Recon → Interesting URL → Java code → download to Windows machine → Defender identified it as a JSP webshell
This is an interesting finding I made on a public VDP program. While a friend of mine, Jaimin, and I were doing recon on a public program, he found an interesting URL. He shared it with me, and while poking at it I found that Java code was disclosed.
I thought I had found a source code disclosure vulnerability and wanted to see whether we could find something interesting in it, so I tried to download it to my system. Fortunately I was on a Windows machine (mostly I work on Linux systems), and it turned out that the downloaded file was a webshell.
1. Fuzzing the URL leads to the following page.
2. Downloading it on Windows: Defender detects it right away. Microsoft advisory for the same.
3. Searching the internet for the same code snippet shows that the following web shell was uploaded.
Webshell samples collected from around the web, for testing the detection rate of webshell scanners. Contribute to ysrc/webshell-sample development by creating an account on…
You can find weird stuff on the internet. 😂
Thanks for reading! Have a nice day ahead.
~Nishith K( https://twitter.com/busk3r )