内网探测脚本&简单代理访问 jsp/php 源码分享

作者:袖梨 2022-11-14

php内网探测脚本&简单代理访问



jsp.jpg


jsp2.jpg


jsp4.jpg


jsp5.jpg

..

1.直接访问默认扫描当前IP的C段,获取标题、web容器.

2.可以自定义传入需要扫描的段,传入参数ip即可

3.代理访问参数为url,可简单的访问内网的web,对了,我还加载了网站里的css,做到尽量看上去和直接访问的效果一样

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%> 
<%@ page isThreadSafe="false"%> 
<%@page import="java.io.PrintWriter"%> 
<%@page import="java.io.OutputStreamWriter"%> 
<%@page import="java.util.regex.Matcher"%> 
<%@page import="java.io.IOException"%> 
<%@page import="java.net.InetAddress"%> 
<%@page import="java.util.regex.Pattern"%> 
<%@page import="java.net.HttpURLConnection"%> 
<%@page import="java.util.concurrent.LinkedBlockingQueue"%> 
<%!final static List list = new ArrayList(); // not read or written anywhere else on this page
  // Page-level state. The scriptlet below overwrites these from request parameters, and
  // getHTTPConn() / getHtmlContext() and the scanner worker threads read them. isThreadSafe="false"
  // asks the container not to run the page concurrently, but the worker threads started in the
  // scan branch still share these fields with the request thread.
  String referer = "";   // sent verbatim as the "referer" header of every outbound request
  String cookie = "";    // sent verbatim as the "cookie" header of every outbound request
  String decode = "utf-8"; // charset used to read response bodies; "decode" parameter replaces it
  int thread = 100;      // number of scanner threads; "thread" parameter replaces it, unbounded
  /**
   * Prepares (without yet opening) a GET request for {@code urlString}.
   *
   * <p>The request carries a fixed desktop User-Agent, advertises gzip, copies the page-level
   * {@code referer} and {@code cookie} fields into the headers, and uses 3 s connect and read
   * time-outs. The URL is used exactly as supplied by the caller: no scheme, host or address
   * restriction is applied here, so whoever can reach this page chooses the destination.
   *
   * @param urlString absolute URL to request
   * @return the prepared connection, or {@code null} when the URL is malformed, is not an
   *         HTTP(S) URL (the cast to HttpURLConnection fails), or a request property cannot be set
   */
  HttpURLConnection getHTTPConn(String urlString) { 
    java.net.HttpURLConnection request = null; 
    try { 
      java.net.URL target = new java.net.URL(urlString); 
      request = (java.net.HttpURLConnection) target.openConnection(); 
      request.setRequestMethod("GET"); 
      request.addRequestProperty("User-Agent", 
          "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon;)"); 
      // NOTE(review): gzip is advertised, but getHtmlContext() reads the stream as plain text;
      // a server that honours this header will produce unreadable output.
      request.addRequestProperty("Accept-Encoding", "gzip"); 
      request.addRequestProperty("referer", referer); 
      request.addRequestProperty("cookie", cookie); 
      // Redirect following is left at the HttpURLConnection default (enabled).
      request.setConnectTimeout(3000); 
      request.setReadTimeout(3000); 
    } catch (Exception e) { 
      // Every failure collapses to null; callers treat null as "no connection".
      request = null; 
    } 
    return request; 
  } 
  HttpURLConnection conn; // unused page-level field: the methods and the scan loop each use their own conn parameter/local
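  /**
   * Reads the response body of {@code conn} as text and returns it with blank lines removed.
   *
   * <p>NOTE(review): getHTTPConn() advertises {@code Accept-Encoding: gzip}, yet the stream is
   * decoded here as plain text in {@code decode}; a gzip-encoded body will come out as garbage.
   *
   * @param conn   prepared connection; {@code null} is tolerated and reported as a failure
   * @param decode charset name used to decode the body; {@code null} falls back to UTF-8
   *               (this parameter shadows the page-level {@code decode} field)
   * @return the non-blank lines, each followed by '\n', or the literal string {@code "null"}
   *         when the body cannot be read (the scriptlet compares against that sentinel;
   *         a non-2xx status makes getInputStream() throw and therefore also yields "null")
   */
  String getHtmlContext(HttpURLConnection conn, String decode) { 
    String charset = decode != null ? decode : "utf-8"; 
    StringBuilder html = new StringBuilder(); 
    // try-with-resources: previously the reader (and its socket) leaked when readLine() threw
    // part-way through the body. A null conn throws NPE from the resource initializer, which
    // this catch still covers.
    try (java.io.BufferedReader br = new java.io.BufferedReader( 
        new java.io.InputStreamReader(conn.getInputStream(), charset))) { 
      String line; 
      while ((line = br.readLine()) != null) { 
        if (!line.trim().isEmpty()) { 
          // The published listing reads append("n"); the backslash of "\n" was evidently
          // lost when the page was rendered, so the literal letter n was appended instead.
          html.append(line).append('\n'); 
        } 
      } 
      return html.toString(); 
    } catch (Exception e) { 
      System.out.println("getHtmlContext:" + e.getMessage()); 
      return "null"; 
    } 
  } 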
  /**
   * Returns the value of the response's {@code Server} header.
   *
   * <p>Note the asymmetry: a missing header yields a real {@code null} (getHeaderField's
   * own result), whereas a failure — including a {@code null} conn — yields the string
   * {@code "null"}.
   *
   * @param conn connection whose response headers are consulted; may be {@code null}
   * @return the Server header value, {@code null} if absent, or {@code "null"} on error
   */
  String getServerType(HttpURLConnection conn) { 
    String server; 
    try { 
      server = conn.getHeaderField("Server"); 
    } catch (Exception e) { 
      server = "null"; 
    } 
    return server; 
  } 
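  /**
   * Extracts the text of the page's {@code <title>} element(s).
   *
   * <p>The published listing shows {@code Pattern.compile(".*?")}; the surrounding
   * {@code <title>...</title>} was evidently stripped when the page was rendered, which left a
   * pattern that only ever matches empty strings (so every title came back as ""). The tag
   * is restored here, case-insensitively and across line breaks, and the trailing
   * {@code replaceAll("<.*?>", "")} — which only makes sense if the match included the tags —
   * is kept.
   *
   * @param htmlSource page text to search
   * @return the concatenated title text with markup stripped; {@code ""} when no title is
   *         present; {@code null} when matching throws (e.g. {@code htmlSource} is null)
   */
  String getTitle(String htmlSource) { 
    try { 
      Pattern pa = Pattern.compile("<title>.*?</title>", 
          Pattern.CASE_INSENSITIVE | Pattern.DOTALL); 
      Matcher ma = pa.matcher(htmlSource); 
      StringBuilder title = new StringBuilder(); 
      while (ma.find()) { 
        title.append(ma.group()); 
      } 
      return title.toString().replaceAll("<.*?>", ""); 
    } catch (Exception e) { 
      return null; 
    } 
  } 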
  /**
   * Collects the stylesheets referenced from {@code html}.
   *
   * <p>NOTE(review): as published this method never fetches anything — {@code cssuuu} is
   * built but not used and {@code csshtml} stays {@code ""} — so the result is one empty
   * string per {@code href="...css"} match. The regex literal also contains unescaped
   * quotes (it needs {@code \"} to compile); together with the unused {@code title} local it
   * looks like backslashes and markup were lost when the listing was rendered.
   *
   * <p>The pattern is matched against a lower-cased copy of {@code html}, so extracted paths
   * are lower-cased, and {@code (.*)} is greedy, so a line with several hrefs yields one
   * capture running up to its last {@code .css}. Relative hrefs are joined to {@code url}
   * with a bare {@code "/"} — an {@code href} that is already absolute would be mangled.
   *
   * @param html   page text to scan
   * @param url    base URL the stylesheet paths are resolved against
   * @param decode unused in this method
   * @return list of stylesheet fragments, one per match (currently all empty strings)
   */
  List getCss(String html, String url, String decode) { 
    List cssurl = new ArrayList(); 
    List csscode = new ArrayList(); 
    try { 
      String title = ""; 
      Pattern pa = Pattern.compile(".*href="(.*)[.]css"); 
      Matcher ma = pa.matcher(html.toLowerCase()); 
      while (ma.find()) { 
        cssurl.add(ma.group(1) + ".css"); 
      } 
      for (int i = 0; i < cssurl.size(); i++) { 
        String cssuuu = url + "/" + cssurl.get(i); // computed but never requested
        String csshtml = ""; 
        csscode.add(csshtml); 
      } 
    } catch (Exception e) { 
      // Includes NullPointerException when html is null; the partial list is still returned.
      System.out.println("getCss:"+e.getMessage()); 
    } 
    return csscode; 
  } 
  /**
   * Resolves this host's own address through its local hostname.
   *
   * @return the address of the local host in textual form
   * @throws IOException if the local hostname cannot be resolved ({@code UnknownHostException})
   */
  String getMyIPLocal() throws IOException { 
    return InetAddress.getLocalHost().getHostAddress(); 
  }%> 
<% 
  // Request dispatch. Two modes, selected by parameter:
  //   url=...  -> fetch that URL server-side and echo its body ("proxy" mode);
  //   ip=...   -> scan the /24 containing ip; with neither parameter, scan this host's own /24.
  // NOTE(review): both modes make outbound requests to destinations chosen entirely by the
  // caller, with no allow-list, and the proxy mode writes the fetched body into this response
  // unescaped, so remote content is reflected to whoever loads the page.
  String u = request.getParameter("url"); 
  String ip = request.getParameter("ip"); 
  if (u != null) { 
    // Overwrites page-level fields; a missing "decode" parameter leaves the field null
    // (getHtmlContext then falls back to utf-8).
    decode = request.getParameter("decode"); 
    String ref = request.getParameter("referer"); 
    String cook = request.getParameter("cookie"); 
    if (ref != null) { 
      referer = ref; 
    } 
    if (cook != null) { 
      cookie = cook; 
    } 
    // getHTTPConn may return null; getHtmlContext turns that into the "null" sentinel.
    String html = getHtmlContext(getHTTPConn(u), decode); 
    List css = getCss(html, u, decode); 
    String csshtml = ""; 
    if (!html.equals("null")) { 
      for (int i = 0; i < css.size(); i++) { 
        csshtml += css.get(i); 
      } 
      out.print(html + csshtml); // remote body emitted verbatim
    } else { 
      response.setStatus(HttpServletResponse.SC_NOT_FOUND); 
      out.print("请求失败!"); 
    } 
    return; 
  } 
  else if (ip != null || u == null) { // always true on this branch (u == null here)
    String threadpp = (request.getParameter("thread")); 
    if (threadpp != null) { 
      // NOTE(review): parseInt throws NumberFormatException on non-numeric input (caught by
      // nothing here), and the value is not bounded, so the loop below starts as many
      // threads as the caller asks for.
      thread = Integer.parseInt(threadpp); 
      System.out.println(threadpp); 
    } 
    try { 
      try { 
        String http = "http://"; 
        String localIP = getMyIPLocal(); 
        if (ip != null) { 
          localIP = ip; 
        } 
        // Keeps everything up to and including the last '.'. If ip has no '.', lastIndexOf
        // returns -1 and useIP becomes "", producing targets like "http://1".
        String useIP = localIP.substring(0, 
            localIP.lastIndexOf(".") + 1); 
        final Queue queue = new LinkedBlockingQueue(); 
        // 1..256: .0 is skipped and 256 is not a valid octet.
        for (int i = 1; i <= 256; i++) { 
          String url = http + useIP + i; 
          queue.offer(url); 
        } 
        // NOTE(review): the page's JspWriter is shared by all workers without synchronisation —
        // confirm it is safe to write from several threads at once.
        final JspWriter pw = out; 
        ThreadGroup tg = new ThreadGroup("c"); 
        for (int i = 0; i < thread; i++) { 
          new Thread(tg, new Runnable() { 
            public void run() { 
              // Each worker drains the shared queue; poll() returns null when it is empty,
              // which is the exit condition.
              while (true) { 
                String addr = queue.poll(); 
                if (addr != null) { 
                  System.out.println(addr); 
                  HttpURLConnection conn = getHTTPConn(addr); 
                  // decode is the page-level field here, shared with the request thread.
                  String html = getHtmlContext(conn, 
                      decode); 
                  String title = getTitle(html); 
                  String serverType = getServerType(conn); 
                  String status = !html 
                      .equals("null") ? "Success" 
                      : "Fail"; 
                  // html is never null here (getHtmlContext returns the body or "null").
                  if (html != null 
                      && !status.equals("Fail")) { 
                    try { 
                      // The string literal spans two lines in the published listing; kept verbatim.
                      pw.println(addr + "  >>  "+ title + ">>"+ serverType+ " >>" + status+ "
"); 
                    } catch (Exception e) { 
                      e.printStackTrace(); 
                    } 
                  } 
                } else { 
                  return; 
                } 
              } 
            } 
          }).start(); 
        } 
        // NOTE(review): busy-wait — this spins a CPU core until every worker has exited;
        // joining the threads would block instead.
        while (tg.activeCount() != 0) { 
        } 
      } catch (Exception e) { 
        e.printStackTrace(); 
      } 
    } catch (Exception e) { 
      out.println(e.toString()); 
    } 
  } 
%>


参数:

ip [需要探测的ip段]

url [需要请求的地址]

其他参数:

thread [指定线程数]

decode [指定编码]

referer [伪造referer]

cookie [伪造cookie]

待完善:

1.一个C段,可能有多种编码格式,所以指定一个参数是有问题的。

2.端口可以修改传入一个数组,支持探测多个端口80,8080..

3.代理访问功能并不完善,例如加载js、加载图片、超链接替换成代理访问的链接、表单替换支持真实请求..


php内网探测脚本&简单代理访问

>  “.$title.”>>”.$serverType.” >>”.$status.”
”; } @ob_flush(); flush(); } ob_end_clean(); } // tail of a function whose beginning is cut off above this fragment

// Fetches $url with curl. Returns the body on HTTP 200, follows a 302 by calling itself
// (no hop limit), and returns NULL for anything else. The parsed response headers are left
// in the global $header for getHeader(). The handle is never closed with curl_close().
function getHtmlContext($url){
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_HEADER, TRUE); // include the response headers in $result
  curl_setopt($ch, CURLOPT_NOBODY, FALSE); // include the response body as well
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
  curl_setopt($ch, CURLOPT_TIMEOUT, 120);
  $result = curl_exec($ch);
  global $header;
  if($result){
    $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    // The separator reads “rn” in the published listing and the quotes are typographic;
    // the backslashes of "\r\n" were evidently lost in rendering, so this does not run as-is.
    $header = explode(“rn”,substr($result, 0, $headerSize));
    $body = substr($result, $headerSize);
  }
  if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == ‘200’) {
    return $body;
  }
  if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == ‘302’) {
    $location = getHeader(“Location”);
    // NOTE(review): strpos() returns 0 when the needle is at offset 0, and 0 == false in PHP,
    // so an absolute http:// Location is wrongly prefixed with the host; === false is needed.
    if(strpos(getHeader(“Location”),’http://’) == false){
      $location = getHost($url).$location;
    }
    // NOTE(review): unbounded recursion — a redirect loop recurses until PHP's limits stop it.
    return getHtmlContext($location);
  }
  return NULL;
}

// Returns the value of the first line in the global $header that contains $name
// (case-sensitive substring match anywhere in the line). Falls through without a return
// value when no line matches.
function getHeader($name){
  global $header;
  foreach ($header as $loop) {
    if(strpos($loop,$name) !== false){
      return trim(substr($loop,strlen($name)+2)); // skips "$name: " — assumes the match is at offset 0
    }
  }
}

// Returns the first capture of the title pattern. The regex reads “/(.*?)/i” in the
// published listing, i.e. the <title> tags were stripped in rendering; $matches[1] is
// undefined when nothing matches.
function getTitle($html){
  preg_match(“/(.*?)/i”,$html, $matches);
  return $matches[1];
}

// Returns the scheme+host prefix of $url (the whole match, $matches[0]). As published the
// pattern “/^(http://)?([^/]+)/i” contains unescaped slashes inside its own delimiters, so
// the \/ escapes were evidently lost in rendering.
function getHost($url){
  preg_match(“/^(http://)?([^/]+)/i”,$url, $matches);
  return $matches[0];
}

// Appends stylesheet text for each captured link to $html and returns it. As published the
// regex reads “//i” (its body was stripped in rendering) and $csshtml is always the empty
// string, so nothing is fetched or appended; $cssurl is computed but never used.
function getCss($host,$html){
  preg_match_all(“//i”,$html, $matches);
  //print_r($matches);
  foreach($matches[1] as $v){
    $cssurl = $v;
    if(strpos($v,’http://’) == false){ // same == vs === issue as in getHtmlContext
      $cssurl = $host.”/”.$v;
    }
    $csshtml = “”;
    $html .= $csshtml;
  }
  return $html;
}
?>

