8080/WebContent/addECPolicy/kuaisutoubao. jsp
For the same jboss, run the same command and write the shell. Fix it together.
Shell address
Http: // 111.203.203.25: 8080/she11.jsp
Solution:
The two are packed together and handed over to you!