jsp内网探测脚本&简单代理访问


直接上图:

jsp内网探测脚本&简单代理访问

jsp内网探测脚本&简单代理访问

jsp内网探测脚本&简单代理访问

jsp内网探测脚本&简单代理访问

..

1.直接访问默认扫描当前IP的C段,获取标题、web容器.

2.可以自定义传入需要扫描的段,传入参数ip即可

3.代理访问参数为url,可简单的访问内网的web,对了,我还加载了网站里的css,做到尽量看上去和直接访问的效果一样

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>

<%@ page isThreadSafe="false"%>

<%@page import="java.io.PrintWriter"%>

<%@page import="java.io.OutputStreamWriter"%>

<%@page import="java.util.regex.Matcher"%>

<%@page import="java.io.IOException"%>

<%@page import="java.net.InetAddress"%>

<%@page import="java.util.regex.Pattern"%>

<%@page import="java.net.HttpURLConnection"%>

<%@page import="java.util.concurrent.LinkedBlockingQueue"%>

<%!final static List<String> list = new ArrayList<String>(); // never read in this file: getTitle declares a local "list" that shadows it

  // Servlet-instance state. A JSP page compiles to one servlet instance, so
  // these fields are shared by all requests; isThreadSafe="false" above asks
  // the container to serialise requests, but a value written by one request
  // is still in place for the next one.
  String referer = ""; // sent as the "referer" request header by getHTTPConn

  String cookie = ""; // sent as the "cookie" request header by getHTTPConn

  String decode = "utf-8"; // charset for response bodies; replaced by the raw "decode" parameter (may be null) on proxy requests

  int thread = 100; // scan worker count; replaced by the "thread" parameter, which is not bounded

  HttpURLConnection getHTTPConn(String urlString) {
    // Prepares (but does not yet open) a GET request for urlString.
    // Returns null when the URL is malformed or the connection object cannot
    // be created; the socket is only opened when the caller reads from it.
    // The "referer" and "cookie" headers carry the servlet fields of the same
    // name, which the scriptlet fills from request parameters. Redirects are
    // left at the HttpURLConnection default (followed). The fixed MSIE 7
    // User-Agent below is an easy fingerprint for this page's traffic in
    // egress/proxy logs.
    java.net.HttpURLConnection connection;
    try {
      connection = (java.net.HttpURLConnection) new java.net.URL(urlString).openConnection();
      connection.setConnectTimeout(3000);
      connection.setReadTimeout(3000);
      connection.setRequestMethod("GET");
      connection.addRequestProperty("User-Agent",
          "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon;)");
      connection.addRequestProperty("Accept-Encoding", "gzip");
      connection.addRequestProperty("referer", referer);
      connection.addRequestProperty("cookie", cookie);
    } catch (Exception e) {
      return null;
    }
    return connection;
  }

  HttpURLConnection conn; // unused instance field: getHtmlContext/getServerType take conn as a parameter and the scan worker declares its own local conn

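  String getHtmlContext(HttpURLConnection conn, String decode) {
    /*
     * Reads the response body of conn as text and returns it with blank lines
     * dropped and "\n" appended after every kept line.
     *
     * conn   - connection to read from; the socket is opened by getInputStream()
     * decode - charset name, or null to use "utf-8"
     * returns the body, or the literal string "null" when anything fails (null
     *         conn, unreachable host, non-2xx status, unsupported charset);
     *         callers test for the string "null", never for a Java null. A
     *         page whose whole body is the text "null" is indistinguishable
     *         from a failure.
     *
     * The reader is now closed in finally, so a failure in the middle of the
     * read no longer leaks the stream (the original only closed on success).
     * NOTE(review): getHTTPConn requests "Accept-Encoding: gzip" but the
     * stream is read raw here, so a gzip-compressed body comes back as
     * undecoded bytes.
     */
    String code = decode != null ? decode : "utf-8";
    java.io.BufferedReader br = null;
    try {
      br = new java.io.BufferedReader(
          new java.io.InputStreamReader(conn.getInputStream(), code));
      StringBuilder html = new StringBuilder();
      String line;
      while ((line = br.readLine()) != null) {
        if (!line.trim().equals("")) {
          html.append(line).append("\n");
        }
      }
      return html.toString();
    } catch (Exception e) {
      System.out.println("getHtmlContext:"+e.getMessage());
      return "null";
    } finally {
      if (br != null) {
        try {
          br.close(); // also closes the underlying InputStreamReader
        } catch (IOException ignored) {
          // the body has already been read, or the read already failed above
        }
      }
    }
  }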

  String getServerType(HttpURLConnection conn) {
    // Value of the response "Server" header: null when the header is absent,
    // and the literal string "null" when reading it throws (for example when
    // conn is null because getHTTPConn failed).
    String server;
    try {
      server = conn.getHeaderField("Server");
    } catch (Exception e) {
      server = "null";
    }
    return server;
  }

  String getTitle(String htmlSource) {
    // Concatenates the contents of every <title>...</title> element found in
    // htmlSource (lower-case tag only: the match is case-sensitive and does
    // not span line breaks), strips any tags left inside and returns the
    // text. Returns "" when there is no title and null when htmlSource is
    // null (the matcher throws and the catch returns null).
    try {
      Matcher m = Pattern.compile("<title>.*?</title>").matcher(htmlSource);
      StringBuilder joined = new StringBuilder();
      while (m.find()) {
        joined.append(m.group());
      }
      return joined.toString().replaceAll("<.*?>", "");
    } catch (Exception e) {
      return null;
    }
  }

  List<String> getCss(String html, String url, String decode) {
    // For every href="...css" found in the lower-cased page, fetches
    // url + "/" + <href>.css and wraps the body in <style> tags. Both ".*"
    // in the pattern are greedy, so on a line with several stylesheets group
    // 1 runs from the first href= to the last ".css" on that line. Absolute
    // stylesheet URLs are not recognised: the href is always appended to url.
    // Returns the list of <style> blocks; empty when nothing matched or when
    // html is null (the catch below prints and swallows the error).
    List<String> styles = new ArrayList<String>();
    try {
      Matcher m = Pattern.compile(".*href=\"(.*)[.]css").matcher(html.toLowerCase());
      while (m.find()) {
        String cssUrl = url + "/" + m.group(1) + ".css";
        String body = getHtmlContext(getHTTPConn(cssUrl), decode);
        styles.add("<style>" + body + "</style>");
      }
    } catch (Exception e) {
      System.out.println("getCss:"+e.getMessage());
    }
    return styles;
  }

  String getMyIPLocal() throws IOException {
    // Address of this host as resolved from its own hostname; the scan uses
    // it as the default network when no "ip" parameter is supplied.
    return InetAddress.getLocalHost().getHostAddress();
  }%>

<%

  String u = request.getParameter("url");

  String ip = request.getParameter("ip");

  // Mode 1: "url" given -> fetch that URL server-side and echo its body.
  // No authentication and no allow-list on the target is visible in this
  // file, so the page acts as an open fetch proxy for whoever can reach it;
  // the referer/cookie parameters are forwarded verbatim as request headers.
  if (u != null) {

    // Raw parameter, may be null (getHtmlContext then falls back to utf-8).
    // The value stays in the servlet instance field for later requests.
    decode = request.getParameter("decode");

    String ref = request.getParameter("referer");

    String cook = request.getParameter("cookie");

    if (ref != null) {

      referer = ref;

    }

    if (cook != null) {

      cookie = cook;

    }

    // The literal string "null" signals a failed fetch; getHtmlContext never
    // returns a Java null.
    String html = getHtmlContext(getHTTPConn(u), decode);

    // Each stylesheet referenced by the page is fetched in turn, relative to u.
    List<String> css = getCss(html, u, decode);

    String csshtml = "";

    if (!html.equals("null")) {

      for (int i = 0; i < css.size(); i++) {

        csshtml += css.get(i);

      }

      // The fetched body is written unmodified, followed by the inlined styles.
      out.print(html + csshtml);

    } else {

      response.setStatus(HttpServletResponse.SC_NOT_FOUND);

      out.print("请求失败!");

    }

    return;

  }

  // Mode 2: everything else. The branch above returns whenever u != null, so
  // this condition is always true here: a bare GET with no parameters scans
  // the server's own /24.
  else if (ip != null || u == null) {

    String threadpp = (request.getParameter("thread"));

    if (threadpp != null) {

      // Outside the try blocks below: a non-numeric value lets
      // NumberFormatException escape the page. No upper bound is applied.
      thread = Integer.parseInt(threadpp);

      System.out.println(threadpp);

    }

    try {

      try {

        String http = "http://";

        // Defaults to this host's own address (see getMyIPLocal).
        String localIP = getMyIPLocal();

        if (ip != null) {

          localIP = ip;

        }

        // Keeps everything up to and including the last '.' ("a.b.c.").
        // With no '.' in the value lastIndexOf is -1 and the prefix is "".
        String useIP = localIP.substring(0,

            localIP.lastIndexOf(".") + 1);

        // Work queue shared by the workers; poll() below never blocks.
        final Queue<String> queue = new LinkedBlockingQueue<String>();

        // 1..256 inclusive: 256 entries, the last one (".256") is not a
        // valid IPv4 octet.
        for (int i = 1; i <= 256; i++) {

          String url = http + useIP + i;

          queue.offer(url);

        }

        // The response writer is handed to the worker threads and written
        // from several of them concurrently.
        final JspWriter pw = out;

        ThreadGroup tg = new ThreadGroup("c");

        // One raw Thread per "thread" (default 100, request-controlled);
        // each drains the queue until poll() returns null, then exits.
        for (int i = 0; i < thread; i++) {

          new Thread(tg, new Runnable() {

            public void run() {

              while (true) {

                String addr = queue.poll();

                if (addr != null) {

                  // Every probed address is also written to the server's
                  // stdout (e.g. the container log), where it remains after
                  // the response is gone.
                  System.out.println(addr);

                  HttpURLConnection conn = getHTTPConn(addr);

                  String html = getHtmlContext(conn,

                      decode);

                  String title = getTitle(html);

                  String serverType = getServerType(conn);

                  // getHtmlContext returns the string "null" on failure.
                  String status = !html

                      .equals("null") ? "Success"

                      : "Fail";

                  // html != null is always true here (see getHtmlContext);
                  // only the status check decides.
                  if (html != null

                      && !status.equals("Fail")) {

                    try {

                      pw.println(addr + "  >>  "+ title + ">>"+ serverType+ " >>" + status+ "<br/>");

                    } catch (Exception e) {

                      e.printStackTrace();

                    }

                  }

                } else {

                  return;

                }

              }

            }

          }).start();

        }

        // Busy-wait until every worker has exited: spins a CPU core for the
        // whole scan instead of joining the threads.
        while (tg.activeCount() != 0) {

        }

      } catch (Exception e) {

        e.printStackTrace();

      }

    } catch (Exception e) {

      // Only reachable if the inner catch itself throws; ordinary failures
      // are swallowed above and never reach this out.println.
      out.println(e.toString());

    }

  }

%>

参数:

ip [需要探测的ip段]

url [需要请求的地址]

其他参数:

thread [指定线程数]

decode [指定编码]

referer  [伪造referer]

cookie [伪造cookie]

待完善:

1.一个C段,可能有多种编码格式,所以指定一个参数是有问题的。

2.端口可以修改传入一个数组,支持探测多个端口80,8080..

3.代理访问功能并不完善,例如加载js、加载图片、超链接替换成代理访问的链接、表单替换支持真实请求..

对了,其实这个主要是用于偷懒或者内网渗透时,各种代理总是遇到问题出不来。坐等大神写个完善版本的。

(我自己来还得慢慢改。)

PS:很久没写代码,代码渣,多线程还是没学会。看来代码就是得天天写才能熟练。

Link:http://pan.baidu.com/s/1qWDsv3e

  1. 1#

    sqlfeng (头一天,来到,鬼呀么鬼门关呐~) | 2015-09-09 19:08

    mark

  2. 2#

    八云紫 | 2015-09-09 19:43

    cool

  3. 3#

    (慢慢的我,习惯了这种生活.) | 2015-09-09 20:12

    嗨嗨嗨 鼠大侄

  4. 4#

    Pany自留地 (‮) | 2015-09-09 21:49

    mark

  5. 5#

    园长 (喵~) | 2015-09-09 21:56

    熟能生巧

  6. 6#

    K4r1iNNg (]’or 1#) | 2015-09-09 22:18

    mark

  7. 7#

    金枪银矛小霸王 (勿忘初心:)) | 2015-09-09 22:22

    mark

  8. 8#

    糖剩七颗 (退潮后才发现自己原来一直在裸泳) | 2015-09-09 23:02

    mark

  9. 9#

    动后河 (☭) | 2015-09-09 23:19

    你应该先抱园长大大大腿后再写
    你实现这个功能比较纯朴,jsp开个代理更方便些,不然你只是访问那些网站刺探一下,连里面的连接都不能直接点击

  10. 10#

    小人物Reno | 2015-09-09 23:25

    666666666

  11. 11#

    木木小子 (菜逼一枚。) | 2015-09-09 23:26

    师傅,66666

  12. 12#

    生鲜一手 (重剑无锋,大巧不工) | 2015-09-10 00:10

    Mark

  13. 13#

    子非海绵宝宝 | 2015-09-10 08:41

    mark

  14. 14#

    hack2012 (http://www.waitalone.cn) | 2015-09-10 08:53

    楼主很强大呀。。

  15. 15#

    进击的zjx | 2015-09-10 08:54

    马克华菲

  16. 16#

    南哥 (<///////////////////////>) | 2015-09-10 09:34

    mark

  17. 17#

    jeary ((:‮?办么怎,了多越来越法方象抽的我)) | 2015-09-10 09:38

    @动后河 里面的链接直接点击已经在实现,不难,只是需要处理的细节有点多。另外,我以前碰到过代理死活不出来的,试了很多脚本都没用,唯独用这种方式可以实现访问。

  18. 18#

    风情万种 (很有味道…) | 2015-09-10 10:36

    php版 看这里 http://zone.wooyun.org/content/22879  嘻嘻

  19. 19#

    wsg00d (这也不会,那也得学~~) | 2015-09-23 23:00

    mark,楼主牛逼

  20. 20#

    柯腾 | 2016-01-01 16:36

    mark

  21. 21#

    浮世浮城 | 2016-01-02 10:36

    mark