内网探测脚本(内网代理访问+内网端口扫描) [php+jsp]_html/css_WEB-ITnose


前言: 某些情况下,内网渗透时,代理出不来,工具传上去被杀,总之就是遇到各种问题。而最纠结的是,我已经知道内网哪台机器有洞了..(经验多的大神飘过,如果能解决某些内网渗透时遇到的坑的问题,求分享解决方法..)

功能: 代理访问虽然是个简单的功能,但是我觉得够用了。完全可以用来直接扫描内网其他web服务器的目录,尝试内网其他登陆入口的弱口令,或者直接代理打struts或者其他漏洞。注意:脚本会把被代理页面的 HTML(包括其中的脚本)原样输出到你的浏览器里渲染,代理不可信的目标站点时请使用隔离的浏览器环境。另外脚本本身没有任何认证,能访问到它的人都能把它当成 SSRF/端口扫描跳板,用完务必删除。

web扫描: 其实我觉得用web发现更加贴切,其实有了端口扫描为啥还要这个.(因为之前的代码不想动它了。)

端口扫描: 大家都懂。(此功能问题较多:扫描结果以明文写到网站根目录下的 port.txt,任何能访问该站的人都能直接读到;扫描线程在队列取空之后不会退出而是一直空转;Socket 连接没有设置超时,被过滤的端口会卡到系统默认超时。我觉得如果能使用工具或者代理回来就尽量不使用此脚本进行扫描。)

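<%@ page language="java" pageEncoding="UTF-8" isThreadSafe="false"%>
<%@ page import="java.io.*"%>
<%@ page import="java.net.*"%>
<%@ page import="java.util.*"%>
<%@ page import="java.util.concurrent.LinkedBlockingQueue"%>
<%@ page import="java.util.regex.Matcher"%>
<%@ page import="java.util.regex.Pattern"%>
<%!
    // Internal-network probe: proxied HTTP fetch, /24 web discovery and a TCP port scan,
    // all driven from the forms below.
    //
    // SECURITY: this page has no authentication of its own. Anyone who can request it gets
    // an SSRF / port-scan pivot into whatever this server can reach, and scan results are
    // written to <webroot>/port.txt, which the container serves to anyone as well. Restrict
    // access to the page and delete both files when the engagement is over.

    // Proxy settings taken from the last request. isThreadSafe="false" serialises requests,
    // but the scan worker threads still read these fields concurrently.
    String referer = "";
    String cookie = "";
    String decode = "utf-8";
    int thread = 100;
    String cpath = "";

    static final String USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon;)";
    // Cap per scan request so one form post cannot exhaust the container's thread budget.
    static final int MAX_THREADS = 500;
    // TCP connect timeout for the port scanner; without it a filtered port blocks for the OS default.
    static final int CONNECT_TIMEOUT_MS = 2000;
    // Serialises appends to port.txt from the worker threads.
    static final Object RESULT_LOCK = new Object();

    // Parses the "thread" parameter; falls back to dflt when absent or unparsable and
    // clamps the result to [1, MAX_THREADS].
    int parseThreadCount(String raw, int dflt) {
        int n = dflt;
        if (raw != null) {
            try {
                n = Integer.parseInt(raw.trim());
            } catch (NumberFormatException e) {
                n = dflt;
            }
        }
        return Math.max(1, Math.min(n, MAX_THREADS));
    }

    // Opens a GET connection carrying the proxy's referer/cookie. Returns null for a
    // malformed URL. "Accept-Encoding: gzip" is deliberately NOT sent: HttpURLConnection
    // does not decompress, so a gzipped body would have been read as garbage text.
    HttpURLConnection getHTTPConn(String urlString) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(urlString).openConnection();
            conn.setRequestMethod("GET");
            conn.addRequestProperty("User-Agent", USER_AGENT);
            conn.addRequestProperty("referer", referer);
            conn.addRequestProperty("cookie", cookie);
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(3000);
            return conn;
        } catch (Exception e) {
            return null;
        }
    }

    // Sends a form-encoded POST (with the proxy's referer/cookie, which the old version
    // only sent on GET) and returns the response body. Non-2xx responses throw from
    // getInputStream(), so the error body is returned for those. Returns the literal
    // string "null" when no connection could be opened, matching getHtmlContext().
    String PostData(String urlString, String postString) {
        HttpURLConnection http = null;
        try {
            http = (HttpURLConnection) new URL(urlString).openConnection();
            http.setDoInput(true);
            http.setDoOutput(true);
            http.setUseCaches(false);
            http.setConnectTimeout(50000);
            http.setReadTimeout(50000);
            http.setRequestMethod("POST");
            http.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            http.setRequestProperty("User-Agent", USER_AGENT);
            http.setRequestProperty("referer", referer);
            http.setRequestProperty("cookie", cookie);
            http.connect();
            OutputStreamWriter osw = new OutputStreamWriter(http.getOutputStream(), decode);
            try {
                osw.write(postString);
                osw.flush();
            } finally {
                osw.close();
            }
            return getHtmlByInputStream(http.getInputStream(), decode);
        } catch (Exception e) {
            if (http == null) {
                // openConnection() itself failed; the old code dereferenced http here and NPE'd.
                return "null";
            }
            return getHtmlByInputStream(http.getErrorStream(), decode);
        }
    }

    // Reads a stream as text in charset code, dropping blank lines.
    // Returns "" for a null stream or on any read error.
    String getHtmlByInputStream(InputStream is, String code) {
        if (is == null) {
            return "";
        }
        StringBuilder html = new StringBuilder();
        BufferedReader br = null;
        try {
            br = new BufferedReader(new InputStreamReader(is, code));
            String line;
            while ((line = br.readLine()) != null) {
                if (!line.trim().equals("")) {
                    html.append(line).append("\n");
                }
            }
        } catch (Exception e) {
            System.out.print(e.getMessage());
        } finally {
            if (br != null) {
                try {
                    br.close();
                } catch (IOException ignored) {
                    // nothing useful to do with a failed close
                }
            }
        }
        return html.toString();
    }

    // Fetches the body of conn (the error body too when isError is set). Returns the literal
    // string "null" on failure; callers compare against that rather than against Java null.
    String getHtmlContext(HttpURLConnection conn, String decode, boolean isError) {
        String code = (decode != null) ? decode : "utf-8";
        if (conn == null) {
            return "null";
        }
        try {
            return getHtmlByInputStream(conn.getInputStream(), code);
        } catch (Exception e) {
            if (isError) {
                try {
                    return getHtmlByInputStream(conn.getErrorStream(), code);
                } catch (Exception e1) {
                    System.out.println("getHtmlContext2:" + e1.getMessage());
                }
            }
            System.out.println("getHtmlContext:" + e.getMessage());
            return "null";
        }
    }

    // Server response header, or "null" when there is no usable connection.
    String getServerType(HttpURLConnection conn) {
        try {
            return conn.getHeaderField("Server");
        } catch (Exception e) {
            return "null";
        }
    }

    // Text of every <title> element (tags stripped, any case); "" when there is none.
    String getTitle(String htmlSource) {
        try {
            StringBuilder title = new StringBuilder();
            Matcher ma = Pattern.compile("<title>.*?</title>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL)
                    .matcher(htmlSource);
            while (ma.find()) {
                title.append(ma.group());
            }
            return title.toString().replaceAll("<.*?>", "");
        } catch (Exception e) {
            return null;
        }
    }

    // Fetches each stylesheet the page links and returns it wrapped in <style> so the proxied
    // page renders. hrefs are resolved against url with java.net.URL; the old code concatenated
    // url + "/" + href, which also mangled absolute hrefs.
    List<String> getCss(String html, String url, String decode) {
        List<String> csscode = new ArrayList<String>();
        try {
            URL base = new URL(url);
            Matcher ma = Pattern.compile("href=[\"']([^\"']*[.]css[^\"']*)[\"']", Pattern.CASE_INSENSITIVE)
                    .matcher(html);
            while (ma.find()) {
                String cssUrl = new URL(base, ma.group(1)).toString();
                csscode.add("<style>" + getHtmlContext(getHTTPConn(cssUrl), decode, false) + "</style>");
            }
        } catch (Exception e) {
            System.out.println("getCss:" + e.getMessage());
        }
        return csscode;
    }

    // TCP connect probe of "host:port". Open ports are appended to port.txt. The connect is
    // bounded by CONNECT_TIMEOUT_MS and the socket is always closed (the old code leaked it).
    boolean getHostPort(String task) {
        int sep = task.lastIndexOf(':');
        if (sep <= 0) {
            return false;
        }
        Socket client = new Socket();
        try {
            String host = task.substring(0, sep);
            int port = Integer.parseInt(task.substring(sep + 1).trim());
            client.connect(new InetSocketAddress(host, port), CONNECT_TIMEOUT_MS);
            System.out.println("getHostPort:" + task);
            saveScanReslt2(task + " >>> Open\r\n");
            return true;
        } catch (Exception e) {
            return false;
        } finally {
            try {
                client.close();
            } catch (IOException ignored) {
                // nothing useful to do with a failed close
            }
        }
    }

    // Records the directory that port.txt is written under.
    void getPath(String path) {
        cpath = path;
    }

    // Appends content to <cpath>/port.txt. Serialised on RESULT_LOCK because every scan
    // worker calls it concurrently. The file lives in the web root, so anyone who can
    // reach the server can read it.
    void saveScanReslt2(String content) {
        synchronized (RESULT_LOCK) {
            FileWriter writer = null;
            try {
                writer = new FileWriter(cpath + "/port.txt", true);
                writer.write(content);
            } catch (IOException e) {
                System.out.print(e.getLocalizedMessage());
            } finally {
                if (writer != null) {
                    try {
                        writer.close();
                    } catch (IOException e) {
                        System.out.print(e.getLocalizedMessage());
                    }
                }
            }
        }
    }

    // Renders port.txt as HTML lines, or null when it cannot be read (no scan yet). Uses a
    // local buffer: the old code accumulated into a servlet field, so every page load
    // re-appended the whole file and the result grew without bound.
    String readPortResult(String portfile) {
        StringBuilder s = new StringBuilder("Result:<br/>");
        BufferedReader reader = null;
        try {
            reader = new BufferedReader(new FileReader(portfile));
            String line;
            while ((line = reader.readLine()) != null) {
                s.append(line).append("<br/>");
            }
        } catch (IOException e) {
            return null;
        } finally {
            if (reader != null) {
                try {
                    reader.close();
                } catch (IOException ignored) {
                    // content is already read; a failed close is not worth hiding it
                }
            }
        }
        return s.toString();
    }
%>
<html>
<head><title>内网简单扫描脚本</title></head>
<body>
<script>
    function showDiv(obj) {
        var ids = ["proxy", "web", "port"];
        for (var i = 0; i < ids.length; i++) {
            document.getElementById(ids[i]).style.display = (ids[i] == obj) ? "block" : "none";
        }
    }
</script>
<p>
    <a href="javascript:void(0);" onclick="showDiv('proxy');" style="margin-left: 32px;">代理访问</a>
    <a href="javascript:void(0);" onclick="showDiv('web');" style="margin-left: 32px;">Web扫描</a>
    <a href="javascript:void(0);" onclick="showDiv('port');" style="margin-left: 32px;">端口扫描</a>
</p>
<div id="proxy" style="border:1px solid #999;padding:3px;margin-left:30px;width: 95%;height: 32%;display:block;">
    <form action="" method="POST" style="margin-left: 50px;">
        <p>Url:<input name="url" value="http://127.0.0.1:8080" style="width: 380px;" /></p>
        <p>
            Method:<select name="method">
                <option value="GET">GET</option>
                <option value="POST">POST</option>
            </select>
            Decode:<select name="decode">
                <option value="utf-8">utf-8</option>
                <option value="gbk">gbk</option>
            </select>
        </p>
        <p>
            <!-- POST body; only sent to the target when Method is POST -->
            <textarea name="post" cols=40 rows=4>username=admin&password=admin</textarea>
            <!-- Cookie header for the proxied request. This was a second field named "post",
                 so the scriptlet (which reads "cookie") never saw it. -->
            <textarea name="cookie" cols=40 rows=4>SESSION=d89de9c2b4e2395ee786f1185df21f2c51438059222</textarea>
        </p>
        <p>Referer:<input name="referer" value="http://www.baidu.com" style="width: 380px;" /></p>
        <p><input type="submit" value="Request" /></p>
    </form>
</div>
<div id="web" style="border:1px solid #999;padding:3px;margin-left:30px;width: 95%;height: 32%; display:none;">
    <form action="" method="POST" style="margin-left: 50px;">
        <p>IP:<input name="ip" value="127.0.0.1"></p>
        <p>Port:<input name="port" value="80,8080,8081,8088"></p>
        <input type="submit" value="Scan">
    </form>
</div>
<div id="port" style="border:1px solid #999;padding:3px;margin-left:30px;width: 95%;height: 32%; display:none;">
    <form action="" method="POST" style="margin-left: 50px;">
        <p>IP:<input name="scanip" value="192.168.12.1">-<input name="scanip2" value="192.168.12.10"></p>
        <p>Port:<input name="scanport" value="21,80,135,443,1433,1521,3306,3389,8080,27017" style="width: 300px;"></p>
        <p>Thread:<input name="thread" value="100" style="width: 30px;"></p>
        <input type="submit" value="Scan">
    </form>
</div>
<br />
<%
    // Previous scan results (the port scan runs in the background and only writes the file).
    String portFile = application.getRealPath("/") + "/port.txt";
    String result = readPortResult(portFile);
    if (result != null) {
        out.println(result);
    } else {
        out.println("如果你进行了端口扫描操作,那么这里将会显示扫描结果!<br/>");
    }

    String div1 = "<div style=\"border:1px solid #999;padding:3px;margin-left:30px;width:95%;height:90%;\">";
    String div2 = "</div>";
    String u = request.getParameter("url");
    String ip = request.getParameter("ip");
    String scanip = request.getParameter("scanip");

    if (u != null) {
        // ---- proxied request ----
        String post = request.getParameter("post");
        String method = request.getParameter("method");
        String dec = request.getParameter("decode");
        String ref = request.getParameter("referer");
        String cook = request.getParameter("cookie");
        // Rewritten links come back as bare "?url=" requests; keep the previous settings then.
        if (dec != null && !dec.trim().equals("")) {
            decode = dec;
        }
        if (ref != null) {
            referer = ref;
        }
        if (cook != null) {
            cookie = cook;
        }
        // The Method select used to be ignored: the form always sends "post", so every form
        // request went out as a POST. Honour GET when it is selected; requests without a
        // method parameter keep the old rule (POST whenever a body is present).
        boolean doPost = post != null && (method == null || "POST".equalsIgnoreCase(method));
        String html = doPost ? PostData(u, post) : getHtmlContext(getHTTPConn(u), decode, true);
        if (html == null || html.equals("null")) {
            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
            out.print("请求失败!");
        } else {
            // Stylesheets must be collected before the links are rewritten; afterwards their
            // hrefs already point back at this page and the old code fetched nonsense URLs.
            List<String> css = getCss(html, u, decode);

            // Route relative links back through this page. The page path comes from the
            // request instead of a hard-coded "netspy.jsp"; the target is resolved against
            // the fetched URL and URL-encoded (a '&' in it would otherwise split our query);
            // quoteReplacement() keeps a '$' or '\' in the URL from corrupting the replacement.
            String basePath = request.getScheme() + "://" + request.getServerName() + ":"
                    + request.getServerPort() + request.getContextPath() + request.getServletPath() + "?url=";
            Matcher lm = Pattern.compile("href=(['\"])(?!https?:|javascript:|#)([^'\"]*)\\1",
                    Pattern.CASE_INSENSITIVE).matcher(html);
            StringBuffer rewritten = new StringBuffer();
            while (lm.find()) {
                String target;
                try {
                    target = new URL(new URL(u), lm.group(2)).toString();
                } catch (MalformedURLException e) {
                    target = u + lm.group(2);
                }
                lm.appendReplacement(rewritten,
                        Matcher.quoteReplacement("href=\"" + basePath + URLEncoder.encode(target, "UTF-8") + "\""));
            }
            lm.appendTail(rewritten);
            html = rewritten.toString();

            StringBuilder csshtml = new StringBuilder();
            for (String c : css) {
                csshtml.append(c);
            }
            // NOTE: the fetched page is rendered as-is in the operator's browser, scripts
            // included. A hostile target can run JavaScript in this page's origin; use a
            // throwaway browser profile when proxying anything you do not control.
            out.print(div1 + html + csshtml + div2);
        }
    } else if (ip != null) {
        // ---- /24 web discovery: GET every host in ip's /24 on each port, list the responders ----
        thread = parseThreadCount(request.getParameter("thread"), thread);
        String portParam = request.getParameter("port");
        if (portParam == null || portParam.trim().equals("")) {
            out.println("port is required<br/>");
        } else {
            final String[] port = portParam.split(",");
            final String prefix = "http://" + ip.substring(0, ip.lastIndexOf(".") + 1);
            final Queue<String> queue = new LinkedBlockingQueue<String>();
            for (int i = 1; i <= 255; i++) {   // the old loop went to 256, which is not a valid octet
                for (int j = 0; j < port.length; j++) {
                    queue.offer(prefix + i + ":" + port[j].trim());
                }
            }
            final JspWriter pw = out;
            final String dec = decode;
            List<Thread> workers = new ArrayList<Thread>();
            for (int i = 0; i < thread; i++) {
                Thread t = new Thread(new Runnable() {
                    public void run() {
                        String addr;
                        while ((addr = queue.poll()) != null) {
                            HttpURLConnection conn = getHTTPConn(addr);
                            String html = getHtmlContext(conn, dec, false);
                            if (html.equals("null")) {
                                continue;
                            }
                            String line = addr + "  >>  " + getTitle(html) + ">>" + getServerType(conn)
                                    + " >>Success<br/>";
                            synchronized (pw) {   // JspWriter is not thread-safe
                                try {
                                    pw.println(line);
                                } catch (Exception e) {
                                    e.printStackTrace();
                                }
                            }
                        }
                    }
                });
                t.setDaemon(true);
                workers.add(t);
                t.start();
            }
            // Wait for the workers instead of spinning on ThreadGroup.activeCount().
            for (Thread t : workers) {
                try {
                    t.join();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    break;
                }
            }
        }
    } else if (scanip != null) {
        // ---- TCP port scan of scanip..scanip2 (last-octet range), run in the background ----
        getPath(application.getRealPath("/"));
        int workerCount = parseThreadCount(request.getParameter("thread"), thread);
        String scanip2 = request.getParameter("scanip2");
        String scanport = request.getParameter("scanport");
        int start = 0;
        int end = -1;
        boolean rangeOk = scanip2 != null && scanport != null && !scanport.trim().equals("");
        if (rangeOk) {
            try {
                start = Integer.parseInt(scanip.substring(scanip.lastIndexOf(".") + 1).trim());
                end = Integer.parseInt(scanip2.substring(scanip2.lastIndexOf(".") + 1).trim());
            } catch (NumberFormatException e) {
                rangeOk = false;
            }
        }
        if (!rangeOk) {
            out.println("scanip, scanip2 and scanport are required and the last octets must be numbers<br/>");
        } else {
            final String[] port = scanport.split(",");
            final String prefix = scanip.substring(0, scanip.lastIndexOf(".") + 1);
            final Queue<String> queue = new LinkedBlockingQueue<String>();
            for (int i = start; i <= end; i++) {
                for (int j = 0; j < port.length; j++) {
                    queue.offer(prefix + i + ":" + port[j].trim());
                }
            }
            System.out.print("Count1:" + queue.size());
            for (int i = 0; i < workerCount; i++) {
                Thread t = new Thread(new Runnable() {
                    public void run() {
                        // Exit once the queue is drained. The old loop never returned on an
                        // empty poll(), leaving `thread` busy-spinning threads in the
                        // container after every scan.
                        String task;
                        while ((task = queue.poll()) != null) {
                            getHostPort(task);
                        }
                    }
                });
                t.setDaemon(true);
                t.start();
            }
            out.println("扫描线程已经开始,请查看" + cpath + "/port.txt文件或者直接刷新本页面!");
        }
    }
%>
</body>
</html>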

前些天看到wooyun社区有人发的jsp内网探测脚本,可以内网代理访问和内网端口扫描。但是却没找到php的既能代理内网,又能扫描内网端口的的脚本。所以我写了这个集合版本的php内网探测脚本。

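<?php
set_time_limit(0);          // a range scan can run for a long time
ob_implicit_flush(true);    // stream results to the browser as they are found
ob_end_flush();

// SECURITY: this script has no authentication. Anyone who can reach it gets an
// SSRF proxy (?url=) and a port scanner into the network behind this host.
// Protect the URL and delete the file when the engagement is over.

$url = isset($_REQUEST['url']) ? $_REQUEST['url'] : null;

/* ---------------- port scan ---------------- */

// TCP connect probe. $timeout is in seconds (fractions allowed). True when the port accepts.
function check_port($ip, $port, $timeout = 0.1) {
    $conn = @fsockopen($ip, (int)$port, $errno, $errstr, $timeout);
    if ($conn) {
        fclose($conn);
        return true;
    }
    return false;
}

// Probes every port in $portarr on $ip and prints the open ones as they are found.
function scanip($ip, $timeout, $portarr) {
    foreach ($portarr as $port) {
        // The original called check_port($ip,$port,$timeout=0.1), which reassigns
        // $timeout to 0.1 on every call, so the form's Timeout field was silently ignored.
        if (check_port($ip, $port, $timeout)) {
            echo 'Port: ' . htmlspecialchars($port) . ' is open<br/>';
            @ob_flush(); @flush();
        }
    }
}

// Timeout default lowered from 10 to 1: now that the field is honoured, 10 s per
// filtered port would make a /24 scan take hours.
echo '<html><form action="" method="post">'
   . '<input type="text" name="startip" value="Start IP" />'
   . '<input type="text" name="endip" value="End IP" />'
   . '<input type="text" name="port" value="80,8080,8888,1433,3306" />'
   . 'Timeout<input type="text" name="timeout" value="1" /><br/>'
   . '<button type="submit" name="submit">Scan</button></form></html>';

if (isset($_POST['startip'], $_POST['endip'], $_POST['port'], $_POST['timeout'])) {
    $startip = trim($_POST['startip']);
    $endip   = trim($_POST['endip']);
    $timeout = (float)$_POST['timeout'];
    if ($timeout <= 0) {
        $timeout = 0.1;
    }
    $portarr = array_filter(array_map('trim', explode(',', $_POST['port'])), 'strlen');
    $siparr  = explode('.', $startip);
    $eiparr  = explode('.', $endip);
    $start   = ip2long($startip);
    $end     = ip2long($endip);
    // Same sanity rule as before: both ends must be valid dotted quads inside the same /16.
    if ($start === false || $end === false || $siparr[0] != $eiparr[0] || $siparr[1] != $eiparr[1]) {
        exit('IP error: Wrong IP address or Trying to scan class A address');
    }
    if ($end < $start) {
        exit('IP error: End IP is lower than Start IP');
    }
    // Inclusive walk via ip2long/long2ip. The hand-rolled octet arithmetic it replaces
    // skipped the end address whenever its last octet was 255.
    for ($cur = $start; $cur <= $end; $cur++) {
        $ip = long2ip($cur);
        echo '<br/>Scanning IP ' . $ip . '<br/>';
        @ob_flush(); @flush();
        scanip($ip, $timeout, $portarr);
    }
    exit();
}

/* ---------------- proxy ---------------- */

$header = array();   // response header lines of the most recent getHtmlContext() fetch

// Value of a response header from the last fetch (case-insensitive), '' when absent.
// The original called getHeader() without ever defining it, so every 302 was a fatal error.
function getHeader($name) {
    global $header;
    foreach ($header as $line) {
        $pos = strpos($line, ':');
        if ($pos !== false && strcasecmp(trim(substr($line, 0, $pos)), $name) === 0) {
            return trim(substr($line, $pos + 1));
        }
    }
    return '';
}

// Fetches $url with cURL, following up to $maxRedirects 301/302 responses by hand so that
// relative Location values can be resolved. Returns the body, or NULL on any failure or a
// non-200 final status.
function getHtmlContext($url, $maxRedirects = 5) {
    global $header;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, true);          // headers are needed for Location
    curl_setopt($ch, CURLOPT_NOBODY, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 120);
    $result     = curl_exec($ch);
    $code       = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    curl_close($ch);
    if ($result === false) {
        return NULL;
    }
    $header = explode("\r\n", substr($result, 0, $headerSize));
    $body   = substr($result, $headerSize);
    if ($code == 200) {
        return $body;
    }
    if (($code == 301 || $code == 302) && $maxRedirects > 0) {
        $location = getHeader('Location');
        if ($location === '') {
            return NULL;
        }
        // Only prefix the host for relative redirects. The original tested
        // strpos(...) == false, which is also true at offset 0, i.e. for absolute URLs.
        if (strpos($location, 'http://') !== 0 && strpos($location, 'https://') !== 0) {
            $location = getHost($url) . '/' . ltrim($location, '/');
        }
        return getHtmlContext($location, $maxRedirects - 1);
    }
    return NULL;
}

// Scheme + host(:port) of $url, e.g. "http://10.0.0.5:8080" (no trailing slash).
function getHost($url) {
    preg_match("/^(https?:\/\/)?([^\/]+)/i", $url, $matches);
    return $matches[0];
}

// Appends every linked stylesheet inline as <style> so the proxied page renders.
function getCss($host, $html) {
    if ($html === NULL) {
        return '';
    }
    preg_match_all("/<link[\s\S]*?href=['\"](.*?[.]css.*?)[\"'][\s\S]*?>/i", $html, $matches);
    foreach ($matches[1] as $v) {
        $cssurl = $v;
        // Relative href only; the original's "== false" test also prefixed absolute hrefs.
        if (strpos($v, 'http://') !== 0 && strpos($v, 'https://') !== 0) {
            $cssurl = $host . '/' . ltrim($v, '/');
        }
        $css = @file_get_contents($cssurl);
        if ($css !== false) {
            $html .= '<style>' . $css . '</style>';
        }
    }
    return $html;
}

if ($url != null) {
    // NOTE: the target's HTML (scripts included) is echoed straight into your browser.
    $host = getHost($url);
    echo getCss($host, getHtmlContext($url));
}
?>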

用法:

1、端口扫描部分:

填好起始ip、结束ip、自定义端口、超时等,点击扫描即可,十分方便

2、内网代理部分:直接在文件后面加url参数,注意这里要带着http协议,不然可能css加载不完。另外脚本里 getHost 的正则和 strpos 判断都只认 http://,https 目标不会被正确处理;代理回来的页面会原样在你的浏览器里渲染,目标不可信时请用隔离的浏览器环境。

from

http://jeary.org/post-69.html

http://www.answ.cc/?post=18

标签:端口扫描, 内网 , 代理 , 端口
