内网探测脚本(内网代理访问+内网端口扫描) [php+jsp]

发布时间:April 2, 2016 // 分类:工作日志,PHP,运维工作,转帖文章,python // No Comments

前言: 某些情况下,内网渗透时,代理出不来,工具传上去被杀,总之就是遇到各种问题。而最过纠结的时,我已经知道内网哪台机器有洞了..(经验多的大神飘过,如果能解决某些内网渗透时遇到的坑的问题,求分享解决方法..)

功能: 代理访问虽然是个简单的功能,但是我觉得够用了。完全可以用来直接扫描内网其他web服务器的目录,尝试内网其其他登陆入口的弱口令,或者直接代理打struts或者其他漏洞。

web扫描: 其实我觉得用web发现更加贴切,其实有了端口扫描为啥还要这个.(因为之前的代码不想动它了。)

端口扫描: 大家都懂。(此功能问题较多,我觉得如果能使用工具或者代理回来就尽量不使用此脚本进行扫描。)

<%@page import="java.io.File"%>
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ page isThreadSafe="false"%>
<%@page import="java.net.*"%>
<%@page import="java.io.PrintWriter"%>
<%@page import="java.io.BufferedReader"%>
<%@page import="java.io.FileReader"%>
<%@page import="java.io.FileWriter"%>
<%@page import="java.io.OutputStreamWriter"%>
<%@page import="java.util.regex.Matcher"%>
<%@page import="java.io.IOException"%>
<%@page import="java.net.InetAddress"%>
<%@page import="java.util.regex.Pattern"%>
<%@page import="java.net.HttpURLConnection"%>
<%@page import="java.util.concurrent.LinkedBlockingQueue"%>


<%!final static List<String> list = new ArrayList<String>();
    String referer = "";
    String cookie = "";
    String decode = "utf-8";
    int thread = 100;
    //final static List<String> scanportlist = new ArrayList<String>();
    String cpath="";

    //建立一个HTTP连接
    HttpURLConnection getHTTPConn(String urlString) {
        try {
            java.net.URL url = new java.net.URL(urlString);
            java.net.HttpURLConnection conn = (java.net.HttpURLConnection) url
                    .openConnection();
            conn.setRequestMethod("GET");
            conn.addRequestProperty("User-Agent",
                    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon;)");
            conn.addRequestProperty("Accept-Encoding", "gzip");
            conn.addRequestProperty("referer", referer);
            conn.addRequestProperty("cookie", cookie);
            //conn.setInstanceFollowRedirects(false);
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(3000);

            return conn;
        } catch (Exception e) {
            return null;
        }
    }

    String PostData(String urlString, String postString) {
        HttpURLConnection http = null;
        String response = null;
        try {
            java.net.URL url = new java.net.URL(urlString);
            http = (HttpURLConnection) url.openConnection();
            http.setDoInput(true);
            http.setDoOutput(true);
            http.setUseCaches(false);
            http.setConnectTimeout(50000);
            http.setReadTimeout(50000);
            http.setRequestMethod("POST");
            http.setRequestProperty("Content-Type",
                    "application/x-www-form-urlencoded");
            http.connect();
            OutputStreamWriter osw = new OutputStreamWriter(
                    http.getOutputStream(), decode);
            osw.write(postString);
            osw.flush();
            osw.close();
            response = getHtmlByInputStream(http.getInputStream(), decode);
        } catch (Exception e) {
            response = getHtmlByInputStream(http.getErrorStream(), decode);
        }
        return response;
    }

    HttpURLConnection conn;

    //从输入流中读取源码
    String getHtmlByInputStream(java.io.InputStream is, String code) {
        StringBuffer html = new StringBuffer();
        try {

            java.io.InputStreamReader isr = new java.io.InputStreamReader(is,
                    code);
            java.io.BufferedReader br = new java.io.BufferedReader(isr);
            String temp;
            while ((temp = br.readLine()) != null) {
                if (!temp.trim().equals("")) {
                    html.append(temp).append("\n");
                }
            }
            br.close();
            isr.close();
        } catch (Exception e) {
            System.out.print(e.getMessage());
        }

        return html.toString();
    }

    //获取HTML源码
    String getHtmlContext(HttpURLConnection conn, String decode,boolean isError) {
        Map<String, Object> result = new HashMap<String, Object>();
        String code = "utf-8";
        if (decode != null) {
            code = decode;
        }
        try {
            return getHtmlByInputStream(conn.getInputStream(), code);
        } catch (Exception e) {
            try {
            if(isError){
               return getHtmlByInputStream(conn.getErrorStream(), code);
            }
            } catch (Exception e1) {
                System.out.println("getHtmlContext2:" + e.getMessage());
            }
            System.out.println("getHtmlContext:" + e.getMessage());
            return "null";
        }
    }

