HTTP Server + Groovlet = A Back-Door Type of Trick When Using A Java App
by
·
Join the DZone community and get the full member experience.
Join For Freerecently i saw an
article
about simple
groovlet
. groovlet allows you to execute any code in your server. it looks very useful for creating a backdoor - for debugging, troubleshooting, etc.
my problem, however, is that we don't just have a server, but we also have a swing-rich client who is unable to execute groovlets. so i tried to create something like this in a standalone application without adding to the application-embedded servlet engine (jetty or tomcat).
luckily, i just read an article about a simple http server inside a standard java library. i decided to use some of its ideas.
let's start from main:
my problem, however, is that we don't just have a server, but we also have a swing-rich client who is unable to execute groovlets. so i tried to create something like this in a standalone application without adding to the application-embedded servlet engine (jetty or tomcat).
luckily, i just read an article about a simple http server inside a standard java library. i decided to use some of its ideas.
let's start from main:
public class main {
public static void main(string[] args) {
// you can set port number from command line or leave it hardcoded
httpbackdoorrunner runner = new httpbackdoorrunner(18999, true);
runner.start();
}
}
let's continue in groovy because it is simpler :)
import com.sun.net.httpserver.httpserver
import java.util.concurrent.executors
/**
* this class starts the server with our handler (embedded server is not servlet container!)
*/
class httpbackdoorrunner {
final int port
final boolean silent
httpbackdoorrunner(int port, boolean silent) {
this.port = port
this.silent = silent
}
def start() {
try {
inetsocketaddress addr = new inetsocketaddress(port);
httpserver server = httpserver.create(addr, 0);
server.createcontext("/", new backdoorhandler());
server.setexecutor(executors.newcachedthreadpool(
));
server.start();
}
catch(exception e) {
if (silent) {
// ignore
}
else throw new runtimeexception(e)
}
}
}
now - the http requests handler:
/**
* i need this abstraction level to reuse script running code in groovlet and standalone backdoor
* the way, you receive script text is different in those two situations
*/
class backdoorscriptrunner {
void runscript(script, responsebody, uri) {
def scriptoutput = new bytearrayoutputstream()
if (script) {
// redirect output
def saveout = system.out
def stream = new printstream(scriptoutput)
system.out = stream
try{
def result = new groovyshell().run(script, "dynamic.groovy");
}
catch (throwable e) {
e.printstacktrace(stream);
}
system.out = saveout
}
responsebody.println createhtml(uri, script, scriptoutput)
responsebody.close();
}
string createhtml(uri, script, scriptoutput) {
"""
< form action="${uri}" method="post">
< h2>backdoor
code comes here:
< textarea cols="120" rows="5" name="groovyscript">
${script ? script : ""}< /textarea>
< br>
< input type="submit" value="go!" />
< /form>
< br>
${scriptoutput.tostring() ? "< h2>output< /h2>< pre>${scriptoutput}< /pre>" : ""}
"""
}
}
and now - start it up!
Java (programming language)
app
Opinions expressed by DZone contributors are their own.
Comments