jsp内网探测脚本&简单代理访问

jeary ((:‮?办么怎,了多越来越法方象抽的我)) | 2015-09-09 19:06

直接上图:

jsp.jpg

jsp2.jpg

jsp4.jpg

jsp5.jpg

..

1.直接访问默认扫描当前IP的C段,获取标题、web容器.

2.可以自定义传入需要扫描的段,传入参数ip即可

3.代理访问参数为url,可简单的访问内网的web,对了,我还加载了网站里的css,做到尽量看上去和直接访问的效果一样

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>

<%@ page isThreadSafe="false"%>

<%@page import="java.io.PrintWriter"%>

<%@page import="java.io.OutputStreamWriter"%>

<%@page import="java.util.regex.Matcher"%>

<%@page import="java.io.IOException"%>

<%@page import="java.net.InetAddress"%>

<%@page import="java.util.regex.Pattern"%>

<%@page import="java.net.HttpURLConnection"%>

<%@page import="java.util.concurrent.LinkedBlockingQueue"%>

<%!final static List<String> list = new ArrayList<String>(); // declared here but never read in this page

  // NOTE(review): JSP declarations become members of the generated servlet, so the
  // four fields below are shared by every request served by this page instance.
  // They are overwritten from the "referer", "cookie", "decode" and "thread" request
  // parameters in the scriptlet and are not reset afterwards, so a value set by one
  // request is still in effect for the next one that does not supply the parameter.
  String referer = "";

  String cookie = "";

  String decode = "utf-8";

  int thread = 100; // default worker count for the sweep; request-controlled, no upper bound

  // Builds an (unconnected) GET request for urlString with fixed headers and 3 s
  // connect/read timeouts; returns null on any failure, including a malformed URL.
  // No scheme, host or port restriction is applied here: whatever value reaches this
  // method from the "url"/"ip" parameters is what this server will connect to.
  HttpURLConnection getHTTPConn(String urlString) {

    try {

      java.net.URL url = new java.net.URL(urlString);

      java.net.HttpURLConnection conn = (java.net.HttpURLConnection) url

          .openConnection();

      conn.setRequestMethod("GET");

      // Fixed, dated User-Agent on every outbound request — a stable string to look
      // for in the access logs of the hosts that were contacted.
      conn.addRequestProperty("User-Agent",

          "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon;)");

      // gzip is advertised, but getHtmlContext() reads the body without any decompression.
      conn.addRequestProperty("Accept-Encoding", "gzip");

      // Page-level fields, filled from the "referer"/"cookie" request parameters.
      conn.addRequestProperty("referer", referer);

      conn.addRequestProperty("cookie", cookie);

      //conn.setInstanceFollowRedirects(false);

      conn.setConnectTimeout(3000);

      conn.setReadTimeout(3000);

      return conn;

    } catch (Exception e) {

      // Swallowed: callers get null. getHtmlContext() then fails on conn.getInputStream()
      // inside its own catch and reports the "null" sentinel.
      return null;

    }

  }

  HttpURLConnection conn; // unused: every method below receives its connection as a parameter

  // Reads the whole response body of conn as text (charset decode, utf-8 when null),
  // drops blank lines and joins the rest with "\n". Any failure — a null conn, an
  // unknown charset name, an error status from getInputStream(), a timeout — is
  // logged to the container's stdout and reported as the literal string "null".
  // Callers test for that sentinel with .equals("null"), so a body that really
  // consists of the text "null" is indistinguishable from a failed request.
  String getHtmlContext(HttpURLConnection conn, String decode) {

    Map<String, Object> result = new HashMap<String, Object>(); // unused

    try {

      String code = "utf-8";

      if (decode != null) {

        code = decode;

      }

      StringBuffer html = new StringBuffer();

      // The raw stream is wrapped directly: no gzip decoding and no size limit on
      // what is buffered into memory.
      java.io.InputStreamReader isr = new java.io.InputStreamReader(

          conn.getInputStream(), code);

      java.io.BufferedReader br = new java.io.BufferedReader(isr);

      String temp;

      while ((temp = br.readLine()) != null) {

        if (!temp.trim().equals("")) {

          html.append(temp).append("\n");

