[jsp&php]内网探测脚本&简单代理访问v1.0

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ page isThreadSafe="false"%>
<%@page import="java.io.PrintWriter"%>
<%@page import="java.io.OutputStreamWriter"%>
<%@page import="java.util.regex.Matcher"%>
<%@page import="java.io.IOException"%>
<%@page import="java.net.InetAddress"%>
<%@page import="java.util.regex.Pattern"%>
<%@page import="java.net.HttpURLConnection"%>
<%@page import="java.util.concurrent.LinkedBlockingQueue"%>

<%!final static List<String> list = new ArrayList<String>();
  String referer = "";
  String cookie = "";
  String decode = "utf-8";
  int thread = 100;

  HttpURLConnection getHTTPConn(String urlString) {
    try {
      java.net.URL url = new java.net.URL(urlString);
      java.net.HttpURLConnection conn = (java.net.HttpURLConnection) url
          .openConnection();
      conn.setRequestMethod("GET");
      conn.addRequestProperty("User-Agent",
          "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon;)");
      conn.addRequestProperty("Accept-Encoding", "gzip");
      conn.addRequestProperty("referer", referer);
      conn.addRequestProperty("cookie", cookie);
      //conn.setInstanceFollowRedirects(false);
      conn.setConnectTimeout(3000);
      conn.setReadTimeout(3000);

      return conn;
    } catch (Exception e) {
      return null;
    }
  }

  HttpURLConnection conn;

  String getHtmlContext(HttpURLConnection conn, String decode) {
    Map<String, Object> result = new HashMap<String, Object>();
    try {

      String code = "utf-8";
      if (decode != null) {
        code = decode;
      }
      StringBuffer html = new StringBuffer();
      java.io.InputStreamReader isr = new java.io.InputStreamReader(
          conn.getInputStream(), code);
      java.io.BufferedReader br = new java.io.BufferedReader(isr);

      String temp;
      while ((temp = br.readLine()) != null) {
        if (!temp.trim().equals("")) {
          html.append(temp).append("\n");
        }
      }
      br.close();
      isr.close();
      return html.toString();
    } catch (Exception e) {
      System.out.println("getHtmlContext:"+e.getMessage());
      return "null";
    }
  }

  String getServerType(HttpURLConnection conn) {
    try {
      return conn.getHeaderField("Server");
    } catch (Exception e) {
      return "null";
    }

  }

  String getTitle(String htmlSource) {
    try {
      List<String> list = new ArrayList<String>();
      String title = "";
      Pattern pa = Pattern.compile("<title>.*?</title>");
      Matcher ma = pa.matcher(htmlSource);
      while (ma.find()) {
        list.add(ma.group());
      }
      for (int i = 0; i < list.size(); i++) {
        title = title + list.get(i);
      }
      return title.replaceAll("<.*?>", "");
    } catch (Exception e) {
      return null;
    }
  }

  List<String> getCss(String html, String url, String decode) {
    List<String> cssurl = new ArrayList<String>();
    List<String> csscode = new ArrayList<String>();
    try {

      String title = "";
      Pattern pa = Pattern.compile(".*href=\"(.*)[.]css");
      Matcher ma = pa.matcher(html.toLowerCase());
      while (ma.find()) {
        cssurl.add(ma.group(1) + ".css");
      }

      for (int i = 0; i < cssurl.size(); i++) {
        String cssuuu = url + "/" + cssurl.get(i);
        String csshtml = "<style>"
            + getHtmlContext(getHTTPConn(cssuuu), decode)
            + "</style>";
        csscode.add(csshtml);

      }
    } catch (Exception e) {
      System.out.println("getCss:"+e.getMessage());
    }
    return csscode;

  }

  String getMyIPLocal() throws IOException {
    InetAddress ia = InetAddress.getLocalHost();
    return ia.getHostAddress();
  }%>
<%
  String u = request.getParameter("url");
  String ip = request.getParameter("ip");

  if (u != null) {
    decode = request.getParameter("decode");
    String ref = request.getParameter("referer");
    String cook = request.getParameter("cookie");
    if (ref != null) {
      referer = ref;
    }
    if (cook != null) {
      cookie = cook;
    }
    String html = getHtmlContext(getHTTPConn(u), decode);
    List<String> css = getCss(html, u, decode);
    String csshtml = "";
    if (!html.equals("null")) {

      for (int i = 0; i < css.size(); i++) {
        csshtml += css.get(i);
      }
      out.print(html + csshtml);
    } else {
      response.setStatus(HttpServletResponse.SC_NOT_FOUND);
      out.print("请求失败!");
    }

