What do you do when you have an arbitrary file upload to a web-accessible directory in J2EE? Obviously, you need a JSP shell! But there’s one problem: the available ones are kind of terrible. The Metasploit reverse shell is only intended to serve as placeholder for an already-owned box. The world needs a JSP shell that really helps a blackbox attacker pivot to important assets, so I took a stab at it. It’s called quite lamely called pwnshell.

What is it?
A single JSP file, embedded with jQuery and everything else you need to make an awesome web shell.

How do you use it?
1. Upload it to the victim server (try it on a local Tomcat server!)
2. Browse to it
3. Pretend you’re on looking at xterm

Where does it work?
– Works across platform
– Works on Java 1.5+ (probably 1.4 too, but I haven’t tested)

Why would you use it?
– Browse around the system (as the web application system user)
– Execute arbitrary system commands (it’s a shell, after all)
– Show and alter session variables
– Dump JNDI entries

Here’s a video:

Finally, some screenshots of the shell in action. The first one shows simple directory browsing. Notice all those directory links are clickable! This makes for a weird Explorer-like interface.

pwnshell - showing ls output

The next screenshot shows the help screen (type ‘help’) and the execution of a system command, ‘netstat’:

The last screenshot shows the shell’s autocomplete functionality.

If you can think of anything cool to add, let me know. Download here!