内网探测脚本(内网代理访问+内网端口扫描) [php+jsp]

前言: 某些情况下,内网渗透时,代理出不来,工具传上去被杀,总之就是遇到各种问题。而最纠结的是,我已经知道内网哪台机器有洞了..(经验多的大神飘过,如果能解决某些内网渗透时遇到的坑的问题,求分享解决方法..)

功能: 代理访问虽然是个简单的功能,但是我觉得够用了。完全可以用来直接扫描内网其他web服务器的目录,尝试内网其他登录入口的弱口令,或者直接代理打struts或者其他漏洞。需要注意的是,脚本本身没有任何鉴权(url/ip/scanip 等参数直接从 request 里取),任何能访问到这个页面的人都可以借它访问和扫描内网,用完务必删除。

web扫描: 其实我觉得叫web发现更加贴切;有了端口扫描为啥还要这个?(因为之前的代码不想动它了。)

端口扫描: 大家都懂。(此功能问题较多,我觉得如果能使用工具或者代理回来就尽量不使用此脚本进行扫描。另外扫描结果会追加写到网站根目录下的 port.txt(代码里是 application.getRealPath("/")+"/port.txt"),这个文件任何人都能直接通过 HTTP 取到,而且每次扫描只追加不清空,用完记得删掉。)
















<%!final static List list = new ArrayList(); // NOTE(review): not referenced in the visible listing; getTitle declares a local of the same name
    // Everything in this <%! %> block becomes a field of the generated
    // servlet: one copy shared by every concurrent request. The scriptlet
    // further down assigns referer/cookie/decode/thread from request
    // parameters, so two overlapping requests can see each other's values.
    String referer = "";     // sent as the Referer header by getHTTPConn
    String cookie = "";      // sent as the Cookie header by getHTTPConn
    String decode = "utf-8"; // response charset; the form offers utf-8 / gbk
    int thread = 100;        // parsed from the "thread" parameter; intended worker count
    //final static List scanportlist = new ArrayList();
    String cpath="";         // directory set by getPath(); saveScanReslt2 writes port.txt here

    //建立一个HTTP连接
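    /**
     * Builds an un-connected GET request to {@code urlString}, carrying the
     * servlet-level {@code referer} / {@code cookie} fields and a fixed
     * 3-second connect/read timeout. Nothing is sent until the caller reads
     * from the connection.
     *
     * @param urlString absolute URL; comes straight from the request
     *                  parameter, so it is attacker-controlled by design
     * @return the prepared connection, or {@code null} if the URL is
     *         malformed or the connection object cannot be created (callers
     *         such as getHtmlContext treat null as "request failed")
     */
    HttpURLConnection getHTTPConn(String urlString) {
        try {
            java.net.URL url = new java.net.URL(urlString);
            java.net.HttpURLConnection conn = (java.net.HttpURLConnection) url
                    .openConnection();
            conn.setRequestMethod("GET");
            conn.addRequestProperty("User-Agent",
                    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon;)");
            // The published listing also sent "Accept-Encoding: gzip", but the
            // body is read as plain text by getHtmlByInputStream and never
            // inflated (HttpURLConnection does not decompress on its own), so
            // any server honouring that header produced unreadable output.
            // Not advertising gzip makes the server send an identity body.
            conn.addRequestProperty("referer", referer);
            conn.addRequestProperty("cookie", cookie);
            //conn.setInstanceFollowRedirects(false);
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(3000);

            return conn;
        } catch (Exception e) {
            // Malformed URL / unsupported scheme: keep the null contract the
            // callers already rely on, but leave a trace instead of silence.
            System.out.println("getHTTPConn:" + e.getMessage());
            return null;
        }
    }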

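    /**
     * Sends {@code postString} as an {@code application/x-www-form-urlencoded}
     * POST body to {@code urlString} and returns the response body decoded
     * with the servlet-level {@code decode} charset.
     *
     * Unlike getHTTPConn this path sets no User-Agent, Referer or Cookie
     * header and uses 50-second timeouts instead of 3 — keep that in mind
     * when a proxied POST behaves differently from the GET that preceded it.
     *
     * @param urlString  target URL (attacker-supplied by design)
     * @param postString raw, already url-encoded form body
     * @return the response body; on an HTTP error status the error body;
     *         "" when nothing could be read at all
     */
    String PostData(String urlString, String postString) {
        HttpURLConnection http = null;
        OutputStreamWriter osw = null;
        String response = null;
        try {
            java.net.URL url = new java.net.URL(urlString);
            http = (HttpURLConnection) url.openConnection();
            http.setDoInput(true);
            http.setDoOutput(true);
            http.setUseCaches(false);
            http.setConnectTimeout(50000);
            http.setReadTimeout(50000);
            http.setRequestMethod("POST");
            http.setRequestProperty("Content-Type",
                    "application/x-www-form-urlencoded");
            http.connect();
            osw = new OutputStreamWriter(http.getOutputStream(), decode);
            osw.write(postString);
            osw.flush();
            osw.close();
            osw = null; // closed normally; finally must not close it twice
            response = getHtmlByInputStream(http.getInputStream(), decode);
        } catch (Exception e) {
            // A 4xx/5xx makes getInputStream() throw; the body is then on the
            // error stream. When the connection itself was never created
            // (malformed URL) the original dereferenced null here and the
            // NullPointerException escaped into the JSP.
            if (http != null) {
                response = getHtmlByInputStream(http.getErrorStream(), decode);
            } else {
                System.out.println("PostData:" + e.getMessage());
                response = "";
            }
        } finally {
            // Release the writer if the write or the read blew up mid-way.
            if (osw != null) {
                try {
                    osw.close();
                } catch (IOException e) {
                    System.out.print(e.getMessage());
                }
            }
        }
        return response;
    }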

    HttpURLConnection conn; // NOTE(review): no use of this field in the visible listing (methods take their own conn parameter) — looks dead

    //从输入流中读取源码
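    /**
     * Reads {@code is} to the end as text in charset {@code code}, drops
     * blank lines and re-joins the remaining ones with a newline.
     *
     * @param is   stream to drain; may be null (HttpURLConnection hands out a
     *             null error stream when there is none)
     * @param code charset name, e.g. "utf-8" / "gbk"
     * @return the joined text, or "" when the stream is null or reading fails
     */
    String getHtmlByInputStream(java.io.InputStream is, String code) {
        StringBuffer html = new StringBuffer();
        if (is == null) {
            // The original reached this case through a caught NPE; make it explicit.
            return html.toString();
        }
        java.io.BufferedReader br = null;
        try {
            br = new java.io.BufferedReader(new java.io.InputStreamReader(is, code));
            String temp;
            while ((temp = br.readLine()) != null) {
                if (!temp.trim().equals("")) {
                    // The published listing appends the literal letter "n"
                    // here — almost certainly a backslash lost in extraction
                    // (compare "rn" in getHostPort); a newline is what a
                    // line-joining loop means.
                    html.append(temp).append("\n");
                }
            }
        } catch (Exception e) {
            System.out.print(e.getMessage());
        } finally {
            // Always release the socket-backed stream, also after a read or
            // decode error; the original only closed it on the happy path.
            if (br != null) {
                try {
                    br.close();
                } catch (java.io.IOException e) {
                    System.out.print(e.getMessage());
                }
            }
        }
        return html.toString();
    }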

    //获取HTML源码
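    /**
     * Reads the response body of {@code conn}, or — when {@code isError} is
     * set and the normal stream throws (HTTP 4xx/5xx) — the error body.
     *
     * @param conn    prepared connection; may be null (getHTTPConn returns
     *                null for a bad URL)
     * @param decode  charset name; null means "utf-8"
     * @param isError whether to fall back to the error stream
     * @return the body text, or the literal string "null" when nothing could
     *         be read (the scriptlet compares against "null", so that
     *         sentinel is kept)
     */
    String getHtmlContext(HttpURLConnection conn, String decode, boolean isError) {
        String code = decode != null ? decode : "utf-8";
        if (conn == null) {
            // Original reached the same result via two caught NPEs.
            System.out.println("getHtmlContext: no connection");
            return "null";
        }
        try {
            return getHtmlByInputStream(conn.getInputStream(), code);
        } catch (Exception e) {
            if (isError) {
                try {
                    return getHtmlByInputStream(conn.getErrorStream(), code);
                } catch (Exception e1) {
                    // The original logged e here instead of e1, hiding the
                    // second failure.
                    System.out.println("getHtmlContext2:" + e1.getMessage());
                }
            }
            System.out.println("getHtmlContext:" + e.getMessage());
            return "null";
        }
    }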

    //获取Server头
    /**
     * Returns the raw "Server" response header of {@code conn}.
     *
     * @return the header value (null when the server sent none), or the
     *         literal string "null" if reading it throws — e.g. for a null
     *         connection handed over from a failed getHTTPConn
     */
    String getServerType(HttpURLConnection conn) {
        String server;
        try {
            server = conn.getHeaderField("Server");
        } catch (Exception e) {
            server = "null";
        }
        return server;
    }

    //匹配标题
    /**
     * Collects every match of the title pattern in {@code htmlSource},
     * concatenates the matches and strips a second pattern from the result.
     *
     * NOTE(review): in this listing both patterns are bare — ".*?" and "" —
     * which looks like the tag literals around them were stripped when the
     * page was extracted (the wrapper literals in getCss are empty the same
     * way). As printed, ".*?" matches the empty string at every position, so
     * the method returns "" for any input; confirm the regexes against the
     * original source before relying on this.
     *
     * @param htmlSource page text as returned by getHtmlContext
     * @return the concatenated matches, or null if matching throws
     */
    String getTitle(String htmlSource) {
        try {
            List list = new ArrayList(); // shadows the servlet-level field of the same name
            String title = "";
            Pattern pa = Pattern.compile(".*?");
            Matcher ma = pa.matcher(htmlSource);
            while (ma.find()) {
                list.add(ma.group());
            }
            for (int i = 0; i < list.size(); i++) {
                title = title + list.get(i);
            }
            return title.replaceAll("", "");
        } catch (Exception e) {
            // e.g. a null htmlSource
            return null;
        }
    }

    //得到css
    /**
     * Finds stylesheet references in {@code html}, fetches each one relative
     * to {@code url} through the proxy and returns their contents, each
     * wrapped by the two string literals around the fetch.
     *
     * NOTE(review): the Pattern literal below contains an unescaped '"' and
     * the wrapper literals are empty — a backslash and the wrapping tags look
     * like they were stripped when this page was extracted (compare the "n" /
     * "Openrn" literals elsewhere); as printed the line does not compile.
     * Check the original before reading anything into the exact regex. What
     * is visible: the capture is greedy, so on a line with several hrefs it
     * runs to the last ".css"; and every stylesheet is requested as
     * url + "/" + href, i.e. relative to the proxied URL as typed, never to
     * the page's own base path.
     *
     * @param html   page source already fetched by the proxy
     * @param url    the proxied URL used as the base for relative hrefs
     * @param decode charset for the stylesheet bodies
     * @return one string per stylesheet, in document order; whatever was
     *         collected before an exception if one is thrown
     */
    List getCss(String html, String url, String decode) {
        List cssurl = new ArrayList();
        List csscode = new ArrayList();
        try {

            String title = ""; // unused
            Pattern pa = Pattern.compile(".*href="(.*)[.]css");
            Matcher ma = pa.matcher(html.toLowerCase());
            while (ma.find()) {
                cssurl.add(ma.group(1) + ".css");
            }

            for (int i = 0; i < cssurl.size(); i++) {
                String cssuuu = url + "/" + cssurl.get(i);
                // isError=false: a failed stylesheet fetch yields "null" text, not the error body
                String csshtml = ""
                        + getHtmlContext(getHTTPConn(cssuuu), decode,false)
                        + "";
                csscode.add(csshtml);

            }
        } catch (Exception e) {
            System.out.println("getCss:" + e.getMessage());
        }
        return csscode;

    }

    //域名解析成IP
    /**
     * Address of the local host as the JVM resolves it; the web-scan
     * scriptlet reads it as the fallback before the "ip" parameter.
     *
     * @return dotted IP string of the local host
     * @throws IOException if the local hostname cannot be resolved
     */
    String getMyIPLocal() throws IOException {
        InetAddress local = InetAddress.getLocalHost();
        String address = local.getHostAddress();
        return address;
    }
    
    
    
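    /**
     * TCP-connect probe of one "host:port" task. On success the result line
     * is appended to port.txt via saveScanReslt2 and echoed to stdout.
     *
     * Note: {@code new Socket(host, port)} connects with the OS default
     * timeout, so a filtered (silently dropped) port can hold a worker for
     * a long time; only refused ports fail fast.
     *
     * @param task "ip:port" as queued by the scan loop
     * @return true when the connect succeeded; false on refusal, timeout or
     *         a malformed task
     */
    boolean getHostPort(String task) {
        Socket client = null;
        boolean isOpen = false;
        try {
            String[] s = task.split(":");
            client = new Socket(s[0], Integer.parseInt(s[1]));
            isOpen = true;
            System.out.println("getHostPort:" + task);
            //scanportlist.add(task+" >>> Open");
            // The published listing wrote "Openrn" — the "\r\n" lost its
            // backslashes in extraction, so every result landed on one line
            // of port.txt and readPortResult could not split them.
            saveScanReslt2(task + " >>> Open\r\n");
        } catch (Exception e) {
            isOpen = false;
        } finally {
            // The original never closed the socket: each open port leaked one
            // connected descriptor for the lifetime of the servlet.
            if (client != null) {
                try {
                    client.close();
                } catch (IOException e) {
                    System.out.print(e.getMessage());
                }
            }
        }
        return isOpen;
    }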
    
    /** Records the directory that saveScanReslt2 writes port.txt into. */
    void getPath(String path) {
        this.cpath = path;
    }
    
/*  void saveScanReslt(String s){
    try{
    FileUtils.writeStringToFile(new File(cpath+"/port.txt"), s,"UTF-8",true);
    }catch(Exception e){
    System.out.print(e.getLocalizedMessage());
    }
    } */
    
    /**
     * Appends one result record to cpath + "/port.txt" (created on first
     * use, never truncated; platform default charset as FileWriter does).
     * Failures are printed to stdout and otherwise ignored — this is
     * best-effort logging meant for the scan worker threads.
     */
    void saveScanReslt2(String content) {
        FileWriter writer = null;
        try {
            writer = new FileWriter(cpath + "/port.txt", true);
            writer.write(content);
        } catch (IOException e) {
            System.out.print(e.getLocalizedMessage());
        } finally {
            closeResultWriter(writer);
        }
    }

    /** Closes {@code writer} if it was opened, printing (not throwing) on failure. */
    private void closeResultWriter(FileWriter writer) {
        if (writer == null) {
            return;
        }
        try {
            writer.close();
        } catch (IOException e) {
            System.out.print(e.getLocalizedMessage());
        }
    }
    
    
    
    String s="Result:
";
    // NOTE(review): `s` lives in the <%! %> block, so it is a field of the
    // generated servlet shared by every request; readPortResult appends to
    // it on each call, so the "Result:" text keeps growing across page
    // loads. The literal above is split by a line break in this listing
    // (presumably rendered markup) — check the original source.
    /**
     * Reads port.txt line by line into the shared field `s` and returns it.
     *
     * @param portfile path of the result file (the scriptlet builds it from
     *                 the web root)
     * @return the accumulated text, or null if the file cannot be read —
     *         note the `return null` inside finally, which also overrides
     *         the normal return when closing the reader fails
     */
    String readPortResult(String portfile){
        File file = new File(portfile);
        BufferedReader reader = null;
        try {
            System.out.println(""); // empty in this listing; probably lost markup
            reader = new BufferedReader(new FileReader(file)); // platform charset, same as saveScanReslt2
            String tempString = null;
            while ((tempString = reader.readLine()) != null) {
                s+=tempString+"
";
            }
            reader.close();
        } catch (IOException e) {
            return null;
        } finally {
            if (reader != null) {
                try {
                    reader.close();
                } catch (IOException e1) {
                    return null;
                }
            }
        }
        return s;
    }
%>
内网简单扫描脚本
// Shows one of the three tool panels (proxy / web / port) and hides the others.
function showDiv(obj) {
    //var statu = document.getElementById("prequest").style.display;
    if (obj == "proxy") {
        document.getElementById("proxy").style.display = "block";
        document.getElementById("web").style.display = "none";
        document.getElementById("port").style.display = "none";
    } else if (obj == "web") {
        document.getElementById("proxy").style.display = "none";
        document.getElementById("web").style.display = "block";
        document.getElementById("port").style.display = "none";
    } else if (obj == "port") {
        document.getElementById("proxy").style.display = "none";
        document.getElementById("web").style.display = "none";
        document.getElementById("port").style.display = "block";
    }
}

代理访问 Web扫描 端口扫描

Url:

Method: GET POST Decode: utf-8 gbk

Referer:

IP:

Port:

IP:-

Port:

Thread:


<% final JspWriter pwx = out; String s = application.getRealPath("/") + "/port.txt"; String result = readPortResult(s); if (result != null) { try { pwx.println(result); } catch (Exception e) { System.out.print(e.getMessage()); } }else{ pwx.println("如果你进行了端口扫描操作,那么这里将会显示扫描结果!
"); } String div1 = "
"; String div2 = "
"; String u = request.getParameter("url"); String ip = request.getParameter("ip"); String scanip = request.getParameter("scanip"); if (u != null) { String post = request.getParameter("post"); //System.out.print(u); //System.out.print(post); decode = request.getParameter("decode"); String ref = request.getParameter("referer"); String cook = request.getParameter("cookie"); if (ref != null) { referer = ref; } if (cook != null) { cookie = cook; } String html = null; if (post != null) { html = PostData(u, post); } else { html = getHtmlContext(getHTTPConn(u), decode, true); } String path = request.getContextPath()+"/netspy.jsp"; System.out.println("path:"+path); String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"?url="; System.out.println("base:"+basePath); String reaplce = "href=""+basePath; //html=html.replaceAll("href=['|"]?http://(.*)['|"]?", reaplce+"http://$1""); html = html.replaceAll("href=['|"]?(?!http)(.*)['|"]?", reaplce + u + "$1"); List css = getCss(html, u, decode); String csshtml = ""; if (!html.equals("null")) { for (int i = 0; i < css.size(); i++) { csshtml += css.get(i); } out.print(div1 + html + csshtml + div2); } else { response.setStatus(HttpServletResponse.SC_NOT_FOUND); out.print("请求失败!"); } return; } else if (ip != null) { String threadpp = (request.getParameter("thread")); String[] port = request.getParameter("port").split(","); if (threadpp != null) { thread = Integer.parseInt(threadpp); System.out.println(threadpp); } try { try { String http = "http://"; String localIP = getMyIPLocal(); if (ip != null) { localIP = ip; } String useIP = localIP.substring(0, localIP.lastIndexOf(".") + 1); final Queue queue = new LinkedBlockingQueue(); for (int i = 1; i <= 256; i++) { for (int j = 0; j < port.length; j++) { String url = http + useIP + i + ":" + port[j]; queue.offer(url); System.out.print(url); } } final JspWriter pw = out; ThreadGroup tg = new ThreadGroup("c"); for (int i = 0; i > " + title + ">>" 
+ serverType + " >>" + status + "
"); } catch (Exception e) { e.printStackTrace(); } } } else { return; } } } }).start(); } while (tg.activeCount() != 0) { } } catch (Exception e) { e.printStackTrace(); } } catch (Exception e) { out.println(e.toString()); } } else if (scanip != null) { getPath(application.getRealPath("/")); int thread = Integer.parseInt(request.getParameter("thread")); String[] port = request.getParameter("scanport").split(","); String ip1 = scanip; String ip2 = request.getParameter("scanip2"); int start = Integer.parseInt(ip1.substring( ip1.lastIndexOf(".") + 1, ip1.length())); int end = Integer.parseInt(ip2.substring( ip2.lastIndexOf(".") + 1, ip2.length())); String useIp = scanip.substring(0, scanip.lastIndexOf(".") + 1); System.out.println("start:" + start); System.out.println("end:" + end); final Queue queue = new LinkedBlockingQueue(); for (int i = start; i <= end; i++) { for (int j = 0; j < port.length; j++) { String scantarget = useIp + i + ":" + port[j]; queue.offer(scantarget); //System.out.println(scantarget); } } System.out.print("Count1:" + queue.size()); final JspWriter pw = out; ThreadGroup tg = new ThreadGroup("c"); for (int i = 0; i >> Open
"; scanportlist.add(result); System.out.println(result); } */ /* try { pw.println(result); } catch (Exception e) { System.out.print(e.getMessage()); } */ } } } }).start(); } /* while (tg.activeCount() != 0) { } */ try { pw.println("扫描线程已经开始,请查看" + cpath+"/port.txt文件或者直接刷新本页面!"); } catch (Exception e) { System.out.print(e.getMessage()); } } %>

前些天看到wooyun社区有人发的jsp内网探测脚本,可以内网代理访问和内网端口扫描。但是却没找到php的既能代理内网,又能扫描内网端口的脚本。所以我写了这个集合版本的php内网探测脚本。

<?php
 
set_time_limit(0); // no execution limit: the scan loop can run for a long time
ob_implicit_flush(True); // stream each "Port ... is open" line as soon as it is found
ob_end_flush();
// Proxy target taken straight from the request (GET or POST) with no
// authentication — anyone who can reach this file can fetch intranet URLs
// through it.
$url = isset($_REQUEST['url'])?$_REQUEST['url']:null; 

/*端口扫描代码*/
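/**
 * TCP-connect probe of $ip:$port with a connect timeout in seconds.
 *
 * Returns true when the connection is accepted, false otherwise. The original
 * fell off the end on a closed port and returned null; the caller's `== True`
 * tolerated that, but an explicit false is what the name promises.
 */
function check_port($ip,$port,$timeout=0.1) {
    // @ silences the warning fsockopen emits on refusal/timeout.
    $conn = @fsockopen($ip, $port, $errno, $errstr, $timeout);
    if ($conn) {
        fclose($conn);
        return true;
    }
    return false;
}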

 
function scanip($ip,$timeout,$portarr){
foreach($portarr as $port){
if(check_port($ip,$port,$timeout=0.1)==True){
echo 'Port: '.$port.' is open
'; @ob_flush(); @flush(); } } } echo '
Timeout
'; if(isset($_POST['startip'])&&isset($_POST['endip'])&&isset($_POST['port'])&&isset($_POST['timeout'])){ $startip=$_POST['startip']; $endip=$_POST['endip']; $timeout=$_POST['timeout']; $port=$_POST['port']; $portarr=explode(',',$port); $siparr=explode('.',$startip); $eiparr=explode('.',$endip); $ciparr=$siparr; if(count($ciparr)!=4||$siparr[0]!=$eiparr[0]||$siparr[1]!=$eiparr[1]){ exit('IP error: Wrong IP address or Trying to scan class A address'); } if($startip==$endip){ echo 'Scanning IP '.$startip.'
'; @ob_flush(); @flush(); scanip($startip,$timeout,$portarr); @ob_flush(); @flush(); exit(); } if($eiparr[3]!=255){ $eiparr[3]+=1; } while($ciparr!=$eiparr){ $ip=$ciparr[0].'.'.$ciparr[1].'.'.$ciparr[2].'.'.$ciparr[3]; echo '
Scanning IP '.$ip.'
'; @ob_flush(); @flush(); scanip($ip,$timeout,$portarr); $ciparr[3]+=1; if($ciparr[3]>255){ $ciparr[2]+=1; $ciparr[3]=0; } if($ciparr[2]>255){ $ciparr[1]+=1; $ciparr[2]=0; } } } /*内网代理代码*/ function getHtmlContext($url){ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HEADER, TRUE); //表示需要response header curl_setopt($ch, CURLOPT_NOBODY, FALSE); //表示需要response body curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_TIMEOUT, 120); $result = curl_exec($ch); global $header; if($result){ $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE); $header = explode("rn",substr($result, 0, $headerSize)); $body = substr($result, $headerSize); } if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '200') { return $body; } if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '302') { $location = getHeader("Location"); if(strpos(getHeader("Location"),'http://') == false){ $location = getHost($url).$location; } return getHtmlContext($location); } return NULL; } function getHost($url){ preg_match("/^(http://)?([^/]+)/i",$url, $matches); return $matches[0]; } function getCss($host,$html){ preg_match_all("//i",$html, $matches); foreach($matches[1] as $v){ $cssurl = $v; if(strpos($v,'http://') == false){ $cssurl = $host."/".$v; } $csshtml = "".file_get_contents($cssurl).""; $html .= $csshtml; } return $html; } if($url != null){ $host = getHost($url); echo getCss($host,getHtmlContext($url)); } ?>

用法:

1、端口扫描部分:

填好起始ip、结束ip、自定义端口、超时等,点击扫描即可,十分方便。注意上面贴出的代码里 scanip() 调用的是 check_port($ip,$port,$timeout=0.1),表单里填的超时实际上不会生效,每个端口固定只等 0.1 秒;要让自定义超时起作用,需把它改成 check_port($ip,$port,$timeout)。

2、内网代理部分:直接在文件后面加url参数,注意这里要带上http协议,不然可能css加载不全。另外 getHtmlContext() 遇到 302 会递归跟随 Location,没有跳数上限,碰到循环跳转会一直递归下去。

from

http://jeary.org/post-69.html

http://www.answ.cc/?post=18