    //获取Server头
    String getServerType(HttpURLConnection conn) {
        try {
            return conn.getHeaderField("Server");
        } catch (Exception e) {
            return "null";
        }

    }

    //匹配标题
    String getTitle(String htmlSource) {
        try {
            List<String> list = new ArrayList<String>();
            String title = "";
            Pattern pa = Pattern.compile("<title>.*?</title>");
            Matcher ma = pa.matcher(htmlSource);
            while (ma.find()) {
                list.add(ma.group());
            }
            for (int i = 0; i < list.size(); i++) {
                title = title + list.get(i);
            }
            return title.replaceAll("<.*?>", "");
        } catch (Exception e) {
            return null;
        }
    }

    //得到css
    List<String> getCss(String html, String url, String decode) {
        List<String> cssurl = new ArrayList<String>();
        List<String> csscode = new ArrayList<String>();
        try {

            String title = "";
            Pattern pa = Pattern.compile(".*href=\"(.*)[.]css");
            Matcher ma = pa.matcher(html.toLowerCase());
            while (ma.find()) {
                cssurl.add(ma.group(1) + ".css");
            }

            for (int i = 0; i < cssurl.size(); i++) {
                String cssuuu = url + "/" + cssurl.get(i);
                String csshtml = "<style>"
                        + getHtmlContext(getHTTPConn(cssuuu), decode,false)
                        + "</style>";
                csscode.add(csshtml);

            }
        } catch (Exception e) {
            System.out.println("getCss:" + e.getMessage());
        }
        return csscode;

    }

    //域名解析成IP
    String getMyIPLocal() throws IOException {
        InetAddress ia = InetAddress.getLocalHost();
        return ia.getHostAddress();
    }
    
    
    
    boolean getHostPort(String task){
        Socket client = null;
        boolean isOpen=false;
        try{
             String[] s=task.split(":");
             client = new Socket(s[0], Integer.parseInt(s[1]));
             isOpen=true;
             System.out.println("getHostPort:"+task);
             //scanportlist.add(task+" >>> Open");
             saveScanReslt2(task+" >>> Open\r\n");
        }catch(Exception e){
             isOpen=false;
        }
        return isOpen;
    }
    
    void getPath(String path){
    cpath=path;
    }
    
/*  void saveScanReslt(String s){
    try{
    FileUtils.writeStringToFile(new File(cpath+"/port.txt"), s,"UTF-8",true);
    }catch(Exception e){
    System.out.print(e.getLocalizedMessage());
    }
    } */
    
     void saveScanReslt2(String content) {   
        FileWriter writer = null;  
        try {     
            writer = new FileWriter(cpath+"/port.txt", true);     
            writer.write(content);       
        } catch (IOException e) {     
           System.out.print(e.getLocalizedMessage());   
        } finally {     
            try {     
                if(writer != null){  
                    writer.close();     
                }  
            } catch (IOException e) {     
              System.out.print(e.getLocalizedMessage());   
            }     
        }   
    }
    
    
    
    String s="Result:<br/>";
    String readPortResult(String portfile){
        File file = new File(portfile);
        BufferedReader reader = null;
        try {
            System.out.println("");
            reader = new BufferedReader(new FileReader(file));
            String tempString = null;
            while ((tempString = reader.readLine()) != null) {
              s+=tempString+"<br/>";
            }
            reader.close();
        } catch (IOException e) {
             return null;
        } finally {
            if (reader != null) {
                try {
                    reader.close();
                } catch (IOException e1) {
                return null;
                }
            }
        }
        return s;
    }
    
    
    %>


<html>

<head>
<title>内网简单扫描脚本</title>
</head>
<body>
    <script>
        function showDiv(obj) {
            //var statu = document.getElementById("prequest").style.display;
            if (obj == "proxy") {
                document.getElementById("proxy").style.display = "block";
                document.getElementById("web").style.display = "none";
                document.getElementById("port").style.display = "none";

            } else if (obj == "web") {
                document.getElementById("proxy").style.display = "none";
                document.getElementById("web").style.display = "block";
                document.getElementById("port").style.display = "none";

            } else if (obj == "port") {
                document.getElementById("proxy").style.display = "none";
                document.getElementById("web").style.display = "none";
                document.getElementById("port").style.display = "block";

