Java web application - reverse shell problem

[Sidoli]

Can someone help me with an issue I'm having with a java web app. It has a sql injection vulnerability and I am able to upload a reverse shell jsp file. When I try and browse to the file I get two errors, the first is

java.lang.NoClassDefFoundError: org/apache/tools/ant/BuildListener)

and every other time after that I get

java.lang.NullPointerException
sun.misc.URLClassPath$3.run(Unknown Source)
java.security.AccessController.doPrivileged(Native Method)

My knowledge of java is limited but this looks like a security setting designed to prevent me from browsing to the jsp file, is there any way to get around this problem?

Any help with this would be greatly appreciated.

[killadaninja]

How old is the reverse shell code? Have you tried it locally?

"java.security.AccessController.doPrivileged(Nativ e Method)" is not a security setting stopping you browsing to anything if that`s what your thinking,

Your problem lies here "java.lang.NoClassDefFoundError: org/apache/tools/ant/BuildListener)"

[Sidoli]

Thanks for the reply

I'm getting this error even when I try and upload the most basic of jsp files. (just printing out the current date/time)
The shell file I'm using is quite old, but as I'm getting this error with any jsp file it suggests something else.

Findings so far:
I've got a copy of the application running locally, and there are two other jsp files that it employs, when I amend either of them and browse to them, my changes don't appear, which suggests the application requires a restart/recompile.
The 2 jsp files are listed in the web.xml file, which produces a sharing violation when you try and amend it, so thats a no go. (again, my knowledge of java is limited, so this might seem futile, but I'm trying everything here)
The application allows the upload of image files, which means I can get around the 64kb issue of binary to hex conversion and upload whatever file I want.
I have found a website that lists .jar files that has the ant/buildListener class that the first error message is complaining about, but not sure what I can/should do with this to resolve the error (I've tried uploading this to the same folder as my jsp pge, but still get the same error)
It feels like I am 99% of the way there, (learning a lot about java on the way!). ASP and PHP allow you to push files on the fly, and from what I have read, jsp/java should allow the same, but for some reason it won't let me?