Thread: Java web application - reverse shell problem

  1. #1
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    2

    Java web application - reverse shell problem

    Can someone help me with an issue I'm having with a Java web app? It has a SQL injection vulnerability and I am able to upload a reverse shell JSP file. When I try to browse to the file I get two errors. The first is

    java.lang.NoClassDefFoundError: org/apache/tools/ant/BuildListener)

    and every other time after that I get

    java.lang.NullPointerException
    sun.misc.URLClassPath$3.run(Unknown Source)
    java.security.AccessController.doPrivileged(Native Method)

    My knowledge of Java is limited, but this looks like a security setting designed to prevent me from browsing to the JSP file. Is there any way to get around this problem?

    Any help with this would be greatly appreciated.

  2. #2
    Very good friend of the forum killadaninja's Avatar
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526

    Re: Java web application - reverse shell problem

    How old is the reverse shell code? Have you tried it locally?

    "java.security.AccessController.doPrivileged(Native Method)" is not a security setting stopping you browsing to anything, if that's what you're thinking.

    Your problem lies here "java.lang.NoClassDefFoundError: org/apache/tools/ant/BuildListener)"
    Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.

  3. #3
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    2

    Re: Java web application - reverse shell problem

    Thanks for the reply

    I'm getting this error even when I try and upload the most basic of jsp files. (just printing out the current date/time)
    The shell file I'm using is quite old, but as I'm getting this error with any jsp file it suggests something else.

    Findings so far:
    I've got a copy of the application running locally, and there are two other JSP files that it employs. When I amend either of them and browse to them, my changes don't appear, which suggests the application requires a restart/recompile.
    The 2 JSP files are listed in the web.xml file, which produces a sharing violation when you try to amend it, so that's a no-go. (Again, my knowledge of Java is limited, so this might seem futile, but I'm trying everything here.)
    The application allows the upload of image files, which means I can get around the 64kb issue of binary to hex conversion and upload whatever file I want.
    I have found a website that lists .jar files that have the ant/buildListener class that the first error message is complaining about, but I'm not sure what I can/should do with this to resolve the error. (I've tried uploading this to the same folder as my JSP page, but still get the same error.)
    It feels like I am 99% of the way there (learning a lot about Java on the way!). ASP and PHP allow you to push files on the fly, and from what I have read, JSP/Java should allow the same, but for some reason it won't let me?
