jsp内网探测脚本&简单代理访问


Oct 15 2015

jsp内网探测脚本&简单代理访问

首页 » 神器下载 » jsp内网探测脚本&简单代理访问   

1.jpg

2.jpg

3.jpg

4.jpg

..
1.直接访问默认扫描当前IP的C段,获取标题、web容器.

2.可以自定义传入需要扫描的段,传入参数ip即可

3.代理访问参数为url,可简单的访问内网的web,对了,我还加载了网站里的css,做到尽量看上去和直接访问的效果一样

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ page isThreadSafe="false"%>
<%@page import="java.io.PrintWriter"%>
<%@page import="java.io.OutputStreamWriter"%>
<%@page import="java.util.regex.Matcher"%>
<%@page import="java.io.IOException"%>
<%@page import="java.net.InetAddress"%>
<%@page import="java.util.regex.Pattern"%>
<%@page import="java.net.HttpURLConnection"%>
<%@page import="java.util.concurrent.LinkedBlockingQueue"%>

<%!final static List<String> list = new ArrayList<String>();
  String referer = "";
  String cookie = "";
  String decode = "utf-8";
  int thread = 100;

  HttpURLConnection getHTTPConn(String urlString) {
    try {
      java.net.URL url = new java.net.URL(urlString);
      java.net.HttpURLConnection conn = (java.net.HttpURLConnection) url
          .openConnection();
      conn.setRequestMethod("GET");
      conn.addRequestProperty("User-Agent",
          "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon;)");
      conn.addRequestProperty("Accept-Encoding", "gzip");
      conn.addRequestProperty("referer", referer);
      conn.addRequestProperty("cookie", cookie);
      //conn.setInstanceFollowRedirects(false);
      conn.setConnectTimeout(3000);
      conn.setReadTimeout(3000);

      return conn;
    } catch (Exception e) {
      return null;
    }
  }

  HttpURLConnection conn;

  String getHtmlContext(HttpURLConnection conn, String decode) {
    Map<String, Object> result = new HashMap<String, Object>();
    try {

      String code = "utf-8";
      if (decode != null) {
        code = decode;
      }
      StringBuffer html = new StringBuffer();
      java.io.InputStreamReader isr = new java.io.InputStreamReader(
          conn.getInputStream(), code);
      java.io.BufferedReader br = new java.io.BufferedReader(isr);

      String temp;
      while ((temp = br.readLine()) != null) {
        if (!temp.trim().equals("")) {
          html.append(temp).append("\n");
        }
      }
      br.close();
      isr.close();
      return html.toString();
    } catch (Exception e) {
      System.out.println("getHtmlContext:"+e.getMessage());
      return "null";
    }
  }

  String getServerType(HttpURLConnection conn) {
    try {
      return conn.getHeaderField("Server");
    } catch (Exception e) {
      return "null";
    }

  }

  String getTitle(String htmlSource) {
    try {
      List<String> list = new ArrayList<String>();
      String title = "";
      Pattern pa = Pattern.compile("<title>.*?</title>");
      Matcher ma = pa.matcher(htmlSource);
      while (ma.find()) {
        list.add(ma.group());
      }
      for (int i = 0; i < list.size(); i++) {
        title = title + list.get(i);
      }
      return title.replaceAll("<.*?>", "");
    } catch (Exception e) {
      return null;
    }
  }

  List<String> getCss(String html, String url, String decode) {
    List<String> cssurl = new ArrayList<String>();
    List<String> csscode = new ArrayList<String>();
    try {

      String title = "";
      Pattern pa = Pattern.compile(".*href=\"(.*)[.]css");
      Matcher ma = pa.matcher(html.toLowerCase());
      while (ma.find()) {
        cssurl.add(ma.group(1) + ".css");
      }

      for (int i = 0; i < cssurl.size(); i++) {
        String cssuuu = url + "/" + cssurl.get(i);
        String csshtml = "<style>"
            + getHtmlContext(getHTTPConn(cssuuu), decode)
            + "</style>";
        csscode.add(csshtml);

      }
    } catch (Exception e) {
      System.out.println("getCss:"+e.getMessage());
    }
    return csscode;