            }
        }
    </script>
    <p>
        <a href="javascript:void(0);" onclick="showDiv('proxy');"
            style="margin-left: 32px;">代理访问</a> <a href="javascript:void(0);"
            onclick="showDiv('web');" style="margin-left: 32px;">Web扫描</a> <a
            href="javascript:void(0);" onclick="showDiv('port');"
            style="margin-left: 32px;">端口扫描</a>
    </p>

    <div id="proxy"
        style="border:1px solid #999;padding:3px;margin-left:30px;width: 95%;height: 32%;display:block;">
        <form action="" method="POST" style="margin-left: 50px;">
            <p>
                Url:<input name="url" value="http://127.0.0.1:8080"
                    style="width: 380px;" />
            </p>
            <p>
                Method:<select name="method">
                    <option value="GET">GET</option>
                    <option value="POST">POST</option>
                </select> Decode:<select name="decode">
                    <option value="utf-8">utf-8</option>
                    <option value="gbk">gbk</option>
                </select>
            </p>
            <p>
                <textarea name="post" cols=40 rows=4>username=admin&password=admin</textarea>
                <textarea name="post" cols=40 rows=4>SESSION:d89de9c2b4e2395ee786f1185df21f2c51438059222</textarea>

            </p>
            <p>
                Referer:<input name="referer" value="http://www.baidu.com"
                    style="width: 380px;" />
            </p>
            <p></p>

            <p>
                <input type="submit" value="Request" />
            </p>
        </form>
    </div>

    <div id="web"
        style="border:1px solid #999;padding:3px;margin-left:30px;width: 95%;height: 32%; display:none;">
        <form action="" method="POST" style="margin-left: 50px;">
            <p>
                IP:<input name="ip" value="127.0.0.1">
            </p>
            <p>
                Port:<input name="port" value="80,8080,8081,8088">
            </p>
            <input type="submit" value="Scan">
        </form>
    </div>

    <div id="port"
        style="border:1px solid #999;padding:3px;margin-left:30px;width: 95%;height: 32%; display:none;">
        <form action="" method="POST" style="margin-left: 50px;">
            <p>
                IP:<input name="scanip" value="192.168.12.1">-<input
                    name="scanip2" value="192.168.12.10">
            </p>
            <p>
                Port:<input name="scanport"
                    value="21,80,135,443,1433,1521,3306,3389,8080,27017"
                    style="width: 300px;">
            </p>
            <p>
                Thread:<input name="thread" value="100" style="width: 30px;">
            </p>
            <input type="submit" value="Scan">
        </form>
    </div>

    <br />
</body>
</html>
<%
    final JspWriter pwx = out;
    String s = application.getRealPath("/") + "/port.txt";
    String result = readPortResult(s);
    if (result != null) {
        try {
            pwx.println(result);
        } catch (Exception e) {
            System.out.print(e.getMessage());
        }
    }else{
       pwx.println("如果你进行了端口扫描操作,那么这里将会显示扫描结果!<br/>");
    }
    String div1 = "<div style=\"border:1px solid #999;padding:3px;margin-left:30px;width:95%;height:90%;\">";
    String div2 = "</div>";

    String u = request.getParameter("url");
    String ip = request.getParameter("ip");
    String scanip = request.getParameter("scanip");

    if (u != null) {

        String post = request.getParameter("post");
        //System.out.print(u);
        //System.out.print(post);
        decode = request.getParameter("decode");
        String ref = request.getParameter("referer");
        String cook = request.getParameter("cookie");

        if (ref != null) {
            referer = ref;
        }
        if (cook != null) {
            cookie = cook;
        }

        String html = null;

        if (post != null) {
            html = PostData(u, post);
        } else {
            html = getHtmlContext(getHTTPConn(u), decode, true);
        }


        String path = request.getContextPath()+"/netspy.jsp";
        System.out.println("path:"+path);
        String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"?url=";
        System.out.println("base:"+basePath);
        String reaplce = "href=\""+basePath;
        //html=html.replaceAll("href=['|\"]?http://(.*)['|\"]?", reaplce+"http://$1\"");
        html = html.replaceAll("href=['|\"]?(?!http)(.*)['|\"]?",
                reaplce + u + "$1");
        List<String> css = getCss(html, u, decode);
        String csshtml = "";
        if (!html.equals("null")) {
            for (int i = 0; i < css.size(); i++) {
                csshtml += css.get(i);
            }
            out.print(div1 + html + csshtml + div2);
        } else {
            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
            out.print("请求失败!");
        }
        return;
    }

    else if (ip != null) {
        String threadpp = (request.getParameter("thread"));
        String[] port = request.getParameter("port").split(",");

        if (threadpp != null) {
            thread = Integer.parseInt(threadpp);
            System.out.println(threadpp);
        }
        try {
            try {
                String http = "http://";
                String localIP = getMyIPLocal();
                if (ip != null) {
                    localIP = ip;
                }
                String useIP = localIP.substring(0,
                        localIP.lastIndexOf(".") + 1);
                final Queue<String> queue = new LinkedBlockingQueue<String>();
                for (int i = 1; i <= 256; i++) {
                    for (int j = 0; j < port.length; j++) {
                        String url = http + useIP + i + ":" + port[j];
                        queue.offer(url);
                        System.out.print(url);
                    }

