If you’ve got arbitrary file uploads to a J2EE web accessible directory, you need something to maximize your compromise. The world needs a JSP shell that really helps a blackbox attacker pivot to important assets, so I took a stab at it. It’s quite lamely called pwnshell. It’s a single JSP that, when browsed to, delivers the user a Web 2.0 shell for the victimized server. Great for demos! The shell is here.

How do you use it?

1. Upload it to the victim server (try it on a local Tomcat server!)

2. Browse to it

3. Pretend you’re looking at an xterm

Where does it work?

- Works across platforms

- Works on Java 1.5+ (probably 1.4 too, but I haven’t tested)

Why would you use it?

- Browse around the system (as the web application system user)

- Execute arbitrary system commands (it’s a shell, after all)

- Show and alter session variables

- Dump JNDI entries

Here are some screenshots of the shell in action. The first one shows simple directory browsing. Notice all those directory links are clickable! This makes for a weird Explorer-like interface.
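For defenders, the feature list in the post doubles as a detection checklist. The following is an added example, not part of the original post and not pwnshell's code: a scanner that walks a web-accessible directory and flags JSP files combining several of the listed capabilities. The regexes, the `min_hits` threshold and the sample file names are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Capability groups taken from the post's feature list; the regexes are
# assumptions about how such features look in JSP source, not pwnshell's code.
INDICATORS = {
    "command_exec": re.compile(
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec|new\s+ProcessBuilder"),
    "dir_browse": re.compile(r"\.\s*listFiles\s*\("),
    "session_access": re.compile(
        r"session\s*\.\s*(setAttribute|getAttributeNames)\s*\("),
    "jndi_dump": re.compile(r"new\s+InitialContext\b|\.\s*listBindings\s*\("),
}

def scan_jsp_text(text):
    """Return the sorted capability groups whose pattern occurs in text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_webroot(root, min_hits=2):
    """Walk root and report .jsp/.jspx files showing at least min_hits groups."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".jsp", ".jspx"}:
            hits = scan_jsp_text(path.read_text(errors="replace"))
            if len(hits) >= min_hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Scan a constructed web root holding one suspicious and one benign file."""
    # Constructed, non-functional fragments: API names only, no request handling.
    suspicious = ("<%-- constructed sample --%>\n"
                  "Runtime.getRuntime().exec(cmd);\n"
                  "dir.listFiles();\n"
                  "session.getAttributeNames();\n"
                  "new InitialContext().listBindings(name);\n")
    benign = '<%@ page contentType="text/html" %>\n<h1>Hello</h1>\n'
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "uploads").mkdir()
        (Path(root) / "uploads" / "avatar.jsp").write_text(suspicious)
        (Path(root) / "index.jsp").write_text(benign)
        return scan_webroot(root)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

Plain string matching misses obfuscated or reflection-based code, so treat a hit as a triage signal and pair the scan with integrity monitoring of any directory that accepts uploads.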