        }

      }

      // Closed only on the success path; an exception above leaks both readers.
      br.close();

      isr.close();

      return html.toString();

    } catch (Exception e) {

      // Written to stdout (e.g. the container log), never to the HTTP response.
      System.out.println("getHtmlContext:"+e.getMessage());

      return "null";

    }

  }

  // Returns the raw "Server" response header of conn. A missing header yields null
  // (HttpURLConnection's own result), whereas a null conn or any other failure
  // yields the string "null" — the same sentinel getHtmlContext() uses.
  String getServerType(HttpURLConnection conn) {
    String server;
    try {
      server = conn.getHeaderField("Server");
    } catch (Exception ignored) {
      // A null conn ends up here; report the sentinel rather than propagate.
      server = "null";
    }
    return server;
  }

  // Concatenates the text of every <title>…</title> element in htmlSource (lower-case
  // tags only; a title spanning a line break is not matched) with any remaining tags
  // stripped. Returns "" when there is no match and null when htmlSource is null or
  // matching fails for any other reason.
  String getTitle(String htmlSource) {
    try {
      Matcher titleMatcher = Pattern.compile("<title>.*?</title>").matcher(htmlSource);
      StringBuilder joined = new StringBuilder();
      while (titleMatcher.find()) {
        joined.append(titleMatcher.group());
      }
      return joined.toString().replaceAll("<.*?>", "");
    } catch (Exception e) {
      return null;
    }
  }

  // Collects the stylesheet references found in html and returns each one inlined as a
  // "<style>…</style>" string, in document order. The fetched page's own content decides
  // which URLs this server requests next (one outbound request per match), so the number
  // of follow-up requests is controlled by whoever serves the page at url.
  List<String> getCss(String html, String url, String decode) {

    List<String> cssurl = new ArrayList<String>();

    List<String> csscode = new ArrayList<String>();

    try {

      String title = ""; // unused

      // Greedy capture on a lower-cased copy: on a line with several href="…" attributes
      // the group runs from the first href to the last ".css" on that line.
      Pattern pa = Pattern.compile(".*href=\"(.*)[.]css");

      Matcher ma = pa.matcher(html.toLowerCase());

      while (ma.find()) {

        cssurl.add(ma.group(1) + ".css");

      }

      for (int i = 0; i < cssurl.size(); i++) {

        // Always url + "/" + href, so absolute or root-relative hrefs give a target that
        // presumably does not resolve — verify; a failed fetch inlines the "null" sentinel.
        String cssuuu = url + "/" + cssurl.get(i);

        String csshtml = "<style>"

            + getHtmlContext(getHTTPConn(cssuuu), decode)

            + "</style>";

        csscode.add(csshtml);

      }

    } catch (Exception e) {

      // A null html fails at toLowerCase() above and lands here with an empty result.
      System.out.println("getCss:"+e.getMessage());

    }

    // Whatever was collected before an exception is still returned.
    return csscode;

  }

  // Dotted address of this host as resolved by InetAddress.getLocalHost(); the sweep
  // below derives its default /24 prefix from it when no "ip" parameter is supplied.
  String getMyIPLocal() throws IOException {
    return InetAddress.getLocalHost().getHostAddress();
  }%>

<%
  // Dispatch on two request parameters. No authentication or authorization check
  // appears anywhere in this page, so both modes below are reachable by any client
  // that can reach the JSP; the User-Agent set in getHTTPConn() and the stdout
  // prints below are the host-side traces such a request leaves.
  String u = request.getParameter("url");

  String ip = request.getParameter("ip");

  // Mode 1 — fetch-and-echo: this server requests u and writes the body into this response.
  if (u != null) {

    // Page-level fields overwritten per request and kept for later requests;
    // decode may become null here, which getHtmlContext() treats as utf-8.
    decode = request.getParameter("decode");

    String ref = request.getParameter("referer");

    String cook = request.getParameter("cookie");

    if (ref != null) {

      referer = ref;

    }

    if (cook != null) {

      cookie = cook;

    }

    String html = getHtmlContext(getHTTPConn(u), decode);

    // Triggers one further outbound request per stylesheet referenced in html.
    List<String> css = getCss(html, u, decode);