                }
                final JspWriter pw = out;
                ThreadGroup tg = new ThreadGroup("c");
                for (int i = 0; i < thread; i++) {
                    new Thread(tg, new Runnable() {
                        public void run() {
                            while (true) {
                                String addr = queue.poll();
                                if (addr != null) {
                                    System.out.println(addr);
                                    HttpURLConnection conn = getHTTPConn(addr);
                                    String html = getHtmlContext(conn,
                                            decode, false);
                                    String title = getTitle(html);
                                    String serverType = getServerType(conn);
                                    String status = !html
                                            .equals("null") ? "Success"
                                            : "Fail";
                                    if (html != null
                                            && !status.equals("Fail")) {
                                        try {
                                            pw.println(addr + "  >>  "
                                                    + title + ">>"
                                                    + serverType
                                                    + " >>" + status
                                                    + "<br/>");
                                        } catch (Exception e) {
                                            e.printStackTrace();
                                        }
                                    }
                                } else {
                                    return;
                                }
                            }
                        }
                    }).start();
                }
                while (tg.activeCount() != 0) {
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        } catch (Exception e) {
            out.println(e.toString());
        }
    } else if (scanip != null) {
        getPath(application.getRealPath("/"));
        int thread = Integer.parseInt(request.getParameter("thread"));
        String[] port = request.getParameter("scanport").split(",");
        String ip1 = scanip;
        String ip2 = request.getParameter("scanip2");

        int start = Integer.parseInt(ip1.substring(
                ip1.lastIndexOf(".") + 1, ip1.length()));
        int end = Integer.parseInt(ip2.substring(
                ip2.lastIndexOf(".") + 1, ip2.length()));

        String useIp = scanip.substring(0, scanip.lastIndexOf(".") + 1);

        System.out.println("start:" + start);
        System.out.println("end:" + end);

        final Queue<String> queue = new LinkedBlockingQueue<String>();
        for (int i = start; i <= end; i++) {
            for (int j = 0; j < port.length; j++) {
                String scantarget = useIp + i + ":" + port[j];
                queue.offer(scantarget);
                //System.out.println(scantarget);
            }

        }
        System.out.print("Count1:" + queue.size());
        final JspWriter pw = out;
        ThreadGroup tg = new ThreadGroup("c");
        for (int i = 0; i < thread; i++) {
            new Thread(tg, new Runnable() {
                public void run() {
                    while (true) {
                        String scantask = queue.poll();
                        if (scantask != null) {
                            getHostPort(scantask);
                            /* String result = null;
                            if(isOpen){
                            result=scantask+ " >>> Open<br/>";
                            scanportlist.add(result);
                            System.out.println(result);
                            } */

                            /* try {
                            pw.println(result);
                            } catch (Exception e) {
                            System.out.print(e.getMessage());
                            } */
                        }
                    }
                }
            }).start();

        }
        /* while (tg.activeCount() != 0) {
        } */
        try {
            pw.println("扫描线程已经开始,请查看" + cpath+"/port.txt文件或者直接刷新本页面!");
        } catch (Exception e) {
            System.out.print(e.getMessage());
        }
    }
%>

前些天看到wooyun社区有人发的jsp内网探测脚本,可以内网代理访问和内网端口扫描。但是却没找到php的既能代理内网,又能扫描内网端口的的脚本。所以我写了这个集合版本的php内网探测脚本。

<?php
 
set_time_limit(0);//设置程序执行时间
ob_implicit_flush(True);
ob_end_flush();
$url = isset($_REQUEST['url'])?$_REQUEST['url']:null; 

/*端口扫描代码*/
function check_port($ip,$port,$timeout=0.1) {
 $conn = @fsockopen($ip, $port, $errno, $errstr, $timeout);
 if ($conn) {
 fclose($conn);
 return true;
 }
}

 
function scanip($ip,$timeout,$portarr){
foreach($portarr as $port){
if(check_port($ip,$port,$timeout=0.1)==True){
echo 'Port: '.$port.' is open<br/>';
@ob_flush();
@flush();
 
