> For the complete documentation index, see [llms.txt](https://www.heresecurity.wiki/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.heresecurity.wiki/quan-xian-wei-chi/web-fu-wu-zhong-jian-jian/java.md). # Java **JAVA Web Backdoor** ``` From:https://www.freebuf.com/articles/web/172753.html https://github.com/rebeyond/memShell 当获取一个webshell或bashshell权限时,下载后门执行注入进程形成无文件复活后门 下载后解压到任意web目录 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/605.png) ``` 得到2个jar文件 执行,password设置为你的密码 >java -jar inject.jar password ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/606.png) ``` 注入成功,在web任意页面任意url执行命令 http://192.168.0.121:8080/css/app.css?pass_the_world=password ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/607.png) ``` 可执行命令,反弹shell,上传/下载文件,列目录,读文件,添加代理,连接菜刀 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/608.png) **Tomcat JSP HideShell** ``` From:https://mp.weixin.qq.com/s/7b3Fyu_K6ZRgKlp6RkdYoA https://github.com/QAX-A-Team/HideShell 把自己的shell和hideshell传入靶机,先访问自己的shell,目的是为了让 Tomcat 将它编译,并生成 JspServletWrapper 保存在 JspRuntimeContext 中。 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/609.png) ``` 再访问hideshell.jsp,点击hide你的shell。 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/610.png) ``` 已经隐藏了 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/611.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/612.png) ``` 再访问hideshell.jsp,可以看到隐藏后的shell的文件名。 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/613.png) ``` 访问看看 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/614.png) ``` 当然,也可以把hideshell自身隐藏了,那访问它的方式就是hidden-hideshell.jsp ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/615.png) ``` 目录里啥都没了 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/616.png) ``` 此方式隐藏之后请求不会产生日志 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/617.png) ``` 那如果把shelltest文件夹删掉权限还会在吗? ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/618.png) ``` 是在的 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/619.png) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://www.heresecurity.wiki/quan-xian-wei-chi/web-fu-wu-zhong-jian-jian/java.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.