  }

  String getMyIPLocal() throws IOException {
    InetAddress ia = InetAddress.getLocalHost();
    return ia.getHostAddress();
  }%>
<%
  String u = request.getParameter("url");
  String ip = request.getParameter("ip");

  if (u != null) {
    decode = request.getParameter("decode");
    String ref = request.getParameter("referer");
    String cook = request.getParameter("cookie");
    if (ref != null) {
      referer = ref;
    }
    if (cook != null) {
      cookie = cook;
    }
    String html = getHtmlContext(getHTTPConn(u), decode);
    List<String> css = getCss(html, u, decode);
    String csshtml = "";
    if (!html.equals("null")) {

      for (int i = 0; i < css.size(); i++) {
        csshtml += css.get(i);
      }
      out.print(html + csshtml);
    } else {
      response.setStatus(HttpServletResponse.SC_NOT_FOUND);
      out.print("请求失败!");
    }

    return;
  }

  else if (ip != null || u == null) {
    String threadpp = (request.getParameter("thread"));
    if (threadpp != null) {
      thread = Integer.parseInt(threadpp);
      System.out.println(threadpp);
    }
    try {
      try {
        String http = "http://";
        String localIP = getMyIPLocal();
        if (ip != null) {
          localIP = ip;
        }
        String useIP = localIP.substring(0,
            localIP.lastIndexOf(".") + 1);
        final Queue<String> queue = new LinkedBlockingQueue<String>();
        for (int i = 1; i <= 256; i++) {
          String url = http + useIP + i;
          queue.offer(url);
        }
        final JspWriter pw = out;
        ThreadGroup tg = new ThreadGroup("c");
        for (int i = 0; i < thread; i++) {
          new Thread(tg, new Runnable() {
            public void run() {
              while (true) {
                String addr = queue.poll();
                if (addr != null) {
                  System.out.println(addr);
                  HttpURLConnection conn = getHTTPConn(addr);
                  String html = getHtmlContext(conn,
                      decode);
                  String title = getTitle(html);
                  String serverType = getServerType(conn);
                  String status = !html
                      .equals("null") ? "Success"
                      : "Fail";
                  if (html != null
                      && !status.equals("Fail")) {
                    try {
                      pw.println(addr + "  >>  "+ title + ">>"+ serverType+ " >>" + status+ "<br/>");
                    } catch (Exception e) {
                      e.printStackTrace();
                    }
                  }
                } else {
                  return;
                }
              }
            }
          }).start();
        }
        while (tg.activeCount() != 0) {
        }
      } catch (Exception e) {
        e.printStackTrace();
      }
    } catch (Exception e) {
      out.println(e.toString());
    }
  }
%>
参数:
ip [需要探测的ip段]

url [需要请求的地址]

其他参数:

thread [指定线程数]

decode [指定编码]

referer  [伪造referer]

cookie [伪造cookie]

待完善:
1.一个C段,可能有多种编码格式,所以指定一个参数是有问题的。

2.端口可以修改传入一个数组,支持探测多个端口80,8080..

3.代理访问功能并不完善,例如加载js、加载图片、超链接替换成代理访问的链接、表单替换支持真实请求..



对了,其实这个主要是用于偷懒或者内网渗透时,各种代理总是遇到问题出不来。坐等大神写个完善版本的。
(我自己来还得慢慢改。)

PS:很久没写代码,代码渣,多线程还是没学会。看来代码就是得天天写才能熟练。

Link:http://pan.baidu.com/s/1qWDsv3e

本地下载

out.rar

如果您喜欢本博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容:

正文部分到此结束

文章标签: 渗透工具 内网渗透

版权声明:若无特殊注明,本文皆为( mOon )原创,转载请保留文章出处。

也许喜欢: «php内网探测脚本&简单代理访问 | ECSHOP后台注入»

你肿么看?

你还可以输入 250/250 个字

 微笑 大笑 拽 大哭 亲亲 流汗 喷血 奸笑 囧 不爽 晕 示爱 害羞 吃惊 惊叹 爱你 吓死了 呵呵

评论信息框

这篇文章还没有收到评论,赶紧来抢沙发吧~