}
 
}
}

echo '<html>
<form action="" method="post">
<input type="text" name="startip" value="Start IP" />
<input type="text" name="endip" value="End IP" />
<input type="text" name="port" value="80,8080,8888,1433,3306" />
Timeout<input type="text" name="timeout" value="10" /><br/>
<button type="submit" name="submit">Scan</button>
</form>
</html>
';

if(isset($_POST['startip'])&&isset($_POST['endip'])&&isset($_POST['port'])&&isset($_POST['timeout'])){
    
$startip=$_POST['startip'];
$endip=$_POST['endip'];
$timeout=$_POST['timeout'];
$port=$_POST['port'];
$portarr=explode(',',$port);
$siparr=explode('.',$startip);
$eiparr=explode('.',$endip);
$ciparr=$siparr;
if(count($ciparr)!=4||$siparr[0]!=$eiparr[0]||$siparr[1]!=$eiparr[1]){
exit('IP error: Wrong IP address or Trying to scan class A address');
}
if($startip==$endip){
echo 'Scanning IP '.$startip.'<br/>';
@ob_flush();
@flush();
scanip($startip,$timeout,$portarr);
@ob_flush();
@flush();
exit();
}
 
if($eiparr[3]!=255){
$eiparr[3]+=1;
}
while($ciparr!=$eiparr){
$ip=$ciparr[0].'.'.$ciparr[1].'.'.$ciparr[2].'.'.$ciparr[3];
echo '<br/>Scanning IP '.$ip.'<br/>';
@ob_flush();
@flush();
scanip($ip,$timeout,$portarr);
$ciparr[3]+=1;
 
if($ciparr[3]>255){
$ciparr[2]+=1;
$ciparr[3]=0;
}
if($ciparr[2]>255){
$ciparr[1]+=1;
$ciparr[2]=0;
}
}
}

/*内网代理代码*/

function getHtmlContext($url){ 
    $ch = curl_init(); 
    curl_setopt($ch, CURLOPT_URL, $url); 
    curl_setopt($ch, CURLOPT_HEADER, TRUE);    //表示需要response header 
    curl_setopt($ch, CURLOPT_NOBODY, FALSE); //表示需要response body 
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); 
    curl_setopt($ch, CURLOPT_TIMEOUT, 120); 
    $result = curl_exec($ch); 
  global $header; 
  if($result){ 
       $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE); 
       $header = explode("\r\n",substr($result, 0, $headerSize)); 
       $body = substr($result, $headerSize); 
  } 
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '200') { 
        return $body; 
    } 
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '302') { 
    $location = getHeader("Location"); 
    if(strpos(getHeader("Location"),'http://') == false){ 
      $location = getHost($url).$location; 
    } 
        return getHtmlContext($location); 
    } 
    return NULL; 
} 

function getHost($url){ 
    preg_match("/^(http:\/\/)?([^\/]+)/i",$url, $matches); 
    return $matches[0]; 
} 
function getCss($host,$html){ 
    preg_match_all("/<link[\s\S]*?href=['\"](.*?[.]css.*?)[\"'][\s\S]*?>/i",$html, $matches); 
    foreach($matches[1] as $v){ 
    $cssurl = $v; 
        if(strpos($v,'http://') == false){ 
      $cssurl = $host."/".$v; 
    } 
    $csshtml = "<style>".file_get_contents($cssurl)."</style>"; 
    $html .= $csshtml; 
  } 
  return $html; 
} 

if($url != null){ 

    $host = getHost($url); 
    echo getCss($host,getHtmlContext($url)); 
}
?>

用法:
1、端口扫描部分:
填好起始ip、结束ip、自定义端口、超时等,点击扫描即可,十分方便

2、内网代理部分:
直接在文件后面加url参数,注意这里要带着http协议,不然可能css加载不完

 

from

http://jeary.org/post-69.html

http://www.answ.cc/?post=18

标签:端口扫描, 内网, 代理, 端口

添加新评论 »

分类
最新文章
最近回复
  • 没穿底裤: 直接在hosts里面.激活的时候访问不到正确的地址
  • Sfish: 屏蔽更新是在控制台设置一下就可以了,还是说要在其他层面做一下限制,比如配置一下hosts让他升...
  • 没穿底裤: 激活,或者屏蔽地址禁止升级
  • 没穿底裤: 呃..这个思路不错啊..
  • Sfish: 博主好,想问一下,wvs11的破解版,是不是每隔一段时间就要重新激活一次才可以?有没有什么解决...