
Intranet probing script (intranet proxy access + intranet port scan) [php+jsp]


Preface: In some situations during intranet penetration testing, no proxy tunnel can be brought out, tools you upload get killed by AV; in short, you run into all kinds of problems. The most frustrating part is when I already know which machine on the intranet has a hole.. (experienced veterans, float on by; if you can solve some of the pitfalls met during intranet penetration, please share your solutions..)

Features: Proxy access is a simple feature, but I think it is enough. It can be used directly to scan the directories of other web servers on the intranet, to try weak passwords on other intranet login portals, or to proxy attacks against Struts or other vulnerabilities.

Web scan: "web discovery" is actually a more fitting name. Why keep it when there is already a port scan? (Because I did not want to touch the earlier code.)

Port scan: everyone knows what this is. (This feature has quite a few problems; if you can use a proper tool or get a proxy back, I suggest not using this script to scan.)

[Screenshot: intranet probing script (intranet proxy access + intranet port scan) [php+jsp]]

```jsp
<%@page import="java.io.File"%>
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ page isThreadSafe="false"%>
<%@page import="java.net.*"%>
<%@page import="java.io.PrintWriter"%>
<%@page import="java.io.BufferedReader"%>
<%@page import="java.io.FileReader"%>
<%@page import="java.io.FileWriter"%>
<%@page import="java.io.OutputStreamWriter"%>
<%@page import="java.util.regex.Matcher"%>
<%@page import="java.io.IOException"%>
<%@page import="java.net.InetAddress"%>
<%@page import="java.util.regex.Pattern"%>
<%@page import="java.net.HttpURLConnection"%>
<%@page import="java.util.concurrent.LinkedBlockingQueue"%>

<%!
    final static List<String> list = new ArrayList<String>();
    String referer = "";
    String cookie = "";
    String decode = "utf-8";
    int thread = 100;
    //final static List<String> scanportlist = new ArrayList<String>();
    String cpath = "";

    // Open an HTTP connection
    HttpURLConnection getHTTPConn(String urlString) {
        try {
            java.net.URL url = new java.net.URL(urlString);
            java.net.HttpURLConnection conn = (java.net.HttpURLConnection) url.openConnection();
            conn.setRequestMethod("GET");
            conn.addRequestProperty("User-Agent",
                    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon;)");
            conn.addRequestProperty("Accept-Encoding", "gzip");
            conn.addRequestProperty("referer", referer);
            conn.addRequestProperty("cookie", cookie);
            //conn.setInstanceFollowRedirects(false);
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(3000);
            return conn;
        } catch (Exception e) {
            return null;
        }
    }

    String PostData(String urlString, String postString) {
        HttpURLConnection http = null;
        String response = null;
        try {
            java.net.URL url = new java.net.URL(urlString);
            http = (HttpURLConnection) url.openConnection();
            http.setDoInput(true);
            http.setDoOutput(true);
            http.setUseCaches(false);
            http.setConnectTimeout(50000);
            http.setReadTimeout(50000);
            http.setRequestMethod("POST");
            http.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            http.connect();
            OutputStreamWriter osw = new OutputStreamWriter(http.getOutputStream(), decode);
            osw.write(postString);
            osw.flush();
            osw.close();
            response = getHtmlByInputStream(http.getInputStream(), decode);
        } catch (Exception e) {
            response = getHtmlByInputStream(http.getErrorStream(), decode);
        }
        return response;
    }

    HttpURLConnection conn;

    // Read the page source from an input stream
    String getHtmlByInputStream(java.io.InputStream is, String code) {
        StringBuffer html = new StringBuffer();
        try {
            java.io.InputStreamReader isr = new java.io.InputStreamReader(is, code);
            java.io.BufferedReader br = new java.io.BufferedReader(isr);
            String temp;
            while ((temp = br.readLine()) != null) {
                if (!temp.trim().equals("")) {
                    html.append(temp).append("\n");
                }
            }
            br.close();
            isr.close();
        } catch (Exception e) {
            System.out.print(e.getMessage());
        }
        return html.toString();
    }

    // Fetch the HTML source
    String getHtmlContext(HttpURLConnection conn, String decode, boolean isError) {
        Map<String, Object> result = new HashMap<String, Object>();
        String code = "utf-8";
        if (decode != null) {
            code = decode;
        }
        try {
            return getHtmlByInputStream(conn.getInputStream(), code);
        } catch (Exception e) {
            try {
                if (isError) {
                    return getHtmlByInputStream(conn.getErrorStream(), code);
                }
            } catch (Exception e1) {
                System.out.println("getHtmlContext2:" + e.getMessage());
            }
            System.out.println("getHtmlContext:" + e.getMessage());
            return "null";
        }
    }

    // Read the Server header
    String getServerType(HttpURLConnection conn) {
        try {
            return conn.getHeaderField("Server");
        } catch (Exception e) {
            return "null";
        }
    }

    // Extract the page title
    String getTitle(String htmlSource) {
        try {
            List<String> list = new ArrayList<String>();
            String title = "";
            Pattern pa = Pattern.compile("<title>.*?</title>");
            Matcher ma = pa.matcher(htmlSource);
            while (ma.find()) {
                list.add(ma.group());
            }
            for (int i = 0; i < list.size(); i++) {
                title = title + list.get(i);
            }
            return title.replaceAll("<.*?>", "");
        } catch (Exception e) {
            return null;
        }
    }

    // Collect the linked CSS
    List<String> getCss(String html, String url, String decode) {
        List<String> cssurl = new ArrayList<String>();
        List<String> csscode = new ArrayList<String>();
        try {
            String title = "";
            Pattern pa = Pattern.compile(".*href=\"(.*)[.]css");
            Matcher ma = pa.matcher(html.toLowerCase());
            while (ma.find()) {
                cssurl.add(ma.group(1) + ".css");
            }
            for (int i = 0; i < cssurl.size(); i++) {
                String cssuuu = url + "/" + cssurl.get(i);
                String csshtml = "<style>"
                        + getHtmlContext(getHTTPConn(cssuuu), decode, false)
                        + "</style>";
                csscode.add(csshtml);
            }
        } catch (Exception e) {
            System.out.println("getCss:" + e.getMessage());
        }
        return csscode;
    }

    // Resolve the local host name to an IP
    String getMyIPLocal() throws IOException {
        InetAddress ia = InetAddress.getLocalHost();
        return ia.getHostAddress();
    }

    boolean getHostPort(String task) {
        Socket client = null;
        boolean isOpen = false;
        try {
            String[] s = task.split(":");
            client = new Socket(s[0], Integer.parseInt(s[1]));
            isOpen = true;
            System.out.println("getHostPort:" + task);
            //scanportlist.add(task+" >>> Open");
            saveScanReslt2(task + " >>> Open\r\n");
        } catch (Exception e) {
            isOpen = false;
        }
        return isOpen;
    }

    void getPath(String path) {
        cpath = path;
    }

    /*
    void saveScanReslt(String s) {
        try {
            FileUtils.writeStringToFile(new File(cpath + "/port.txt"), s, "UTF-8", true);
        } catch (Exception e) {
            System.out.print(e.getLocalizedMessage());
        }
    }
    */

    void saveScanReslt2(String content) {
        FileWriter writer = null;
        try {
            writer = new FileWriter(cpath + "/port.txt", true);
            writer.write(content);
        } catch (IOException e) {
            System.out.print(e.getLocalizedMessage());
        } finally {
            try {
                if (writer != null) {
                    writer.close();
                }
            } catch (IOException e) {
                System.out.print(e.getLocalizedMessage());
            }
        }
    }

    String s = "Result:<br/>";

    String readPortResult(String portfile) {
        File file = new File(portfile);
        BufferedReader reader = null;
        try {
            System.out.println("");
            reader = new BufferedReader(new FileReader(file));
            String tempString = null;
            while ((tempString = reader.readLine()) != null) {
                s += tempString + "<br/>";
            }
            reader.close();
        } catch (IOException e) {
            return null;
        } finally {
            if (reader != null) {
                try {
                    reader.close();
                } catch (IOException e1) {
                    return null;
                }
            }
        }
        return s;
    }
%>

<html>
<head>
<title>内网简单扫描脚本</title>
</head>
<body>
    <script>
        function showDiv(obj) {
            //var statu = document.getElementById("prequest").style.display;
            if (obj == "proxy") {
                document.getElementById("proxy").style.display = "block";
                document.getElementById("web").style.display = "none";
                document.getElementById("port").style.display = "none";
            } else if (obj == "web") {
                document.getElementById("proxy").style.display = "none";
                document.getElementById("web").style.display = "block";
                document.getElementById("port").style.display = "none";
            } else if (obj == "port") {
                document.getElementById("proxy").style.display = "none";
                document.getElementById("web").style.display = "none";
                document.getElementById("port").style.display = "block";
            }
        }
    </script>
    <p>
        <a href="javascript:void(0);" onclick="showDiv('proxy');" style="margin-left: 32px;">代理访问</a>
        <a href="javascript:void(0);" onclick="showDiv('web');" style="margin-left: 32px;">Web扫描</a>
        <a href="javascript:void(0);" onclick="showDiv('port');" style="margin-left: 32px;">端口扫描</a>
    </p>

    <div id="proxy"
        style="border:1px solid #999;padding:3px;margin-left:30px;width: 95%;height: 32%;display:block;">
        <form action="" method="POST" style="margin-left: 50px;">
            <p>
                Url:<input name="url" value="http://127.0.0.1:8080" style="width: 380px;" />
            </p>
            <p>
                Method:<select name="method">
                    <option value="GET">GET</option>
                    <option value="POST">POST</option>
                </select>
                Decode:<select name="decode">
                    <option value="utf-8">utf-8</option>
                    <option value="gbk">gbk</option>
                </select>
            </p>
            <p>
                <textarea name="post" cols=40 rows=4>username=admin&password=admin</textarea>
                <%-- The scriptlet below reads the "cookie" parameter; the original form named this textarea "post" as well --%>
                <textarea name="cookie" cols=40 rows=4>SESSION:d89de9c2b4e2395ee786f1185df21f2c51438059222</textarea>
            </p>
            <p>
                Referer:<input name="referer" value="http://www.baidu.com" style="width: 380px;" />
            </p>
            <p></p>
            <p>
                <input type="submit" value="Request" />
            </p>
        </form>
    </div>

    <div id="web"
        style="border:1px solid #999;padding:3px;margin-left:30px;width: 95%;height: 32%; display:none;">
        <form action="" method="POST" style="margin-left: 50px;">
            <p>
                IP:<input name="ip" value="127.0.0.1">
            </p>
            <p>
                Port:<input name="port" value="80,8080,8081,8088">
            </p>
            <input type="submit" value="Scan">
        </form>
    </div>

    <div id="port"
        style="border:1px solid #999;padding:3px;margin-left:30px;width: 95%;height: 32%; display:none;">
        <form action="" method="POST" style="margin-left: 50px;">
            <p>
                IP:<input name="scanip" value="192.168.12.1">-<input name="scanip2" value="192.168.12.10">
            </p>
            <p>
                Port:<input name="scanport"
                    value="21,80,135,443,1433,1521,3306,3389,8080,27017"
                    style="width: 300px;">
            </p>
            <p>
                Thread:<input name="thread" value="100" style="width: 30px;">
            </p>
            <input type="submit" value="Scan">
        </form>
    </div>

    <br />
</body>
</html>
<%
    final JspWriter pwx = out;
    String s = application.getRealPath("/") + "/port.txt";
    String result = readPortResult(s);
    if (result != null) {
        try {
            pwx.println(result);
        } catch (Exception e) {
            System.out.print(e.getMessage());
        }
    } else {
        pwx.println("如果你进行了端口扫描操作,那么这里将会显示扫描结果!<br/>");
    }
    String div1 = "<div style=\"border:1px solid #999;padding:3px;margin-left:30px;width:95%;height:90%;\">";
    String div2 = "</div>";

    String u = request.getParameter("url");
    String ip = request.getParameter("ip");
    String scanip = request.getParameter("scanip");

    if (u != null) {
        String post = request.getParameter("post");
        //System.out.print(u);
        //System.out.print(post);
        decode = request.getParameter("decode");
        String ref = request.getParameter("referer");
        String cook = request.getParameter("cookie");
        if (ref != null) {
            referer = ref;
        }
        if (cook != null) {
            cookie = cook;
        }

        String html = null;
        if (post != null) {
            html = PostData(u, post);
        } else {
            html = getHtmlContext(getHTTPConn(u), decode, true);
        }

        // Rewrite relative links in the fetched page so they go back through this script
        String path = request.getContextPath() + "/netspy.jsp";
        System.out.println("path:" + path);
        String basePath = request.getScheme() + "://" + request.getServerName() + ":"
                + request.getServerPort() + path + "?url=";
        System.out.println(" base:" + basePath);
        String reaplce = "href=\"" + basePath;
        //html=html.replaceAll("href=['|\"]?http://(.*)['|\"]?", reaplce+"http://$1\"");
        html = html.replaceAll("href=['|\"]?(?!http)(.*)['|\"]?", reaplce + u + "$1");
        List<String> css = getCss(html, u, decode);
        String csshtml = "";
        if (!html.equals("null")) {
            for (int i = 0; i < css.size(); i++) {
                csshtml += css.get(i);
            }
            out.print(div1 + html + csshtml + div2);
        } else {
            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
            out.print("请求失败!");
        }
        return;
    } else if (ip != null) {
        String threadpp = (request.getParameter("thread"));
        String[] port = request.getParameter("port").split(",");
        if (threadpp != null) {
            thread = Integer.parseInt(threadpp);
            System.out.println(threadpp);
        }
        try {
            try {
                String http = "http://";
                String localIP = getMyIPLocal();
                if (ip != null) {
                    localIP = ip;
                }
                String useIP = localIP.substring(0, localIP.lastIndexOf(".") + 1);
                final Queue<String> queue = new LinkedBlockingQueue<String>();
                for (int i = 1; i <= 256; i++) {
                    for (int j = 0; j < port.length; j++) {
                        String url = http + useIP + i + ":" + port[j];
                        queue.offer(url);
                        System.out.print(url);
                    }
                }
                final JspWriter pw = out;
                ThreadGroup tg = new ThreadGroup("c");
                for (int i = 0; i < thread; i++) {
                    new Thread(tg, new Runnable() {
                        public void run() {
                            while (true) {
                                String addr = queue.poll();
                                if (addr != null) {
                                    System.out.println(addr);
                                    HttpURLConnection conn = getHTTPConn(addr);
                                    String html = getHtmlContext(conn, decode, false);
                                    String title = getTitle(html);
                                    String serverType = getServerType(conn);
                                    String status = !html.equals("null") ? "Success" : "Fail";
                                    if (html != null && !status.equals("Fail")) {
                                        try {
                                            pw.println(addr + "  >>  " + title + ">>" + serverType
                                                    + " >>" + status + "<br/>");
                                        } catch (Exception e) {
                                            e.printStackTrace();
                                        }
                                    }
                                } else {
                                    return;
                                }
                            }
                        }
                    }).start();
                }
                while (tg.activeCount() != 0) {
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        } catch (Exception e) {
            out.println(e.toString());
        }
    } else if (scanip != null) {
        getPath(application.getRealPath("/"));
        int thread = Integer.parseInt(request.getParameter("thread"));
        String[] port = request.getParameter("scanport").split(",");
        String ip1 = scanip;
        String ip2 = request.getParameter("scanip2");

        int start = Integer.parseInt(ip1.substring(ip1.lastIndexOf(".") + 1, ip1.length()));
        int end = Integer.parseInt(ip2.substring(ip2.lastIndexOf(".") + 1, ip2.length()));

        String useIp = scanip.substring(0, scanip.lastIndexOf(".") + 1);

        System.out.println("start:" + start);
        System.out.println("end:" + end);

        final Queue<String> queue = new LinkedBlockingQueue<String>();
        for (int i = start; i <= end; i++) {
            for (int j = 0; j < port.length; j++) {
                String scantarget = useIp + i + ":" + port[j];
                queue.offer(scantarget);
                //System.out.println(scantarget);
            }
        }
        System.out.print("Count1:" + queue.size());
        final JspWriter pw = out;
        ThreadGroup tg = new ThreadGroup("c");
        for (int i = 0; i < thread; i++) {
            new Thread(tg, new Runnable() {
                public void run() {
                    while (true) {
                        String scantask = queue.poll();
                        if (scantask != null) {
                            getHostPort(scantask);
                            /* String result = null;
                            if(isOpen){
                            result=scantask+ " >>> Open<br/>";
                            scanportlist.add(result);
                            System.out.println(result);
                            } */

                            /* try {
                            pw.println(result);
                            } catch (Exception e) {
                            System.out.print(e.getMessage());
                            } */
                        } else {
                            // Queue drained: let the worker exit instead of spinning forever
                            return;
                        }
                    }
                }
            }).start();
        }
        /* while (tg.activeCount() != 0) {
        } */
        try {
            pw.println("扫描线程已经开始,请查看" + cpath + "/port.txt文件或者直接刷新本页面!");
        } catch (Exception e) {
            System.out.print(e.getMessage());
        }
    }
%>
```

A few days ago I saw someone on the wooyun community post a JSP intranet probing script that can proxy intranet access and scan intranet ports. But I could not find a PHP script that both proxies into the intranet and scans intranet ports. So I wrote this combined PHP intranet probing script.

```php
<?php
set_time_limit(0); // no execution time limit
ob_implicit_flush(true);
ob_end_flush();
$url = isset($_REQUEST['url']) ? $_REQUEST['url'] : null;

/* port scanning code */
function check_port($ip, $port, $timeout = 0.1) {
    $conn = @fsockopen($ip, $port, $errno, $errstr, $timeout);
    if ($conn) {
        fclose($conn);
        return true;
    }
    return false;
}

function scanip($ip, $timeout, $portarr) {
    foreach ($portarr as $port) {
        // pass the user-supplied timeout through (the original passed the literal 0.1)
        if (check_port($ip, $port, $timeout) == true) {
            echo 'Port: ' . $port . ' is open<br/>';
            @ob_flush();
            @flush();
        }
    }
}

echo '<html>
<form action="" method="post">
<input type="text" name="startip" value="Start IP" />
<input type="text" name="endip" value="End IP" />
<input type="text" name="port" value="80,8080,8888,1433,3306" />
Timeout<input type="text" name="timeout" value="10" /><br/>
<button type="submit" name="submit">Scan</button>
</form>
</html>
';

if (isset($_POST['startip']) && isset($_POST['endip']) && isset($_POST['port']) && isset($_POST['timeout'])) {
    $startip = $_POST['startip'];
    $endip = $_POST['endip'];
    $timeout = $_POST['timeout'];
    $port = $_POST['port'];
    $portarr = explode(',', $port);
    $siparr = explode('.', $startip);
    $eiparr = explode('.', $endip);
    $ciparr = $siparr;
    if (count($ciparr) != 4 || $siparr[0] != $eiparr[0] || $siparr[1] != $eiparr[1]) {
        exit('IP error: Wrong IP address or Trying to scan class A address');
    }
    if ($startip == $endip) {
        echo 'Scanning IP ' . $startip . '<br/>';
        @ob_flush();
        @flush();
        scanip($startip, $timeout, $portarr);
        @ob_flush();
        @flush();
        exit();
    }
    if ($eiparr[3] != 255) {
        $eiparr[3] += 1;
    }
    while ($ciparr != $eiparr) {
        $ip = $ciparr[0] . '.' . $ciparr[1] . '.' . $ciparr[2] . '.' . $ciparr[3];
        echo '<br/>Scanning IP ' . $ip . '<br/>';
        @ob_flush();
        @flush();
        scanip($ip, $timeout, $portarr);
        $ciparr[3] += 1;
        if ($ciparr[3] > 255) {
            $ciparr[2] += 1;
            $ciparr[3] = 0;
        }
        if ($ciparr[2] > 255) {
            $ciparr[1] += 1;
            $ciparr[2] = 0;
        }
    }
}

/* intranet proxy code */
function getHtmlContext($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, true);   // we want the response header
    curl_setopt($ch, CURLOPT_NOBODY, false);  // we want the response body
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 120);
    $result = curl_exec($ch);
    global $header;
    $body = null;
    if ($result) {
        $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        $header = explode("\r\n", substr($result, 0, $headerSize));
        $body = substr($result, $headerSize);
    }
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '200') {
        return $body;
    }
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '302') {
        $location = getHeader("Location");
        // === is required: strpos() returns 0 for a URL that starts with http://
        if (strpos($location, 'http://') === false) {
            $location = getHost($url) . $location;
        }
        return getHtmlContext($location);
    }
    return null;
}

// Added here: the original post calls getHeader() but never defines it.
// Looks a header up by name in the global $header array filled by getHtmlContext().
function getHeader($name) {
    global $header;
    foreach ((array) $header as $line) {
        if (stripos($line, $name . ':') === 0) {
            return trim(substr($line, strlen($name) + 1));
        }
    }
    return '';
}

function getHost($url) {
    preg_match("/^(http:\/\/)?([^\/]+)/i", $url, $matches);
    return $matches[0];
}

function getCss($host, $html) {
    preg_match_all("/<link[\s\S]*?href=['\"](.*?[.]css.*?)[\"'][\s\S]*?>/i", $html, $matches);
    foreach ($matches[1] as $v) {
        $cssurl = $v;
        if (strpos($v, 'http://') === false) {
            $cssurl = $host . "/" . $v;
        }
        $csshtml = "<style>" . file_get_contents($cssurl) . "</style>";
        $html .= $csshtml;
    }
    return $html;
}

if ($url != null) {
    $host = getHost($url);
    echo getCss($host, getHtmlContext($url));
}
?>
```

Usage:
1. Port scan part:
Fill in the start IP, end IP, custom port list and timeout, then click Scan; very convenient.

[Screenshot: port scan form of the intranet probing script [php+jsp]]

2. Intranet proxy part:
Just append the url parameter to the script's address; note that it must include the http:// scheme, otherwise the CSS may not load completely.

[Screenshot: proxy access through the intranet probing script [php+jsp]]
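Added defender-side example, not code from the original post: both scripts leave traces that a log review can catch. The JSP rewrites the links of a proxied page into netspy.jsp?url=... GET requests and appends "host:port >>> Open" lines to port.txt in the webroot, and its getParameter() calls accept query-string parameters just as well as POST bodies. The parameter names and the port.txt format come from the page; the access-log lines, client addresses and port.txt contents are constructed sample data.

```python
# Added example (not from the original post): spot traces of the proxy/scanner
# scripts above. Parameter names and the port.txt line format come from the
# page; the log lines and port.txt contents below are constructed sample data.
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Combined access-log format: client, ident, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Parameter pairs used by the scan forms. The JSP reads them with getParameter(),
# which accepts a query string as well as a POST body; POST bodies never reach
# the access log, so a WAF or request-body logging is needed to see those.
SCAN_PARAM_SETS = ({"scanip", "scanport"}, {"ip", "port"}, {"startip", "endip"})

def is_internal(host: str) -> bool:
    """True for loopback, private and link-local IP literals."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # hostnames are not resolved here (offline check)

def classify_line(line: str):
    """Return a finding for a suspicious request to a .jsp/.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m["path"])
    script = parsed.path.rsplit("/", 1)[-1].lower()
    if not script.endswith((".jsp", ".php")):
        return None
    params = parse_qs(parsed.query)
    # Proxy use: url= pointing at an internal address (SSRF-style pivot)
    for target in params.get("url", []):
        host = urlparse(target).hostname or ""
        if is_internal(host):
            return f"proxy request from {m['src']} via {script} -> {host}"
    # Scanner use: a scan form's parameter pair sent as a query string
    for needed in SCAN_PARAM_SETS:
        if needed <= set(params):
            return f"scan parameters {sorted(needed)} from {m['src']} via {script}"
    return None

PORT_RESULT_RE = re.compile(r"^(?P<host>[\d.]+):(?P<port>\d+) >>> Open$")

def parse_port_txt(text: str):
    """Parse the JSP scanner's port.txt ('host:port >>> Open' per line)."""
    hits = []
    for raw in text.splitlines():
        m = PORT_RESULT_RE.match(raw.strip())
        if m:
            hits.append((m["host"], int(m["port"])))
    return hits

# Constructed sample data (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /app/netspy.jsp?url=http://192.168.12.7:8080/login HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /app/netspy.jsp?scanip=192.168.12.1&scanip2=192.168.12.10&scanport=21,80,3389&thread=100 HTTP/1.1" 200 310',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /app/index.jsp?url=http://example.com/ HTTP/1.1" 200 770',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /static/logo.png HTTP/1.1" 200 8800',
]
SAMPLE_PORT_TXT = "192.168.12.3:3389 >>> Open\r\n192.168.12.4:80 >>> Open\r\n"

def run_demo():
    """Return (log findings, parsed port.txt hits) for the sample data."""
    findings = [f for f in map(classify_line, SAMPLE_LOG) if f]
    return findings, parse_port_txt(SAMPLE_PORT_TXT)

if __name__ == "__main__":
    for finding in run_demo()[0]:
        print(finding)
```

A request whose url= target is a hostname rather than an IP literal is not flagged here, since the check deliberately does no DNS resolution.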


Source:

http://jeary.org/post-69.html

http://www.answ.cc/?post=18

Reproduction without permission is prohibited: 杂术馆 » Intranet probing script (intranet proxy access + intranet port scan) [php+jsp]