    return;
  }

  else if (ip != null || u == null) {
    String threadpp = (request.getParameter("thread"));
    if (threadpp != null) {
      thread = Integer.parseInt(threadpp);
      System.out.println(threadpp);
    }
    try {
      try {
        String http = "http://";
        String localIP = getMyIPLocal();
        if (ip != null) {
          localIP = ip;
        }
        String useIP = localIP.substring(0,
            localIP.lastIndexOf(".") + 1);
        final Queue<String> queue = new LinkedBlockingQueue<String>();
        for (int i = 1; i <= 256; i++) {
          String url = http + useIP + i;
          queue.offer(url);
        }
        final JspWriter pw = out;
        ThreadGroup tg = new ThreadGroup("c");
        for (int i = 0; i < thread; i++) {
          new Thread(tg, new Runnable() {
            public void run() {
              while (true) {
                String addr = queue.poll();
                if (addr != null) {
                  System.out.println(addr);
                  HttpURLConnection conn = getHTTPConn(addr);
                  String html = getHtmlContext(conn,
                      decode);
                  String title = getTitle(html);
                  String serverType = getServerType(conn);
                  String status = !html
                      .equals("null") ? "Success"
                      : "Fail";
                  if (html != null
                      && !status.equals("Fail")) {
                    try {
                      pw.println(addr + "  >>  "+ title + ">>"+ serverType+ " >>" + status+ "<br/>");
                    } catch (Exception e) {
                      e.printStackTrace();
                    }
                  }
                } else {
                  return;
                }
              }
            }
          }).start();
        }
        while (tg.activeCount() != 0) {
        }
      } catch (Exception e) {
        e.printStackTrace();
      }
    } catch (Exception e) {
      out.println(e.toString());
    }
  }
 %> 


1.直接访问默认扫描当前IP的C段,获取标题、web容器.

2.可以自定义传入需要扫描的段,传入参数ip即可

3.代理访问参数为url,可简单的访问内网的web,对了,我还加载了网站里的css,做到尽量看上去和直接访问的效果一样 


参数:
ip [需要探测的ip段]
url [需要请求的地址]

其他参数:
thread [指定线程数]
decode [指定编码]
referer [伪造referer]
cookie [伪造cookie]




Zone里有人发了php版本,这里记录存档一下。 <?php
$url = isset($_REQUEST['u'])?$_REQUEST['u']:null;
$ip = isset($_REQUEST['i'])?$_REQUEST['i']:null;

if($url != null){
    $host = getHost($url);
    echo getCss($host,getHtmlContext($url));
}else if($ip != null){
    $useIP = substr($ip,0,strripos($ip,".") + 1);
  ob_start();
    for($i=0;$i<256;$i++){
      $url = "http://".$useIP.$i;
    $html = getHtmlContext($url);
    $title = getTitle(html);
    $serverType = getHeader("Server");
    $status = $html ? "Success": "Fail";
    if($html){
       echo $url."  >>  ".$title.">>".$serverType." >>".$status."<br/>";
    }
        @ob_flush();
        flush();
  }
  ob_end_clean();
}
function getHtmlContext($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, TRUE);    //表示需要response header
    curl_setopt($ch, CURLOPT_NOBODY, FALSE); //表示需要response body
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_TIMEOUT, 120);
    $result = curl_exec($ch);
  global $header;
  if($result){
       $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
       $header = explode("\r\n",substr($result, 0, $headerSize));
       $body = substr($result, $headerSize);
  }
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '200') {
        return $body;
    }
    if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '302') {
    $location = getHeader("Location");
    if(strpos(getHeader("Location"),'http://') == false){
      $location = getHost($url).$location;
    }
        return getHtmlContext($location);
    }
    return NULL;
}
function getHeader($name){
  global $header;
  foreach ($header as $loop) {
     if(strpos($loop,$name) !== false){
       return trim(substr($loop,strlen($name)+2));
     }
  }
}
function getTitle($html){
    preg_match("/<title>(.*?)<\/title>/i",$html, $matches);
  return $matches[1];
}
function getHost($url){
    preg_match("/^(http:\/\/)?([^\/]+)/i",$url, $matches);
    return $matches[0];
}
function getCss($host,$html){
    preg_match_all("/<link[\s\S]*?href=['\"](.*?[.]css.*?)[\"'][\s\S]*?>/i",$html, $matches);
  //print_r($matches);
    foreach($matches[1] as $v){
    $cssurl = $v;
        if(strpos($v,'http://') == false){
      $cssurl = $host."/".$v;
    }
    $csshtml = "<style>".file_get_contents($cssurl)."</style>";
    $html .= $csshtml;
  }
  return $html;
}
?>

eg: 扫描C段
http://localhost/out.php?i=192.168.1.1
访问url
http://localhost/out.php?u=192.168.1.1

发表评论