    String csshtml = "";

    if (!html.equals("null")) {

      for (int i = 0; i < css.size(); i++) {

        csshtml += css.get(i);

      }

      // Emitted verbatim: any markup or script in the fetched page is now served
      // from this server's origin.
      out.print(html + csshtml);

    } else {

      response.setStatus(HttpServletResponse.SC_NOT_FOUND);

      out.print("请求失败!");

    }

    return;

  }

  // u == null is always true at this point, so this branch handles every request
  // without a "url" parameter — including a bare request with no parameters, which
  // sweeps this server's own /24.
  else if (ip != null || u == null) {

    String threadpp = (request.getParameter("thread"));

    if (threadpp != null) {

      // Not bounded and not inside the try below: a non-numeric value throws
      // NumberFormatException out of the page, and a large value creates that many
      // threads further down.
      thread = Integer.parseInt(threadpp);

      System.out.println(threadpp);

    }

    try {

      try {

        String http = "http://";

        String localIP = getMyIPLocal();

        if (ip != null) {

          localIP = ip;

        }

        // Keeps "a.b.c." as the prefix; a value without any '.' gives an empty prefix.
        String useIP = localIP.substring(0,

            localIP.lastIndexOf(".") + 1);

        final Queue<String> queue = new LinkedBlockingQueue<String>();

        // 256 targets, .1 through .256 — .256 is not a valid last octet.
        for (int i = 1; i <= 256; i++) {

          String url = http + useIP + i;

          queue.offer(url);

        }

        // Shared with all workers; JspWriter makes no thread-safety promise, so the
        // interleaving of the println() calls below depends on the container — verify.
        final JspWriter pw = out;

        ThreadGroup tg = new ThreadGroup("c");

        // Raw threads (no executor, no daemon flag), `thread` of them, each draining
        // the shared queue until poll() returns null.
        for (int i = 0; i < thread; i++) {

          new Thread(tg, new Runnable() {

            public void run() {

              while (true) {

                String addr = queue.poll();

                if (addr != null) {

                  // Every probed address is written to the container's stdout.
                  System.out.println(addr);

                  HttpURLConnection conn = getHTTPConn(addr);

                  String html = getHtmlContext(conn,

                      decode);

                  String title = getTitle(html);

                  String serverType = getServerType(conn);

                  // Derived from the "null" sentinel, not from the HTTP status code.
                  String status = !html

                      .equals("null") ? "Success"

                      : "Fail";

                  // html != null is always true: getHtmlContext() never returns null.
                  if (html != null

                      && !status.equals("Fail")) {

                    try {

                      // One line per responding host: addr, title, Server header, status.
                      pw.println(addr + "  >>  "+ title + ">>"+ serverType+ " >>" + status+ "<br/>");

                    } catch (Exception e) {

                      e.printStackTrace();

                    }

                  }

                } else {

                  return;

                }

              }

            }

          }).start();

        }

        // Busy-wait (no join): spins a CPU core until every worker has exited.
        while (tg.activeCount() != 0) {

        }

      } catch (Exception e) {

        // Stack trace to stdout, nothing to the client.
        e.printStackTrace();

      }

    } catch (Exception e) {

      // Only reachable if the inner handler itself throws; then the exception text
      // is written into the response.
      out.println(e.toString());

    }

  }

%>


参数:

ip [需要探测的ip段]

url [需要请求的地址]

其他参数:

thread [指定线程数]

decode [指定编码]

referer  [伪造referer]

cookie [伪造cookie]

待完善:

1.一个C段,可能有多种编码格式,所以指定一个参数是有问题的。

2.端口可以修改传入一个数组,支持探测多个端口80,8080..

3.代理访问功能并不完善,例如加载js、加载图片、超链接替换成代理访问的链接、表单替换支持真实请求..

对了,其实这个主要是用于偷懒或者内网渗透时,各种代理总是遇到问题出不来。坐等大神写个完善版本的。

(我自己来还得慢慢改。)

PS:很久没写代码,代码渣,多线程还是没学会。看来代码就是得天天写才能熟练。

Link:http://pan.baidu.com/s/1qWDsv3e